meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52

#!/bin/sh
#
# Loads IMA policy into the kernel.

ima_enabled() {
    if [ "$bootparam_no_ima" = "true" ]; then
        return 1
    fi
}

ima_run() {
    info "Initializing IMA (can be skipped with no_ima boot parameter)."
    if ! grep -w securityfs /proc/mounts >/dev/null; then
        if ! mount -t securityfs securityfs /sys/kernel/security; then
            fatal "Could not mount securityfs."
        fi
    fi
    if [ ! -d /sys/kernel/security/ima ]; then
        fatal "No /sys/kernel/security/ima. Cannot proceed without IMA enabled in the kernel."
    fi

    # Instead of depending on the kernel to load the IMA X.509 certificate,
    # use keyctl. This avoids a bug in certain kernels (https://lkml.org/lkml/2015/9/10/492)
    # where the loaded key was not checked sufficiently. We use keyctl here because it is
    # slightly smaller than evmctl and is needed anyway.
    # (see http://sourceforge.net/p/linux-ima/ima-evm-utils/ci/v0.9/tree/README#l349).
    for kind in ima evm; do
        key=/etc/keys/x509_$kind.der
        if [ -s $key ]; then
            id=$(grep -w -e "\.$kind" /proc/keys | cut -d ' ' -f1 | head -n 1)
            if [ "$id" ]; then
                id=$(printf "%d" 0x$id)
            fi
            if [ -z "$id" ]; then
                id=`keyctl search @u keyring _$kind 2>/dev/null`
                if [ -z "$id" ]; then
	            id=`keyctl newring _$kind @u`
                fi
            fi
            info "Loading $key into $kind keyring $id"
            keyctl padd asymmetric "" $id <$key
        fi
    done

    # In theory, a simple "cat" should be enough. In practice, loading sometimes fails randomly
    # ("[Linux-ima-user] IMA policy loading via cat") and we get better error reporting when
    # checking the write of each line. To minimize the risk of policy loading going wrong we
    # also remove comments and blank lines ourselves.
    if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) </etc/ima-policy >/sys/kernel/security/ima/policy; then
        fatal "Could not load IMA policy."
    fi
}