Message ID | 20230509133053.1032476-3-stefanb@linux.ibm.com |
---|---|
State | New |
Series | Fix IMA and EVM support |
diff --git a/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all index 36e71a7..3387edc 100644 --- a/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all +++ b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all @@ -25,5 +25,12 @@ dont_appraise fsmagic=0xf97cff8c dont_appraise fsmagic=0x6e736673 # EFIVARFS_MAGIC dont_appraise fsmagic=0xde5e81e4 +# Cgroup +dont_appraise fsmagic=0x27e0eb +# Cgroup2 +dont_appraise fsmagic=0x63677270 -appraise +# Appraise libraries +appraise func=MMAP_CHECK mask=MAY_EXEC appraise_type=imasig +# Appraise executables +appraise func=BPRM_CHECK appraise_type=imasig
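Review bot: The two rules added at the end of the hunk only cover `func=BPRM_CHECK` and `func=MMAP_CHECK mask=MAY_EXEC`, so once the catch-all `appraise` line is removed, files reached through other hooks (for example FILE_CHECK, MODULE_CHECK or FIRMWARE_CHECK) are no longer appraised by a policy that is still named ima_policy_appraise_all. If the narrowing is intended, state it in the commit message and consider either renaming the policy or adding explicit rules for kernel modules and firmware. Note also that `appraise_type=imasig` requires a signature, so files labelled only with a hash will now fail appraisal where the old rule accepted them. As a style point, the new `# Cgroup` and `# Cgroup2` comments could name the constants (CGROUP_SUPER_MAGIC, CGROUP2_SUPER_MAGIC) to match the `# EFIVARFS_MAGIC` comment just above.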
Fix the ima_policy_appraise_all policy to appraise all executables and libraries. Also update the list of files that are not appraised to not appraise cgroup related files.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

---

.../files/ima_policy_appraise_all | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)