From 55f1d7467be9490faa0d04523ba73502d3db3a69 Mon Sep 17 00:00:00 2001 From: Coiby Xu Date: Sat, 14 Feb 2026 16:29:07 +0800 Subject: [PATCH] Don't allow files in tmpfs to be executed Resolves: https://issues.redhat.com/browse/RHEL-153545 Upstream: Fedora Commit 83b610d ("Skip some file systems for appraisal") was to make gnome-shell work but the policy becomes unnecessarily unrestrictive. So only make an exception for mmap exec which may be needed by libffi. Fixes: 83b610d ("Skip some file systems for appraisal") Suggested-by: Marko Myllynen Signed-off-by: Coiby Xu --- ...-01-appraise-executable-and-lib-signatures | 27 ++----------------- 1 file changed, 2 insertions(+), 25 deletions(-) diff --git a/policy-01-appraise-executable-and-lib-signatures b/policy-01-appraise-executable-and-lib-signatures index 53feed5..1d5ab50 100644 --- a/policy-01-appraise-executable-and-lib-signatures +++ b/policy-01-appraise-executable-and-lib-signatures @@ -1,28 +1,5 @@ -# Skip some unsupported filesystems -# This list of the filesystems can be found on -# https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy -# PROC_SUPER_MAGIC -dont_appraise fsmagic=0x9fa0 -# SYSFS_MAGIC -dont_appraise fsmagic=0x62656572 -# DEBUGFS_MAGIC -dont_appraise fsmagic=0x64626720 -# TMPFS_MAGIC -dont_appraise fsmagic=0x01021994 -# RAMFS_MAGIC -dont_appraise fsmagic=0x858458f6 -# DEVPTS_SUPER_MAGIC -dont_appraise fsmagic=0x1cd1 -# BINFMTFS_MAGIC -dont_appraise fsmagic=0x42494e4d -# SECURITYFS_MAGIC -dont_appraise fsmagic=0x73636673 -# SELINUX_MAGIC -dont_appraise fsmagic=0xf97cff8c -# CGROUP_SUPER_MAGIC -dont_appraise fsmagic=0x27e0eb -# NSFS_MAGIC -dont_appraise fsmagic=0x6e736673 +# Allow use cases like libffi +dont_appraise mask=MAY_EXEC func=MMAP_CHECK fsmagic=0x01021994 appraise func=MMAP_CHECK mask=MAY_EXEC appraise_type=imasig appraise func=BPRM_CHECK appraise_type=imasig
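Review bot: the subject line and the new comment at the top of the hunk describe the change less precisely than the rules do: with the old tmpfs dont_appraise line removed, executables on tmpfs (fsmagic 0x01021994) are not blocked outright but fall through to `appraise func=BPRM_CHECK appraise_type=imasig`, so a file carrying a valid IMA signature still runs and only unsigned or modified files are refused; the one remaining exemption is MMAP_CHECK with mask=MAY_EXEC on tmpfs. Consider wording the subject as "Require IMA signatures for executables in tmpfs" and expanding `# Allow use cases like libffi` to keep the symbolic magic name the removed lines had, e.g. `# TMPFS_MAGIC: libffi needs exec mmap of tmpfs files`, plus a note that this line must stay above the `appraise func=MMAP_CHECK` rule because IMA acts on the first matching rule. The commit message only mentions tmpfs, yet the hunk also drops the dont_appraise rules for proc, sysfs, debugfs, ramfs, devpts, binfmtfs, securityfs, selinuxfs, cgroup and nsfs; state why that is safe (the surviving rules appraise only on exec and exec-mmap, which those filesystems do not normally serve) so a later reader does not mistake the removal for an accident.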