cvm-image-rewriter/ima: update policy (#184)

Signed-off-by: Lu, Ken <ken.lu@intel.com>

.github/workflows/pr-container-check.yaml

@@ -15,7 +15,7 @@ on:
 jobs:
   build_container:
     name: Build job for container
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout Code
         uses: actions/checkout@v3

.github/workflows/pr-doclint.yaml

@@ -9,7 +9,7 @@ on:
 
 jobs:
   scan_doc:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v3
       - uses: streetsidesoftware/cspell-action@v2

.github/workflows/pr-golang-check.yaml

@@ -26,7 +26,7 @@ permissions:
 
 jobs:
   golangci-lint:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v3
         with:

.github/workflows/pr-license-python.yaml

@@ -8,7 +8,7 @@ on:
 
 jobs:
   python-license-scan:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4

.github/workflows/pr-pylint.yaml

@@ -13,7 +13,7 @@ on:
 
 jobs:
   scan_python:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout PR
         uses: actions/checkout@v3
@@ -27,7 +27,7 @@ jobs:
           python3 -m pip install pylint
           python3 -m pip install -r ./sdk/python3/requirements.txt
 
-      - name: Analyze python code 
+      - name: Analyze python code
         run: |
           set -ex
           export PYTHONPATH=$PWD/ccnp:$PYTHONPATH

.github/workflows/pr-shell-check.yaml

@@ -9,7 +9,7 @@ on:
 
 jobs:
   codescan:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v3
       - name: Run ShellCheck

tools/cvm-image-rewriter/pre-stage/98-ima-enable-simple/file_list

@@ -14,5 +14,5 @@
 /etc/
 /usr/lib/
 /usr/share/
-/run/
+#/run/
 /var/lib/

tools/cvm-image-rewriter/pre-stage/98-ima-enable-simple/files/etc/ima/ima-policy

@@ -1,3 +1,17 @@
+#dont_measure  fsmagic=0x9fa0
+#dont_measure  fsmagic=0x62656572
+#dont_measure  fsmagic=0x64626720
+#dont_measure  fsmagic=0x1021994
+#dont_measure  fsmagic=0x858458f6
+#dont_measure  fsmagic=0x1cd1
+#dont_measure  fsmagic=0x42494e4d
+#dont_measure  fsmagic=0x73636673
+#dont_measure  fsmagic=0xf97cff8c
+#dont_measure  fsmagic=0x43415d53
+#dont_measure  fsmagic=0x6e736673
+#dont_measure  fsmagic=0x27e0eb
+#dont_measure  fsmagic=0x63677270
+
 dont_appraise fsmagic=0x9fa0
 dont_appraise fsmagic=0x62656572
 dont_appraise fsmagic=0x64626720
@@ -11,4 +25,4 @@ dont_appraise fsmagic=0x43415d53
 dont_appraise fsmagic=0x6e736673
 dont_appraise fsmagic=0x27e0eb
 dont_appraise fsmagic=0x63677270
-appraise fowner=0
+#appraise fowner=0

tools/cvm-image-rewriter/run.sh

@@ -8,7 +8,7 @@ SCRIPTS_DIR="${TOP_DIR}/scripts"
 TARGET_FILES_DIR="$(mktemp -d /tmp/cvm_target_files.XXXXXX)"
 INPUT_IMG=""
 OUTPUT_IMG="output.qcow2"
-TIMEOUT=3
+TIMEOUT=6
 CONNECTION_SOCK=""
 CONSOLE_OPT=""
 
@@ -34,8 +34,8 @@ Usage: $(basename "$0") [OPTION]...
 Required
   -i <guest image>          Specify initial guest image file
 Optional
-  -t <number of minutes>    Specify the timeout of rewriting, 3 minutes default,
-                            If enabling ima, recommend timeout >6 minutes
+  -t <number of minutes>    Specify the timeout of rewriting, 6 minutes default,
+                            If enabling ima, recommend timeout >8 minutes
   -s <connection socket>    Default is connection URI is qemu:///system,
                             if install libvirt, you can specify to "/var/run/libvirt/libvirt-sock"
                             then the corresponding URI is "qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock"
@@ -302,7 +302,7 @@ do_cloud_init() {
         --connect ${CONNECT_URI} \
         --disk /tmp/ciiso.iso,device=cdrom \
         --os-type Linux \
-	    --os-variant ubuntu21.10 \
+        --os-variant ubuntu21.10 \
         --virt-type kvm \
         --graphics none \
         --import \