This series adds a "dont_audit" action that cancels out following "audit" actions (as we already have for other action types), and also adds an "fs_subtype" that can be used to distinguish between FUSE filesystems.
With these two patches applied, as a toy example, you can use the following policy:

```
dont_audit fsname=fuse fs_subtype=sshfs
audit func=BPRM_CHECK fsname=fuse
```

I have tested that with this policy, executing a binary from a "fuse-zip" FUSE filesystem results in an audit log entry:

```
type=INTEGRITY_RULE msg=audit([...]): file="/home/user/ima/zipmount/usr/bin/echo" hash="sha256:1d82e8[...]
```

while executing a binary from an "sshfs" FUSE filesystem does not generate any audit log entries.

Signed-off-by: Jann Horn <[email protected]>
---
Jann Horn (2):
      ima: add dont_audit action to suppress audit actions
      ima: add fs_subtype condition for distinguishing FUSE instances

 Documentation/ABI/testing/ima_policy |  3 +-
 security/integrity/ima/ima_policy.c  | 57 ++++++++++++++++++++++++++++++++----
 2 files changed, 54 insertions(+), 6 deletions(-)
---
base-commit: 00642a06d60c897a8348784e1eee9e5369219ce5
change-id: 20250925-ima-audit-8bd219dcc6f6

-- 
Jann Horn <[email protected]>
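To make the "first matching rule of an action type wins" ordering concrete, the following is an added toy model in Python of the policy semantics the cover letter describes; it is illustration code written for this page, not the series or the kernel's own `ima_policy.c`, and it assumes that a rule without `func=` matches every hook and that `fs_subtype` is compared as a plain string.

```python
# Toy model of the IMA audit-rule semantics described above: rules are
# scanned in order and, for the "audit" action type, the first rule whose
# conditions all match decides, so a dont_audit rule placed before an
# audit rule suppresses it. Assumption: a rule with no func= matches any hook.
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str                                 # "audit" or "dont_audit"
    conds: dict = field(default_factory=dict)   # e.g. {"fsname": "fuse"}


def parse_policy(text: str) -> list[Rule]:
    """Parse lines such as 'dont_audit fsname=fuse fs_subtype=sshfs'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, *pairs = line.split()
        conds = dict(pair.split("=", 1) for pair in pairs)
        rules.append(Rule(action, conds))
    return rules


def rule_matches(rule: Rule, ctx: dict) -> bool:
    """Every condition on the rule must equal the matching context value."""
    return all(ctx.get(key) == value for key, value in rule.conds.items())


def should_audit(rules: list[Rule], ctx: dict) -> bool:
    """Return True if the policy would emit an INTEGRITY_RULE audit entry."""
    for rule in rules:
        if rule.action not in ("audit", "dont_audit"):
            continue                       # other action types are out of scope
        if rule_matches(rule, ctx):
            return rule.action == "audit"  # first matching audit-type rule wins
    return False


# The policy from the cover letter (constructed input for this toy model).
POLICY = """
dont_audit fsname=fuse fs_subtype=sshfs
audit func=BPRM_CHECK fsname=fuse
"""

# Same two rules in the opposite order, to show that placement matters.
REVERSED_POLICY = """
audit func=BPRM_CHECK fsname=fuse
dont_audit fsname=fuse fs_subtype=sshfs
"""
```

With `POLICY`, an exec from a `fuse-zip` mount is audited and one from `sshfs` is not; with `REVERSED_POLICY` the `audit` rule is reached first and the `sshfs` exec is audited as well.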
