diff --git a/.gitignore b/.gitignore
index 734df2a..d9c649e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 SOURCES/centosimarelease-9.der
-SOURCES/ima-evm-utils-1.5.tar.gz
+SOURCES/ima-evm-utils-1.6.2.tar.gz
 SOURCES/redhatimarelease-9.der
diff --git a/.ima-evm-utils.metadata b/.ima-evm-utils.metadata
index 9c5d0f7..602e810 100644
--- a/.ima-evm-utils.metadata
+++ b/.ima-evm-utils.metadata
@@ -1,3 +1,3 @@
 61d5a223ff0c79189505abae77e0087c4b2d2b47 SOURCES/centosimarelease-9.der
-87b19af821da481a50e820958f75104878442472 SOURCES/ima-evm-utils-1.5.tar.gz
+41095bb1d9ddeb166cdfb81338dc5d671f623f1c SOURCES/ima-evm-utils-1.6.2.tar.gz
 99e571f9de4188f3b5fdf1f84ff73f6cc4bb6a0e SOURCES/redhatimarelease-9.der
diff --git a/SOURCES/ima-add-sigs.sh b/SOURCES/ima-add-sigs.sh
index 6777d4b..6be5c48 100755
--- a/SOURCES/ima-add-sigs.sh
+++ b/SOURCES/ima-add-sigs.sh
@@ -4,7 +4,7 @@ usage() {
 echo "Add IMA signatures to installed packages."
 cat <reinstall_threshold package missing IMA signatures.
- --ima-cert
+ --ima_cert
 With the signing IMA cert path specified, it will also try to verify the added IMA signature.
@@ -53,12 +53,35 @@ abort() {
 exit 1
 }
+get_system_ima_key() {
+ source /etc/os-release
+ local -A name_map=(['Fedora Linux']="fedora" ['Red Hat Enterprise Linux']="redhatimarelease" ['CentOS Stream']='centosimarelease')
+ local version_id
+ key_name=${name_map[$NAME]}
+ version_id=${VERSION_ID/.?/}
+
+ [[ $key_name == fedora ]] && name_suffix=-ima
+ key_path=/etc/keys/ima/${key_name}-${version_id}${name_suffix}.der
+ if [[ ! -e $key_path ]]; then
+ echo "Failed to get system IMA code verification key"
+ exit 1
+ fi
+
+ echo -n "$key_path"
+}
+
 # Add IMA signatures from RPM database
 add_from_rpm_db() {
 if ! command -v setfattr &>/dev/null; then
 abort "Please install attr"
 fi
+ if [[ -e "$ima_cert" ]]; then
+ verify_ima_cert=$ima_cert
+ else
+ verify_ima_cert=$(get_system_ima_key)
+ fi
+
 # use "|" as deliminator since it won't be used in a filename or signature
 while IFS="|" read -r path sig; do
 # [[ -z "$sig" ]] somehow doesn't work for some files that don't have IMA
@@ -72,16 +95,22 @@ add_from_rpm_db() {
 continue
 fi
+ # Skip some files that are created on the fly
+ if [[ $path == "/usr/share/mime/"* || $path == "/etc/pki/ca-trust/extracted/"* ]]; then
+ continue
+ fi
+
 if ! setfattr -n security.ima "$path" -v "0x$sig"; then
 echo "Failed to add IMA sig for $path"
 fi
- [[ -e "$ima_cert" ]] || continue
- # TODO
- # don't verify the modified files like /etc?
- if ! evmctl ima_verify -k "$ima_cert" "$path" &>/dev/null; then
- echo "Failed to verify $path"
+ if ! evmctl ima_verify -k "$verify_ima_cert" "$path" &>/dev/null; then
+ setfattr -x security.ima "$path"
+ # When ima_cert is set, shows the verfication result for users
+ [[ -e "$ima_cert" ]] && "Failed to verify $path"
+ continue
 fi
+
 done < <(rpm -q --queryformat "[%{FILENAMES}|%{FILESIGNATURES}\n]" "$package")
 }
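Review bot: `get_system_ima_key` prints its failure message on stdout and then calls `exit 1`, but `add_from_rpm_db` calls it inside a command substitution, so the `exit` only ends the subshell and the message text becomes the value of `verify_ima_cert` while the non-zero status is ignored. Every later `evmctl ima_verify -k "$verify_ima_cert"` then runs with a key path that does not exist, and in the loop below (hunk `@@ -72,16 +95,22 @@`) each failed verification strips the `security.ima` xattr that was just written, so a missing system key silently leaves the whole package unsigned. Send the diagnostic to stderr, `echo "Failed to get system IMA code verification key" >&2`, and check the call, `verify_ima_cert=$(get_system_ima_key) || abort "No IMA code verification key available"`. `key_name`, `name_suffix` and `key_path` are also assigned without `local` and `name_suffix` is never set on non-Fedora systems, which will fail under `set -u` if the script enables it. `add_from_rpm_db` continues past the end of this hunk.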
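Review bot: `[[ -e "$ima_cert" ]] && "Failed to verify $path"` is missing the command, so the message string is executed as a command name and a user who passed a certificate gets a "command not found" error instead of the intended report. It should read `[[ -e "$ima_cert" ]] && echo "Failed to verify $path"`, and the comment above it misspells "verfication". When `setfattr -n` fails earlier in the loop the code still falls through to `evmctl ima_verify` and then to `setfattr -x` on a file that never received the attribute; a `continue` after `echo "Failed to add IMA sig for $path"` would keep the two failure paths distinct. `add_from_rpm_db` begins before this hunk.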
@@ -103,7 +132,7 @@ if [[ -z $reinstall_threshold ]]; then
 fi
 fi
-unsigned_packages_in_rpm_db=$(rpm -q --queryformat "%{SIGPGP:pgpsig}\n" "$package" | grep "^(none)$" | wc -l)
+unsigned_packages_in_rpm_db=$(rpm -q --queryformat "%{SIGPGP:pgpsig}\n" "$package" | grep -c "^(none)$")
 if [[ $unsigned_packages_in_rpm_db -ge $reinstall_threshold ]]; then
 add_by_reinstall
diff --git a/SOURCES/ima-setup.sh b/SOURCES/ima-setup.sh
index 915b61d..4a61a28 100755
--- a/SOURCES/ima-setup.sh
+++ b/SOURCES/ima-setup.sh
@@ -33,7 +33,7 @@ for _opt in "$@"; do
 --policy=*)
 ima_policy_path=${_opt#*=}
 if [[ ! -e $ima_policy_path ]]; then
- echo "$policy_file doesn't exist"
+ echo "$ima_policy_path doesn't exist"
 exit 1
 fi
 ;;
@@ -61,7 +61,7 @@ if test -f /run/ostree-booted; then
 echo "You are using OSTree, please enable IMA signatures as part of the OSTree creation process."
 else
 echo "Adding IMA signatures to installed package files"
- if ! ima-add-sigs; then
+ if ! ima-add-sigs --reinstall_threshold="$reinstall_threshold"; then
 echo "Failed to add IMA signatures, abort"
 exit 1
 fi
@@ -136,7 +136,7 @@ if ! lsinitrd --mod | grep -q integrity; then
 dracut -f --kver "$_default_kernel"
 fi
 fi
-
+ [[ $(uname -m) == s390x ]] && zipl &> /dev/null
 fi
 if ! load_ima_policy "$ima_policy_path"; then
diff --git a/SPECS/ima-evm-utils.spec b/SPECS/ima-evm-utils.spec
index 80d9b3a..3704345 100644
--- a/SPECS/ima-evm-utils.spec
+++ b/SPECS/ima-evm-utils.spec
@@ -3,12 +3,12 @@
 %global bootstrap 0
 %if 0%{bootstrap}
-%global compat_soversion 3
+%global compat_soversion 4
 %endif
 Name: ima-evm-utils
-Version: 1.5
-Release: 3%{?dist}
+Version: 1.6.2
+Release: 2%{?dist}
 Summary: IMA/EVM support utilities
 License: GPLv2
 Url: http://linux-ima.sourceforge.net/
@@ -27,7 +27,7 @@ Source301: centosimarelease-9.der
 %if 0%{bootstrap}
 # compat source and patches
-Source10: ima-evm-utils-1.4.tar.gz
+Source10: ima-evm-utils-1.5.tar.gz
 %endif
 BuildRequires: asciidoc
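Review bot: In the ima-setup.sh hunk `@@ -136,7 +136,7 @@`, `[[ $(uname -m) == s390x ]] && zipl &> /dev/null` discards both the output and the exit status of `zipl`, so on s390x a failed boot-loader update after the `dracut -f` rebuild goes unnoticed and the machine may keep booting an initramfs without the integrity module. The `&&` chain also keeps `set -e` from acting on the failure, if the script enables that option. Report and stop instead: `if [[ $(uname -m) == s390x ]] && ! zipl >/dev/null; then echo "zipl failed, abort" >&2; exit 1; fi`. The enclosing `if` block opens before this hunk, so the line also runs when no initramfs was rebuilt; that looks harmless but deserves a comment.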
@@ -123,7 +123,7 @@ install -m 644 %{SOURCE300} %{SOURCE301} $RPM_BUILD_ROOT/etc/keys/ima/
 %{_bindir}/ima-setup
 # if you need to bump the soname version, coordinate with dependent packages
-%{_libdir}/libimaevm.so.4*
+%{_libdir}/libimaevm.so.5*
 %if 0%{bootstrap}
 %{_libdir}/libimaevm.so.%{compat_soversion}
 %{_libdir}/libimaevm.so.%{compat_soversion}.0.0
@@ -138,6 +138,14 @@ install -m 644 %{SOURCE300} %{SOURCE301} $RPM_BUILD_ROOT/etc/keys/ima/
 %{_libdir}/libimaevm.so
 %changelog
+* Thu Jul 31 2025 Coiby Xu - 1.6.2-2
+- Verify IMA signature to make sure it's correct (RHEL-105471)
+- Drop old libimaevm.so.4 (RHEL-82797)
+
+* Mon Mar 10 2025 Coiby Xu - 1.6.2-1
+- ima-setup: run zipl after building initramfs for s390x (RHEL-72293)
+- update to upstream 1.6.2 (RHEL-82793)
+
 * Wed Nov 13 2024 Coiby Xu - 1.5-3
 - Skip unsupported file systems for sample appraisal rule (RHEL-62817)