Message-ID: <ef7c07585e41c8afbb2b97df98fd47c9374b15cb.camel@linux.ibm.com>
Date: Tue, 30 Sep 2025 06:23:47 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Jann Horn <jannh@...gle.com>, Roberto Sassu <roberto.sassu@...wei.com>,
Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
Eric Snowberg <eric.snowberg@...cle.com>
Cc: Frank Dinoff <fdinoff@...gle.com>, linux-kernel@...r.kernel.org,
linux-integrity@...r.kernel.org
Subject: Re: [PATCH 0/2] ima: add dont_audit and fs_subtype to policy language
On Fri, 2025-09-26 at 01:45 +0200, Jann Horn wrote:
> This series adds a "dont_audit" action that cancels out following
> "audit" actions (as we already have for other action types), and also
> adds an "fs_subtype" that can be used to distinguish between FUSE
> filesystems.
>
> With these two patches applied, as a toy example, you can use the
> following policy:
> ```
> dont_audit fsname=fuse fs_subtype=sshfs
> audit func=BPRM_CHECK fsname=fuse
> ```
>
> I have tested that with this policy, executing a binary from a
> "fuse-zip" FUSE filesystem results in an audit log entry:
> ```
> type=INTEGRITY_RULE msg=audit([...]): file="/home/user/ima/zipmount/usr/bin/echo" hash="sha256:1d82e8[...]
> ```
> while executing a binary from an "sshfs" FUSE filesystem does not
> generate any audit log entries.
>
> Signed-off-by: Jann Horn <jannh@...gle.com>
Thanks, Jann. The patches look fine. Assuming the "toy" test program creates
and mounts the fuse filesystems, not just loads the IMA policy rules, could you
share it?
thanks,
Mimi
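The policy in the cover letter only works because IMA walks its rules in order and the first matching rule for an action type decides, so the "dont_audit" line has to come before the "audit" line it is meant to cancel. The following is an added toy model of that walk (not the kernel's ima_match_rules(), not part of the series, and not the test program Mimi asks for); it assumes conditions are plain key=value pairs compared as exact strings, that a rule without func= applies to every hook, and that fs_subtype carries the part after "fuse." in the mount's filesystem type. The event records below are constructed for illustration.

```python
"""Toy model of IMA policy evaluation for the audit / dont_audit action.

Constructed example, not kernel code.  Rules are walked top to bottom and
the first rule whose conditions all hold decides: "audit" fires the action,
"dont_audit" suppresses it.  Rules for other actions (measure, appraise,
hash) are skipped because each action type is walked independently.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# Policy quoted from the cover letter.  "dont_audit" and "fs_subtype" are the
# keywords the series proposes; they are assumed here, not existing syntax.
POLICY = """\
dont_audit fsname=fuse fs_subtype=sshfs
audit func=BPRM_CHECK fsname=fuse
"""

# Same two rules in the wrong order, to show why ordering matters.
POLICY_REVERSED = """\
audit func=BPRM_CHECK fsname=fuse
dont_audit fsname=fuse fs_subtype=sshfs
"""


@dataclass
class Rule:
    action: str
    conds: Dict[str, str]


def parse_policy(text: str) -> List[Rule]:
    """Parse 'action key=value ...' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, *conds = shlex.split(line)
        parsed = {}
        for cond in conds:
            key, sep, value = cond.partition("=")
            if not sep or not key:
                raise ValueError(f"malformed condition {cond!r} in {line!r}")
            parsed[key] = value
        rules.append(Rule(action, parsed))
    return rules


def matches(rule: Rule, event: Dict[str, Optional[str]]) -> bool:
    """Every condition on the rule must hold for the event.

    A key the rule does not mention is unconstrained, so a rule without
    func= matches every hook (as the dont_audit line above intends).
    """
    return all(event.get(key) == want for key, want in rule.conds.items())


def should_audit(rules: List[Rule], event: Dict[str, Optional[str]]) -> bool:
    """First matching audit/dont_audit rule wins; no match means no audit."""
    for rule in rules:
        if rule.action not in ("audit", "dont_audit"):
            continue
        if matches(rule, event):
            return rule.action == "audit"
    return False


def evaluate(policy_text: str, events: Dict[str, Dict[str, Optional[str]]]) -> Dict[str, bool]:
    """Map each named event to whether the policy would audit it."""
    rules = parse_policy(policy_text)
    return {name: should_audit(rules, ev) for name, ev in events.items()}


# Constructed events mirroring the cover letter's two mounts plus controls.
# fs_subtype for a FUSE mount is the part after "fuse." in /proc/mounts.
EVENTS = {
    "exec from fuse-zip": {"func": "BPRM_CHECK", "fsname": "fuse", "fs_subtype": "fuse-zip"},
    "exec from sshfs":    {"func": "BPRM_CHECK", "fsname": "fuse", "fs_subtype": "sshfs"},
    "open on fuse-zip":   {"func": "FILE_CHECK", "fsname": "fuse", "fs_subtype": "fuse-zip"},
    "exec from ext4":     {"func": "BPRM_CHECK", "fsname": "ext4", "fs_subtype": None},
}

if __name__ == "__main__":
    for label, policy in (("as posted", POLICY), ("reversed", POLICY_REVERSED)):
        print(f"policy {label}:")
        for name, audited in evaluate(policy, EVENTS).items():
            print(f"  {name:20s} -> {'audit' if audited else 'no audit'}")
```

With the rules in the posted order only the fuse-zip exec is audited; with them reversed the sshfs exec is audited as well, because the "audit func=BPRM_CHECK fsname=fuse" line matches first and the later "dont_audit" is never reached. That is the check worth making when adding any dont_* rule to a real policy.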