fix(integrity): shellcheck for modules.d/98integrity

3 years ago · 895dd4eb25
4 changed files with 32 additions and 29 deletions
--- a/modules.d/98integrity/.shchkdir
+++ b/modules.d/98integrity/.shchkdir
--- a/modules.d/98integrity/evm-enable.sh
+++ b/modules.d/98integrity/evm-enable.sh
@ -14,14 +14,15 @@ EVMKEYID=""
				@@ -14,14 +14,15 @@ EVMKEYID=""

 load_evm_key() {
    # read the configuration from the config file
+    # shellcheck disable=SC1090
    [ -f "${EVMCONFIG}" ] \
-        && . ${EVMCONFIG}
+        && . "${EVMCONFIG}"

    # override the EVM key path name from the 'evmkey=' parameter in the kernel
    # command line
-    EVMKEYARG=$(getarg evmkey=)
-    [ $? -eq 0 ] \
-        && EVMKEY=${EVMKEYARG}
+    if EVMKEYARG=$(getarg evmkey=); then
+        EVMKEY=${EVMKEYARG}
+    fi

    # set the default value
    [ -z "${EVMKEY}" ] \
@ -39,14 +40,13 @@ load_evm_key() {
				@@ -39,14 +40,13 @@ load_evm_key() {
    fi

    # read the EVM encrypted key blob
-    KEYBLOB=$(cat ${EVMKEYPATH})
+    KEYBLOB=$(cat "${EVMKEYPATH}")

    # load the EVM encrypted key
-    EVMKEYID=$(keyctl add ${EVMKEYTYPE} ${EVMKEYDESC} "load ${KEYBLOB}" @u)
-    [ $? -eq 0 ] || {
+    if ! EVMKEYID=$(keyctl add ${EVMKEYTYPE} ${EVMKEYDESC} "load ${KEYBLOB}" @u); then
        info "integrity: failed to load the EVM encrypted key: ${EVMKEYDESC}"
        return 1
-    }
+    fi
    return 0
 }

@ -55,9 +55,9 @@ load_evm_x509() {
				@@ -55,9 +55,9 @@ load_evm_x509() {

    # override the EVM key path name from the 'evmx509=' parameter in
    # the kernel command line
-    EVMX509ARG=$(getarg evmx509=)
-    [ $? -eq 0 ] \
-        && EVMX509=${EVMX509ARG}
+    if EVMX509ARG=$(getarg evmx509=); then
+        EVMX509=${EVMX509ARG}
+    fi

    # set the default value
    [ -z "${EVMX509}" ] \
@ -75,8 +75,7 @@ load_evm_x509() {
				@@ -75,8 +75,7 @@ load_evm_x509() {
    fi

    local evm_pubid line
-    line=$(keyctl describe %keyring:.evm)
-    if [ $? -eq 0 ]; then
+    if line=$(keyctl describe %keyring:.evm); then
        # the kernel already setup a trusted .evm keyring so use that one
        evm_pubid=${line%%:*}
    else
@ -89,11 +88,12 @@ load_evm_x509() {
				@@ -89,11 +88,12 @@ load_evm_x509() {
    fi

    # load the EVM public key onto the EVM keyring
-    EVMX509ID=$(evmctl import ${EVMX509PATH} ${evm_pubid})
-    [ $? -eq 0 ] || {
+    # FIXME: EVMX509ID unused?
+    # shellcheck disable=SC2034
+    if ! EVMX509ID=$(evmctl import "${EVMX509PATH}" "${evm_pubid}"); then
        info "integrity: failed to load the EVM X509 cert ${EVMX509PATH}"
        return 1
-    }
+    fi

    if [ "${RD_DEBUG}" = "yes" ]; then
        keyctl show @u
@ -104,7 +104,7 @@ load_evm_x509() {
				@@ -104,7 +104,7 @@ load_evm_x509() {

 unload_evm_key() {
    # unlink the EVM encrypted key
-    keyctl unlink ${EVMKEYID} @u || {
+    keyctl unlink "${EVMKEYID}" @u || {
        info "integrity: failed to unlink the EVM encrypted key: ${EVMKEYDESC}"
        return 1
    }
@ -136,7 +136,7 @@ enable_evm() {
				@@ -136,7 +136,7 @@ enable_evm() {

    # initialize EVM
    info "Enabling EVM"
-    echo 1 > ${EVMSECFILE}
+    echo 1 > "${EVMSECFILE}"

    # unload the EVM encrypted key
    unload_evm_key || return 1
--- a/modules.d/98integrity/ima-keys-load.sh
+++ b/modules.d/98integrity/ima-keys-load.sh
@ -9,14 +9,15 @@ load_x509_keys() {
				@@ -9,14 +9,15 @@ load_x509_keys() {

    # override the default configuration
    if [ -f "${IMACONFIG}" ]; then
-        . ${IMACONFIG}
+        # shellcheck disable=SC1090
+        . "${IMACONFIG}"
    fi

    if [ -z "${IMAKEYSDIR}" ]; then
        IMAKEYSDIR="/etc/keys/ima"
    fi

-    PUBKEY_LIST=$(ls ${NEWROOT}${IMAKEYSDIR}/*)
+    PUBKEY_LIST=$(ls "${NEWROOT}"${IMAKEYSDIR}/*)
    for PUBKEY in ${PUBKEY_LIST}; do
        # check for public key's existence
        if [ ! -f "${PUBKEY}" ]; then
@ -26,14 +27,15 @@ load_x509_keys() {
				@@ -26,14 +27,15 @@ load_x509_keys() {
            continue
        fi

-        X509ID=$(evmctl import ${PUBKEY} ${KEYRING_ID})
-        if [ $? -ne 0 ]; then
+        # FIXME: X509ID unused?
+        # shellcheck disable=SC2034
+        if ! X509ID=$(evmctl import "${PUBKEY}" "${KEYRING_ID}"); then
            info "integrity: IMA x509 cert not loaded on keyring: ${PUBKEY}"
        fi
    done

    if [ "${RD_DEBUG}" = "yes" ]; then
-        keyctl show ${KEYRING_ID}
+        keyctl show "${KEYRING_ID}"
    fi
    return 0
 }
@ -47,8 +49,8 @@ if [ ! -e "${IMASECDIR}" ]; then
				@@ -47,8 +49,8 @@ if [ ! -e "${IMASECDIR}" ]; then
 fi

 # get the IMA keyring id
-line=$(keyctl describe %keyring:.ima)
-if [ $? -eq 0 ]; then
+
+if line=$(keyctl describe %keyring:.ima); then
    _ima_id=${line%%:*}
 else
    _ima_id=$(keyctl search @u keyring _ima)
@ -58,4 +60,4 @@ else
				@@ -58,4 +60,4 @@ else
 fi

 # load the IMA public key(s)
-load_x509_keys ${_ima_id}
+load_x509_keys "${_ima_id}"
--- a/modules.d/98integrity/ima-policy-load.sh
+++ b/modules.d/98integrity/ima-policy-load.sh
@ -20,8 +20,9 @@ load_ima_policy() {
				@@ -20,8 +20,9 @@ load_ima_policy() {
    fi

    # override the default configuration
+    # shellcheck disable=SC1090
    [ -f "${IMACONFIG}" ] \
-        && . ${IMACONFIG}
+        && . "${IMACONFIG}"

    # set the IMA policy path name
    IMAPOLICYPATH="${NEWROOT}${IMAPOLICY}"
@ -29,8 +30,8 @@ load_ima_policy() {
				@@ -29,8 +30,8 @@ load_ima_policy() {
    # check the existence of the IMA policy file
    [ -f "${IMAPOLICYPATH}" ] && {
        info "Loading the provided IMA custom policy"
-        printf '%s' "${IMAPOLICYPATH}" > ${IMASECDIR}/policy \
-            || cat "${IMAPOLICYPATH}" > ${IMASECDIR}/policy
+        printf '%s' "${IMAPOLICYPATH}" > "${IMASECDIR}"/policy \
+            || cat "${IMAPOLICYPATH}" > "${IMASECDIR}"/policy
    }

    return 0