dracut/modules.d/98integrity/ima-policy-load.sh

#!/bin/sh

# Licensed under the GPLv2
#
# Copyright (C) 2011 Politecnico di Torino, Italy
#                    TORSEC group -- http://security.polito.it
# Roberto Sassu <roberto.sassu@polito.it>

IMASECDIR="${SECURITYFSDIR}/ima"
IMACONFIG="${NEWROOT}/etc/sysconfig/ima"
IMAPOLICY="/etc/sysconfig/ima-policy"

load_ima_policy()
{
    # check kernel support for IMA
    if [ ! -e "${IMASECDIR}" ]; then
        if [ "${RD_DEBUG}" = "yes" ]; then
            info "integrity: IMA kernel support is disabled"
        fi
        return 0
    fi

    # override the default configuration
    [ -f "${IMACONFIG}" ] && \
        . ${IMACONFIG}

    # set the IMA policy path name
    IMAPOLICYPATH="${NEWROOT}${IMAPOLICY}"

    # check the existence of the IMA policy file
    [ -f "${IMAPOLICYPATH}" ] && {
        info "Loading the provided IMA custom policy";
        printf '%s' "${IMAPOLICYPATH}" > ${IMASECDIR}/policy || \
            cat "${IMAPOLICYPATH}" > ${IMASECDIR}/policy
    }

    return 0
}

load_ima_policy
dracut: added new module integrity This module initializes the EVM software and permits to load a custom IMA policy. Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Acked-by: Gianluca Ramunno <ramunno@polito.it> 14 years ago			`#!/bin/sh`

			`# Licensed under the GPLv2`
			`#`
			`# Copyright (C) 2011 Politecnico di Torino, Italy`
			`# TORSEC group -- http://security.polito.it`
			`# Roberto Sassu <roberto.sassu@polito.it>`

			`IMASECDIR="${SECURITYFSDIR}/ima"`
			`IMACONFIG="${NEWROOT}/etc/sysconfig/ima"`
			`IMAPOLICY="/etc/sysconfig/ima-policy"`

			`load_ima_policy()`
			`{`
			`# check kernel support for IMA`
			`if [ ! -e "${IMASECDIR}" ]; then`
			`if [ "${RD_DEBUG}" = "yes" ]; then`
			`info "integrity: IMA kernel support is disabled"`
			`fi`
			`return 0`
			`fi`

			`# override the default configuration`
			`[ -f "${IMACONFIG}" ] && \`
			`. ${IMACONFIG}`

			`# set the IMA policy path name`
			`IMAPOLICYPATH="${NEWROOT}${IMAPOLICY}"`

			`# check the existence of the IMA policy file`
			`[ -f "${IMAPOLICYPATH}" ] && {`
			`info "Loading the provided IMA custom policy";`
integrity/ima-policy-load.sh: s/echo -n/printf 8 years ago			`printf '%s' "${IMAPOLICYPATH}" > ${IMASECDIR}/policy \|\| \`
98integrity: support validating the IMA policy file signature IMA validates file signatures based on the security.ima xattr. As of Linux-4.7, instead of cat'ing the IMA policy into the securityfs policy, the IMA policy pathname can be written, allowing the IMA policy file signature to be validated. This patch first attempts to write the pathname, but on failure falls back to cat'ing the IMA policy contents . Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 8 years ago			`cat "${IMAPOLICYPATH}" > ${IMASECDIR}/policy`
dracut: added new module integrity This module initializes the EVM software and permits to load a custom IMA policy. Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Acked-by: Gianluca Ramunno <ramunno@polito.it> 14 years ago			`}`

			`return 0`
			`}`

			`load_ima_policy`