| author | Jann Horn <jannh@google.com> | 2025-09-26 01:45:07 +0200 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.ibm.com> | 2025-10-16 11:12:20 -0400 |
| commit | 43369273518f57b7d56c1cf12d636a809b7bd81b (patch) | |
| tree | d7a7e3d28552c1b1f6c2e8fd4467e38c93209e01 /Documentation/ABI | |
| parent | 345123d650db724d53ffee84d7365008c6f729de (diff) | |
ima: add fs_subtype condition for distinguishing FUSE instances

Linux systems often use FUSE for several different purposes, where the
contents of some FUSE instances can be of more interest for auditing
than others.

Allow distinguishing between them based on the filesystem subtype
(s_subtype) using the new condition "fs_subtype".

The subtype string is supplied by userspace FUSE daemons
when a FUSE connection is initialized, so policy authors who want to
filter based on subtype need to ensure that FUSE mount operations are
sufficiently audited or restricted.

Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'Documentation/ABI')
| -rw-r--r-- | Documentation/ABI/testing/ima_policy | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index 5d548dd2c6e7..d4b3696a9efb 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -23,6 +23,7 @@ Description: audit | dont_audit | hash | dont_hash condition:= base | lsm [option] base: [[func=] [mask=] [fsmagic=] [fsuuid=] [fsname=] + [fs_subtype=] [uid=] [euid=] [gid=] [egid=] [fowner=] [fgroup=]] lsm: [[subj_user=] [subj_role=] [subj_type=] |
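Review bot: The new "[fs_subtype=]" token on the "base:" grammar line is the only documentation added (the diffstat shows a single insertion), so the ABI file does not say what value the condition takes or how it is matched against s_subtype. The commit message's caveat that the subtype string is supplied by the userspace FUSE daemon at connection setup is also absent from the file that policy authors will actually read. I would add a short description entry for fs_subtype in this file, plus one sentence stating that the value is controlled by whoever performs the mount, so rules keyed on it are only meaningful when FUSE mount operations are audited or restricted. Minor style point: the neighbouring keywords on the same line are "fsmagic", "fsuuid" and "fsname" without an underscore, so "fs_subtype" breaks the naming pattern; if that is deliberate, a word on why in the commit message would help.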