From eff6110deb12dab4e4f2df5838bbb845cd420472 Mon Sep 17 00:00:00 2001 From: Coiby Xu Date: Sat, 8 Jun 2024 03:11:20 +0800 Subject: [PATCH] ima-setup: Allow users to specify custom reinstall_threshold Resolves: https://issues.redhat.com/browse/RHEL-33751 Conflict: None Upstream Status: https://src.fedoraproject.org/rpms/ima-evm-utils.git commit 141a74d96ab3cdee1b0d2cf6a0cba19337920e02 Author: Coiby Xu Date: Tue May 28 09:54:19 2024 +0800 ima-setup: Allow users to specify custom reinstall_threshold Some users may use custom built packages and we are not sure about the number of this type of packages. So make reinstall_threshold configurable. Suggested-by: Marko Myllynen Signed-off-by: Coiby Xu
---
 ima-add-sigs.sh | 43 +++++++++++++++++++++++++++++-------------- ima-setup.sh | 10 +++++++++- 2 files changed, 38 insertions(+), 15 deletions(-)
diff --git a/ima-add-sigs.sh b/ima-add-sigs.sh
index eadd629..4321ace 100755
--- a/ima-add-sigs.sh
+++ b/ima-add-sigs.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 #
 # This script add IMA signatures to installed RPM package files
-# Usage: add_ima_sigs.sh [[ALL|PACKAGE_NAME] IMA_CERT_PATH]
+# Usage: add_ima_sigs.sh [--package=PACKAGE_NAME|ALL] [--ima-cert=IMA_CERT_PATH] [--reinstall_threshold=NUM]
 #
 # By default, it will add IMA sigantures to all installed package files. Or you
 # can provide a package name to only add IMA signature for files of specicifed
@@ -12,13 +12,26 @@
 # With the signing IMA cert path specified, it will also try to verify
 # the added IMA signature.
 
-if [[ -z "$1" || $1 == ALL ]]; then
- package="--all"
-else
- package=$1
-fi
+for _opt in "$@"; do
+ case "$_opt" in
+ --reinstall_threshold=*)
+ reinstall_threshold=${_opt#*=}
+ ;;
+ --package=*)
+ package=${_opt#*=}
+ ;;
+ --ima_cert=*)
+ ima_cert=${_opt#*=}
+ ;;
+ *)
+ usage
+ ;;
+ esac
+done
 
-ima_cert=$2
+if [[ -z $package ]] || [[ $package == ALL ]]; then
+ package="--all"
+fi
 
 abort() {
 echo "$1"
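Review bot: The option parser accepts `--ima_cert=` while the usage line added in the first hunk documents `--ima-cert=`, so a user following the header comment lands in the `*)` arm; pick one spelling, e.g. `--ima-cert=*|--ima_cert=*)`, and keep the comment in sync. The `*)` arm calls `usage`, but the loop runs at line 15 of the file, before `abort()` or any other function is defined, and nothing in the visible hunks defines `usage` in ima-add-sigs.sh; unless lines 8–11 (not shown, and in the middle of the comment block) define it, an unknown option would most likely print `usage: command not found` and the script would carry on, so define `usage` above the loop or call `abort` there instead. `reinstall_threshold` is also taken verbatim from the command line and, per the option's purpose, later used as a count; validate it once after the loop with `[[ -z $reinstall_threshold || $reinstall_threshold =~ ^[0-9]+$ ]] || abort "--reinstall_threshold must be a non-negative integer"` so a bad value fails early with a clear message.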
@@ -63,14 +76,16 @@ add_by_reinstall() {
 dnf reinstall "$package" -yq >/dev/null
 }
 
-if [[ $package == "--all" ]]; then
- reinstall_threshold=20
-else
- if ! rpm -q --quiet $package; then
- dnf install "$package" -yq >/dev/null
- exit 0
+if [[ -z $reinstall_threshold ]]; then
+ if [[ $package == "--all" ]]; then
+ reinstall_threshold=20
+ else
+ if ! rpm -q --quiet $package; then
+ dnf install "$package" -yq >/dev/null
+ exit 0
+ fi
+ reinstall_threshold=1
 fi
- reinstall_threshold=1
 fi
 
 unsigned_packages_in_rpm_db=$(rpm -q --queryformat "%{SIGPGP:pgpsig}\n" $package | grep "^(none)$" | wc -l)
diff --git a/ima-setup.sh b/ima-setup.sh
index 6816d7d..34dd33d 100755
--- a/ima-setup.sh
+++ b/ima-setup.sh
@@ -8,13 +8,18 @@ IMA_POLICY_SYSFS=/sys/kernel/security/ima/policy
 usage() {
 echo "Set up IMA."
 cat <reinstall_threshold packages in the RPM DB missing IMA signatures, reinstalling the packages to add IMA signatures to the packages. + By default, IMA sigatures will be obtained from the RPM DB. However the RPM DB may not have the signatures. Dectect this case by checking if there are >reinstall_threshold package missing IMA signatures. + EOF exit 1 }
@@ -28,6 +33,9 @@ for _opt in "$@"; do
 exit 1
 fi
 ;;
+ --reinstall_threshold=*)
+ reinstall_threshold=${_opt#*=}
+ ;;
 *)
 usage
 ;;
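Review bot: The "install if not yet installed" branch is now reachable only when `--reinstall_threshold` was not given: with a custom threshold and a package that is not installed, the `rpm -q --quiet $package` check and the `dnf install` / `exit 0` path are skipped and the script continues into the `rpm -q --queryformat` query on a missing package. Keep the installed check unconditional and let the new `if [[ -z $reinstall_threshold ]]` block only choose the default of 20 or 1, as sketched below. The re-added `rpm -q --quiet $package` also leaves `$package` unquoted; `"$package"` is safe here since `--all` is a single word and matches the quoting already used on the `dnf` lines.
```shell
# … unchanged: add_by_reinstall() body …
if [[ $package != "--all" ]] && ! rpm -q --quiet "$package"; then
    dnf install "$package" -yq >/dev/null
    exit 0
fi

if [[ -z $reinstall_threshold ]]; then
    if [[ $package == "--all" ]]; then
        reinstall_threshold=20
    else
        reinstall_threshold=1
    fi
fi
# … unchanged: unsigned_packages_in_rpm_db query …
```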
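Review bot: The usage text added in this hunk misspells two words: `IMA sigatures` should read `IMA signatures` and `Dectect this case` should read `Detect this case`. The heredoc is garbled in this rendering (the `<<EOF` opener and the text before `>reinstall_threshold` are missing), so I cannot tell whether the option list itself gained a `--reinstall_threshold=NUM` entry; if it did not, add one next to the other options so the new flag is discoverable from `usage`.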
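Review bot: `reinstall_threshold=${_opt#*=}` stores the value, but nothing in this patch forwards it to ima-add-sigs.sh, which is where the threshold is consumed; unless the call site outside this diff already passes `--reinstall_threshold=$reinstall_threshold` or relays `"$@"`, the new flag is parsed and then ignored in ima-setup.sh. The value is also accepted unchecked although it is meant to be a package count, so a quick check in the arm, `[[ ${_opt#*=} =~ ^[0-9]+$ ]] || usage`, gives a clear error instead of a failure further down. The enclosing `for _opt in "$@"` loop begins before this hunk.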