[meta-security,v2,2/8] ima: Fix the ima_policy_appraise_all to appraise executables & libraries

Message ID 20230509133053.1032476-3-stefanb@linux.ibm.com
State New
Series: Fix IMA and EVM support

Commit Message

Stefan Berger May 9, 2023, 1:30 p.m. UTC
Fix the ima_policy_appraise_all policy to appraise all executables
and libraries. Also update the list of files that are not appraised to not
appraise cgroup-related files.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 .../files/ima_policy_appraise_all                        | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
Patch

diff --git a/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
index 36e71a7..3387edc 100644
--- a/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
+++ b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
@@ -25,5 +25,12 @@  dont_appraise fsmagic=0xf97cff8c
 dont_appraise fsmagic=0x6e736673
 # EFIVARFS_MAGIC
 dont_appraise fsmagic=0xde5e81e4
+# Cgroup
+dont_appraise fsmagic=0x27e0eb
+# Cgroup2
+dont_appraise fsmagic=0x63677270
 
-appraise
+# Appraise libraries
+appraise func=MMAP_CHECK mask=MAY_EXEC appraise_type=imasig
+# Appraise executables
+appraise func=BPRM_CHECK appraise_type=imasig
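Review bot: replacing the bare `appraise` rule with the two `func=`-scoped `appraise_type=imasig` rules at the end of this hunk narrows the policy in two ways the commit message does not mention, and both deserve a sentence there. The old rule had no `func=`, so it matched every IMA hook and appraised files opened for reading as well; the new rules only fire on `BPRM_CHECK` and on `MMAP_CHECK` with `MAY_EXEC`, so ordinary file reads are no longer appraised. And `appraise_type=imasig` makes a signature mandatory, so an executable or library whose security.ima holds only a hash now fails appraisal where it previously passed. Given that the file is still called ima_policy_appraise_all, state explicitly that it now appraises executables and executable mappings only, and only with signatures. Rule order is fine: the `dont_appraise` entries stay ahead of the `appraise` rules, which is what first-match evaluation requires. Minor style point on the cgroup lines: the rest of the file labels each `fsmagic` with the kernel constant name (`# EFIVARFS_MAGIC`), so `+# Cgroup` and `+# Cgroup2` would read more consistently as `# CGROUP_SUPER_MAGIC` and `# CGROUP2_SUPER_MAGIC`; the values 0x27e0eb and 0x63677270 do match those constants.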