From 479b5cd94f16052cf6ea28d0e8abba2b926fff83 Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@us.ibm.com>
Date: Thu, 13 Oct 2016 16:49:43 -0400
Subject: [PATCH] 98integrity: support validating the IMA policy file signature
IMA validates file signatures based on the security.ima xattr. As of
Linux-4.7, instead of cat'ing the IMA policy into the securityfs policy,
the IMA policy pathname can be written, allowing the IMA policy file
signature to be validated.
This patch first attempts to write the pathname, but on failure falls
back to cat'ing the IMA policy contents.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
---
modules.d/98integrity/ima-policy-load.sh | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules.d/98integrity/ima-policy-load.sh b/modules.d/98integrity/ima-policy-load.sh
index 0061cff..5460d02 100755
--- a/modules.d/98integrity/ima-policy-load.sh
+++ b/modules.d/98integrity/ima-policy-load.sh
@@ -30,7 +30,8 @@ load_ima_policy()
# check the existence of the IMA policy file
[ -f "${IMAPOLICYPATH}" ] && {
info "Loading the provided IMA custom policy";
- cat ${IMAPOLICYPATH} > ${IMASECDIR}/policy;
+ echo -n "${IMAPOLICYPATH}" > ${IMASECDIR}/policy || \
+ cat "${IMAPOLICYPATH}" > ${IMASECDIR}/policy
}
return 0
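Review bot: The `|| cat "${IMAPOLICYPATH}" > ${IMASECDIR}/policy` fallback treats every failure of the pathname write the same way, so if a kernel that does accept pathnames rejects this one (which, per the commit message, may include a policy file whose signature does not validate), the policy contents are loaded anyway without the signature check the commit sets out to add, and nothing is logged because `load_ima_policy` still reaches `return 0`. At minimum the fallback should be announced at warn level so the degraded path shows up in the boot log, and the exit status of the `cat` should be checked so a policy that was never loaded is not reported as success; `${IMASECDIR}/policy` should also be quoted on both lines, as `${IMAPOLICYPATH}` now is. `load_ima_policy` begins above the hunk, so I cannot see whether its caller inspects the return value.

```shell
    echo -n "${IMAPOLICYPATH}" > "${IMASECDIR}/policy" || {
        # pathname write failed: kernel predates pathname loading or rejected the policy file
        warn "Writing the IMA policy pathname failed; loading policy contents instead (file signature cannot be validated)"
        cat "${IMAPOLICYPATH}" > "${IMASECDIR}/policy" || warn "Failed to load the IMA custom policy"
    }
```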