import CS ima-evm-utils-1.5-3.el9

SOURCES/ima-add-sigs.sh

@@ -1,16 +1,31 @@
 #!/bin/bash
 #
 # This script add IMA signatures to installed RPM package files
-# Usage: add_ima_sigs.sh [--package=PACKAGE_NAME|ALL] [--ima-cert=IMA_CERT_PATH] [--reinstall_threshold=NUM]
-#
-# By default, it will add IMA sigantures to all installed package files. Or you
-# can provide a package name to only add IMA signature for files of specicifed
-# package.  If it detects >=20 packages (or 1 package if you specify a package
-# name) missing signatures in the RPM database, it will reinstall the packages
-# in order to get the IMA signatures.
-#
-# With the signing IMA cert path specified, it will also try to verify
-# the added IMA signature.
+usage() {
+	echo "Add IMA signatures to installed packages."
+	cat <<EOF
+usage: $0 [--package=PACKAGE_NAME|ALL] [--ima-cert=IMA_CERT_PATH] [--reinstall_threshold=NUM]
+
+       --package
+       By default, it will add IMA sigantures to all installed package files.
+       Or you can provide a package name to only add IMA signature for files of
+       specicifed package.
+
+       --reinstall_threshold
+       When there are >reinstall_threshold (=20 by default) packages in the RPM
+       DB missing IMA signatures, reinstalling the packages to add IMA
+       signatures to the packages.  By default, IMA sigatures will be obtained
+       from the RPM DB. However the RPM DB may not have the signatures. Dectect
+       this case by checking if there are >reinstall_threshold package missing
+       IMA signatures.
+
+       --ima-cert
+       With the signing IMA cert path specified, it will also try to verify the
+       added IMA signature.
+
+EOF
+	exit 1
+}
 
 for _opt in "$@"; do
 	case "$_opt" in
@@ -24,7 +39,7 @@ for _opt in "$@"; do
 		ima_cert=${_opt#*=}
 		;;
 	*)
-		usage
+		[[ -n $1 ]] && usage
 		;;
 	esac
 done
@@ -41,7 +56,7 @@ abort() {
 # Add IMA signatures from RPM database
 add_from_rpm_db() {
 	if ! command -v setfattr &>/dev/null; then
-			abort "Please install attr"
+		abort "Please install attr"
 	fi
 
 	# use "|" as deliminator since it won't be used in a filename or signature
@@ -80,7 +95,7 @@ if [[ -z $reinstall_threshold ]]; then
 	if [[ $package == "--all" ]]; then
 		reinstall_threshold=20
 	else
-		if ! rpm -q --quiet $package; then
+		if ! rpm -q --quiet "$package"; then
 			dnf install "$package" -yq >/dev/null
 			exit 0
 		fi
@@ -88,7 +103,7 @@ if [[ -z $reinstall_threshold ]]; then
 	fi
 fi
 
-unsigned_packages_in_rpm_db=$(rpm -q --queryformat "%{SIGPGP:pgpsig}\n" $package | grep "^(none)$" | wc -l)
+unsigned_packages_in_rpm_db=$(rpm -q --queryformat "%{SIGPGP:pgpsig}\n" "$package" | grep "^(none)$" | wc -l)
 
 if [[ $unsigned_packages_in_rpm_db -ge $reinstall_threshold ]]; then
 	add_by_reinstall

SOURCES/ima-setup.sh

@@ -17,8 +17,12 @@ usage: $0 --policy=IMA_POLICY_PATH [--reinstall_threshold=NUM]
        /usr/share/ima/policies or you can use your own IMA policy
 
        --reinstall_threshold
-       When there are >reinstall_threshold packages in the RPM DB missing IMA signatures, reinstalling the packages to add IMA signatures to the packages.
-       By default, IMA sigatures will be obtained from the RPM DB. However the RPM DB may not have the signatures. Dectect this case by checking if there are >reinstall_threshold package missing IMA signatures.
+       When there are >reinstall_threshold packages in the RPM DB missing IMA
+       signatures, reinstalling the packages to add IMA signatures to the
+       packages.  By default, IMA sigatures will be obtained from the RPM DB.
+       However the RPM DB may not have the signatures. Dectect this case by
+       checking if there are >reinstall_threshold package missing IMA
+       signatures.
 
 EOF
 	exit 1

SOURCES/policy-01-appraise-exectuables-and-lib-signatures

@@ -1,2 +0,0 @@
-appraise func=MMAP_CHECK mask=MAY_EXEC appraise_type=imasig
-appraise func=BPRM_CHECK appraise_type=imasig

SOURCES/policy-01-appraise-executable-and-lib-signatures

@@ -0,0 +1,28 @@
+# Skip some unsupported filesystems
+# This list of the filesystems can be found on
+# https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy
+# PROC_SUPER_MAGIC
+dont_appraise fsmagic=0x9fa0
+# SYSFS_MAGIC
+dont_appraise fsmagic=0x62656572
+# DEBUGFS_MAGIC
+dont_appraise fsmagic=0x64626720
+# TMPFS_MAGIC
+dont_appraise fsmagic=0x01021994
+# RAMFS_MAGIC
+dont_appraise fsmagic=0x858458f6
+# DEVPTS_SUPER_MAGIC
+dont_appraise fsmagic=0x1cd1
+# BINFMTFS_MAGIC
+dont_appraise fsmagic=0x42494e4d
+# SECURITYFS_MAGIC
+dont_appraise fsmagic=0x73636673
+# SELINUX_MAGIC
+dont_appraise fsmagic=0xf97cff8c
+# CGROUP_SUPER_MAGIC
+dont_appraise fsmagic=0x27e0eb
+# NSFS_MAGIC
+dont_appraise fsmagic=0x6e736673
+
+appraise func=MMAP_CHECK mask=MAY_EXEC appraise_type=imasig
+appraise func=BPRM_CHECK appraise_type=imasig

SOURCES/policy_list

@@ -1,2 +1,2 @@
-01-appraise-exectuables-and-lib-signatures
+01-appraise-executable-and-lib-signatures
 02-keylime-remote-attestation

SPECS/ima-evm-utils.spec

@@ -8,7 +8,7 @@
 
 Name:    ima-evm-utils
 Version: 1.5
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: IMA/EVM support utilities
 License: GPLv2
 Url:     http://linux-ima.sourceforge.net/
@@ -18,7 +18,7 @@ Source0:  https://github.com/mimizohar/ima-evm-utils/releases/download/v%{versio
 Source2: dracut-98-integrity.conf
 Source3: ima-add-sigs.sh
 Source4: ima-setup.sh
-Source100: policy-01-appraise-exectuables-and-lib-signatures
+Source100: policy-01-appraise-executable-and-lib-signatures
 Source101: policy-02-keylime-remote-attestation
 Source200: policy_list
 Source300: redhatimarelease-9.der
@@ -138,6 +138,9 @@ install -m 644 %{SOURCE300} %{SOURCE301} $RPM_BUILD_ROOT/etc/keys/ima/
 %{_libdir}/libimaevm.so
 
 %changelog
+* Wed Nov 13 2024 Coiby Xu <coxu@redhat.com> - 1.5-3
+- Skip unsupported file systems for sample appraisal rule (RHEL-62817)
+
 * Fri Jun 07 2024 Coiby Xu <coxu@redhat.com> - 1.5-2
 - add some IMA setup tools (RHEL-33751)