From 8796348da7764c8a6bae05b5bb9a00a76182ee93 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Wed, 14 May 2025 19:03:05 +0000
Subject: [PATCH] import UBI ima-evm-utils-1.6.2-1.el10
---
 .gitignore | 5 +-
 .ima-evm-utils.metadata | 2 -
 ...-not-observing-the-hashalgo-argument.patch | 38 ---
 SOURCES/annocheck-opt-flag.patch | 19 --
 SOURCES/covscan-memory-leaks.patch | 45 ---
 SOURCES/docbook-xsl-path.patch | 12 -
 SOURCES/libimaevm-keydesc-import.patch | 37 ---
 SPECS/ima-evm-utils.spec | 208 ------------
 dracut-98-integrity.conf | 1 +
 ima-add-sigs.sh | 112 +++++++
 ima-evm-utils.spec | 312 ++++++++++++++++++
 ima-setup.sh | 145 ++++++++
 ...-01-appraise-executable-and-lib-signatures | 28 ++
 policy-02-keylime-remote-attestation | 37 +++
 policy_list | 2 +
 sources | 3 +
 16 files changed, 643 insertions(+), 363 deletions(-)
 delete mode 100644 .ima-evm-utils.metadata
 delete mode 100644 SOURCES/0001-Fix-sign_hash-not-observing-the-hashalgo-argument.patch
 delete mode 100644 SOURCES/annocheck-opt-flag.patch
 delete mode 100644 SOURCES/covscan-memory-leaks.patch
 delete mode 100644 SOURCES/docbook-xsl-path.patch
 delete mode 100644 SOURCES/libimaevm-keydesc-import.patch
 delete mode 100644 SPECS/ima-evm-utils.spec
 create mode 100644 dracut-98-integrity.conf
 create mode 100755 ima-add-sigs.sh
 create mode 100644 ima-evm-utils.spec
 create mode 100755 ima-setup.sh
 create mode 100644 policy-01-appraise-executable-and-lib-signatures
 create mode 100644 policy-02-keylime-remote-attestation
 create mode 100644 policy_list
 create mode 100644 sources
diff --git a/.gitignore b/.gitignore
index 632761a..bbea896 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
-SOURCES/ima-evm-utils-1.1.tar.gz
-SOURCES/ima-evm-utils-1.3.2.tar.gz
+centosimarelease-10.der
+ima-evm-utils-1.6.2.tar.gz
+redhatimarelease-10.der
diff --git a/.ima-evm-utils.metadata b/.ima-evm-utils.metadata
deleted file mode 100644
index e6ea46f..0000000
--- a/.ima-evm-utils.metadata
+++ /dev/null
@@ -1,2 +0,0 @@ -58705b3544ae6e650042374dba535c0b3837b8fc SOURCES/ima-evm-utils-1.1.tar.gz -034d163533ae5f9c06001b375ec7e5a1b09a3853 SOURCES/ima-evm-utils-1.3.2.tar.gz diff --git a/SOURCES/0001-Fix-sign_hash-not-observing-the-hashalgo-argument.patch b/SOURCES/0001-Fix-sign_hash-not-observing-the-hashalgo-argument.patch deleted file mode 100644 index 663ddc6..0000000 --- a/SOURCES/0001-Fix-sign_hash-not-observing-the-hashalgo-argument.patch +++ /dev/null @@ -1,38 +0,0 @@ -From ea10a33d26572eebde59565179f622b6fb240d04 Mon Sep 17 00:00:00 2001 -From: Patrick Uiterwijk -Date: Wed, 6 Jan 2021 10:43:34 +0100 -Subject: [PATCH] Fix sign_hash not observing the hashalgo argument - -This fixes sign_hash not using the correct algorithm for creating the -signature, by ensuring it uses the passed in variable value. - -Signed-off-by: Patrick Uiterwijk ---- - src/libimaevm.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/libimaevm.c b/src/libimaevm.c -index fa6c27858d0f..72d5e67f6fdd 100644 ---- a/src/libimaevm.c -+++ b/src/libimaevm.c -@@ -916,7 +916,7 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash, - return -1; - } - -- log_info("hash(%s): ", imaevm_params.hash_algo); -+ log_info("hash(%s): ", algo); - log_dump(hash, size); - - pkey = read_priv_pkey(keyfile, imaevm_params.keypass); -@@ -942,7 +942,7 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash, - if (!EVP_PKEY_sign_init(ctx)) - goto err; - st = "EVP_get_digestbyname"; -- if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo))) -+ if (!(md = EVP_get_digestbyname(algo))) - goto err; - st = "EVP_PKEY_CTX_set_signature_md"; - if (!EVP_PKEY_CTX_set_signature_md(ctx, md)) --- -2.29.2 - diff --git a/SOURCES/annocheck-opt-flag.patch b/SOURCES/annocheck-opt-flag.patch deleted file mode 100644 index 2ddf993..0000000 --- a/SOURCES/annocheck-opt-flag.patch +++ /dev/null 
@@ -1,19 +0,0 @@ -diff --git a/configure.ac b/configure.ac -index 6822f39..34e4a81 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -36,9 +36,9 @@ AC_CHECK_HEADERS(keyutils.h, , [AC_MSG_ERROR([keyutils.h header not found. You n - #debug support - yes for a while - PKG_ARG_ENABLE(debug, "yes", DEBUG, [Enable Debug support]) - if test $pkg_cv_enable_debug = yes; then -- CFLAGS="$CFLAGS -g -O1 -Wall -Wstrict-prototypes -pipe" -+ CFLAGS="$CFLAGS -g -O2 -Wall -Wstrict-prototypes -pipe" - else -- CFLAGS="$CFLAGS -Wall -Wstrict-prototypes -pipe -fomit-frame-pointer" -+ CFLAGS="$CFLAGS -O2 -Wall -Wstrict-prototypes -pipe -fomit-frame-pointer" - fi - - # for gcov --- -2.14.4 - diff --git a/SOURCES/covscan-memory-leaks.patch b/SOURCES/covscan-memory-leaks.patch deleted file mode 100644 index 25d6950..0000000 --- a/SOURCES/covscan-memory-leaks.patch +++ /dev/null @@ -1,45 +0,0 @@ -diff --git a/src/evmctl.c b/src/evmctl.c -index 2ffee78..b80a1c9 100644 ---- a/src/evmctl.c -+++ b/src/evmctl.c -@@ -1716,7 +1716,7 @@ static char *get_password(void) - - if (tcsetattr(fileno(stdin), TCSANOW, &tmp_flags) != 0) { - perror("tcsetattr"); -- return NULL; -+ goto get_pwd_err; - } - - printf("PEM password: "); -@@ -1725,10 +1725,14 @@ static char *get_password(void) - /* restore terminal */ - if (tcsetattr(fileno(stdin), TCSANOW, &flags) != 0) { - perror("tcsetattr"); -- return NULL; -+ goto get_pwd_err; - } - -+ free(password); - return pwd; -+get_pwd_err: -+ free(password); -+ return NULL; - } - - int main(int argc, char *argv[]) -diff --git a/src/libimaevm.c b/src/libimaevm.c -index 6fa0ed4..39582f2 100644 ---- a/src/libimaevm.c -+++ b/src/libimaevm.c -@@ -466,6 +466,8 @@ void init_public_keys(const char *keyfiles) - entry->next = public_keys; - public_keys = entry; - } -+ -+ free(tmp_keyfiles); - } - - int verify_hash_v2(const char *file, const unsigned char *hash, int size, --- -2.14.4 - 
diff --git a/SOURCES/docbook-xsl-path.patch b/SOURCES/docbook-xsl-path.patch deleted file mode 100644 index e4ee8e5..0000000 --- a/SOURCES/docbook-xsl-path.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -urNp ima-evm-utils-1.0-orig/Makefile.am ima-evm-utils-1.0/Makefile.am ---- ima-evm-utils-1.0-orig/Makefile.am 2015-07-30 15:28:53.000000000 -0300 -+++ ima-evm-utils-1.0/Makefile.am 2017-11-20 16:20:04.245591165 -0200 -@@ -24,7 +24,7 @@ rpm: $(tarname) - rpmbuild -ba --nodeps $(SPEC) - - # requires asciidoc, xslproc, docbook-xsl --MANPAGE_DOCBOOK_XSL = /usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl -+MANPAGE_DOCBOOK_XSL = /usr/share/sgml/docbook/xsl-stylesheets/manpages/docbook.xsl - - evmctl.1.html: README - @asciidoc -o $@ $< diff --git a/SOURCES/libimaevm-keydesc-import.patch b/SOURCES/libimaevm-keydesc-import.patch deleted file mode 100644 index fb20ebc..0000000 --- a/SOURCES/libimaevm-keydesc-import.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -diff --git a/src/libimaevm.c b/src/libimaevm.c -index 6fa0ed4..b6f9b9f 100644 ---- a/src/libimaevm.c -+++ b/src/libimaevm.c -@@ -672,12 +672,11 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len - memcpy(keyid, sha1 + 12, 8); - log_debug("keyid: "); - log_debug_dump(keyid, 8); -+ id = __be64_to_cpup((__be64 *) keyid); -+ sprintf(str, "%llX", (unsigned long long)id); - -- if (params.verbose > LOG_INFO) { -- id = __be64_to_cpup((__be64 *) keyid); -- sprintf(str, "%llX", (unsigned long long)id); -+ if (params.verbose > LOG_INFO) - log_info("keyid-v1: %s\n", str); -- } - } - - void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key) -@@ -694,11 +693,10 @@ void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key) - memcpy(keyid, sha1 + 16, 4); - log_debug("keyid: "); - log_debug_dump(keyid, 4); -+ sprintf(str, "%x", __be32_to_cpup(keyid)); - -- if (params.verbose > LOG_INFO) { -- sprintf(str, "%x", __be32_to_cpup(keyid)); -+ if (params.verbose > LOG_INFO) - log_info("keyid: %s\n", str); -- } - - free(pkey); - } --- -2.19.1 - diff --git a/SPECS/ima-evm-utils.spec b/SPECS/ima-evm-utils.spec deleted file mode 100644 index af59d3b..0000000 --- a/SPECS/ima-evm-utils.spec +++ /dev/null 
@@ -1,208 +0,0 @@ -%global compat_soversion 0 - -Name: ima-evm-utils -Version: 1.3.2 -Release: 12%{?dist} -Summary: IMA/EVM support utilities -License: GPLv2 -Url: http://linux-ima.sourceforge.net/ -Source: http://sourceforge.net/projects/linux-ima/files/ima-evm-utils/%{name}-%{version}.tar.gz -Source10: ima-evm-utils-1.1.tar.gz - -Patch0: 0001-Fix-sign_hash-not-observing-the-hashalgo-argument.patch -# compat patches -Patch1: docbook-xsl-path.patch -Patch2: covscan-memory-leaks.patch -Patch3: annocheck-opt-flag.patch -Patch4: libimaevm-keydesc-import.patch - -BuildRequires: asciidoc -BuildRequires: autoconf -BuildRequires: automake -BuildRequires: gcc -BuildRequires: keyutils-libs-devel -BuildRequires: libtool -BuildRequires: libxslt -BuildRequires: openssl-devel -BuildRequires: tpm2-tss-devel -# compat requirement -BuildRequires: libattr-devel - -#Requires: tpm2-tss - -%description -The Trusted Computing Group(TCG) run-time Integrity Measurement Architecture -(IMA) maintains a list of hash values of executables and other sensitive -system files, as they are read or executed. These are stored in the file -systems extended attributes. The Extended Verification Module (EVM) prevents -unauthorized changes to these extended attributes on the file system. -ima-evm-utils is used to prepare the file system for these extended attributes. 
- -%package devel -Summary: Development files for %{name} -Requires: %{name} = %{version}-%{release} - -%description devel -This package provides the header files for %{name} - -%package -n %{name}%{compat_soversion} -Summary: Compatibility package of %{name} - -%description -n %{name}%{compat_soversion} -This package provides the libimaevm.so.%{compat_soversion} relative to %{name}-1.1 - -%prep -%setup -q -%patch0 -p1 -mkdir compat/ -tar -zxf %{SOURCE10} --strip-components=1 -C compat/ -cd compat/ -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 - -%build -# build compat version of the package -pushd compat/ -autoreconf -vif -%configure --disable-static -%make_build -popd - -autoreconf -vif -%configure --disable-static -%make_build - -%install -%make_install -find %{buildroot}%{_libdir} -type f -name "*.la" -print -delete -# install compat libs -pushd compat/src/.libs/ -install -p libimaevm.so.%{compat_soversion}.0.0 %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}.0.0 -ln -s -f %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}.0.0 %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion} -popd - -%ldconfig_scriptlets - -%files -%license COPYING -%doc NEWS README AUTHORS -%{_bindir}/* -# if you need to bump the soname version, coordinate with dependent packages -%{_libdir}/libimaevm.so.2 -%{_libdir}/libimaevm.so.2.0.0 -%{_mandir}/man1/* - -%files devel -%{_pkgdocdir}/*.sh -%{_includedir}/* -%{_libdir}/libimaevm.so - -%files -n %{name}%{compat_soversion} -%{_libdir}/libimaevm.so.%{compat_soversion} -%{_libdir}/libimaevm.so.%{compat_soversion}.0.0 - -%changelog -* Thu Feb 18 2021 Bruno Meneguele - 1.3.2-12 -- Add compat subpackage for keeping the API stability in userspace - -* Mon Jan 25 2021 Bruno Meneguele - 1.3.2-11 -- Bump release number for yet another rebuild - -* Mon Jan 25 2021 Bruno Meneguele - 1.3.2-10 -- Add patch for fixing hash algorithm used through libimaevm - -* Fri Jan 15 2021 Bruno Meneguele - 1.3.2-9 -- Add tpm2-tss as a runtime 
dependency - -* Sun Jan 10 2021 Michal Domonkos - 1.3.2-8 -- Bump release number for yet another couple of rebuilds - -* Wed Jan 06 2021 Bruno Meneguele - 1.3.2-4 -- Bump release number for yet another build for solving wrong target usage - -* Wed Jan 06 2021 Bruno Meneguele - 1.3.2-3 -- Bump release number for another build, handling build issues - -* Tue Dec 01 2020 Bruno Meneguele - 1.3.2-2 -- Bump release number for forcing a new build - -* Mon Nov 09 2020 Bruno Meneguele - 1.3.2-1 -- Rebase to upstream v1.3.2 version -- Sync specfile with Fedora's version - -* Thu Mar 28 2019 Bruno E. O. Meneguele - 1.1-5 -- Add patch to correctly handle key description on keyring during importation - -* Mon Oct 29 2018 Bruno E. O. Meneguele - 1.1-4 -- Solve a single memory leak not handled by the last patch - -* Thu Oct 25 2018 Bruno E. O. Meneguele - 1.1-3 -- Solve memory leaks pointed by covscan tool -- Add optimization flag O2 during compilation to satisfy annocheck tool - -* Fri Mar 02 2018 Bruno E. O. Meneguele - 1.1-2 -- Remove libtool files -- Run ldconfig scriptlets after un/installing -- Add -devel subpackage to handle include files and examples -- Disable any static file in the package - -* Fri Feb 16 2018 Bruno E. O. Meneguele - 1.1-1 -- New upstream release -- Support for OpenSSL 1.1 was added directly to the source code in upstream, - thus removing specific patch for it -- Docbook xsl stylesheet updated to a local path - -* Wed Feb 07 2018 Fedora Release Engineering - 1.0-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Fri Feb 02 2018 Igor Gnatenko - 1.0-4 -- Switch to %%ldconfig_scriptlets - -* Fri Dec 01 2017 Bruno E. O. Meneguele - 1.0-3 -- Add OpenSSL 1.1 API support for the package, avoiding the need of - compat-openssl10-devel package - -* Mon Nov 20 2017 Bruno E. O. 
Meneguele - 1.0-2 -- Adjusted docbook xsl path to match the correct stylesheet -- Remove only *.la files, considering there aren't any *.a files - -* Tue Sep 05 2017 Bruno E. O. Meneguele - 1.0-1 -- New upstream release -- Add OpenSSL 1.0 compatibility package, due to issues with OpenSSL 1.1 -- Remove libtool files -- Run ldconfig after un/installation to update *.so files -- Add -devel subpackage to handle include files and examples - -* Wed Aug 02 2017 Fedora Release Engineering - 0.9-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Wed Jul 26 2017 Fedora Release Engineering - 0.9-6 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Fri Feb 10 2017 Fedora Release Engineering - 0.9-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Thu Feb 04 2016 Fedora Release Engineering - 0.9-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Tue Jan 26 2016 Lubomir Rintel - 0.9-3 -- Fix FTBFS - -* Wed Jun 17 2015 Fedora Release Engineering - 0.9-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - -* Fri Oct 31 2014 Avesh Agarwal - 0.9-1 -- New upstream release -- Applied a patch to fix man page issues. -- Updated spec file - -* Sat Aug 16 2014 Fedora Release Engineering - 0.6-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - -* Sat Jun 07 2014 Fedora Release Engineering - 0.6-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild - -* Tue Aug 27 2013 Vivek Goyal - 0.6-1 -- Initial package diff --git a/dracut-98-integrity.conf b/dracut-98-integrity.conf new file mode 100644 index 0000000..0996b9a --- /dev/null +++ b/dracut-98-integrity.conf @@ -0,0 +1 @@ +add_dracutmodules+=" integrity " diff --git a/ima-add-sigs.sh b/ima-add-sigs.sh new file mode 100755 index 0000000..6777d4b --- /dev/null +++ b/ima-add-sigs.sh 
@@ -0,0 +1,112 @@ +#!/bin/bash +# +# This script add IMA signatures to installed RPM package files +usage() { + echo "Add IMA signatures to installed packages." + cat <reinstall_threshold (=20 by default) packages in the RPM + DB missing IMA signatures, reinstalling the packages to add IMA + signatures to the packages. By default, IMA sigatures will be obtained + from the RPM DB. However the RPM DB may not have the signatures. Dectect + this case by checking if there are >reinstall_threshold package missing + IMA signatures. + + --ima-cert + With the signing IMA cert path specified, it will also try to verify the + added IMA signature. + +EOF + exit 1 +} + +for _opt in "$@"; do + case "$_opt" in + --reinstall_threshold=*) + reinstall_threshold=${_opt#*=} + ;; + --package=*) + package=${_opt#*=} + ;; + --ima_cert=*) + ima_cert=${_opt#*=} + ;; + *) + [[ -n $1 ]] && usage + ;; + esac +done + +if [[ -z $package ]] || [[ $package == ALL ]]; then + package="--all" +fi + +abort() { + echo "$1" + exit 1 +} + +# Add IMA signatures from RPM database +add_from_rpm_db() { + if ! command -v setfattr &>/dev/null; then + abort "Please install attr" + fi + + # use "|" as deliminator since it won't be used in a filename or signature + while IFS="|" read -r path sig; do + # [[ -z "$sig" ]] somehow doesn't work for some files that don't have IMA + # signatures. This may be a issue of rpm + if [[ "$sig" != "0"* ]]; then + continue + fi + + # Skip directory, soft links, non-existent files and vfat fs + if [[ -d "$path" || -L "$path" || ! -f "$path" || "$path" == "/boot/efi/EFI/"* ]]; then + continue + fi + + if ! setfattr -n security.ima "$path" -v "0x$sig"; then + echo "Failed to add IMA sig for $path" + fi + + [[ -e "$ima_cert" ]] || continue + # TODO + # don't verify the modified files like /etc? + if ! 
evmctl ima_verify -k "$ima_cert" "$path" &>/dev/null; then + echo "Failed to verify $path" + fi + done < <(rpm -q --queryformat "[%{FILENAMES}|%{FILESIGNATURES}\n]" "$package") +} + +# Add IMA signatures by reinstalling all packages +add_by_reinstall() { + [[ $package == "--all" ]] && package='*' + dnf reinstall "$package" -yq >/dev/null +} + +if [[ -z $reinstall_threshold ]]; then + if [[ $package == "--all" ]]; then + reinstall_threshold=20 + else + if ! rpm -q --quiet "$package"; then + dnf install "$package" -yq >/dev/null + exit 0 + fi + reinstall_threshold=1 + fi +fi + +unsigned_packages_in_rpm_db=$(rpm -q --queryformat "%{SIGPGP:pgpsig}\n" "$package" | grep "^(none)$" | wc -l) + +if [[ $unsigned_packages_in_rpm_db -ge $reinstall_threshold ]]; then + add_by_reinstall +else + add_from_rpm_db +fi diff --git a/ima-evm-utils.spec b/ima-evm-utils.spec new file mode 100644 index 0000000..94d5a38 --- /dev/null +++ b/ima-evm-utils.spec 
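Review bot: The usage text documents the certificate option as `--ima-cert`, but the parser only matches `--ima_cert=*`, so a user who follows the help text hits the `*)` branch and gets `usage` instead of signature verification; either rename the case label to `--ima-cert=*)` or document the option as `--ima_cert=<path>`. Separately, the reinstall heuristic counts packages whose `%{SIGPGP:pgpsig}` is `(none)`, which reflects the header signature rather than the per-file IMA signatures the comment talks about; a package can be GPG-signed yet ship no `%{FILESIGNATURES}`, so counting packages with an empty/`(none)` `%{FILESIGNATURES}` would match the stated intent — the exact output rpm gives for that tag should be confirmed before switching. A one-line comment above `unsigned_packages_in_rpm_db=` stating which signature is being counted would help either way.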
@@ -0,0 +1,312 @@ +# If the soname gets bumped we need to ship a compat library to be able +# to bootstrap and rebuild rpm else we end up with chicken and egg problem. +%global bootstrap 0 + +%if 0%{bootstrap} +%global compat_soversion 4 +%endif + +Name: ima-evm-utils +Version: 1.6.2 +Release: 1%{?dist} +Summary: IMA/EVM support utilities +License: GPLv2 +Url: http://linux-ima.sourceforge.net/ +Source0: https://github.com/mimizohar/ima-evm-utils/releases/download/v%{version}/%{name}-%{version}.tar.gz + +# IMA setup tools +Source2: dracut-98-integrity.conf +Source3: ima-add-sigs.sh +Source4: ima-setup.sh +Source100: policy-01-appraise-executable-and-lib-signatures +Source101: policy-02-keylime-remote-attestation +Source200: policy_list +Source300: redhatimarelease-10.der +Source301: centosimarelease-10.der + + +%if 0%{bootstrap} +# compat source and patches +Source10: ima-evm-utils-1.5.tar.gz +%endif + +BuildRequires: asciidoc +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: gcc +BuildRequires: keyutils-libs-devel +BuildRequires: libtool +BuildRequires: libxslt +BuildRequires: make +BuildRequires: openssl-devel +BuildRequires: tpm2-tss-devel +Requires: keyutils +Requires: attr + +%description +The Trusted Computing Group(TCG) run-time Integrity Measurement Architecture +(IMA) maintains a list of hash values of executables and other sensitive +system files, as they are read or executed. These are stored in the file +systems extended attributes. The Extended Verification Module (EVM) prevents +unauthorized changes to these extended attributes on the file system. +ima-evm-utils is used to prepare the file system for these extended attributes. 
+ +%package devel +Summary: Development files for %{name} +Requires: %{name} = %{version}-%{release} + +%description devel +This package provides the header files for %{name} + +%prep +%setup -q + +%if 0%{bootstrap} +mkdir compat/ +pushd compat/ +tar -zxf %{SOURCE10} --strip-components=1 +popd +%endif + +%build +autoreconf -vif +%configure --disable-static --disable-engine +%make_build + +%if 0%{bootstrap} +pushd compat/ +autoreconf -vif +%configure --disable-static --disable-engine +%make_build +popd +%endif + +%install +%make_install +find %{buildroot} -type f -name "*.la" -delete + +%if 0%{bootstrap} +pushd compat/src/.libs/ +install -p libimaevm.so.%{compat_soversion}.0.0 %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}.0.0 +ln -s -f %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}.0.0 %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion} +popd +%endif + +%ldconfig_scriptlets + +# IMA setup tools +install -D -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_datadir}/ima/dracut-98-integrity.conf + +mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/ima/policies +while IFS= read -r policy_file +do + install -m 644 %{_sourcedir}/policy-"$policy_file" $RPM_BUILD_ROOT%{_datadir}/ima/policies/"$policy_file" +done < %{SOURCE200} + +install -D %{SOURCE3} $RPM_BUILD_ROOT%{_bindir}/ima-add-sigs +install -D %{SOURCE4} $RPM_BUILD_ROOT%{_bindir}/ima-setup + +# IMA code-signing certs +install -d -m 755 $RPM_BUILD_ROOT/etc/keys/ima +install -m 644 %{SOURCE300} %{SOURCE301} $RPM_BUILD_ROOT/etc/keys/ima/ + +%files +%license COPYING +%doc NEWS README AUTHORS +%{_bindir}/evmctl +%{_mandir}/man1/evmctl* + +# IMA setup tools +%{_datadir}/ima/policies +%{_datadir}/ima/dracut-98-integrity.conf +%{_bindir}/ima-add-sigs +%{_bindir}/ima-setup + +# if you need to bump the soname version, coordinate with dependent packages +%{_libdir}/libimaevm.so.5* +%if 0%{bootstrap} +%{_libdir}/libimaevm.so.%{compat_soversion} +%{_libdir}/libimaevm.so.%{compat_soversion}.0.0 +%endif + +# IMA code-signing 
certs +/etc/keys/ima/*.der + +%files devel +%{_pkgdocdir}/*.sh +%{_includedir}/imaevm.h +%{_libdir}/libimaevm.so + +%changelog +* Wed Jan 15 2025 Coiby Xu - 1.6.2-1 +- Disable compat lib (RHEL-65376) + +* Fri Nov 15 2024 Coiby Xu - 1.6.2-0.1 +- Update to upstream 1.6 (RHEL-65376) + +* Fri Nov 08 2024 Coiby Xu - 1.5-7 +- add some IMA setup tools (RHEL-34778) + +* Tue Oct 29 2024 Troy Dawson - 1.5-6 +- Bump release for October 2024 mass rebuild: + Resolves: RHEL-64018 + +* Mon Jun 24 2024 Troy Dawson - 1.5-5 +- Bump release for June 2024 mass rebuild + +* Wed Jan 24 2024 Fedora Release Engineering - 1.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Sat Jan 20 2024 Fedora Release Engineering - 1.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Thu Jul 20 2023 Fedora Release Engineering - 1.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Thu Jun 08 2023 Peter Robinson - 1.5-1 +- Disable bootstrap + +* Wed Jun 07 2023 Peter Robinson - 1.5-0.1 +- Update to 1.5 +- Streamline bootstrap process a little +- Bootstrap mode +- Update download URL + +* Thu Jan 19 2023 Fedora Release Engineering - 1.4-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Thu Jul 21 2022 Fedora Release Engineering - 1.4-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Thu Jan 20 2022 Fedora Release Engineering - 1.4-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Thu Jan 20 2022 Björn Esser - 1.4-4 +- Build without compat bootstrap sub package + +* Thu Jan 20 2022 Björn Esser - 1.4-3 +- Build with compat bootstrap sub package + +* Tue Jan 18 2022 Peter Robinson - 1.4-2 +- Add compat bootstrap sub package + +* Mon Nov 08 2021 Peter Robinson - 1.4-1 +- Update to 1.4 + +* Tue Sep 14 2021 Sahana Prasad - 1.3.2-4 +- Rebuilt with OpenSSL 3.0.0 + +* Thu Jul 22 2021 Fedora Release Engineering - 1.3.2-3 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Tue Jan 26 2021 Fedora Release Engineering - 1.3.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Wed Oct 28 2020 Bruno Meneguele - 1.3.2-1 +- Rebase to new upstream v1.3.2 minor release + +* Tue Aug 11 2020 Bruno Meneguele - 1.3.1-1 +- Rebase to new upstream v1.3.1 minor release + +* Tue Jul 28 2020 Fedora Release Engineering - 1.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Sun Jul 26 2020 Peter Robinson - 1.3-2 +- Fix devel deps + +* Sun Jul 26 2020 Peter Robinson - 1.3-1 +- Update to 1.3 +- Use tpm2-tss instead of tss2 +- Minor spec cleanups + +* Mon Jul 13 2020 Tom Stellard - 1.2.1-4 +- Use make macros +- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro + +* Wed Jan 29 2020 Fedora Release Engineering - 1.2.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Jul 31 2019 Bruno E. O. Meneguele - 1.2.1-2 +- Add pull request to correct lib soname version, wich was bumped to 1.0.0 + +* Wed Jul 31 2019 Bruno E. O. Meneguele - 1.2.1-1 +- Rebase to upstream v1.2.1 +- Remove both patches that were already solved in upstream version +- Add runtime dependency of tss2 to retrieve PCR bank data from TPM2.0 + +* Thu Jul 25 2019 Fedora Release Engineering - 1.1-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri Feb 01 2019 Fedora Release Engineering - 1.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jul 20 2018 Bruno E. O. Meneguele - 1.1-4 +- Add patch to remove dependency from libattr-devel package + +* Fri Jul 13 2018 Fedora Release Engineering - 1.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri Mar 02 2018 Bruno E. O. 
Meneguele - 1.1-2 +- Remove libtool files +- Run ldconfig scriptlets after un/installing +- Add -devel subpackage to handle include files and examples +- Disable any static file in the package + +* Fri Feb 16 2018 Bruno E. O. Meneguele - 1.1-1 +- New upstream release +- Support for OpenSSL 1.1 was added directly to the source code in upstream, + thus removing specific patch for it +- Docbook xsl stylesheet updated to a local path + +* Wed Feb 07 2018 Fedora Release Engineering - 1.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Fri Feb 02 2018 Igor Gnatenko - 1.0-4 +- Switch to %%ldconfig_scriptlets + +* Fri Dec 01 2017 Bruno E. O. Meneguele - 1.0-3 +- Add OpenSSL 1.1 API support for the package, avoiding the need of + compat-openssl10-devel package + +* Mon Nov 20 2017 Bruno E. O. Meneguele - 1.0-2 +- Adjusted docbook xsl path to match the correct stylesheet +- Remove only *.la files, considering there aren't any *.a files + +* Tue Sep 05 2017 Bruno E. O. Meneguele - 1.0-1 +- New upstream release +- Add OpenSSL 1.0 compatibility package, due to issues with OpenSSL 1.1 +- Remove libtool files +- Run ldconfig after un/installation to update *.so files +- Add -devel subpackage to handle include files and examples + +* Wed Aug 02 2017 Fedora Release Engineering - 0.9-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 0.9-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Feb 10 2017 Fedora Release Engineering - 0.9-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Feb 04 2016 Fedora Release Engineering - 0.9-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Tue Jan 26 2016 Lubomir Rintel - 0.9-3 +- Fix FTBFS + +* Wed Jun 17 2015 Fedora Release Engineering - 0.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Fri Oct 31 2014 Avesh Agarwal - 0.9-1 +- 
New upstream release +- Applied a patch to fix man page issues. +- Updated spec file + +* Sat Aug 16 2014 Fedora Release Engineering - 0.6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 0.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Tue Aug 27 2013 Vivek Goyal - 0.6-1 +- Initial package diff --git a/ima-setup.sh b/ima-setup.sh new file mode 100755 index 0000000..915b61d --- /dev/null +++ b/ima-setup.sh 
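Review bot: The `%files` list owns `/etc/keys/ima/*.der` and `%{_datadir}/ima/policies` but not the directories `/etc/keys/ima` and `%{_datadir}/ima` that `%install` creates, so both are left unowned and survive package removal; add `%dir %{_datadir}/ima` and `%dir %{_sysconfdir}/keys/ima` next to those entries, and use `%{_sysconfdir}` in `%install` instead of the literal `/etc`. The `install -D %{SOURCE3}` and `%{SOURCE4}` lines rely on install's default mode for the two scripts, so stating `-m 755` makes the executable bit explicit rather than implied. The policy loop reads `%{_sourcedir}/policy-"$policy_file"` instead of the declared `Source100`/`Source101`, which works but bypasses the declared sources; a comment saying the list in `%{SOURCE200}` is the source of truth would make that deliberate.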
@@ -0,0 +1,145 @@ +#!/bin/bash +# +# This script helps set up IMA. +# +IMA_SYSTEMD_POLICY=/etc/ima/ima-policy +IMA_POLICY_SYSFS=/sys/kernel/security/ima/policy + +usage() { + echo "Set up IMA." + cat <reinstall_threshold packages in the RPM DB missing IMA + signatures, reinstalling the packages to add IMA signatures to the + packages. By default, IMA sigatures will be obtained from the RPM DB. + However the RPM DB may not have the signatures. Dectect this case by + checking if there are >reinstall_threshold package missing IMA + signatures. + +EOF + exit 1 +} + +for _opt in "$@"; do + case "$_opt" in + --policy=*) + ima_policy_path=${_opt#*=} + if [[ ! -e $ima_policy_path ]]; then + echo "$policy_file doesn't exist" + exit 1 + fi + ;; + --reinstall_threshold=*) + reinstall_threshold=${_opt#*=} + ;; + *) + usage + ;; + esac +done + +if [[ $# -eq 0 ]]; then + usage +fi + +echo "Installing prerequisite package rpm-plugin-ima" +if ! dnf install rpm-plugin-ima -yq; then + echo "Failed to install rpm-plugin-ima, abort" + exit 1 +fi + +# Add IMA signatures +if test -f /run/ostree-booted; then + echo "You are using OSTree, please enable IMA signatures as part of the OSTree creation process." +else + echo "Adding IMA signatures to installed package files" + if ! ima-add-sigs; then + echo "Failed to add IMA signatures, abort" + exit 1 + fi +fi + +load_ima_keys() { + local _key_loaded + + if line=$(keyctl describe %keyring:.ima); then + _ima_id=${line%%:*} + else + echo "Failed to get ID of the .ima keyring" + exit 1 + fi + + for i in /etc/keys/ima/*; do + if [ ! -f "${i}" ]; then + echo "No IMA key exist" + exit 1 + fi + + if ! evmctl import "${i}" "${_ima_id}" &>/dev/null; then + echo "Failed to load IMA key ${i}" + else + _key_loaded=yes + fi + done + + if [[ $_key_loaded != yes ]]; then + echo "No IMA key loaded" + exit 1 + fi +} + +load_ima_policy() { + local ima_policy_path + + ima_policy_path=$1 + + if ! 
test -f "$ima_policy_path"; then + echo "$ima_policy_path doesn't exist" + return 1 + fi + if ! echo "$ima_policy_path" >"$IMA_POLICY_SYSFS"; then + echo "$ima_policy_path can't be loaded" + return 1 + fi + # Let systemd load the IMA policy which will load LSM rules first so IMA + # policy containing rules like "appraise obj_type=ifconfig_exec_t" can be + # loaded + [[ -e /etc/ima ]] || mkdir -p /etc/ima/ + if ! cp --preserve=xattr "$ima_policy_path" "$IMA_SYSTEMD_POLICY"; then + echo "Failed to copy $ima_policy_path to $IMA_SYSTEMD_POLICY" + return 1 + fi +} + +echo "Loading IMA keys" +load_ima_keys + +# Include the dracut integrity module to load the IMA keys and policy +# automatically when there is a system reboot +if ! lsinitrd --mod | grep -q integrity; then + cp --preserve=xattr /usr/share/ima/dracut-98-integrity.conf /etc/dracut.conf.d/98-integrity.conf + echo "Rebuilding the initramfs of kernel-$(uname -r) to include the dracut integrity module" + dracut -f + + if command -v grubby >/dev/null; then + _default_kernel=$(grubby --default-kernel | sed -En "s/.*vmlinuz-(.*)/\1/p") + if [[ $_default_kernel != $(uname -r) ]]; then + echo "Current kernel is not the default kernel ($_default_kernel), include dracut integrity for it as well" + dracut -f --kver "$_default_kernel" + fi + fi + +fi + +if ! load_ima_policy "$ima_policy_path"; then + echo "Failed to load IMA policy $ima_policy_path!" + exit 1 +fi diff --git a/policy-01-appraise-executable-and-lib-signatures b/policy-01-appraise-executable-and-lib-signatures new file mode 100644 index 0000000..53feed5 --- /dev/null +++ b/policy-01-appraise-executable-and-lib-signatures 
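Review bot: In the `--policy=*` case the error message expands `$policy_file`, which is never set in this script, so a missing policy file reports ` doesn't exist` with no name; it should read `echo "$ima_policy_path doesn't exist"`. The script also only notices a missing `--policy` at the final `load_ima_policy "$ima_policy_path"` call, after it has installed rpm-plugin-ima, re-signed packages, imported keys and rebuilt the initramfs; a `[[ -n $ima_policy_path ]] || usage` right after option parsing would fail before those side effects. In `load_ima_policy` the path is written to `$IMA_POLICY_SYSFS` before the copy to `$IMA_SYSTEMD_POLICY`, so as far as I read it a failed copy leaves the policy active for the running kernel but not persisted for the next boot — doing the copy first, or saying so in the error message, would make that state visible. Also `[[ $_default_kernel != $(uname -r) ]]` treats the unquoted right-hand side as a pattern; quote it.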
@@ -0,0 +1,28 @@
+# Skip some unsupported filesystems
+# This list of the filesystems can be found on
+# https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy
+# PROC_SUPER_MAGIC
+dont_appraise fsmagic=0x9fa0
+# SYSFS_MAGIC
+dont_appraise fsmagic=0x62656572
+# DEBUGFS_MAGIC
+dont_appraise fsmagic=0x64626720
+# TMPFS_MAGIC
+dont_appraise fsmagic=0x01021994
+# RAMFS_MAGIC
+dont_appraise fsmagic=0x858458f6
+# DEVPTS_SUPER_MAGIC
+dont_appraise fsmagic=0x1cd1
+# BINFMTFS_MAGIC
+dont_appraise fsmagic=0x42494e4d
+# SECURITYFS_MAGIC
+dont_appraise fsmagic=0x73636673
+# SELINUX_MAGIC
+dont_appraise fsmagic=0xf97cff8c
+# CGROUP_SUPER_MAGIC
+dont_appraise fsmagic=0x27e0eb
+# NSFS_MAGIC
+dont_appraise fsmagic=0x6e736673
+
+appraise func=MMAP_CHECK mask=MAY_EXEC appraise_type=imasig
+appraise func=BPRM_CHECK appraise_type=imasig
diff --git a/policy-02-keylime-remote-attestation b/policy-02-keylime-remote-attestation
new file mode 100644
index 0000000..5210734
--- /dev/null
+++ b/policy-02-keylime-remote-attestation
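Review bot: The `dont_appraise` list here is narrower than the `dont_measure` list in `policy-02-keylime-remote-attestation` (the next hunk): CGROUP2_SUPER_MAGIC, EFIVARFS_MAGIC, SMACK_MAGIC and OVERLAYFS_MAGIC are skipped there but fall under appraisal here, while RAMFS_MAGIC appears only in this file. If that asymmetry is deliberate — for example appraising overlayfs so container-backed executables are not silently exempt from `appraise_type=imasig` — a comment above `appraise func=MMAP_CHECK` saying so would stop the next editor from "fixing" one list to match the other. The two files also name the mmap hook differently (`MMAP_CHECK` here, `FILE_MMAP` in policy-02); the kernel parser accepts both as far as I know, but using one spelling keeps the shipped policies consistent.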
@@ -0,0 +1,37 @@
+# PROC_SUPER_MAGIC
+dont_measure fsmagic=0x9fa0
+# SYSFS_MAGIC
+dont_measure fsmagic=0x62656572
+# DEBUGFS_MAGIC
+dont_measure fsmagic=0x64626720
+# TMPFS_MAGIC
+dont_measure fsmagic=0x01021994
+# DEVPTS_SUPER_MAGIC
+dont_measure fsmagic=0x1cd1
+# BINFMTFS_MAGIC
+dont_measure fsmagic=0x42494e4d
+# SECURITYFS_MAGIC
+dont_measure fsmagic=0x73636673
+# SELINUX_MAGIC
+dont_measure fsmagic=0xf97cff8c
+# SMACK_MAGIC
+dont_measure fsmagic=0x43415d53
+# CGROUP_SUPER_MAGIC
+dont_measure fsmagic=0x27e0eb
+# CGROUP2_SUPER_MAGIC
+dont_measure fsmagic=0x63677270
+# NSFS_MAGIC
+dont_measure fsmagic=0x6e736673
+# EFIVARFS_MAGIC
+dont_measure fsmagic=0xde5e81e4
+# OVERLAYFS_MAGIC
+# when containers are used we almost always want to ignore them
+dont_measure fsmagic=0x794c7630
+
+
+# Measure and log keys loaded onto the .ima keyring
+measure func=KEY_CHECK keyrings=.ima
+# Measure and log executables
+measure func=BPRM_CHECK
+# Measure and log shared libraries
+measure func=FILE_MMAP mask=MAY_EXEC
diff --git a/policy_list b/policy_list
new file mode 100644
index 0000000..af81a74
--- /dev/null
+++ b/policy_list
@@ -0,0 +1,2 @@
+01-appraise-executable-and-lib-signatures
+02-keylime-remote-attestation
diff --git a/sources b/sources
new file mode 100644
index 0000000..e70d527
--- /dev/null
+++ b/sources
@@ -0,0 +1,3 @@
+SHA512 (centosimarelease-10.der) = 8ee9a0107a7fe12078c1a82e4accbecca4d1246eadc60692880b5c2e6617c2ace27114d79ec6cc5fef11296fa11765145fcfbd8e2092fa96c56b13af925e5444
+SHA512 (ima-evm-utils-1.6.2.tar.gz) = dfd82ba7c48c14fd31d687214a2b0cfcf269bdea42d4a0ebc872a72205f880c509ed5c5cd55dec7e94444e6f3bdc3c071ec6c2e3eba1e6579edb8ef11aa158a1
+SHA512 (redhatimarelease-10.der) = 910b39fe16c2d8675c45c360797e6fb4a61d423b2c45a5a49aabc29a21b8dca44d50772353c3b4e557af25a2253d2ad2a2a3825a07cab556fd4eb154013c90de