Don't allow files in tmpfs to be executed
Resolves: https://issues.redhat.com/browse/RHEL-153545 Upstream: Fedora Commit 83b610d ("Skip some file systems for appraisal") was to make gnome-shell work but the policy becomes unnecessarily unrestrictive. So only make an exception for mmap exec which may be needed by libffi. Fixes: 83b610d ("Skip some file systems for appraisal") Suggested-by: Marko Myllynen <myllynen@redhat.com> Signed-off-by: Coiby Xu <coxu@redhat.com>
This commit is contained in:
Coiby Xu
parent
787f8d22b7
commit
55f1d7467b
@ -1,28 +1,5 @@
|
||||
# Skip some unsupported filesystems
|
||||
# This list of the filesystems can be found on
|
||||
# https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy
|
||||
# PROC_SUPER_MAGIC
|
||||
dont_appraise fsmagic=0x9fa0
|
||||
# SYSFS_MAGIC
|
||||
dont_appraise fsmagic=0x62656572
|
||||
# DEBUGFS_MAGIC
|
||||
dont_appraise fsmagic=0x64626720
|
||||
# TMPFS_MAGIC
|
||||
dont_appraise fsmagic=0x01021994
|
||||
# RAMFS_MAGIC
|
||||
dont_appraise fsmagic=0x858458f6
|
||||
# DEVPTS_SUPER_MAGIC
|
||||
dont_appraise fsmagic=0x1cd1
|
||||
# BINFMTFS_MAGIC
|
||||
dont_appraise fsmagic=0x42494e4d
|
||||
# SECURITYFS_MAGIC
|
||||
dont_appraise fsmagic=0x73636673
|
||||
# SELINUX_MAGIC
|
||||
dont_appraise fsmagic=0xf97cff8c
|
||||
# CGROUP_SUPER_MAGIC
|
||||
dont_appraise fsmagic=0x27e0eb
|
||||
# NSFS_MAGIC
|
||||
dont_appraise fsmagic=0x6e736673
|
||||
# Allow use cases like libffi
|
||||
dont_appraise mask=MAY_EXEC func=MMAP_CHECK fsmagic=0x01021994
|
||||
|
||||
appraise func=MMAP_CHECK mask=MAY_EXEC appraise_type=imasig
|
||||
appraise func=BPRM_CHECK appraise_type=imasig
|
||||
|
||||
Loading…
Reference in New Issue
Block a user