From 88f3dbaa8ab47336bde39432226373731e9e4cac Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 7 Dec 2023 16:43:00 -0600
Subject: [PATCH 1/2] Remove remediations from partition_for_dev_shm

Both the Blueprint and Anaconda are not applicable on modern Linux OSs.
---
 .../partition_for_dev_shm/rule.yml | 29 ++++++++++++-------
 1 file changed, 18 insertions(+), 11 deletions(-)

diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_dev_shm/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_dev_shm/rule.yml
index 263a88213a2..afb9aa2e5c7 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_dev_shm/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_dev_shm/rule.yml
@@ -3,19 +3,19 @@ documentation_complete: true title: 'Ensure /dev/shm is configured' description: |- - The /dev/shm is a traditional shared memory concept. - One program will create a memory portion, which other processes - (if permitted) can access. If /dev/shm is not configured, + The /dev/shm is a traditional shared memory concept. + One program will create a memory portion, which other processes + (if permitted) can access. If /dev/shm is not configured, tmpfs will be mounted to /dev/shm by systemd. rationale: |- - Any user can upload and execute files inside the /dev/shm similar to - the /tmp partition. Configuring /dev/shm allows an administrator - to set the noexec option on the mount, making /dev/shm useless for an attacker to - install executable code. It would also prevent an attacker from establishing a - hardlink to a system setuid program and wait for it to be updated. Once the program - was updated, the hardlink would be broken and the attacker would have his own copy - of the program. If the program happened to have a security vulnerability, the attacker + Any user can upload and execute files inside the /dev/shm similar to + the /tmp partition. Configuring /dev/shm allows an administrator + to set the noexec option on the mount, making /dev/shm useless for an attacker to + install executable code. It would also prevent an attacker from establishing a + hardlink to a system setuid program and wait for it to be updated. Once the program + was updated, the hardlink would be broken and the attacker would have his own copy + of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. severity: low 
@@ -39,8 +39,15 @@ fixtext: '{{{ fixtext_separate_partition(part="/dev/shm") }}}'
 
 platform: machine
 
+warnings:
+- general: |-
+ This rule does not have a remedation.
+ It is expected that this will be managed by systemd and will be a tmpfs partition.
+
 template:
 name: mount
 vars:
 mountpoint: /dev/shm
- min_size: 2147483648
+ backends:
+ blueprint: 'off'
+ anaconda: 'off'

From 490f4c01d4eafe63b68b806008b9c40d8ac33297 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 7 Dec 2023 16:23:04 -0600
Subject: [PATCH 2/2] Turn off blueprint remediation for mount_option_dev_shm_*

Since this should be tmpfs and this making IB builds fail these rules' blueprint remediation has been disabled.
---
 .../permissions/partitions/mount_option_dev_shm_nodev/rule.yml | 1 +
 .../permissions/partitions/mount_option_dev_shm_noexec/rule.yml | 1 +
 .../permissions/partitions/mount_option_dev_shm_nosuid/rule.yml | 1 +
 3 files changed, 3 insertions(+)

diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
index 0c28efb1451..594309bbe55 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
@@ -66,6 +66,7 @@ template:
 type@sle12: ''
 backends:
 anaconda: 'off'
+ blueprint: 'off'
 
 fixtext: |-
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
index 7debed33dab..b86b80493c3 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
@@ -73,3 +73,4 @@ template:
 type@sle12: ''
 backends:
 anaconda: 'off'
+ blueprint: 'off'
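Review bot: The new `warnings` entry claims the rule has no remediation, but the hunk only switches off the `blueprint` and `anaconda` backends of the `mount` template, so any other backend that template provides (bash, Ansible) is still generated, and the manual `fixtext` visible in the hunk context still reads `fixtext_separate_partition(part="/dev/shm")`, which tells the assessor to create a separate partition — the opposite of "managed by systemd and will be a tmpfs". Either disable the remaining backends and replace the fixtext with tmpfs-oriented guidance, or narrow the warning to what the hunk actually does, e.g. `This rule has no Blueprint or Anaconda remediation; /dev/shm is expected to be a tmpfs mounted by systemd.` While editing it, fix the typo `remedation` → `remediation`. Dropping `min_size` also silently drops the size requirement from the check; if the template's OVAL still requires an explicit fstab or mount entry, a default systemd-mounted tmpfs may still fail, which is worth confirming against the template before asserting systemd satisfies the rule.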
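Review bot: With `blueprint: 'off'` added under `backends` next to the existing `anaconda: 'off'`, this rule has no install-time remediation left, so an Image Builder image built from a profile containing it will fail the nodev check unless the fstab entry is applied afterwards by another backend; the commit message explains why blueprints cannot do it, but nothing in the rule tells a guide reader that. Consider adding a `warnings` entry mirroring the one added to `partition_for_dev_shm` in this series, stating that blueprints cannot set mount options on the systemd-managed tmpfs and the option must be applied via `/etc/fstab` after installation. The single quotes around `'off'` are required — an unquoted `off` is boolean false under YAML 1.1 loaders and would not select the backend state the build expects. The enclosing `template:` mapping starts above the hunk.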
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
index f8bf73b56bb..2cd40a6f3c9 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
@@ -66,6 +66,7 @@ template:
 type@sle12: ''
 backends:
 anaconda: 'off'
+ blueprint: 'off'
 
 fixtext: |-
 {{{ fixtext_mount_option("/dev/shm", "nosuid") }}}
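Review bot: The rule now has both install-time fstab backends disabled (`anaconda: 'off'` in context, `blueprint: 'off'` added) but no documentation of the consequence, so the generated guide gives an Image Builder user a failing nosuid check with no hint of how to satisfy it. Suggest a top-level `warnings:` / `- general: |-` entry beside `fixtext` with a sentence along the lines of "Image Builder blueprints cannot set mount options on the systemd-managed tmpfs at /dev/shm; apply this option through /etc/fstab with the bash or Ansible remediation after installation" — hedged, because whether those backends exist for this template is not visible in the hunk. The `fixtext` lines at the end are unchanged context, and the `template:` mapping starts above the hunk.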