On Tue, 2025-09-30 at 16:26 +0200, Jann Horn wrote: > On Tue, Sep 30, 2025 at 12:23 PM Mimi Zohar <[email protected]> wrote: > > On Fri, 2025-09-26 at 01:45 +0200, Jann Horn wrote: > > > This series adds a "dont_audit" action that cancels out following > > > "audit" actions (as we already have for other action types), and also > > > adds an "fs_subtype" that can be used to distinguish between FUSE > > > filesystems. > > > > > > With these two patches applied, as a toy example, you can use the > > > following policy: > > > ``` > > > dont_audit fsname=fuse fs_subtype=sshfs > > > audit func=BPRM_CHECK fsname=fuse > > > ``` > > > > > > I have tested that with this policy, executing a binary from a > > > "fuse-zip" FUSE filesystem results in an audit log entry: > > > ``` > > > type=INTEGRITY_RULE msg=audit([...]): > > > file="/home/user/ima/zipmount/usr/bin/echo" hash="sha256:1d82e8[...] > > > ``` > > > while executing a binary from an "sshfs" FUSE filesystem does not > > > generate any audit log entries. > > > > > > Signed-off-by: Jann Horn <[email protected]> > > > > > > Thanks, Jann. The patches look fine. Assuming the "toy" test program > > creates > > and mounts the fuse filesystems, not just loads the IMA policy rules, could > > you > > share it? > > Thanks for the quick review! To clarify, by "toy example" I meant that > while I was using real FUSE filesystems, the policy I was using is not > very sensible. > > I used real FUSE filesystems for this since I figured that would be > the easiest way to test, https://github.com/libfuse/sshfs and > https://bitbucket.org/agalanin/fuse-zip. These are packaged in distros > like Debian (as "sshfs" and "fuse-zip"). I mounted sshfs with these > commands (mounting the home directory over ssh at ~/mnt/ssh): > > user@vm:~$ cp /usr/bin/echo ~/ima/ > user@vm:~$ sshfs localhost: ~/mnt/ssh > > and mounted fuse-zip with: > > user@vm:~/ima$ zip -rD echo.zip /usr/bin/echo > adding: usr/bin/echo (deflated 62%) > user@vm:~/ima$ mkdir zipmount > user@vm:~/ima$ fuse-zip echo.zip zipmount/ > > I then ran the executables ~/ima/zipmount/usr/bin/echo and ~/mnt/ssh/ima/echo.
Thank you for the instructions. Due to the holidays, there was a delay. The patches are now queued in next-integrity for 6.19. Mimi
