34 lines
1.4 KiB
Diff
34 lines
1.4 KiB
Diff
|
From 479b5cd94f16052cf6ea28d0e8abba2b926fff83 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Stefan Berger <stefanb@us.ibm.com>
|
||
|
|
Date: Thu, 13 Oct 2016 16:49:43 -0400
|
||
|
|
Subject: [PATCH] 98integrity: support validating the IMA policy file signature
|
||
|
|
|
||
|
|
IMA validates file signatures based on the security.ima xattr. As of
|
||
|
|
Linux-4.7, instead of cat'ing the IMA policy into the securityfs policy,
|
||
|
|
the IMA policy pathname can be written, allowing the IMA policy file
|
||
|
|
signature to be validated.
|
||
|
|
|
||
|
|
This patch first attempts to write the pathname, but on failure falls
|
||
|
|
back to cat'ing the IMA policy contents .
|
||
|
|
|
||
|
|
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
|
||
|
|
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
|
||
|
|
---
|
||
|
|
modules.d/98integrity/ima-policy-load.sh | 3 ++-
|
||
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||
|
|
|
||
|
|
diff --git a/modules.d/98integrity/ima-policy-load.sh b/modules.d/98integrity/ima-policy-load.sh
|
||
|
|
index 0061cff..5460d02 100755
|
||
|
|
--- a/modules.d/98integrity/ima-policy-load.sh
|
||
|
|
+++ b/modules.d/98integrity/ima-policy-load.sh
|
||
|
|
@@ -30,7 +30,8 @@ load_ima_policy()
|
||
|
|
# check the existence of the IMA policy file
|
||
|
|
[ -f "${IMAPOLICYPATH}" ] && {
|
||
|
|
info "Loading the provided IMA custom policy";
|
||
|
|
- cat ${IMAPOLICYPATH} > ${IMASECDIR}/policy;
|
||
|
|
+ echo -n "${IMAPOLICYPATH}" > ${IMASECDIR}/policy || \
|
||
|
|
+ cat "${IMAPOLICYPATH}" > ${IMASECDIR}/policy
|
||
|
|
}
|
||
|
|
|
||
|
|
return 0
|