Skip to content

Commit

Permalink
Merge pull request #12791 from matusmarhefka/unauthorized_world_writable
Browse files Browse the repository at this point in the history 
Update file_permissions_unauthorized_world_writable
  • Loading branch information
@jan-cerny
jan-cerny authored Jan 8, 2025
2 parents 0cd545d + b7679cd commit 4f3a557
Show file tree
Hide file tree
Showing 2 changed files with 12 additions and 2 deletions.
8 changes: 6 additions & 2 deletions ...uide/system/permissions/files/file_permissions_unauthorized_world_writable/bash/shared.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,12 +5,16 @@
# disruption = low

FILTER_NODEV=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | awk '{ print $1 }')

# Do not consider /sysroot partition because it contains only the physical
# read-only root on bootable containers.
PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | awk '{ print $1 }' | grep -v "/sysroot")

for PARTITION in $PARTITIONS; do
find "${PARTITION}" -xdev -type f -perm -002 -exec chmod o-w {} \; 2>/dev/null
done

# Ensure /tmp is also fixed whem tmpfs is used.
# Ensure /tmp is also fixed when tmpfs is used.
if grep "^tmpfs /tmp" /proc/mounts; then
find /tmp -xdev -type f -perm -002 -exec chmod o-w {} \; 2>/dev/null
fi
6 changes: 6 additions & 0 deletions ...ide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,11 @@
operation="pattern match">^/selinux/(?:(?:member)|(?:user)|(?:relabel)|(?:create)|(?:access)|(?:context))$</unix:filepath>
</unix:file_state>

<unix:file_state id="state_file_permissions_unauthorized_world_write_sysroot" version="1"
comment="Used to filter out all files in the /sysroot directory">
<unix:filepath operation="pattern match">^/sysroot/.*$</unix:filepath>
</unix:file_state>

{{%- set var_local_mount_points = "var_" ~ rule_id ~ "_local_mountpoints" -%}}
{{{ create_local_mount_points_list(var_local_mount_points) }}}

Expand All @@ -35,6 +40,7 @@
<unix:filename operation="pattern match">^.*$</unix:filename>
<filter action="include">state_file_permissions_unauthorized_world_write</filter>
<filter action="exclude">state_file_permissions_unauthorized_world_write_special_selinux_files</filter>
<filter action="exclude">state_file_permissions_unauthorized_world_write_sysroot</filter>
</unix:file_object>

<unix:file_test id="test_file_permissions_unauthorized_world_write" version="1"
Expand Down

0 comments on commit 4f3a557

Please sign in to comment.