On Thu, Oct 11, 2018 at 4:03 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> On Thu, 2018-10-11 at 13:30 -0700, Matthew Garrett wrote:
> > Ok, should this just be part of the IMA policy?
>
> How would you be able to differentiate between different FUSE
> filesystems for example?

There's a couple of ways. We could extend the filesystem type matching
logic to also check the subtype - you'd then need to enforce that at
the LSM level in order to protect against untrusted filesystems
spoofing the filesystem type. Alternatively, we could add an additional
policy match type for mount point and iterate through s_mounts on the
superblock - if any match, we could define the policy there?