fix: use correct FUSE magic for IMA fsmagic matching

twelho · smira · commit 141e452c4aa7 · 2025-06-03T15:12:12.000+04:00
`FUSE_CTL_SUPER_MAGIC` is the superblock magic of the [control filesystem](https://www.kernel.org/doc/html/v6.12/filesystems/fuse.html#control-filesystem), actual FUSE mount points have `FUSE_SUPER_MAGIC` in their superblock. This mismatch essentially makes the `dont_measure` rule a no-op, which causes all files under FUSE mount points to be measured with SHA-512 on every `open(2)`, equivalently to #11129, causing major performance overhead. As #11133 disables IMA globally for future releases, this is only relevant for v1.10 and before, see #11129 (comment) for details. Signed-off-by: Dennis Marttinen <twelho@welho.tech> Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
diff --git a/internal/app/machined/pkg/startup/ima.go b/internal/app/machined/pkg/startup/ima.go
@@ -44,7 +44,7 @@ var rules = []string{
 	"dont_measure fsmagic=0xef51",     // EXT2_OLD_SUPER_MAGIC
 	"dont_measure fsmagic=0xef53",     // EXT2_SUPER_MAGIC / EXT3_SUPER_MAGIC / EXT4_SUPER_MAGIC
 	"dont_measure fsmagic=0x00c36400", // CEPH_SUPER_MAGIC
-	"dont_measure fsmagic=0x65735543", // FUSE_CTL_SUPER_MAGIC
+	"dont_measure fsmagic=0x65735546", // FUSE_SUPER_MAGIC
 	"measure func=MMAP_CHECK mask=MAY_EXEC",
 	"measure func=BPRM_CHECK mask=MAY_EXEC",
 	"measure func=FILE_CHECK mask=^MAY_READ euid=0",
