From a7a5814e2d79be824ad602bdf3e71fb021a5482b Mon Sep 17 00:00:00 2001
From: Lu Ken
Date: Tue, 26 Dec 2023 14:39:07 +0800
Subject: [PATCH] cvm-image-rewriter/ima: update policy (#184)
Signed-off-by: Lu, Ken
---
.github/workflows/pr-container-check.yaml | 2 +-
.github/workflows/pr-doclint.yaml | 2 +-
.github/workflows/pr-golang-check.yaml | 2 +-
.github/workflows/pr-license-python.yaml | 2 +-
.github/workflows/pr-pylint.yaml | 4 ++--
.github/workflows/pr-shell-check.yaml | 2 +-
.../pre-stage/98-ima-enable-simple/file_list | 2 +-
.../files/etc/ima/ima-policy | 16 +++++++++++++++-
tools/cvm-image-rewriter/run.sh | 8 ++++----
9 files changed, 27 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/pr-container-check.yaml b/.github/workflows/pr-container-check.yaml
index 4f3d86cc..e30ba39d 100644
--- a/.github/workflows/pr-container-check.yaml
+++ b/.github/workflows/pr-container-check.yaml
@@ -15,7 +15,7 @@ on:
jobs:
build_container:
name: Build job for container
- runs-on: ubuntu-latest
+ runs-on: ubuntu-22.04
steps:
- name: Checkout Code
uses: actions/checkout@v3
diff --git a/.github/workflows/pr-doclint.yaml b/.github/workflows/pr-doclint.yaml
index 0ed5b28e..f57847e4 100644
--- a/.github/workflows/pr-doclint.yaml
+++ b/.github/workflows/pr-doclint.yaml
@@ -9,7 +9,7 @@ on:
jobs:
scan_doc:
- runs-on: ubuntu-latest
+ runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v3
- uses: streetsidesoftware/cspell-action@v2
diff --git a/.github/workflows/pr-golang-check.yaml b/.github/workflows/pr-golang-check.yaml
index 24522a21..d5a2adb3 100644
--- a/.github/workflows/pr-golang-check.yaml
+++ b/.github/workflows/pr-golang-check.yaml
@@ -26,7 +26,7 @@ permissions:
jobs:
golangci-lint:
- runs-on: ubuntu-latest
+ runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v3
with:
diff --git a/.github/workflows/pr-license-python.yaml b/.github/workflows/pr-license-python.yaml
index 7a844dfe..15ab6e5e 100644
--- a/.github/workflows/pr-license-python.yaml
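Review bot: The `runs-on: ubuntu-22.04` pin carries no comment saying why `ubuntu-latest` was abandoned, and the same edit is repeated across six workflows with nothing recording the reason. Add `# pinned: ubuntu-latest rolls to new Ubuntu releases without notice; bump deliberately` above the key so the next maintainer does not "clean it up" back to latest. Pinning the runner only fixes one side of reproducibility: the `uses: actions/checkout@v3` step visible in the same hunk still resolves a mutable major tag, so the job's inputs can change without a diff; pinning actions to a full commit SHA (with the tag in a trailing comment) would close that gap, though it is outside what this commit changes.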
+++ b/.github/workflows/pr-license-python.yaml
@@ -8,7 +8,7 @@ on:
jobs:
python-license-scan:
- runs-on: ubuntu-latest
+ runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v3
- uses: actions/setup-python@v4
diff --git a/.github/workflows/pr-pylint.yaml b/.github/workflows/pr-pylint.yaml
index 46c06c1e..6f59fc4d 100644
--- a/.github/workflows/pr-pylint.yaml
+++ b/.github/workflows/pr-pylint.yaml
@@ -13,7 +13,7 @@ on:
jobs:
scan_python:
- runs-on: ubuntu-latest
+ runs-on: ubuntu-22.04
steps:
- name: Checkout PR
uses: actions/checkout@v3
@@ -27,7 +27,7 @@ jobs:
python3 -m pip install pylint
python3 -m pip install -r ./sdk/python3/requirements.txt
- - name: Analyze python code
+ - name: Analyze python code
run: |
set -ex
export PYTHONPATH=$PWD/ccnp:$PYTHONPATH
diff --git a/.github/workflows/pr-shell-check.yaml b/.github/workflows/pr-shell-check.yaml
index 3a8d7d11..b84cd747 100644
--- a/.github/workflows/pr-shell-check.yaml
+++ b/.github/workflows/pr-shell-check.yaml
@@ -9,7 +9,7 @@ on:
jobs:
codescan:
- runs-on: ubuntu-latest
+ runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v3
- name: Run ShellCheck
diff --git a/tools/cvm-image-rewriter/pre-stage/98-ima-enable-simple/file_list b/tools/cvm-image-rewriter/pre-stage/98-ima-enable-simple/file_list
index 6e8424fe..3fdc08df 100644
--- a/tools/cvm-image-rewriter/pre-stage/98-ima-enable-simple/file_list
+++ b/tools/cvm-image-rewriter/pre-stage/98-ima-enable-simple/file_list
@@ -14,5 +14,5 @@
/etc/
/usr/lib/
/usr/share/
-/run/
+#/run/
/var/lib/
diff --git a/tools/cvm-image-rewriter/pre-stage/98-ima-enable-simple/files/etc/ima/ima-policy b/tools/cvm-image-rewriter/pre-stage/98-ima-enable-simple/files/etc/ima/ima-policy
index 2dffa14a..8369522d 100644
--- a/tools/cvm-image-rewriter/pre-stage/98-ima-enable-simple/files/etc/ima/ima-policy
+++ b/tools/cvm-image-rewriter/pre-stage/98-ima-enable-simple/files/etc/ima/ima-policy
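Review bot: `#/run/` keeps a dead entry in the list instead of removing it, and nothing in the hunk records why `/run/` is no longer handled alongside `/etc/`, `/usr/lib/`, `/usr/share/` and `/var/lib/`. Whether the consumer of `file_list` treats a leading `#` as a comment is not visible here; if it does not, the line will be passed on as the literal path `#/run/`, so confirm that before merging. Either delete the line or make the intent explicit, e.g. `# /run/ omitted: runtime tmpfs contents are not part of the image`, where the reason given is my guess and should be replaced by the real one.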
@@ -1,3 +1,17 @@
+#dont_measure fsmagic=0x9fa0
+#dont_measure fsmagic=0x62656572
+#dont_measure fsmagic=0x64626720
+#dont_measure fsmagic=0x1021994
+#dont_measure fsmagic=0x858458f6
+#dont_measure fsmagic=0x1cd1
+#dont_measure fsmagic=0x42494e4d
+#dont_measure fsmagic=0x73636673
+#dont_measure fsmagic=0xf97cff8c
+#dont_measure fsmagic=0x43415d53
+#dont_measure fsmagic=0x6e736673
+#dont_measure fsmagic=0x27e0eb
+#dont_measure fsmagic=0x63677270
+
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
dont_appraise fsmagic=0x64626720
@@ -11,4 +25,4 @@ dont_appraise fsmagic=0x43415d53
dont_appraise fsmagic=0x6e736673
dont_appraise fsmagic=0x27e0eb
dont_appraise fsmagic=0x63677270
-appraise fowner=0
+#appraise fowner=0
diff --git a/tools/cvm-image-rewriter/run.sh b/tools/cvm-image-rewriter/run.sh
index 307553b3..102f8d8b 100755
--- a/tools/cvm-image-rewriter/run.sh
+++ b/tools/cvm-image-rewriter/run.sh
@@ -8,7 +8,7 @@ SCRIPTS_DIR="${TOP_DIR}/scripts"
TARGET_FILES_DIR="$(mktemp -d /tmp/cvm_target_files.XXXXXX)"
INPUT_IMG=""
OUTPUT_IMG="output.qcow2"
-TIMEOUT=3
+TIMEOUT=6
CONNECTION_SOCK=""
CONSOLE_OPT=""
@@ -34,8 +34,8 @@ Usage: $(basename "$0") [OPTION]...
Required
-i Specify initial guest image file
Optional
- -t Specify the timeout of rewriting, 3 minutes default,
- If enabling ima, recommend timeout >6 minutes
+ -t Specify the timeout of rewriting, 6 minutes default,
+ If enabling ima, recommend timeout >8 minutes
-s Default is connection URI is qemu:///system, if install libvirt, you can specify to "/var/run/libvirt/libvirt-sock" then the corresponding URI is "qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock"
@@ -302,7 +302,7 @@ do_cloud_init() {
--connect ${CONNECT_URI} \
--disk /tmp/ciiso.iso,device=cdrom \
--os-type Linux \
- --os-variant ubuntu21.10 \
+ --os-variant ubuntu21.10 \
--virt-type kvm \
--graphics none \
--import \
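Review bot: The thirteen `#dont_measure fsmagic=...` lines added at the top of the policy are commented out, so they change nothing, and no comment says whether they are a reminder, a disabled experiment, or meant to be enabled later. Dead configuration in a file that is loaded into the kernel's IMA policy is a trap: a later edit that uncomments the block narrows the measurement scope without anyone intending it. Either drop the block or head it with one line stating its status, e.g. `# dont_measure rules intentionally disabled: measurement scope is left to the kernel's built-in policy`, if that is indeed the intent; the hunk does not show which boot-time `ima_policy=` the image uses, so that needs confirming.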
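Review bot: With `appraise fowner=0` commented out, the file no longer contains any `appraise` (or `measure`) rule, only `dont_appraise` exceptions, so root-owned files stop being appraised and the exceptions above it become no-ops. A custom policy written to securityfs normally replaces the kernel's built-in rules rather than extending them, so if this image relies on this file for its IMA behavior the change may silently disable integrity enforcement rather than relax it; the boot parameters that would settle this are not in the hunk, so this needs confirming. If appraisal is meant to be off, say so on the line, e.g. `# appraisal disabled: root-owned files are measured only, not enforced`; if it is meant to stay on for root-owned files, bring the rule back, possibly narrowed, e.g. `appraise fowner=0 func=BPRM_CHECK mask=MAY_EXEC`.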
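Review bot: The usage text now hard-codes `6 minutes default` while the actual default lives in `TIMEOUT=6` in an earlier hunk, so the two had to be edited together in this commit and will drift apart on the next change. Interpolate the variable instead: `-t Specify the timeout of rewriting, ${TIMEOUT} minutes default,`. The usage function holding this text starts and ends outside the hunk, so check that the heredoc is unquoted and expands variables before relying on this; the `$(basename "$0")` in the hunk's header context suggests it already does.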