From: Mimi Zohar <zohar@linux.ibm.com>
To: Jann Horn <jannh@google.com>,
Roberto Sassu <roberto.sassu@huawei.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
Eric Snowberg <eric.snowberg@oracle.com>
Cc: Frank Dinoff <fdinoff@google.com>,
linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: Re: [PATCH 0/2] ima: add dont_audit and fs_subtype to policy language
Date: Tue, 30 Sep 2025 06:23:47 -0400 [thread overview]
Message-ID: <ef7c07585e41c8afbb2b97df98fd47c9374b15cb.camel@linux.ibm.com> (raw)
In-Reply-To: <20250926-ima-audit-v1-0-64d75fdc8fdc@google.com>
On Fri, 2025-09-26 at 01:45 +0200, Jann Horn wrote:
> This series adds a "dont_audit" action that cancels out following
> "audit" actions (as we already have for other action types), and also
> adds an "fs_subtype" that can be used to distinguish between FUSE
> filesystems.
>
> With these two patches applied, as a toy example, you can use the
> following policy:
> ```
> dont_audit fsname=fuse fs_subtype=sshfs
> audit func=BPRM_CHECK fsname=fuse
> ```
>
> I have tested that with this policy, executing a binary from a
> "fuse-zip" FUSE filesystem results in an audit log entry:
> ```
> type=INTEGRITY_RULE msg=audit([...]): file="/home/user/ima/zipmount/usr/bin/echo" hash="sha256:1d82e8[...]
> ```
> while executing a binary from an "sshfs" FUSE filesystem does not
> generate any audit log entries.
>
> Signed-off-by: Jann Horn <jannh@google.com>
Thanks, Jann. The patches look fine. Assuming the "toy" test program creates
and mounts the fuse filesystems, not just loads the IMA policy rules, could you
share it?
thanks,
Mimi
next prev parent reply other threads:[~2025-09-30 10:24 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-25 23:45 [PATCH 0/2] ima: add dont_audit and fs_subtype to policy language Jann Horn
2025-09-25 23:45 ` [PATCH 1/2] ima: add dont_audit action to suppress audit actions Jann Horn
2025-09-25 23:45 ` [PATCH 2/2] ima: add fs_subtype condition for distinguishing FUSE instances Jann Horn
2025-09-30 10:23 ` Mimi Zohar [this message]
2025-09-30 14:26 ` [PATCH 0/2] ima: add dont_audit and fs_subtype to policy language Jann Horn
2025-10-16 15:52 ` Mimi Zohar
2025-10-16 15:53 ` Jann Horn
2025-10-14 15:55 ` Jann Horn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ef7c07585e41c8afbb2b97df98fd47c9374b15cb.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=eric.snowberg@oracle.com \
--cc=fdinoff@google.com \
--cc=jannh@google.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=roberto.sassu@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox