Add example of how to import digest list when using IMA appraise

2024-11-29 10:14:38 +08:00 · 2024-11-29 10:14:38 +08:00 · 4b9f7a0446
commit 4b9f7a0446
parent f6a529361b
2 changed files with 51 additions and 3 deletions
--- a/Add-example-of-how-to-import-digest-list-when-using-.patch
+++ b/Add-example-of-how-to-import-digest-list-when-using-.patch
@ -0,0 +1,35 @@
 From ce23f01656f6abbed6c663c2f8d023a23d950180 Mon Sep 17 00:00:00 2001
 From: xuce <xuce10@h-partners.com>
 Date: Thu, 28 Nov 2024 21:36:23 +0800
 Subject: [PATCH] Add example of how to import digest list when using IMA
 appraise
 Signed-off-by: xuce <xuce10@h-partners.com>
 ---
 secpaver-secconf-1.0.0/secconf/gen/gen_ima | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
 diff --git a/secpaver-secconf-1.0.0/secconf/gen/gen_ima b/secpaver-secconf-1.0.0/secconf/gen/gen_ima
 index 6436c78..a657614 100644
 --- a/secpaver-secconf-1.0.0/secconf/gen/gen_ima
 +++ b/secpaver-secconf-1.0.0/secconf/gen/gen_ima
@@ -155,7 +155,15 @@ fi
 if [[ ${#common_list[@]} -gt 0 || ${#appraise_list[@]} -gt 0 ]]; then
     echo "appraise func=DIGEST_LIST_CHECK appraise_type=imasig|modsig" >> $tmp_policy
 -    echo "IMA appraise has been successfully enabled!"
 +    echo "IMA appraise has been successfully enabled! If you want to run some executable file which appraised by IMA, you need to 
 +1)generate digest list by gen_digest_lists
 +2)sign it with evmctl
 +3)import it to /sys/kernel/security/digest_list_data. Correspondingly, if you don't want it to be executed, import it to /sys/kernel/security/digest_list_data_d
 +el.
 +Here is an example:
 +1)gen_digest_lists -t metadata -f compact -i l:policy -o add -p -1  -m immutable -i I:/usr/bin/ls -d ./
 +2)evmctl ima_sign --key /path/to/ima.key -a sha256 <DIGEST_LIST_PATH>
 +3)echo <DIGEST_LIST_PATH> > /sys/kernel/security/ima/digest_list_data"
 fi
 if [[ ${#common_list[@]} -gt 0 || ${#measure_list[@]} -gt 0 ]]; then
 -- 
 2.33.0
--- a/secpaver.spec
+++ b/secpaver.spec
@ -2,7 +2,7 @@
 Name: secpaver
 Summary: Security policy development tool
 Version: 1.0.2
-Release: 12
+Release: 13
 License: MulanPSL-2.0
 URL: https://gitee.com/openeuler/secpaver
 Source: https://gitee.com/openeuler/secpaver/repository/archive/%{name}-%{version}.tar.gz
@ -15,7 +15,7 @@ Patch0002: set-default-log-path.patch
 Patch0003: support-clang-build.patch
 Patch0004: fix-go-build-ref-cldflags.patch
 Patch0005: remove-unused-socket.patch
-
+Patch0006: Add-example-of-how-to-import-digest-list-when-using-.patch
 %ifarch riscv64 loongarch64
 Patch1000: 1000-fix-build-on-riscv64.patch
 %endif
@ -47,12 +47,22 @@ Provides: %{name}-plugin = %{version}-%{release}
 SELinux plugin for secPaver.
 %prep
-%autosetup -n %{name}-%{version} -p1
+%setup -n %{name}-%{version}
 %ifarch loongarch64
 rm -rf vendor/golang.org/x/sys
 tar -xf %{SOURCE1} -C vendor/golang.org/x/
 %endif
 unzip %{SOURCE2}
 %patch0001 -p1
 %patch0002 -p1
 %patch0003 -p1
 %patch0004 -p1
 %patch0005 -p1
 %patch0006 -p1
 %ifarch riscv64 loongarch64
 %patch1000 -p1
 %endif
 %build
 %make_build everything
@ -107,6 +117,9 @@ make test
 %systemd_postun_with_restart pavd.service
 %changelog
 * Thu Nov 28 2024 jinlun <xuce10@h-partners.com> - 1.0.2-13
 - Add example of how to import digest list when using IMA appraise
 * Mon Nov 25 2024 jinlun <jinlun@huawei.com> - 1.0.2-12
 - add sec_conf feature