File: ima-keys-load.sh

#!/bin/sh

# Optional per-system overrides (e.g. IMAKEYSDIR) are read from the target
# root; NEWROOT is expected to be set by the caller that sources this hook.
IMACONFIG="${NEWROOT}/etc/sysconfig/ima"

# securityfs mount point and the IMA directory below it; the latter is
# used to detect whether the running kernel has IMA enabled.
SECURITYFSDIR="/sys/kernel/security"
IMASECDIR="${SECURITYFSDIR}/ima"

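# load_x509_keys KEYRING_ID
#
# Import every regular file found below ${NEWROOT}${IMAKEYSDIR} onto the
# given keyring with 'evmctl import'.
#   Globals read:    IMACONFIG, NEWROOT, RD_DEBUG
#   Globals written: KEYRING_ID, PUBKEY, IMAKEYSDIR (may be preset by IMACONFIG)
#   Arguments:       $1 - keyring id (serial or special name) to import into
#   Outputs:         diagnostics via info(); 'keyctl show' when RD_DEBUG=yes
#   Returns:         always 0; a key that fails to import is only logged
load_x509_keys()
{
    KEYRING_ID=$1

    # Override the default configuration. The file is sourced, i.e. run as
    # shell code in this environment, so it carries the same trust as this
    # script itself.
    if [ -f "${IMACONFIG}" ]; then
        . "${IMACONFIG}"
    fi

    # Default key directory when the config file did not set one. The
    # variable tested must be the one assigned (IMAKEYSDIR); testing a
    # different name would silently discard the configured directory.
    if [ -z "${IMAKEYSDIR}" ]; then
        IMAKEYSDIR="/etc/keys/ima"
    fi

    # Glob rather than parse 'ls': paths containing whitespace stay intact,
    # and an unmatched pattern is rejected by the -f test below.
    for PUBKEY in "${NEWROOT}${IMAKEYSDIR}"/*; do
        # check for public key's existence
        if [ ! -f "${PUBKEY}" ]; then
            if [ "${RD_DEBUG}" = "yes" ]; then
                info "integrity: IMA x509 cert file not found: ${PUBKEY}"
            fi
            continue
        fi

        # evmctl prints the new key id on stdout; it is not needed here.
        if ! evmctl import "${PUBKEY}" "${KEYRING_ID}" >/dev/null; then
            info "integrity: IMA x509 cert not loaded on keyring: ${PUBKEY}"
        fi
    done

    if [ "${RD_DEBUG}" = "yes" ]; then
        keyctl show "${KEYRING_ID}"
    fi
    return 0
}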

# Nothing to do unless the running kernel exposes IMA under securityfs.
# The top-level 'return' implies this hook is sourced by its caller, so it
# ends this file without terminating the caller.
if ! [ -e "${IMASECDIR}" ]; then
    [ "${RD_DEBUG}" = "yes" ] && info "integrity: IMA kernel support is disabled"
    return 0
fi

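# Get the IMA keyring id: prefer the kernel's .ima keyring, otherwise fall
# back to (or create) a keyring named _ima on the user keyring.
if line=$(keyctl describe %keyring:.ima); then
    # the keyring id is the part before the first ':' of the description
    _ima_id=${line%%:*}
else
    _ima_id=$(keyctl search @u keyring _ima)
    if [ -z "${_ima_id}" ]; then
        _ima_id=$(keyctl newring _ima @u)
    fi
fi

# Without a keyring every import would fail; report once instead of
# attempting each key against an empty keyring id.
if [ -z "${_ima_id}" ]; then
    info "integrity: IMA keyring not available, skipping key load"
    return 0
fi

# load the IMA public key(s)
load_x509_keys "${_ima_id}"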