Merge pull request #14379 from vojtapolasek/fix_mount_option_nodev_local_parts_vfat

mount_option_nodev_nonroot_local_partitions: ignore vfat partitions

Author: Mab879

linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml

@@ -31,6 +31,7 @@
       - lustre
       - davfs
       - fuse.sshfs
+      - vfat
 
 - name: "{{{ rule_title }}}: Ensure non-root local partitions are mounted with nodev option"
   ansible.posix.mount:
@@ -41,6 +42,7 @@
     fstype: "{{ item.fstype }}"
   when:
     - "item.mount is match('/\\w')"
+    - "item.mount is not match('/(boot|efi)')"
     - "item.options is not search('nodev')"
     - "item.fstype not in excluded_fstypes"
   with_items:
@@ -49,5 +51,5 @@
 - name: "{{{ rule_title }}}: Ensure non-root local partitions are present with nodev option in /etc/fstab"
   ansible.builtin.replace:
     path: /etc/fstab
-    regexp: '^\s*(?!#)(/dev/\S+|UUID=\S+)\s+(/\w\S*)\s+(\S+)\s+(?!.*\bnodev\b)(\S+)(.*)$'
+    regexp: '^\s*(?!#)(/dev/\S+|UUID=\S+)\s+(/(?!boot|efi)\w\S*)\s+(?!vfat\s)(\S+)\s+(?!.*\bnodev\b)(\S+)(.*)$'
     replace: '\1 \2 \3 \4,nodev \5'

linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh

@@ -30,6 +30,7 @@ excluded_fstypes=(
     lustre
     davfs
     fuse.sshfs
+    vfat
 )
 
 for partition_record in "${partitions_records[@]}"; do
@@ -38,6 +39,11 @@ for partition_record in "${partitions_records[@]}"; do
     device="$(echo "${partition_record}" | cut -d " " -f2)"
     device_type="$(echo "${partition_record}" | cut -d " " -f3)"
 
+    # Skip /boot and /efi partitions
+    if [[ "$mount_point" =~ ^/(boot|efi) ]]; then
+        continue
+    fi
+
     # Skip polyinstantiated directories
     if printf '%s\0' "${polyinstantiated_dirs[@]}" | grep -qxzF "$mount_point"; then
         continue
@@ -59,5 +65,5 @@ for partition_record in "${partitions_records[@]}"; do
     {{{ bash_ensure_partition_is_mounted("$mount_point")     | indent(4) }}}
 done
 
-# Remediate unmounted /etc/fstab entries
-sed -i -E '/nodev/! s;^\s*(/dev/\S+|UUID=\S+)\s+(/\w\S*)\s+(\S+)\s+(\S+)(.*)$;\1 \2 \3 \4,nodev \5;' /etc/fstab
+# Remediate unmounted /etc/fstab entries, excluding /boot, /efi, and vfat partitions
+sed -i -E '/nodev/! { /^\s*(\/dev\/\S+|UUID=\S+)\s+\/(boot|efi)/! { /^\s*(\/dev\/\S+|UUID=\S+)\s+\/\w\S*\s+vfat\s/! s;^\s*(/dev/\S+|UUID=\S+)\s+(/\w\S*)\s+(\S+)\s+(\S+)(.*)$;\1 \2 \3 \4,nodev \5; } }' /etc/fstab

linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/oval/shared.xml

@@ -33,7 +33,7 @@
   <linux:partition_state id="state_local_nodev" version="1">
     <!-- this check defines a local partition as one which has a device node in /dev -->
     <linux:device operation="pattern match">^/dev/.*$</linux:device>
-    <linux:fs_type operation="pattern match">^(?!afs$|autofs$|ceph$|cifs$|smb3$|smbfs$|sshfs$|ncpfs$|ncp$|nfs$|nfs4$|gfs$|gfs2$|glusterfs$|gpfs$|pvfs2$|ocfs2$|lustre$|davfs$|fuse\.sshfs$).+</linux:fs_type>
+    <linux:fs_type operation="pattern match">^(?!afs$|autofs$|ceph$|cifs$|smb3$|smbfs$|sshfs$|ncpfs$|ncp$|nfs$|nfs4$|gfs$|gfs2$|glusterfs$|gpfs$|pvfs2$|ocfs2$|lustre$|davfs$|fuse\.sshfs$|vfat$).+</linux:fs_type>
     <linux:mount_options datatype="string" entity_check="all"
     operation="not equal">nodev</linux:mount_options>
   </linux:partition_state>
@@ -46,7 +46,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object version="1" id="object_non_root_partitions_in_fstab">
     <ind:filepath>/etc/fstab</ind:filepath>
-    <ind:pattern operation="pattern match">^\s*(?!#)(?:/dev/\S+|UUID=\S+)\s+/\w\S*\s+\S+\s+(\S+)</ind:pattern>
+    <ind:pattern operation="pattern match">^\s*(?!#)(?:/dev/\S+|UUID=\S+)\s+/(?!boot|efi)\w\S*\s+(?!vfat\s)\S+\s+(\S+)</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
   <ind:textfilecontent54_state version="1"

linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml

@@ -24,6 +24,7 @@ ocil: |
 
 ocil_clause: "some mounts appear among output lines"
 
+
 severity: medium
 
 identifiers:
@@ -50,3 +51,16 @@ fixtext: |-
     Configure the "/etc/fstab" to use the "nodev" option on all non-root local partitions.
 
 srg_requirement: '{{{ full_name }}} must prevent special devices on non-root local partitions.'
+
+warnings:
+    - general: |-
+        This rule checks only local partitions, identified as those backed by
+        a device node in <tt>/dev</tt>. Network file systems such as NFS, CIFS,
+        GlusterFS and others are excluded because they do not expose local
+        device nodes. The <tt>/boot</tt> and <tt>/efi</tt> partitions are
+        excluded because they are special partitions usually handled by a
+        systemd mount unit, and enforcing <tt>nodev</tt> on them during
+        operating system installation causes issues. Partitions with the
+        <tt>vfat</tt> file system type are excluded because vfat does not
+        support Unix device special files, so <tt>nodev</tt> enforcement on
+        them is not meaningful.

linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/vfat_without_nodev.pass.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+. $SHARED/partition.sh
+
+# Add nodev option to all records in fstab to ensure that test will
+# run on environment where everything is set correctly for rule check.
+cp /etc/fstab /etc/fstab.backup
+sed -i -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
+# Remount all partitions. (--all option can't be used because it doesn't
+# mount e.g. /boot partition
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
+for partition in ${partitions[@]}; do
+    mount -o remount "$partition"
+done
+
+# A vfat partition without nodev should be ignored by the rule.
+PARTITION="/dev/new_partition1"; create_partition
+make_fstab_given_partition_line "/tmp/partition1" vfat defaults