Add example of how to import digest list when using IMA appraise

This commit is contained in:
xuce 2024-11-29 10:14:38 +08:00
parent f6a529361b
commit 4b9f7a0446
2 changed files with 51 additions and 3 deletions

@ -0,0 +1,35 @@
From ce23f01656f6abbed6c663c2f8d023a23d950180 Mon Sep 17 00:00:00 2001
From: xuce <xuce10@h-partners.com>
Date: Thu, 28 Nov 2024 21:36:23 +0800
Subject: [PATCH] Add example of how to import digest list when using IMA
appraise
Signed-off-by: xuce <xuce10@h-partners.com>
---
secpaver-secconf-1.0.0/secconf/gen/gen_ima | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/secpaver-secconf-1.0.0/secconf/gen/gen_ima b/secpaver-secconf-1.0.0/secconf/gen/gen_ima
index 6436c78..a657614 100644
--- a/secpaver-secconf-1.0.0/secconf/gen/gen_ima
+++ b/secpaver-secconf-1.0.0/secconf/gen/gen_ima
@@ -155,7 +155,15 @@ fi
if [[ ${#common_list[@]} -gt 0 || ${#appraise_list[@]} -gt 0 ]]; then
echo "appraise func=DIGEST_LIST_CHECK appraise_type=imasig|modsig" >> $tmp_policy
- echo "IMA appraise has been successfully enabled!"
+ echo "IMA appraise has been successfully enabled! If you want to run some executable file which appraised by IMA, you need to
+1)generate digest list by gen_digest_lists
+2)sign it with evmctl
+3)import it to /sys/kernel/security/digest_list_data. Correspondingly, if you don't want it to be executed, import it to /sys/kernel/security/digest_list_data_d
+el.
+Here is an example:
+1)gen_digest_lists -t metadata -f compact -i l:policy -o add -p -1 -m immutable -i I:/usr/bin/ls -d ./
+2)evmctl ima_sign --key /path/to/ima.key -a sha256 <DIGEST_LIST_PATH>
+3)echo <DIGEST_LIST_PATH> > /sys/kernel/security/ima/digest_list_data"
fi
if [[ ${#common_list[@]} -gt 0 || ${#measure_list[@]} -gt 0 ]]; then
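Review bot: the sysfs path in step 3 of the message does not match the one in the worked example: the text says `import it to /sys/kernel/security/digest_list_data` while the example runs `echo <DIGEST_LIST_PATH> > /sys/kernel/security/ima/digest_list_data`; pick the one that is correct for the target kernel and use it in both places, since a user copying the wrong one gets a silent no-op. Second, the literal line break between `digest_list_data_d` and `el.` sits inside the double-quoted `echo` string, so the printed help splits the path `digest_list_data_del` across two lines; keep the path on one line (a heredoc or `printf` with explicit `\n` avoids the wrapped-literal problem entirely). Minor: `some executable file which appraised by IMA` should read `an executable file that is appraised by IMA`.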
--
2.33.0

@ -2,7 +2,7 @@
Name: secpaver
Summary: Security policy development tool
Version: 1.0.2
Release: 12
Release: 13
License: MulanPSL-2.0
URL: https://gitee.com/openeuler/secpaver
Source: https://gitee.com/openeuler/secpaver/repository/archive/%{name}-%{version}.tar.gz
@ -15,7 +15,7 @@ Patch0002: set-default-log-path.patch
Patch0003: support-clang-build.patch
Patch0004: fix-go-build-ref-cldflags.patch
Patch0005: remove-unused-socket.patch
Patch0006: Add-example-of-how-to-import-digest-list-when-using-.patch
%ifarch riscv64 loongarch64
Patch1000: 1000-fix-build-on-riscv64.patch
%endif
@ -47,12 +47,22 @@ Provides: %{name}-plugin = %{version}-%{release}
SELinux plugin for secPaver.
%prep
%autosetup -n %{name}-%{version} -p1
%setup -n %{name}-%{version}
%ifarch loongarch64
rm -rf vendor/golang.org/x/sys
tar -xf %{SOURCE1} -C vendor/golang.org/x/
%endif
unzip %{SOURCE2}
%patch0001 -p1
%patch0002 -p1
%patch0003 -p1
%patch0004 -p1
%patch0005 -p1
%patch0006 -p1
%ifarch riscv64 loongarch64
%patch1000 -p1
%endif
%build
%make_build everything
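Review bot: replacing `%autosetup -n %{name}-%{version} -p1` with `%setup` plus six explicit `%patch000N -p1` lines is an unrelated change to how the package is prepared, and nothing in the commit message or changelog mentions it; either keep `%autosetup -p1` (Patch0006 is then applied automatically, no new `%patch` line needed) or state in the changelog why the switch to manual patch application is needed. If the manual form is kept, note that the `%patchN` spelling is deprecated in recent rpm releases in favour of `%patch -P N`, so `%patch0006 -p1` would become `%patch -P 0006 -p1`.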
@ -107,6 +117,9 @@ make test
%systemd_postun_with_restart pavd.service
%changelog
* Thu Nov 28 2024 jinlun <xuce10@h-partners.com> - 1.0.2-13
- Add example of how to import digest list when using IMA appraise
* Mon Nov 25 2024 jinlun <jinlun@huawei.com> - 1.0.2-12
- add sec_conf feature
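Review bot: the new changelog entry attributes the change to `jinlun <xuce10@h-partners.com>`, mixing the previous entry's name with the patch author's address; the patch itself is signed `xuce <xuce10@h-partners.com>`, so the entry should use a matching name and email.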