Resolves: https://issues.redhat.com/browse/RHEL-33751 Conflict: Upstream has -libs subpackage Upstream Status: https://src.fedoraproject.org/rpms/ima-evm-utils.git commit 8980421a049c776e2b77e534793aafb925b3ad48 Author: Coiby Xu <coiby.xu@gmail.com> Date: Mon May 6 17:48:52 2024 +0800 Add some IMA setup tools Some IMA setup tools are added to ease IMA setup which will do the following tasks, - add IMA signatures to installed packages files - load IMA keys and policy - enable the dracut integrity module to load IMA keys and policy automatically Two IMA policies as suggested by Stefan Berger are also provided which will be signed automatically with other package files. Thanks to Marko Myllynen for coming up with the idea to have a tool similar to fips-mode-setup. And thanks to Mimi Zohar and Stefan Berger for providing the feedback! Signed-off-by: Coiby Xu <coxu@redhat.com> Signed-off-by: Coiby Xu <coxu@redhat.com>
#!/bin/bash
#
# This script helps set up IMA.
#

# Where the chosen IMA policy is copied so that systemd loads it on later
# boots (see load_ima_policy).
IMA_SYSTEMD_POLICY="/etc/ima/ima-policy"
# securityfs node the policy *path* is written to in order to load it into
# the running kernel (see load_ima_policy).
IMA_POLICY_SYSFS="/sys/kernel/security/ima/policy"
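#######################################
# Print the command-line help and exit with status 1.
# Globals:   none
# Arguments: none
# Outputs:   the usage text, on stdout
# Returns:   does not return (exit 1)
#######################################
usage() {
  echo "Set up IMA."
  # The description used to be printed twice (copy-paste); it is listed once.
  cat <<EOF
usage: $0 --policy=IMA_POLICY_PATH

--policy
  The path of IMA policy to be loaded. Sample policies are inside
  /usr/share/ima/policies or you can use your own IMA policy
EOF
  exit 1
}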
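# Parse the command line.  The only supported option is --policy=PATH; any
# other argument, or no argument at all, prints the usage and exits.
# Sets the global ima_policy_path for the rest of the script.
ima_policy_path=""
for _opt in "$@"; do
  case "$_opt" in
    --policy=*)
      ima_policy_path=${_opt#*=}
      # Only existence is checked here; load_ima_policy later insists on a
      # regular file.  (The message previously referenced an unset
      # $policy_file variable and printed an empty name.)
      if [[ ! -e $ima_policy_path ]]; then
        echo "$ima_policy_path doesn't exist"
        exit 1
      fi
      ;;
    *)
      usage
      ;;
  esac
done

if [[ $# -eq 0 ]]; then
  usage
fi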
# Add IMA signatures to the files of the installed packages.  On an OSTree
# system (detected via /run/ostree-booted) nothing is signed here; the user
# is pointed at the OSTree creation process instead.
if [[ -f /run/ostree-booted ]]; then
  echo "You are using OSTree, please enable IMA signatures as part of the OSTree creation process."
else
  echo "Adding IMA signatures to installed package files"
  # ima-add-sigs is the companion tool; a failed signing run aborts the
  # whole setup.
  ima-add-sigs || {
    echo "Failed to add IMA signatures, abort"
    exit 1
  }
fi
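#######################################
# Load every IMA key found in /etc/keys/ima into the kernel .ima keyring.
# Globals:   none (all working variables are local)
# Arguments: none
# Outputs:   error messages on stdout
# Returns:   0 when at least one key was imported; exits the script with 1
#            if the keyring cannot be found, no key file exists, or no key
#            could be imported.
#######################################
load_ima_keys() {
  local _line _ima_id _key _key_loaded="" _key_found=""

  # keyctl describe prints "<id>: ..." — keep the part before the first colon.
  if ! _line=$(keyctl describe %keyring:.ima); then
    echo "Failed to get ID of the .ima keyring"
    exit 1
  fi
  _ima_id=${_line%%:*}

  for _key in /etc/keys/ima/*; do
    # An unmatched glob leaves the literal pattern behind, and a
    # subdirectory is not a key either: skip non-regular files instead of
    # aborting on the first one.
    [[ -f $_key ]] || continue
    _key_found=yes
    # evmctl's own diagnostics are discarded; the failure is reported below.
    if ! evmctl import "$_key" "$_ima_id" &>/dev/null; then
      echo "Failed to load IMA key $_key"
    else
      _key_loaded=yes
    fi
  done

  if [[ $_key_found != yes ]]; then
    echo "No IMA key exist"
    exit 1
  fi

  if [[ $_key_loaded != yes ]]; then
    echo "No IMA key loaded"
    exit 1
  fi
}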
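#######################################
# Load an IMA policy into the running kernel and install it for later boots.
# Globals:   IMA_POLICY_SYSFS (read), IMA_SYSTEMD_POLICY (read)
# Arguments: $1 - path of the IMA policy file
# Outputs:   error messages on stdout
# Returns:   0 on success, 1 on any failure
#######################################
load_ima_policy() {
  local ima_policy_path=$1

  if [[ ! -f $ima_policy_path ]]; then
    echo "$ima_policy_path doesn't exist"
    return 1
  fi

  # The *path* of the policy file is written to securityfs; the kernel then
  # reads the file itself.  NOTE(review): the commit message says the shipped
  # policies are IMA-signed, which is presumably what lets the kernel accept
  # them when appraisal is enforced — confirm this for custom policies.
  if ! echo "$ima_policy_path" >"$IMA_POLICY_SYSFS"; then
    echo "$ima_policy_path can't be loaded"
    return 1
  fi

  # Let systemd load the IMA policy which will load LSM rules first so IMA
  # policy containing rules like "appraise obj_type=ifconfig_exec_t" can be
  # loaded
  if ! mkdir -p "${IMA_SYSTEMD_POLICY%/*}"; then
    echo "Failed to create ${IMA_SYSTEMD_POLICY%/*}"
    return 1
  fi
  # --preserve=xattr keeps the extended attributes (presumably the
  # security.ima signature) on the installed copy.
  if ! cp --preserve=xattr "$ima_policy_path" "$IMA_SYSTEMD_POLICY"; then
    echo "Failed to copy $ima_policy_path to $IMA_SYSTEMD_POLICY"
    return 1
  fi
}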
printf '%s\n' "Loading IMA keys"
# load_ima_keys exits the script itself on any failure, so there is no
# status to check here.
load_ima_keys
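# Include the dracut integrity module to load the IMA keys and policy
# automatically when there is a system reboot.  Installing the drop-in and
# rebuilding the initramfs used to go unchecked; a failure now aborts the
# setup instead of silently leaving the initramfs without the module.
if ! lsinitrd --mod | grep -q integrity; then
  if ! mkdir -p /etc/dracut.conf.d; then
    echo "Failed to create /etc/dracut.conf.d"
    exit 1
  fi
  if ! cp --preserve=xattr /usr/share/ima/dracut-98-integrity.conf \
      /etc/dracut.conf.d/98-integrity.conf; then
    echo "Failed to install the dracut integrity configuration"
    exit 1
  fi
  echo "Rebuilding the initramfs of kernel-$(uname -r) to include the dracut integrity module"
  if ! dracut -f; then
    echo "Failed to rebuild the initramfs"
    exit 1
  fi
fi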
# load_ima_policy prints its own detailed error; this only decides the
# script's exit status.
load_ima_policy "$ima_policy_path" || {
  echo "Failed to load IMA policy $ima_policy_path!"
  exit 1
}