On Tue, Sep 30, 2025 at 12:23 PM Mimi Zohar <[email protected]> wrote: > On Fri, 2025-09-26 at 01:45 +0200, Jann Horn wrote: > > This series adds a "dont_audit" action that cancels out following > > "audit" actions (as we already have for other action types), and also > > adds an "fs_subtype" that can be used to distinguish between FUSE > > filesystems. > > > > With these two patches applied, as a toy example, you can use the > > following policy: > > ``` > > dont_audit fsname=fuse fs_subtype=sshfs > > audit func=BPRM_CHECK fsname=fuse > > ``` > > > > I have tested that with this policy, executing a binary from a > > "fuse-zip" FUSE filesystem results in an audit log entry: > > ``` > > type=INTEGRITY_RULE msg=audit([...]): > > file="/home/user/ima/zipmount/usr/bin/echo" hash="sha256:1d82e8[...] > > ``` > > while executing a binary from an "sshfs" FUSE filesystem does not > > generate any audit log entries. > > > > Signed-off-by: Jann Horn <[email protected]> > > > Thanks, Jann. The patches look fine. Assuming the "toy" test program creates > and mounts the fuse filesystems, not just loads the IMA policy rules, could > you > share it?
Thanks for the quick review! To clarify, by "toy example" I meant that while I was using real FUSE filesystems, the policy I was using is not very sensible. I used real FUSE filesystems for this since I figured that would be the easiest way to test, https://github.com/libfuse/sshfs and https://bitbucket.org/agalanin/fuse-zip. These are packaged in distros like Debian (as "sshfs" and "fuse-zip"). I mounted sshfs with these commands (mounting the home directory over ssh at ~/mnt/ssh): user@vm:~$ cp /usr/bin/echo ~/ima/ user@vm:~$ sshfs localhost: ~/mnt/ssh and mounted fuse-zip with: user@vm:~/ima$ zip -rD echo.zip /usr/bin/echo adding: usr/bin/echo (deflated 62%) user@vm:~/ima$ mkdir zipmount user@vm:~/ima$ fuse-zip echo.zip zipmount/ I then ran the executables ~/ima/zipmount/usr/bin/echo and ~/mnt/ssh/ima/echo.
