Brad Bishop | 15ae250 | 2019-06-18 21:44:24 -0400 | [diff] [blame^] | 1 | #!/bin/sh |
| 2 | # |
| 3 | # Loads IMA policy into the kernel. |
| 4 | |
| 5 | ima_enabled() { |
| 6 | if [ "$bootparam_no_ima" = "true" ]; then |
| 7 | return 1 |
| 8 | fi |
| 9 | } |
| 10 | |
| 11 | ima_run() { |
| 12 | info "Initializing IMA (can be skipped with no_ima boot parameter)." |
| 13 | if ! grep -w securityfs /proc/mounts >/dev/null; then |
| 14 | if ! mount -t securityfs securityfs /sys/kernel/security; then |
| 15 | fatal "Could not mount securityfs." |
| 16 | fi |
| 17 | fi |
| 18 | if [ ! -d /sys/kernel/security/ima ]; then |
| 19 | fatal "No /sys/kernel/security/ima. Cannot proceed without IMA enabled in the kernel." |
| 20 | fi |
| 21 | |
| 22 | # Instead of depending on the kernel to load the IMA X.509 certificate, |
| 23 | # use keyctl. This avoids a bug in certain kernels (https://lkml.org/lkml/2015/9/10/492) |
| 24 | # where the loaded key was not checked sufficiently. We use keyctl here because it is |
| 25 | # slightly smaller than evmctl and is needed anyway. |
| 26 | # (see http://sourceforge.net/p/linux-ima/ima-evm-utils/ci/v0.9/tree/README#l349). |
| 27 | for kind in ima evm; do |
| 28 | key=/etc/keys/x509_$kind.der |
| 29 | if [ -s $key ]; then |
| 30 | id=$(grep -w -e "\.$kind" /proc/keys | cut -d ' ' -f1 | head -n 1) |
| 31 | if [ "$id" ]; then |
| 32 | id=$(printf "%d" 0x$id) |
| 33 | fi |
| 34 | if [ -z "$id" ]; then |
| 35 | id=`keyctl search @u keyring _$kind 2>/dev/null` |
| 36 | if [ -z "$id" ]; then |
| 37 | id=`keyctl newring _$kind @u` |
| 38 | fi |
| 39 | fi |
| 40 | info "Loading $key into $kind keyring $id" |
| 41 | keyctl padd asymmetric "" $id <$key |
| 42 | fi |
| 43 | done |
| 44 | |
| 45 | # In theory, a simple "cat" should be enough. In practice, loading sometimes fails randomly |
| 46 | # ("[Linux-ima-user] IMA policy loading via cat") and we get better error reporting when |
| 47 | # checking the write of each line. To minimize the risk of policy loading going wrong we |
| 48 | # also remove comments and blank lines ourselves. |
| 49 | if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) </etc/ima-policy >/sys/kernel/security/ima/policy; then |
| 50 | fatal "Could not load IMA policy." |
| 51 | fi |
| 52 | } |