rpms/ima-evm-utils
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI ima-evm-utils-1.6.2-1.el10

Browse Source
This commit is contained in:
eabdullin 2025-05-14 19:03:05 +00:00
parent 710dd15dff
commit 8796348da7
16 changed files with 643 additions and 363 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.gitignore vendored
View File

@ -1,2 +1,3 @@
SOURCES/ima-evm-utils-1.1.tar.gz
SOURCES/ima-evm-utils-1.3.2.tar.gz
centosimarelease-10.der
ima-evm-utils-1.6.2.tar.gz
redhatimarelease-10.der

2
.ima-evm-utils.metadata
View File

@ -1,2 +0,0 @@
58705b3544ae6e650042374dba535c0b3837b8fc SOURCES/ima-evm-utils-1.1.tar.gz
034d163533ae5f9c06001b375ec7e5a1b09a3853 SOURCES/ima-evm-utils-1.3.2.tar.gz

38
SOURCES/0001-Fix-sign_hash-not-observing-the-hashalgo-argument.patch
View File

@ -1,38 +0,0 @@
From ea10a33d26572eebde59565179f622b6fb240d04 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk <patrick@puiterwijk.org>
Date: Wed, 6 Jan 2021 10:43:34 +0100
Subject: [PATCH] Fix sign_hash not observing the hashalgo argument
This fixes sign_hash not using the correct algorithm for creating the
signature, by ensuring it uses the passed in variable value.
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
---
src/libimaevm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/libimaevm.c b/src/libimaevm.c
index fa6c27858d0f..72d5e67f6fdd 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -916,7 +916,7 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
return -1;
}
- log_info("hash(%s): ", imaevm_params.hash_algo);
+ log_info("hash(%s): ", algo);
log_dump(hash, size);
pkey = read_priv_pkey(keyfile, imaevm_params.keypass);
@@ -942,7 +942,7 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
if (!EVP_PKEY_sign_init(ctx))
goto err;
st = "EVP_get_digestbyname";
- if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo)))
+ if (!(md = EVP_get_digestbyname(algo)))
goto err;
st = "EVP_PKEY_CTX_set_signature_md";
if (!EVP_PKEY_CTX_set_signature_md(ctx, md))
--
2.29.2

19
SOURCES/annocheck-opt-flag.patch
View File

@ -1,19 +0,0 @@
diff --git a/configure.ac b/configure.ac
index 6822f39..34e4a81 100644
--- a/configure.ac
+++ b/configure.ac
@@ -36,9 +36,9 @@ AC_CHECK_HEADERS(keyutils.h, , [AC_MSG_ERROR([keyutils.h header not found. You n
#debug support - yes for a while
PKG_ARG_ENABLE(debug, "yes", DEBUG, [Enable Debug support])
if test $pkg_cv_enable_debug = yes; then
- CFLAGS="$CFLAGS -g -O1 -Wall -Wstrict-prototypes -pipe"
+ CFLAGS="$CFLAGS -g -O2 -Wall -Wstrict-prototypes -pipe"
else
- CFLAGS="$CFLAGS -Wall -Wstrict-prototypes -pipe -fomit-frame-pointer"
+ CFLAGS="$CFLAGS -O2 -Wall -Wstrict-prototypes -pipe -fomit-frame-pointer"
fi
# for gcov
--
2.14.4

45
SOURCES/covscan-memory-leaks.patch
View File

@ -1,45 +0,0 @@
diff --git a/src/evmctl.c b/src/evmctl.c
index 2ffee78..b80a1c9 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1716,7 +1716,7 @@ static char *get_password(void)
if (tcsetattr(fileno(stdin), TCSANOW, &tmp_flags) != 0) {
perror("tcsetattr");
- return NULL;
+ goto get_pwd_err;
}
printf("PEM password: ");
@@ -1725,10 +1725,14 @@ static char *get_password(void)
/* restore terminal */
if (tcsetattr(fileno(stdin), TCSANOW, &flags) != 0) {
perror("tcsetattr");
- return NULL;
+ goto get_pwd_err;
}
+ free(password);
return pwd;
+get_pwd_err:
+ free(password);
+ return NULL;
}
int main(int argc, char *argv[])
diff --git a/src/libimaevm.c b/src/libimaevm.c
index 6fa0ed4..39582f2 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -466,6 +466,8 @@ void init_public_keys(const char *keyfiles)
entry->next = public_keys;
public_keys = entry;
}
+
+ free(tmp_keyfiles);
}
int verify_hash_v2(const char *file, const unsigned char *hash, int size,
--
2.14.4

12
SOURCES/docbook-xsl-path.patch
View File

@ -1,12 +0,0 @@
diff -urNp ima-evm-utils-1.0-orig/Makefile.am ima-evm-utils-1.0/Makefile.am
--- ima-evm-utils-1.0-orig/Makefile.am 2015-07-30 15:28:53.000000000 -0300
+++ ima-evm-utils-1.0/Makefile.am 2017-11-20 16:20:04.245591165 -0200
@@ -24,7 +24,7 @@ rpm: $(tarname)
rpmbuild -ba --nodeps $(SPEC)
# requires asciidoc, xslproc, docbook-xsl
-MANPAGE_DOCBOOK_XSL = /usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl
+MANPAGE_DOCBOOK_XSL = /usr/share/sgml/docbook/xsl-stylesheets/manpages/docbook.xsl
evmctl.1.html: README
@asciidoc -o $@ $<

37
SOURCES/libimaevm-keydesc-import.patch
View File

@ -1,37 +0,0 @@
diff --git a/src/libimaevm.c b/src/libimaevm.c
index 6fa0ed4..b6f9b9f 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -672,12 +672,11 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len
memcpy(keyid, sha1 + 12, 8);
log_debug("keyid: ");
log_debug_dump(keyid, 8);
+ id = __be64_to_cpup((__be64 *) keyid);
+ sprintf(str, "%llX", (unsigned long long)id);
- if (params.verbose > LOG_INFO) {
- id = __be64_to_cpup((__be64 *) keyid);
- sprintf(str, "%llX", (unsigned long long)id);
+ if (params.verbose > LOG_INFO)
log_info("keyid-v1: %s\n", str);
- }
}
void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key)
@@ -694,11 +693,10 @@ void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key)
memcpy(keyid, sha1 + 16, 4);
log_debug("keyid: ");
log_debug_dump(keyid, 4);
+ sprintf(str, "%x", __be32_to_cpup(keyid));
- if (params.verbose > LOG_INFO) {
- sprintf(str, "%x", __be32_to_cpup(keyid));
+ if (params.verbose > LOG_INFO)
log_info("keyid: %s\n", str);
- }
free(pkey);
}
--
2.19.1

208
SPECS/ima-evm-utils.spec
View File

@ -1,208 +0,0 @@
%global compat_soversion 0
Name: ima-evm-utils
Version: 1.3.2
Release: 12%{?dist}
Summary: IMA/EVM support utilities
License: GPLv2
Url: http://linux-ima.sourceforge.net/
Source: http://sourceforge.net/projects/linux-ima/files/ima-evm-utils/%{name}-%{version}.tar.gz
Source10: ima-evm-utils-1.1.tar.gz
Patch0: 0001-Fix-sign_hash-not-observing-the-hashalgo-argument.patch
# compat patches
Patch1: docbook-xsl-path.patch
Patch2: covscan-memory-leaks.patch
Patch3: annocheck-opt-flag.patch
Patch4: libimaevm-keydesc-import.patch
BuildRequires: asciidoc
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: gcc
BuildRequires: keyutils-libs-devel
BuildRequires: libtool
BuildRequires: libxslt
BuildRequires: openssl-devel
BuildRequires: tpm2-tss-devel
# compat requirement
BuildRequires: libattr-devel
#Requires: tpm2-tss
%description
The Trusted Computing Group(TCG) run-time Integrity Measurement Architecture
(IMA) maintains a list of hash values of executables and other sensitive
system files, as they are read or executed. These are stored in the file
systems extended attributes. The Extended Verification Module (EVM) prevents
unauthorized changes to these extended attributes on the file system.
ima-evm-utils is used to prepare the file system for these extended attributes.
%package devel
Summary: Development files for %{name}
Requires: %{name} = %{version}-%{release}
%description devel
This package provides the header files for %{name}
%package -n %{name}%{compat_soversion}
Summary: Compatibility package of %{name}
%description -n %{name}%{compat_soversion}
This package provides the libimaevm.so.%{compat_soversion} relative to %{name}-1.1
%prep
%setup -q
%patch0 -p1
mkdir compat/
tar -zxf %{SOURCE10} --strip-components=1 -C compat/
cd compat/
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%build
# build compat version of the package
pushd compat/
autoreconf -vif
%configure --disable-static
%make_build
popd
autoreconf -vif
%configure --disable-static
%make_build
%install
%make_install
find %{buildroot}%{_libdir} -type f -name "*.la" -print -delete
# install compat libs
pushd compat/src/.libs/
install -p libimaevm.so.%{compat_soversion}.0.0 %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}.0.0
ln -s -f %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}.0.0 %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}
popd
%ldconfig_scriptlets
%files
%license COPYING
%doc NEWS README AUTHORS
%{_bindir}/*
# if you need to bump the soname version, coordinate with dependent packages
%{_libdir}/libimaevm.so.2
%{_libdir}/libimaevm.so.2.0.0
%{_mandir}/man1/*
%files devel
%{_pkgdocdir}/*.sh
%{_includedir}/*
%{_libdir}/libimaevm.so
%files -n %{name}%{compat_soversion}
%{_libdir}/libimaevm.so.%{compat_soversion}
%{_libdir}/libimaevm.so.%{compat_soversion}.0.0
%changelog
* Thu Feb 18 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-12
- Add compat subpackage for keeping the API stability in userspace
* Mon Jan 25 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-11
- Bump release number for yet another rebuild
* Mon Jan 25 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-10
- Add patch for fixing hash algorithm used through libimaevm
* Fri Jan 15 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-9
- Add tpm2-tss as a runtime dependency
* Sun Jan 10 2021 Michal Domonkos <mdomonko@redhat.com> - 1.3.2-8
- Bump release number for yet another couple of rebuilds
* Wed Jan 06 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-4
- Bump release number for yet another build for solving wrong target usage
* Wed Jan 06 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-3
- Bump release number for another build, handling build issues
* Tue Dec 01 2020 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-2
- Bump release number for forcing a new build
* Mon Nov 09 2020 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-1
- Rebase to upstream v1.3.2 version
- Sync specfile with Fedora's version
* Thu Mar 28 2019 Bruno E. O. Meneguele <bmeneg@redhat.com> - 1.1-5
- Add patch to correctly handle key description on keyring during importation
* Mon Oct 29 2018 Bruno E. O. Meneguele <bmeneg@redhat.com> - 1.1-4
- Solve a single memory leak not handled by the last patch
* Thu Oct 25 2018 Bruno E. O. Meneguele <bmeneg@redhat.com> - 1.1-3
- Solve memory leaks pointed by covscan tool
- Add optimization flag O2 during compilation to satisfy annocheck tool
* Fri Mar 02 2018 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.1-2
- Remove libtool files
- Run ldconfig scriptlets after un/installing
- Add -devel subpackage to handle include files and examples
- Disable any static file in the package
* Fri Feb 16 2018 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.1-1
- New upstream release
- Support for OpenSSL 1.1 was added directly to the source code in upstream,
thus removing specific patch for it
- Docbook xsl stylesheet updated to a local path
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Fri Feb 02 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.0-4
- Switch to %%ldconfig_scriptlets
* Fri Dec 01 2017 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.0-3
- Add OpenSSL 1.1 API support for the package, avoiding the need of
compat-openssl10-devel package
* Mon Nov 20 2017 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.0-2
- Adjusted docbook xsl path to match the correct stylesheet
- Remove only *.la files, considering there aren't any *.a files
* Tue Sep 05 2017 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.0-1
- New upstream release
- Add OpenSSL 1.0 compatibility package, due to issues with OpenSSL 1.1
- Remove libtool files
- Run ldconfig after un/installation to update *.so files
- Add -devel subpackage to handle include files and examples
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Tue Jan 26 2016 Lubomir Rintel <lkundrak@v3.sk> - 0.9-3
- Fix FTBFS
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Fri Oct 31 2014 Avesh Agarwal <avagarwa@redhat.com> - 0.9-1
- New upstream release
- Applied a patch to fix man page issues.
- Updated spec file
* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Tue Aug 27 2013 Vivek Goyal <vgoyal@redhat.com> - 0.6-1
- Initial package

1
dracut-98-integrity.conf Normal file
View File

@ -0,0 +1 @@
add_dracutmodules+=" integrity "

112
ima-add-sigs.sh Executable file
View File

@ -0,0 +1,112 @@
#!/bin/bash
#
# This script add IMA signatures to installed RPM package files
usage() {
echo "Add IMA signatures to installed packages."
cat <<EOF
usage: $0 [--package=PACKAGE_NAME|ALL] [--ima-cert=IMA_CERT_PATH] [--reinstall_threshold=NUM]
--package
By default, it will add IMA sigantures to all installed package files.
Or you can provide a package name to only add IMA signature for files of
specicifed package.
--reinstall_threshold
When there are >reinstall_threshold (=20 by default) packages in the RPM
DB missing IMA signatures, reinstalling the packages to add IMA
signatures to the packages. By default, IMA sigatures will be obtained
from the RPM DB. However the RPM DB may not have the signatures. Dectect
this case by checking if there are >reinstall_threshold package missing
IMA signatures.
--ima-cert
With the signing IMA cert path specified, it will also try to verify the
added IMA signature.
EOF
exit 1
}
for _opt in "$@"; do
case "$_opt" in
--reinstall_threshold=*)
reinstall_threshold=${_opt#*=}
;;
--package=*)
package=${_opt#*=}
;;
--ima_cert=*)
ima_cert=${_opt#*=}
;;
*)
[[ -n $1 ]] && usage
;;
esac
done
if [[ -z $package ]] || [[ $package == ALL ]]; then
package="--all"
fi
abort() {
echo "$1"
exit 1
}
# Add IMA signatures from RPM database
add_from_rpm_db() {
if ! command -v setfattr &>/dev/null; then
abort "Please install attr"
fi
# use "|" as deliminator since it won't be used in a filename or signature
while IFS="|" read -r path sig; do
# [[ -z "$sig" ]] somehow doesn't work for some files that don't have IMA
# signatures. This may be a issue of rpm
if [[ "$sig" != "0"* ]]; then
continue
fi
# Skip directory, soft links, non-existent files and vfat fs
if [[ -d "$path" || -L "$path" || ! -f "$path" || "$path" == "/boot/efi/EFI/"* ]]; then
continue
fi
if ! setfattr -n security.ima "$path" -v "0x$sig"; then
echo "Failed to add IMA sig for $path"
fi
[[ -e "$ima_cert" ]] || continue
# TODO
# don't verify the modified files like /etc?
if ! evmctl ima_verify -k "$ima_cert" "$path" &>/dev/null; then
echo "Failed to verify $path"
fi
done < <(rpm -q --queryformat "[%{FILENAMES}|%{FILESIGNATURES}\n]" "$package")
}
# Add IMA signatures by reinstalling all packages
add_by_reinstall() {
[[ $package == "--all" ]] && package='*'
dnf reinstall "$package" -yq >/dev/null
}
if [[ -z $reinstall_threshold ]]; then
if [[ $package == "--all" ]]; then
reinstall_threshold=20
else
if ! rpm -q --quiet "$package"; then
dnf install "$package" -yq >/dev/null
exit 0
fi
reinstall_threshold=1
fi
fi
unsigned_packages_in_rpm_db=$(rpm -q --queryformat "%{SIGPGP:pgpsig}\n" "$package" | grep "^(none)$" | wc -l)
if [[ $unsigned_packages_in_rpm_db -ge $reinstall_threshold ]]; then
add_by_reinstall
else
add_from_rpm_db
fi

312
ima-evm-utils.spec Normal file
View File

@ -0,0 +1,312 @@
# If the soname gets bumped we need to ship a compat library to be able
# to bootstrap and rebuild rpm else we end up with chicken and egg problem.
%global bootstrap 0
%if 0%{bootstrap}
%global compat_soversion 4
%endif
Name: ima-evm-utils
Version: 1.6.2
Release: 1%{?dist}
Summary: IMA/EVM support utilities
License: GPLv2
Url: http://linux-ima.sourceforge.net/
Source0: https://github.com/mimizohar/ima-evm-utils/releases/download/v%{version}/%{name}-%{version}.tar.gz
# IMA setup tools
Source2: dracut-98-integrity.conf
Source3: ima-add-sigs.sh
Source4: ima-setup.sh
Source100: policy-01-appraise-executable-and-lib-signatures
Source101: policy-02-keylime-remote-attestation
Source200: policy_list
Source300: redhatimarelease-10.der
Source301: centosimarelease-10.der
%if 0%{bootstrap}
# compat source and patches
Source10: ima-evm-utils-1.5.tar.gz
%endif
BuildRequires: asciidoc
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: gcc
BuildRequires: keyutils-libs-devel
BuildRequires: libtool
BuildRequires: libxslt
BuildRequires: make
BuildRequires: openssl-devel
BuildRequires: tpm2-tss-devel
Requires: keyutils
Requires: attr
%description
The Trusted Computing Group(TCG) run-time Integrity Measurement Architecture
(IMA) maintains a list of hash values of executables and other sensitive
system files, as they are read or executed. These are stored in the file
systems extended attributes. The Extended Verification Module (EVM) prevents
unauthorized changes to these extended attributes on the file system.
ima-evm-utils is used to prepare the file system for these extended attributes.
%package devel
Summary: Development files for %{name}
Requires: %{name} = %{version}-%{release}
%description devel
This package provides the header files for %{name}
%prep
%setup -q
%if 0%{bootstrap}
mkdir compat/
pushd compat/
tar -zxf %{SOURCE10} --strip-components=1
popd
%endif
%build
autoreconf -vif
%configure --disable-static --disable-engine
%make_build
%if 0%{bootstrap}
pushd compat/
autoreconf -vif
%configure --disable-static --disable-engine
%make_build
popd
%endif
%install
%make_install
find %{buildroot} -type f -name "*.la" -delete
%if 0%{bootstrap}
pushd compat/src/.libs/
install -p libimaevm.so.%{compat_soversion}.0.0 %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}.0.0
ln -s -f %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}.0.0 %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}
popd
%endif
%ldconfig_scriptlets
# IMA setup tools
install -D -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_datadir}/ima/dracut-98-integrity.conf
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/ima/policies
while IFS= read -r policy_file
do
install -m 644 %{_sourcedir}/policy-"$policy_file" $RPM_BUILD_ROOT%{_datadir}/ima/policies/"$policy_file"
done < %{SOURCE200}
install -D %{SOURCE3} $RPM_BUILD_ROOT%{_bindir}/ima-add-sigs
install -D %{SOURCE4} $RPM_BUILD_ROOT%{_bindir}/ima-setup
# IMA code-signing certs
install -d -m 755 $RPM_BUILD_ROOT/etc/keys/ima
install -m 644 %{SOURCE300} %{SOURCE301} $RPM_BUILD_ROOT/etc/keys/ima/
%files
%license COPYING
%doc NEWS README AUTHORS
%{_bindir}/evmctl
%{_mandir}/man1/evmctl*
# IMA setup tools
%{_datadir}/ima/policies
%{_datadir}/ima/dracut-98-integrity.conf
%{_bindir}/ima-add-sigs
%{_bindir}/ima-setup
# if you need to bump the soname version, coordinate with dependent packages
%{_libdir}/libimaevm.so.5*
%if 0%{bootstrap}
%{_libdir}/libimaevm.so.%{compat_soversion}
%{_libdir}/libimaevm.so.%{compat_soversion}.0.0
%endif
# IMA code-signing certs
/etc/keys/ima/*.der
%files devel
%{_pkgdocdir}/*.sh
%{_includedir}/imaevm.h
%{_libdir}/libimaevm.so
%changelog
* Wed Jan 15 2025 Coiby Xu <coxu@redhat.com> - 1.6.2-1
- Disable compat lib (RHEL-65376)
* Fri Nov 15 2024 Coiby Xu <coxu@redhat.com> - 1.6.2-0.1
- Update to upstream 1.6 (RHEL-65376)
* Fri Nov 08 2024 Coiby Xu <coxu@redhat.com> - 1.5-7
- add some IMA setup tools (RHEL-34778)
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.5-6
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.5-5
- Bump release for June 2024 mass rebuild
* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.5-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sat Jan 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Thu Jun 08 2023 Peter Robinson <pbrobinson@fedoraproject.org> - 1.5-1
- Disable bootstrap
* Wed Jun 07 2023 Peter Robinson <pbrobinson@fedoraproject.org> - 1.5-0.1
- Update to 1.5
- Streamline bootstrap process a little
- Bootstrap mode
- Update download URL
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.4-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.4-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.4-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Thu Jan 20 2022 Björn Esser <besser82@fedoraproject.org> - 1.4-4
- Build without compat bootstrap sub package
* Thu Jan 20 2022 Björn Esser <besser82@fedoraproject.org> - 1.4-3
- Build with compat bootstrap sub package
* Tue Jan 18 2022 Peter Robinson <pbrobinson@fedoraproject.org> - 1.4-2
- Add compat bootstrap sub package
* Mon Nov 08 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 1.4-1
- Update to 1.4
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 1.3.2-4
- Rebuilt with OpenSSL 3.0.0
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Oct 28 2020 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-1
- Rebase to new upstream v1.3.2 minor release
* Tue Aug 11 2020 Bruno Meneguele <bmeneg@redhat.com> - 1.3.1-1
- Rebase to new upstream v1.3.1 minor release
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Sun Jul 26 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 1.3-2
- Fix devel deps
* Sun Jul 26 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 1.3-1
- Update to 1.3
- Use tpm2-tss instead of tss2
- Minor spec cleanups
* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 1.2.1-4
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Wed Jul 31 2019 Bruno E. O. Meneguele <bmeneg@redhat.com> - 1.2.1-2
- Add pull request to correct lib soname version, wich was bumped to 1.0.0
* Wed Jul 31 2019 Bruno E. O. Meneguele <bmeneg@redhat.com> - 1.2.1-1
- Rebase to upstream v1.2.1
- Remove both patches that were already solved in upstream version
- Add runtime dependency of tss2 to retrieve PCR bank data from TPM2.0
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jul 20 2018 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.1-4
- Add patch to remove dependency from libattr-devel package
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri Mar 02 2018 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.1-2
- Remove libtool files
- Run ldconfig scriptlets after un/installing
- Add -devel subpackage to handle include files and examples
- Disable any static file in the package
* Fri Feb 16 2018 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.1-1
- New upstream release
- Support for OpenSSL 1.1 was added directly to the source code in upstream,
thus removing specific patch for it
- Docbook xsl stylesheet updated to a local path
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Fri Feb 02 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.0-4
- Switch to %%ldconfig_scriptlets
* Fri Dec 01 2017 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.0-3
- Add OpenSSL 1.1 API support for the package, avoiding the need of
compat-openssl10-devel package
* Mon Nov 20 2017 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.0-2
- Adjusted docbook xsl path to match the correct stylesheet
- Remove only *.la files, considering there aren't any *.a files
* Tue Sep 05 2017 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.0-1
- New upstream release
- Add OpenSSL 1.0 compatibility package, due to issues with OpenSSL 1.1
- Remove libtool files
- Run ldconfig after un/installation to update *.so files
- Add -devel subpackage to handle include files and examples
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Tue Jan 26 2016 Lubomir Rintel <lkundrak@v3.sk> - 0.9-3
- Fix FTBFS
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Fri Oct 31 2014 Avesh Agarwal <avagarwa@redhat.com> - 0.9-1
- New upstream release
- Applied a patch to fix man page issues.
- Updated spec file
* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Tue Aug 27 2013 Vivek Goyal <vgoyal@redhat.com> - 0.6-1
- Initial package

145
ima-setup.sh Executable file
View File

@ -0,0 +1,145 @@
#!/bin/bash
#
# This script helps set up IMA.
#
IMA_SYSTEMD_POLICY=/etc/ima/ima-policy
IMA_POLICY_SYSFS=/sys/kernel/security/ima/policy
usage() {
echo "Set up IMA."
cat <<EOF
usage: $0 --policy=IMA_POLICY_PATH [--reinstall_threshold=NUM]
--policy
The path of IMA policy to be loaded. Sample polices are inside
/usr/share/ima/policies or you can use your own IMA policy
The path of IMA policy to be loaded. Sample polices are inside
/usr/share/ima/policies or you can use your own IMA policy
--reinstall_threshold
When there are >reinstall_threshold packages in the RPM DB missing IMA
signatures, reinstalling the packages to add IMA signatures to the
packages. By default, IMA sigatures will be obtained from the RPM DB.
However the RPM DB may not have the signatures. Dectect this case by
checking if there are >reinstall_threshold package missing IMA
signatures.
EOF
exit 1
}
for _opt in "$@"; do
case "$_opt" in
--policy=*)
ima_policy_path=${_opt#*=}
if [[ ! -e $ima_policy_path ]]; then
echo "$policy_file doesn't exist"
exit 1
fi
;;
--reinstall_threshold=*)
reinstall_threshold=${_opt#*=}
;;
*)
usage
;;
esac
done
if [[ $# -eq 0 ]]; then
usage
fi
echo "Installing prerequisite package rpm-plugin-ima"
if ! dnf install rpm-plugin-ima -yq; then
echo "Failed to install rpm-plugin-ima, abort"
exit 1
fi
# Add IMA signatures
if test -f /run/ostree-booted; then
echo "You are using OSTree, please enable IMA signatures as part of the OSTree creation process."
else
echo "Adding IMA signatures to installed package files"
if ! ima-add-sigs; then
echo "Failed to add IMA signatures, abort"
exit 1
fi
fi
load_ima_keys() {
local _key_loaded
if line=$(keyctl describe %keyring:.ima); then
_ima_id=${line%%:*}
else
echo "Failed to get ID of the .ima keyring"
exit 1
fi
for i in /etc/keys/ima/*; do
if [ ! -f "${i}" ]; then
echo "No IMA key exist"
exit 1
fi
if ! evmctl import "${i}" "${_ima_id}" &>/dev/null; then
echo "Failed to load IMA key ${i}"
else
_key_loaded=yes
fi
done
if [[ $_key_loaded != yes ]]; then
echo "No IMA key loaded"
exit 1
fi
}
load_ima_policy() {
local ima_policy_path
ima_policy_path=$1
if ! test -f "$ima_policy_path"; then
echo "$ima_policy_path doesn't exist"
return 1
fi
if ! echo "$ima_policy_path" >"$IMA_POLICY_SYSFS"; then
echo "$ima_policy_path can't be loaded"
return 1
fi
# Let systemd load the IMA policy which will load LSM rules first so IMA
# policy containing rules like "appraise obj_type=ifconfig_exec_t" can be
# loaded
[[ -e /etc/ima ]] || mkdir -p /etc/ima/
if ! cp --preserve=xattr "$ima_policy_path" "$IMA_SYSTEMD_POLICY"; then
echo "Failed to copy $ima_policy_path to $IMA_SYSTEMD_POLICY"
return 1
fi
}
echo "Loading IMA keys"
load_ima_keys
# Include the dracut integrity module to load the IMA keys and policy
# automatically when there is a system reboot
if ! lsinitrd --mod | grep -q integrity; then
cp --preserve=xattr /usr/share/ima/dracut-98-integrity.conf /etc/dracut.conf.d/98-integrity.conf
echo "Rebuilding the initramfs of kernel-$(uname -r) to include the dracut integrity module"
dracut -f
if command -v grubby >/dev/null; then
_default_kernel=$(grubby --default-kernel | sed -En "s/.*vmlinuz-(.*)/\1/p")
if [[ $_default_kernel != $(uname -r) ]]; then
echo "Current kernel is not the default kernel ($_default_kernel), include dracut integrity for it as well"
dracut -f --kver "$_default_kernel"
fi
fi
fi
if ! load_ima_policy "$ima_policy_path"; then
echo "Failed to load IMA policy $ima_policy_path!"
exit 1
fi

28
policy-01-appraise-executable-and-lib-signatures Normal file
View File

@ -0,0 +1,28 @@
# Skip some unsupported filesystems
# This list of the filesystems can be found on
# https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy
# PROC_SUPER_MAGIC
dont_appraise fsmagic=0x9fa0
# SYSFS_MAGIC
dont_appraise fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_appraise fsmagic=0x64626720
# TMPFS_MAGIC
dont_appraise fsmagic=0x01021994
# RAMFS_MAGIC
dont_appraise fsmagic=0x858458f6
# DEVPTS_SUPER_MAGIC
dont_appraise fsmagic=0x1cd1
# BINFMTFS_MAGIC
dont_appraise fsmagic=0x42494e4d
# SECURITYFS_MAGIC
dont_appraise fsmagic=0x73636673
# SELINUX_MAGIC
dont_appraise fsmagic=0xf97cff8c
# CGROUP_SUPER_MAGIC
dont_appraise fsmagic=0x27e0eb
# NSFS_MAGIC
dont_appraise fsmagic=0x6e736673
appraise func=MMAP_CHECK mask=MAY_EXEC appraise_type=imasig
appraise func=BPRM_CHECK appraise_type=imasig

37
policy-02-keylime-remote-attestation Normal file
View File

@ -0,0 +1,37 @@
# PROC_SUPER_MAGIC
dont_measure fsmagic=0x9fa0
# SYSFS_MAGIC
dont_measure fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_measure fsmagic=0x64626720
# TMPFS_MAGIC
dont_measure fsmagic=0x01021994
# DEVPTS_SUPER_MAGIC
dont_measure fsmagic=0x1cd1
# BINFMTFS_MAGIC
dont_measure fsmagic=0x42494e4d
# SECURITYFS_MAGIC
dont_measure fsmagic=0x73636673
# SELINUX_MAGIC
dont_measure fsmagic=0xf97cff8c
# SMACK_MAGIC
dont_measure fsmagic=0x43415d53
# CGROUP_SUPER_MAGIC
dont_measure fsmagic=0x27e0eb
# CGROUP2_SUPER_MAGIC
dont_measure fsmagic=0x63677270
# NSFS_MAGIC
dont_measure fsmagic=0x6e736673
# EFIVARFS_MAGIC
dont_measure fsmagic=0xde5e81e4
# OVERLAYFS_MAGIC
# when containers are used we almost always want to ignore them
dont_measure fsmagic=0x794c7630
# Measure and log keys loaded onto the .ima keyring
measure func=KEY_CHECK keyrings=.ima
# Measure and log executables
measure func=BPRM_CHECK
# Measure and log shared libraries
measure func=FILE_MMAP mask=MAY_EXEC

2
policy_list Normal file
View File

@ -0,0 +1,2 @@
01-appraise-executable-and-lib-signatures
02-keylime-remote-attestation

3
sources Normal file
View File

@ -0,0 +1,3 @@
SHA512 (centosimarelease-10.der) = 8ee9a0107a7fe12078c1a82e4accbecca4d1246eadc60692880b5c2e6617c2ace27114d79ec6cc5fef11296fa11765145fcfbd8e2092fa96c56b13af925e5444
SHA512 (ima-evm-utils-1.6.2.tar.gz) = dfd82ba7c48c14fd31d687214a2b0cfcf269bdea42d4a0ebc872a72205f880c509ed5c5cd55dec7e94444e6f3bdc3c071ec6c2e3eba1e6579edb8ef11aa158a1
SHA512 (redhatimarelease-10.der) = 910b39fe16c2d8675c45c360797e6fb4a61d423b2c45a5a49aabc29a21b8dca44d50772353c3b4e557af25a2253d2ad2a2a3825a07cab556fd4eb154013c90de