From 909a75b55473e457bc91c20eedb13e8e6f2597b4 Mon Sep 17 00:00:00 2001
From: Coiby Xu
Date: Tue, 5 Nov 2024 11:29:13 +0800
Subject: [PATCH] Skip some file systems for appraisal

Resolves: https://issues.redhat.com/browse/RHEL-34778
Conflict: None
Upstream Status: https://src.fedoraproject.org/rpms/ima-evm-utils.git

commit 83b610d7edee02804dc1cecab8e151728925e90b
Author: Coiby Xu
Date:   Wed Oct 16 13:48:01 2024 +0800

    Skip some file systems for appraisal

    Resolves: https://issues.redhat.com/browse/RHEL-62817

    When 01-appraise-exectuables-and-lib-signatures is enabled, no login
    screen is available for the user to log in. This happens because IMA
    stops gnome-shell from creating some temp files, as can be seen from
    the audit log:

    type=INTEGRITY_DATA msg=audit(1728700747.130:10235): pid=3240 uid=42 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 op=appraise_data cause=IMA-signature-required comm="gnome-shell" name="/dev/shm/#3223" dev="tmpfs" ino=3223 res=0 errno=0UID="gdm" AUID="unset"
    type=INTEGRITY_DATA msg=audit(1728700747.130:10236): pid=3240 uid=42 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 op=appraise_data cause=IMA-signature-required comm="gnome-shell" name="/run/user/42/#454" dev="tmpfs" ino=454 res=0 errno=0UID="gdm" AUID="unset"
    type=INTEGRITY_DATA msg=audit(1728700747.131:10237): pid=3240 uid=42 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 op=appraise_data cause=IMA-signature-required comm="gnome-shell" name="memfd:libffi" dev="tmpfs" ino=578 res=0 errno=0UID="gdm" AUID="unset"

    Skip the file systems as listed in
    https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy

    Reported-by: Raju Cheerla
Signed-off-by: Coiby Xu --- ima-evm-utils.spec | 2 +- ...01-appraise-exectuables-and-lib-signatures | 2 -- ...-01-appraise-executable-and-lib-signatures | 28 +++++++++++++++++++ policy_list | 2 +- 4 files changed, 30 insertions(+), 4 deletions(-) delete mode 100644 policy-01-appraise-exectuables-and-lib-signatures create mode 100644 policy-01-appraise-executable-and-lib-signatures diff --git a/ima-evm-utils.spec b/ima-evm-utils.spec index 7b31b80..f38188e 100644 --- a/ima-evm-utils.spec +++ b/ima-evm-utils.spec @@ -18,7 +18,7 @@ Source0: https://github.com/mimizohar/ima-evm-utils/releases/download/v%{version Source2: dracut-98-integrity.conf Source3: ima-add-sigs.sh Source4: ima-setup.sh -Source100: policy-01-appraise-exectuables-and-lib-signatures +Source100: policy-01-appraise-executable-and-lib-signatures Source101: policy-02-keylime-remote-attestation Source200: policy_list Source300: redhatimarelease-10.der diff --git a/policy-01-appraise-exectuables-and-lib-signatures b/policy-01-appraise-exectuables-and-lib-signatures deleted file mode 100644 index afc4530..0000000 --- a/policy-01-appraise-exectuables-and-lib-signatures +++ /dev/null @@ -1,2 +0,0 @@ -appraise func=MMAP_CHECK mask=MAY_EXEC appraise_type=imasig -appraise func=BPRM_CHECK appraise_type=imasig diff --git a/policy-01-appraise-executable-and-lib-signatures b/policy-01-appraise-executable-and-lib-signatures new file mode 100644 index 0000000..53feed5 --- /dev/null +++ b/policy-01-appraise-executable-and-lib-signatures 
@@ -0,0 +1,28 @@ +# Skip some unsupported filesystems +# This list of the filesystems can be found on +# https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy +# PROC_SUPER_MAGIC +dont_appraise fsmagic=0x9fa0 +# SYSFS_MAGIC +dont_appraise fsmagic=0x62656572 +# DEBUGFS_MAGIC +dont_appraise fsmagic=0x64626720 +# TMPFS_MAGIC +dont_appraise fsmagic=0x01021994 +# RAMFS_MAGIC +dont_appraise fsmagic=0x858458f6 +# DEVPTS_SUPER_MAGIC +dont_appraise fsmagic=0x1cd1 +# BINFMTFS_MAGIC +dont_appraise fsmagic=0x42494e4d +# SECURITYFS_MAGIC +dont_appraise fsmagic=0x73636673 +# SELINUX_MAGIC +dont_appraise fsmagic=0xf97cff8c +# CGROUP_SUPER_MAGIC +dont_appraise fsmagic=0x27e0eb +# NSFS_MAGIC +dont_appraise fsmagic=0x6e736673 + +appraise func=MMAP_CHECK mask=MAY_EXEC appraise_type=imasig +appraise func=BPRM_CHECK appraise_type=imasig diff --git a/policy_list b/policy_list index 23ff71a..af81a74 100644 --- a/policy_list +++ b/policy_list @@ -1,2 +1,2 @@ -01-appraise-exectuables-and-lib-signatures +01-appraise-executable-and-lib-signatures 02-keylime-remote-attestation
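Review bot: the `Source100:` change in ima-evm-utils.spec renames the policy file from `policy-01-appraise-exectuables-and-lib-signatures` to `policy-01-appraise-executable-and-lib-signatures`, which fixes the `exectuables` typo and also turns the plural into a singular, yet the commit message describes only the new `dont_appraise` rules and never mentions that the file is renamed. Add one sentence to the commit message stating the rename and the typo fix, so that someone bisecting or backporting this change does not have to infer it from the spec diff; the `policy_list` hunk at the end of the patch depends on the same rename and should be mentioned alongside it.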
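Review bot: the old policy file is dropped and the new one created (`deleted file mode 100644` / `new file mode 100644`) instead of being recorded as a rename, so the history of the two `appraise` lines that survive unchanged in the new file is detached from it. Regenerating the patch with rename detection (`git format-patch -M`) would show the two rules as carried over and the eleven `dont_appraise` lines as the only real addition, which is also what the commit message claims the change does.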
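Review bot: in the new policy-01-appraise-executable-and-lib-signatures, the `dont_appraise fsmagic=` rules work only because they sit above the two `appraise` rules (IMA applies the first rule that matches), but nothing in the file says so; a comment such as `# Order matters: the dont_appraise rules must stay above the appraise rules below` would keep a later edit from reordering them. The header `# Skip some unsupported filesystems` is also misleading, since proc, sysfs, tmpfs and the others are pseudo or in-memory filesystems whose files are created at runtime and therefore never carry a signature (exactly the `cause=IMA-signature-required` failures on `dev="tmpfs"` in the commit message), so a wording like `# Skip pseudo/in-memory filesystems whose files cannot carry IMA signatures` states the actual reason. Finally, the trade-off deserves a line in the commit message: with TMPFS_MAGIC (0x01021994) excluded, an executable or library loaded from /dev/shm, /run/user or a tmpfs-backed /tmp is no longer subject to the `BPRM_CHECK` / `MMAP_CHECK` signature appraisal. This matches the kernel's documented example appraise policy referenced in the file, but it means the `noexec` mount option on those locations is the control that covers that gap, and reviewers of the policy should know that.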