c6399f9ca8
- support validating the IMA policy file signature, needed since Kernel 4.7 * Adds 0552-98integrity-support-validating-the-IMA-policy-file-s.patch - IMA: improve support for evm key loading (bsc#1077359, fate#323906) - FIPS: Adjust dependencies to work for cryptsetup 2.0 (bsc#1077070) - Added a few more patch annotations OBS-URL: https://build.opensuse.org/request/show/569449 OBS-URL: https://build.opensuse.org/package/show/Base:System/dracut?expand=0&rev=334
37 lines
1.4 KiB
Diff
37 lines
1.4 KiB
Diff
From d31e03d34cc743c6538f532704ec7fc3bc75a03d Mon Sep 17 00:00:00 2001
|
|
From: Stefan Berger <stefanb@us.ibm.com>
|
|
Date: Thu, 13 Oct 2016 16:49:43 -0400
|
|
Subject: [PATCH] 98integrity: support validating the IMA policy file signature
|
|
|
|
IMA validates file signatures based on the security.ima xattr. As of
|
|
Linux-4.7, instead of cat'ing the IMA policy into the securityfs policy,
|
|
the IMA policy pathname can be written, allowing the IMA policy file
|
|
signature to be validated.
|
|
|
|
This patch first attempts to write the pathname, but on failure falls
|
|
back to cat'ing the IMA policy contents .
|
|
|
|
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
|
|
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
|
|
---
|
|
modules.d/98integrity/ima-policy-load.sh | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/modules.d/98integrity/ima-policy-load.sh b/modules.d/98integrity/ima-policy-load.sh
|
|
index 0061cfff..5460d025 100755
|
|
--- a/modules.d/98integrity/ima-policy-load.sh
|
|
+++ b/modules.d/98integrity/ima-policy-load.sh
|
|
@@ -30,7 +30,8 @@ load_ima_policy()
|
|
# check the existence of the IMA policy file
|
|
[ -f "${IMAPOLICYPATH}" ] && {
|
|
info "Loading the provided IMA custom policy";
|
|
- cat ${IMAPOLICYPATH} > ${IMASECDIR}/policy;
|
|
+ echo -n "${IMAPOLICYPATH}" > ${IMASECDIR}/policy || \
|
|
+ cat "${IMAPOLICYPATH}" > ${IMASECDIR}/policy
|
|
}
|
|
|
|
return 0
|
|
--
|
|
2.13.6
|
|
|