ima-setup: Allow users to specify custom reinstall_threshold

Resolves: https://issues.redhat.com/browse/RHEL-33751 Conflict: None Upstream Status: https://src.fedoraproject.org/rpms/ima-evm-utils.git commit 141a74d96ab3cdee1b0d2cf6a0cba19337920e02 Author: Coiby Xu <coxu@redhat.com> Date: Tue May 28 09:54:19 2024 +0800 ima-setup: Allow users to specify custom reinstall_threshold Some users may use custom built packages and we are not sure about the number of this type of packages. So make reinstall_threshold configurable. Suggested-by: Marko Myllynen <myllynen@redhat.com> Signed-off-by: Coiby Xu <coxu@redhat.com>
2024-06-08 03:11:20 +08:00 · 2024-06-08 03:11:20 +08:00 · eff6110deb
commit eff6110deb
parent 6760dcea53
2 changed files with 38 additions and 15 deletions
--- a/ima-add-sigs.sh
+++ b/ima-add-sigs.sh
@ -1,7 +1,7 @@
 #!/bin/bash
 #
 # This script add IMA signatures to installed RPM package files
-# Usage: add_ima_sigs.sh [[ALL|PACKAGE_NAME] IMA_CERT_PATH]
+# Usage: add_ima_sigs.sh [--package=PACKAGE_NAME|ALL] [--ima-cert=IMA_CERT_PATH] [--reinstall_threshold=NUM]
 #
 # By default, it will add IMA sigantures to all installed package files. Or you
 # can provide a package name to only add IMA signature for files of specicifed
@ -12,13 +12,26 @@
 # With the signing IMA cert path specified, it will also try to verify
 # the added IMA signature.

-if [[ -z "$1" || $1 == ALL ]]; then
-	package="--all"
-else
-	package=$1
-fi
+for _opt in "$@"; do
+	case "$_opt" in
+	--reinstall_threshold=*)
+		reinstall_threshold=${_opt#*=}
+		;;
+	--package=*)
+		package=${_opt#*=}
+		;;
+	--ima_cert=*)
+		ima_cert=${_opt#*=}
+		;;
+	*)
+		usage
+		;;
+	esac
+done

-ima_cert=$2
+if [[ -z $package ]] || [[ $package == ALL ]]; then
+	package="--all"
+fi

 abort() {
 	echo "$1"
@ -63,14 +76,16 @@ add_by_reinstall() {
 	dnf reinstall "$package" -yq >/dev/null
 }

-if [[ $package == "--all" ]]; then
-	reinstall_threshold=20
-else
-	if ! rpm -q --quiet $package; then
-		dnf install "$package" -yq >/dev/null
-		exit 0
+if [[ -z $reinstall_threshold ]]; then
+	if [[ $package == "--all" ]]; then
+		reinstall_threshold=20
+	else
+		if ! rpm -q --quiet $package; then
+			dnf install "$package" -yq >/dev/null
+			exit 0
+		fi
+		reinstall_threshold=1
 	fi
-	reinstall_threshold=1
 fi

 unsigned_packages_in_rpm_db=$(rpm -q --queryformat "%{SIGPGP:pgpsig}\n" $package | grep "^(none)$" | wc -l)
--- a/ima-setup.sh
+++ b/ima-setup.sh
@ -8,13 +8,18 @@ IMA_POLICY_SYSFS=/sys/kernel/security/ima/policy
 usage() {
 	echo "Set up IMA."
 	cat <<EOF
-usage: $0 --policy=IMA_POLICY_PATH
+usage: $0 --policy=IMA_POLICY_PATH [--reinstall_threshold=NUM]

       --policy
       The path of IMA policy to be loaded. Sample polices are inside
       /usr/share/ima/policies or you can use your own IMA policy
       The path of IMA policy to be loaded.  Sample polices are inside
       /usr/share/ima/policies or you can use your own IMA policy
+
+       --reinstall_threshold
+       When there are >reinstall_threshold packages in the RPM DB missing IMA signatures, reinstalling the packages to add IMA signatures to the packages.
+       By default, IMA sigatures will be obtained from the RPM DB. However the RPM DB may not have the signatures. Dectect this case by checking if there are >reinstall_threshold package missing IMA signatures.
+
 EOF
 	exit 1
 }
@ -28,6 +33,9 @@ for _opt in "$@"; do
 			exit 1
 		fi
 		;;
+	--reinstall_threshold=*)
+		reinstall_threshold=${_opt#*=}
+		;;
 	*)
 		usage
 		;;