On Fri, 2025-09-26 at 01:45 +0200, Jann Horn wrote:
> This series adds a "dont_audit" action that cancels out following
> "audit" actions (as we already have for other action types), and also
> adds an "fs_subtype" that can be used to distinguish between FUSE
> filesystems.
>
> With these two patches applied, as a toy example, you can use the
> following policy:
> ```
> dont_audit fsname=fuse fs_subtype=sshfs
> audit func=BPRM_CHECK fsname=fuse
> ```
>
> I have tested that with this policy, executing a binary from a
> "fuse-zip" FUSE filesystem results in an audit log entry:
> ```
> type=INTEGRITY_RULE msg=audit([...]):
> file="/home/user/ima/zipmount/usr/bin/echo" hash="sha256:1d82e8[...]
> ```
> while executing a binary from an "sshfs" FUSE filesystem does not
> generate any audit log entries.
>
> Signed-off-by: Jann Horn <[email protected]>
Thanks, Jann. The patches look fine. Assuming the "toy" test program creates and mounts the fuse filesystems, not just loads the IMA policy rules, could you share it?

thanks,
Mimi
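As an added illustration of the ordering the quoted cover letter relies on (a "dont_audit" line cancelling a later "audit" line because the first matching rule of an action class decides it), here is a small Python model of the policy walk; it is not code from the series or from either poster. It models only the keys the quoted policy uses, and the two exec events and the fs_subtype value "fuse-zip" are constructed stand-ins for the tests described.

```python
# Constructed toy model of the IMA policy walk the thread describes:
# rules are checked in order, and the first rule that matches decides
# its action class, so a "dont_audit" line cancels a later "audit" line.
# Only func, fsname and fs_subtype are modelled; the kernel matches more.
ACTION_CLASS = {"audit": "audit", "dont_audit": "audit",
                "measure": "measure", "dont_measure": "measure"}


def parse_policy(text):
    """Parse 'action key=value ...' lines into (action, conditions) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        action, *kvs = line.split()
        if action not in ACTION_CLASS:
            raise ValueError(f"unknown action {action!r}")
        rules.append((action, dict(kv.split("=", 1) for kv in kvs)))
    return rules


def match_policy(rules, event):
    """Return the set of action classes (e.g. {'audit'}) applying to event."""
    decided, actions = set(), set()
    for action, conds in rules:
        cls = ACTION_CLASS[action]
        if cls in decided:          # this class was already settled
            continue
        if all(event.get(k) == v for k, v in conds.items()):
            decided.add(cls)
            if not action.startswith("dont_"):
                actions.add(cls)
    return actions


POLICY = """
dont_audit fsname=fuse fs_subtype=sshfs
audit func=BPRM_CHECK fsname=fuse
"""

# Constructed events standing in for the two exec() tests in the thread.
ZIP_EXEC = {"func": "BPRM_CHECK", "fsname": "fuse", "fs_subtype": "fuse-zip"}
SSHFS_EXEC = {"func": "BPRM_CHECK", "fsname": "fuse", "fs_subtype": "sshfs"}

if __name__ == "__main__":
    rules = parse_policy(POLICY)
    print(match_policy(rules, ZIP_EXEC))    # {'audit'}
    print(match_policy(rules, SSHFS_EXEC))  # set()
```

Swapping the two policy lines makes the sshfs exec audited as well, which is why the dont_audit rule has to come first.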
