diff options
| author | Tom Rini <trini@konsulko.com> | 2018-05-16 10:31:49 -0400 |
|---|---|---|
| committer | Jia Zhang <zhang.jia@linux.alibaba.com> | 2018-05-17 20:36:23 +0800 |
| commit | b7b42cdec7b20be00ea2c344189f5924951d3037 (patch) | |
| tree | f7695361809272d5bd3f7efc89f669649e97f0e8 | |
| parent | f9f181fe5c3bc2322642ccdd688805a4a65588a6 (diff) | |
| download | meta-secure-core-b7b42cdec7b20be00ea2c344189f5924951d3037.tar.gz | |
meta-integrity: init.ima: Switch to using keyctl
Rather than parse /proc/keys directly to find out the ID of the keyring
that we're using, let keyctl do this for us. In order to do that we
need to have /proc available as /proc, so move it around before and
after working with keyctl.
Signed-off-by: Tom Rini <trini@konsulko.com>
| -rwxr-xr-x | meta-integrity/recipes-core/initrdscripts/files/init.ima | 6 | ||||
| -rw-r--r-- | meta-integrity/recipes-core/initrdscripts/initrdscripts-ima.bb | 2 |
2 files changed, 5 insertions, 3 deletions
diff --git a/meta-integrity/recipes-core/initrdscripts/files/init.ima b/meta-integrity/recipes-core/initrdscripts/files/init.ima index f117717..f11ff13 100755 --- a/meta-integrity/recipes-core/initrdscripts/files/init.ima +++ b/meta-integrity/recipes-core/initrdscripts/files/init.ima | |||
| @@ -95,20 +95,22 @@ fi | |||
| 95 | [ ! -d "$securityfs_dir/ima" ] && | 95 | [ ! -d "$securityfs_dir/ima" ] && |
| 96 | print_info "IMA is not enabled. Exiting ..." && exit 2 | 96 | print_info "IMA is not enabled. Exiting ..." && exit 2 |
| 97 | 97 | ||
| 98 | keyring_id=0x`grep '\skeyring\s*\.ima: ' "${ROOT_DIR}/proc/keys" | awk '{ print $1 }'` | 98 | mount --move ${ROOT_DIR}/proc /proc |
| 99 | 99 | ||
| 100 | # The trusted IMA certificate /etc/keys/x509_evm.der in initramfs was | 100 | # The trusted IMA certificate /etc/keys/x509_evm.der in initramfs was |
| 101 | # automatically loaded by kernel already. Here is the opportunity to load | 101 | # automatically loaded by kernel already. Here is the opportunity to load |
| 102 | # a custom IMA certificate from the real rootfs. | 102 | # a custom IMA certificate from the real rootfs. |
| 103 | for cert in ${ROOT_DIR}/etc/keys/x509_evm*.der; do | 103 | for cert in ${ROOT_DIR}/etc/keys/x509_evm*.der; do |
| 104 | [ ! -s "$cert" ] && continue | 104 | [ ! -s "$cert" ] && continue |
| 105 | name=`basename $cert` | ||
| 105 | 106 | ||
| 106 | if ! evmctl import "$cert" "$keyring_id" >"${ROOT_DIR}/dev/null"; then | 107 | if ! keyctl padd asymmetric "$name" %:.ima < $cert > ${ROOT_DIR}/dev/null; then |
| 107 | print_critical "Unable to load the custom IMA certificate $cert for IMA appraisal" | 108 | print_critical "Unable to load the custom IMA certificate $cert for IMA appraisal" |
| 108 | else | 109 | else |
| 109 | print_verbose "The custom IMA certificate $cert loaded for IMA appraisal" | 110 | print_verbose "The custom IMA certificate $cert loaded for IMA appraisal" |
| 110 | fi | 111 | fi |
| 111 | done | 112 | done |
| 113 | mount --move /proc ${ROOT_DIR}/proc | ||
| 112 | 114 | ||
| 113 | # Attempt to load the default policy. | 115 | # Attempt to load the default policy. |
| 114 | [ ! -s "${IMA_POLICY}" ] && IMA_POLICY="${IMA_POLICY}.default" | 116 | [ ! -s "${IMA_POLICY}" ] && IMA_POLICY="${IMA_POLICY}.default" |
diff --git a/meta-integrity/recipes-core/initrdscripts/initrdscripts-ima.bb b/meta-integrity/recipes-core/initrdscripts/initrdscripts-ima.bb index e615e05..b261e9e 100644 --- a/meta-integrity/recipes-core/initrdscripts/initrdscripts-ima.bb +++ b/meta-integrity/recipes-core/initrdscripts/initrdscripts-ima.bb | |||
| @@ -34,7 +34,7 @@ RDEPENDS_${PN} += "\ | |||
| 34 | gawk \ | 34 | gawk \ |
| 35 | util-linux-mount \ | 35 | util-linux-mount \ |
| 36 | util-linux-umount \ | 36 | util-linux-umount \ |
| 37 | ima-evm-utils \ | 37 | keyutils \ |
| 38 | ima-policy \ | 38 | ima-policy \ |
| 39 | " | 39 | " |
| 40 | 40 | ||