author | Tom Rini <trini@konsulko.com> | 2018-05-16 10:31:49 -0400 |
---|---|---|
committer | Jia Zhang <zhang.jia@linux.alibaba.com> | 2018-05-17 20:36:23 +0800 |
commit | b7b42cdec7b20be00ea2c344189f5924951d3037 (patch) | |
tree | f7695361809272d5bd3f7efc89f669649e97f0e8 | |
parent | f9f181fe5c3bc2322642ccdd688805a4a65588a6 (diff) | |
download | meta-secure-core-b7b42cdec7b20be00ea2c344189f5924951d3037.tar.gz |
meta-integrity: init.ima: Switch to using keyctl
Rather than parse /proc/keys directly to find out the ID of the keyring
that we're using, let keyctl do this for us. In order to do that we
need to have /proc available as /proc, so move it around before and
after working with keyctl.
Signed-off-by: Tom Rini <trini@konsulko.com>
-rwxr-xr-x | meta-integrity/recipes-core/initrdscripts/files/init.ima | 6 | ||||
-rw-r--r-- | meta-integrity/recipes-core/initrdscripts/initrdscripts-ima.bb | 2 |
2 files changed, 5 insertions, 3 deletions
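--- a/meta-integrity/recipes-core/initrdscripts/files/init.ima
+++ b/meta-integrity/recipes-core/initrdscripts/files/init.ima
@@ -95,20 +95,22 @@ fi
 [ ! -d "$securityfs_dir/ima" ] &&
 print_info "IMA is not enabled. Exiting ..." && exit 2
 
-keyring_id=0x`grep '\skeyring\s*\.ima: ' "${ROOT_DIR}/proc/keys" | awk '{ print $1 }'`
+mount --move ${ROOT_DIR}/proc /proc
 
 # The trusted IMA certificate /etc/keys/x509_evm.der in initramfs was
 # automatically loaded by kernel already. Here is the opportunity to load
 # a custom IMA certificate from the real rootfs.
 for cert in ${ROOT_DIR}/etc/keys/x509_evm*.der; do
 [ ! -s "$cert" ] && continue
+name=`basename $cert`
 
-if ! evmctl import "$cert" "$keyring_id" >"${ROOT_DIR}/dev/null"; then
+if ! keyctl padd asymmetric "$name" %:.ima < $cert > ${ROOT_DIR}/dev/null; then
 print_critical "Unable to load the custom IMA certificate $cert for IMA appraisal"
 else
 print_verbose "The custom IMA certificate $cert loaded for IMA appraisal"
 fi
 done
+mount --move /proc ${ROOT_DIR}/proc
 
 # Attempt to load the default policy.
 [ ! -s "${IMA_POLICY}" ] && IMA_POLICY="${IMA_POLICY}.default"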
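Review bot: The `mount --move ${ROOT_DIR}/proc /proc` on new line 98 is unchecked, so if it fails `keyctl padd asymmetric "$name" %:.ima` on line 107 resolves the `.ima` keyring against whatever is (or is not) at /proc, and the restoring move on line 113 then runs against a mount that was never moved. The restore is also only reached if control falls through the loop; print_critical is defined outside the hunk, so whether a failed import exits early and leaves /proc moved away from ${ROOT_DIR} cannot be told from here. Suggest at least `mount --move "${ROOT_DIR}/proc" /proc || { print_critical "Unable to move proc for keyctl"; exit 2; }` (reusing the script's existing exit-2 convention for the IMA-not-enabled path), and keeping the restore adjacent to every exit between the two moves. As a style point, the replaced line quoted its paths while the new one uses bare `< $cert > ${ROOT_DIR}/dev/null`; `name=`basename $cert`` is likewise unquoted, so `"$cert"` and `"${ROOT_DIR}/dev/null"` would keep the hunk consistent with lines 104 and 108.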
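--- a/meta-integrity/recipes-core/initrdscripts/initrdscripts-ima.bb
+++ b/meta-integrity/recipes-core/initrdscripts/initrdscripts-ima.bb
@@ -34,7 +34,7 @@ RDEPENDS_${PN} += "\
 gawk \
 util-linux-mount \
 util-linux-umount \
-ima-evm-utils \
+keyutils \
 ima-policy \
 "
 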