On Thu, Oct 16, 2025 at 5:52 PM Mimi Zohar <[email protected]> wrote: > On Tue, 2025-09-30 at 16:26 +0200, Jann Horn wrote: > > On Tue, Sep 30, 2025 at 12:23 PM Mimi Zohar <[email protected]> wrote: > > > On Fri, 2025-09-26 at 01:45 +0200, Jann Horn wrote: > > > > This series adds a "dont_audit" action that cancels out following > > > > "audit" actions (as we already have for other action types), and also > > > > adds an "fs_subtype" that can be used to distinguish between FUSE > > > > filesystems. > > > > > > > > With these two patches applied, as a toy example, you can use the > > > > following policy: > > > > ``` > > > > dont_audit fsname=fuse fs_subtype=sshfs > > > > audit func=BPRM_CHECK fsname=fuse > > > > ``` > > > > > > > > I have tested that with this policy, executing a binary from a > > > > "fuse-zip" FUSE filesystem results in an audit log entry: > > > > ``` > > > > type=INTEGRITY_RULE msg=audit([...]): > > > > file="/home/user/ima/zipmount/usr/bin/echo" hash="sha256:1d82e8[...] > > > > ``` > > > > while executing a binary from an "sshfs" FUSE filesystem does not > > > > generate any audit log entries. > > > > > > > > Signed-off-by: Jann Horn <[email protected]> > > > > > > > > > Thanks, Jann. The patches look fine. Assuming the "toy" test program > > > creates > > > and mounts the fuse filesystems, not just loads the IMA policy rules, > > > could you > > > share it? > > > > Thanks for the quick review! To clarify, by "toy example" I meant that > > while I was using real FUSE filesystems, the policy I was using is not > > very sensible. > > > > I used real FUSE filesystems for this since I figured that would be > > the easiest way to test, https://github.com/libfuse/sshfs and > > https://bitbucket.org/agalanin/fuse-zip. These are packaged in distros > > like Debian (as "sshfs" and "fuse-zip"). I mounted sshfs with these > > commands (mounting the home directory over ssh at ~/mnt/ssh): > > > > user@vm:~$ cp /usr/bin/echo ~/ima/ > > user@vm:~$ sshfs localhost: ~/mnt/ssh > > > > and mounted fuse-zip with: > > > > user@vm:~/ima$ zip -rD echo.zip /usr/bin/echo > > adding: usr/bin/echo (deflated 62%) > > user@vm:~/ima$ mkdir zipmount > > user@vm:~/ima$ fuse-zip echo.zip zipmount/ > > > > I then ran the executables ~/ima/zipmount/usr/bin/echo and > > ~/mnt/ssh/ima/echo. > > Thank you for the instructions. Due to the holidays, there was a delay. The > patches are now queued in next-integrity for 6.19.
Thanks a lot!
