Skip some file systems for appraisal

Resolves: https://issues.redhat.com/browse/RHEL-34778 Conflict: None Upstream Status: https://src.fedoraproject.org/rpms/ima-evm-utils.git commit 83b610d7edee02804dc1cecab8e151728925e90b Author: Coiby Xu <coxu@redhat.com> Date: Wed Oct 16 13:48:01 2024 +0800 Skip some file systems for appraisal Resolves: https://issues.redhat.com/browse/RHEL-62817 When 01-appraise-exectuables-and-lib-signatures is enabled, no login screen is available for user to log in. This happens because IMA stops gnome-shell from creating some temp files as can been from the audit log, type=INTEGRITY_DATA msg=audit(1728700747.130:10235): pid=3240 uid=42 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 op=appraise_data cause=IMA-signature-required comm="gnome-shell" name="/dev/shm/#3223" dev="tmpfs" ino=3223 res=0 errno=0UID="gdm" AUID="unset" type=INTEGRITY_DATA msg=audit(1728700747.130:10236): pid=3240 uid=42 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 op=appraise_data cause=IMA-signature-required comm="gnome-shell" name="/run/user/42/#454" dev="tmpfs" ino=454 res=0 errno=0UID="gdm" AUID="unset" type=INTEGRITY_DATA msg=audit(1728700747.131:10237): pid=3240 uid=42 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 op=appraise_data cause=IMA-signature-required comm="gnome-shell" name="memfd:libffi" dev="tmpfs" ino=578 res=0 errno=0UID="gdm" AUID="unset" Skip the file systems as listed in https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy Reported-by: Raju Cheerla <rcheerla@redhat.com> Signed-off-by: Coiby Xu <coxu@redhat.com>
2024-11-05 11:29:13 +08:00 · 2024-11-05 11:29:13 +08:00 · 909a75b554
commit 909a75b554
parent 84d7562079
4 changed files with 30 additions and 4 deletions
--- a/ima-evm-utils.spec
+++ b/ima-evm-utils.spec
@ -18,7 +18,7 @@ Source0: https://github.com/mimizohar/ima-evm-utils/releases/download/v%{version
 Source2: dracut-98-integrity.conf
 Source3: ima-add-sigs.sh
 Source4: ima-setup.sh
-Source100: policy-01-appraise-exectuables-and-lib-signatures
+Source100: policy-01-appraise-executable-and-lib-signatures
 Source101: policy-02-keylime-remote-attestation
 Source200: policy_list
 Source300: redhatimarelease-10.der
--- a/2
+++ b/2
@ -1,2 +0,0 @@
-appraise func=MMAP_CHECK mask=MAY_EXEC appraise_type=imasig
-appraise func=BPRM_CHECK appraise_type=imasig
--- a/28
+++ b/28
@ -0,0 +1,28 @@
+# Skip some unsupported filesystems
+# This list of the filesystems can be found on
+# https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy
+# PROC_SUPER_MAGIC
+dont_appraise fsmagic=0x9fa0
+# SYSFS_MAGIC
+dont_appraise fsmagic=0x62656572
+# DEBUGFS_MAGIC
+dont_appraise fsmagic=0x64626720
+# TMPFS_MAGIC
+dont_appraise fsmagic=0x01021994
+# RAMFS_MAGIC
+dont_appraise fsmagic=0x858458f6
+# DEVPTS_SUPER_MAGIC
+dont_appraise fsmagic=0x1cd1
+# BINFMTFS_MAGIC
+dont_appraise fsmagic=0x42494e4d
+# SECURITYFS_MAGIC
+dont_appraise fsmagic=0x73636673
+# SELINUX_MAGIC
+dont_appraise fsmagic=0xf97cff8c
+# CGROUP_SUPER_MAGIC
+dont_appraise fsmagic=0x27e0eb
+# NSFS_MAGIC
+dont_appraise fsmagic=0x6e736673
+
+appraise func=MMAP_CHECK mask=MAY_EXEC appraise_type=imasig
+appraise func=BPRM_CHECK appraise_type=imasig
--- a/2
+++ b/2
@ -1,2 +1,2 @@
-01-appraise-exectuables-and-lib-signatures
+01-appraise-executable-and-lib-signatures
 02-keylime-remote-attestation