Hi!

On Tue, Sep 30, 2025 at 12:23 PM Mimi Zohar <[email protected]> wrote:
> On Fri, 2025-09-26 at 01:45 +0200, Jann Horn wrote:
> > This series adds a "dont_audit" action that cancels out following
> > "audit" actions (as we already have for other action types), and also
> > adds an "fs_subtype" that can be used to distinguish between FUSE
> > filesystems.
> >
> > With these two patches applied, as a toy example, you can use the
> > following policy:
> > ```
> > dont_audit fsname=fuse fs_subtype=sshfs
> > audit func=BPRM_CHECK fsname=fuse
> > ```
> >
> > I have tested that with this policy, executing a binary from a
> > "fuse-zip" FUSE filesystem results in an audit log entry:
> > ```
> > type=INTEGRITY_RULE msg=audit([...]): 
> > file="/home/user/ima/zipmount/usr/bin/echo" hash="sha256:1d82e8[...]
> > ```
> > while executing a binary from an "sshfs" FUSE filesystem does not
> > generate any audit log entries.
> >
> > Signed-off-by: Jann Horn <[email protected]>
>
>
> Thanks, Jann.  The patches look fine.

What's the next step here - are the patches going to land in the
next-integrity branch, so that they will go into 6.19?

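As an added example (not code from the patch series or from the kernel), the following Python model shows how an ordered policy containing `dont_audit` and `audit` rules resolves for the two FUSE mounts in the quoted message, and why the order of the two rules matters. The file contexts, the policy text and the `fuse-zip` subtype string are constructed for the example (the subtype is taken from the quoted description, not from a real mount table), and the evaluation is a deliberate simplification of IMA's matching: the first rule that matches for a given action decides that action, so a matching `dont_audit` placed before an `audit` rule exempts what it matches.

```python
"""Toy model of audit / dont_audit policy evaluation.

Added example, not kernel code.  It models one property of IMA policy
matching: rules are scanned in order, and the first rule that matches for
an action (here only 'audit') decides that action, so later rules for the
same action are ignored.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str                                 # "audit" or "dont_audit"
    conds: dict = field(default_factory=dict)   # e.g. {"fsname": "fuse"}


def parse_policy(text: str) -> list[Rule]:
    """Parse lines such as 'dont_audit fsname=fuse fs_subtype=sshfs'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, *pairs = line.split()
        if action not in ("audit", "dont_audit"):
            raise ValueError(f"unsupported action {action!r}")
        conds = {}
        for pair in pairs:
            key, sep, value = pair.partition("=")
            if not sep or not key or not value:
                raise ValueError(f"malformed condition {pair!r}")
            conds[key] = value
        rules.append(Rule(action, conds))
    return rules


def rule_matches(rule: Rule, ctx: dict) -> bool:
    """Every condition on the rule must equal the matching context value.

    A rule that does not mention a key (e.g. no func=) matches any value
    of that key.
    """
    return all(ctx.get(k) == v for k, v in rule.conds.items())


def should_audit(rules: list[Rule], ctx: dict) -> bool:
    """True if the access described by ctx would produce an audit record.

    First matching audit/dont_audit rule wins; if nothing matches, the
    file is not audited.
    """
    for rule in rules:
        if rule_matches(rule, ctx):
            return rule.action == "audit"
    return False


def evaluate(policy_text: str, ctx: dict) -> bool:
    return should_audit(parse_policy(policy_text), ctx)


# The policy from the quoted message.
POLICY = """
dont_audit fsname=fuse fs_subtype=sshfs
audit func=BPRM_CHECK fsname=fuse
"""

# Same two rules swapped: the audit rule now matches sshfs executions first,
# so the dont_audit rule never gets a chance to exempt them.
REVERSED_POLICY = """
audit func=BPRM_CHECK fsname=fuse
dont_audit fsname=fuse fs_subtype=sshfs
"""

# Constructed access contexts (the kernel derives these from the hook that
# fired and from the superblock of the file being accessed).
FUSE_ZIP_EXEC = {"func": "BPRM_CHECK", "fsname": "fuse", "fs_subtype": "fuse-zip"}
SSHFS_EXEC = {"func": "BPRM_CHECK", "fsname": "fuse", "fs_subtype": "sshfs"}
SSHFS_READ = {"func": "FILE_CHECK", "fsname": "fuse", "fs_subtype": "sshfs"}
LOCAL_EXEC = {"func": "BPRM_CHECK", "fsname": "ext4"}


if __name__ == "__main__":
    for name, ctx in [("fuse-zip exec", FUSE_ZIP_EXEC), ("sshfs exec", SSHFS_EXEC),
                      ("sshfs read", SSHFS_READ), ("ext4 exec", LOCAL_EXEC)]:
        print(f"{name:14s} policy={evaluate(POLICY, ctx)!s:5s} "
              f"reversed={evaluate(REVERSED_POLICY, ctx)}")
```

With the quoted policy the fuse-zip execution is audited and the sshfs one is not, as the message reports; with the two rules reversed, sshfs executions are audited as well, which is the ordering mistake to watch for when writing `dont_` exemptions.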