From 6e0f7dff8db5f15e56b534e7d4ae63412192df9a Mon Sep 17 00:00:00 2001 From: Coiby Xu Date: Sat, 8 Jun 2024 03:16:47 +0800 Subject: [PATCH] ima-setup: include the integrity module for the default kernel Resolves: https://issues.redhat.com/browse/RHEL-34778 Conflict: fix a typo Upstream Status: https://src.fedoraproject.org/rpms/ima-evm-utils.git commit 62f613cbb7e1753b2e8fa0ce547c02be24842b22 Author: Coiby Xu Date: Mon Jun 3 14:39:06 2024 +0800 ima-setup: include the integrity module for the default kernel ima-setup may run after a new kernel is installed. Detect this case by checking if the default kernel is the running kernel. Suggested-by: Marko Myllynen Signed-off-by: Coiby Xu Signed-off-by: Coiby Xu
---
 ima-setup.sh | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/ima-setup.sh b/ima-setup.sh
index dde370f..a997582 100755
--- a/ima-setup.sh
+++ b/ima-setup.sh
@@ -124,6 +124,15 @@ if ! lsinitrd --mod | grep -q integrity; then
 cp --preserve=xattr /usr/share/ima/dracut-98-integrity.conf /etc/dracut.conf.d/98-integrity.conf
 echo "Rebuilding the initramfs of kernel-$(uname -r) to include the dracut integrity module"
 dracut -f
+
+ if command -v grubby >/dev/null; then
+ _default_kernel=$(grubby --default-kernel | sed -En "s/.*vmlinuz-(.*)/\1/p")
+ if [[ $_default_kernel != $(uname -r) ]]; then
+ echo "Current kernel is not the default kernel ($_default_kernel), include dracut integrity for it as well"
+ dracut -f --kver "$_default_kernel"
+ fi
+ fi
+
 fi
 if ! load_ima_policy "$ima_policy_path"; then
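Review bot: The added `[[ $_default_kernel != $(uname -r) ]]` test also passes when `_default_kernel` is empty — grubby failing, printing nothing, or returning a default-kernel path without a `vmlinuz-` component all leave the `sed -n` substitution with no output — and the script then runs `dracut -f --kver ""` instead of rebuilding the kernel it meant to. Guard the value before using it and quote the right-hand side so the output of `uname -r` is compared literally rather than as a pattern: `if [[ -n $_default_kernel && -d /lib/modules/$_default_kernel && $_default_kernel != "$(uname -r)" ]]; then`. The exit status of the new `dracut -f --kver "$_default_kernel"` call is not checked either, so a failed rebuild leaves the default kernel's initramfs without the integrity module while the script goes on to load the IMA policy as if setup had succeeded; unless the script runs under `set -e` (not visible here), something like `dracut -f --kver "$_default_kernel" || { echo "failed to rebuild initramfs for $_default_kernel" >&2; exit 1; }` would make that gap visible. The enclosing `if ! lsinitrd` block begins before the hunk.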