From dc3260fb393cdf1163fc8b8b3e3532ead800a686 Mon Sep 17 00:00:00 2001
|
|
From: xucee <xuce10@h-partners.com>
|
|
Date: Thu, 28 Nov 2024 21:01:12 +0800
|
|
Subject: Add an example of how to import a digest list when using IMA
|
|
appraise
|
|
|
|
---
|
|
secconf/gen/gen_ima | 9 ++++++++-
|
|
1 file changed, 8 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/secconf/gen/gen_ima b/secconf/gen/gen_ima
|
|
index 6436c78..0657cdf 100644
|
|
--- a/secconf/gen/gen_ima
|
|
+++ b/secconf/gen/gen_ima
|
|
@@ -155,7 +155,14 @@ fi
|
|
|
|
if [[ ${#common_list[@]} -gt 0 || ${#appraise_list[@]} -gt 0 ]]; then
|
|
echo "appraise func=DIGEST_LIST_CHECK appraise_type=imasig|modsig" >> $tmp_policy
|
|
- echo "IMA appraise has been successfully enabled!"
|
|
+ echo "IMA appraise has been successfully enabled! If you want to run some executable file which appraised by IMA, you need to
|
|
+1)generate digest list by gen_digest_lists
|
|
+2)sign it with evmctl
|
|
+3)import it to /sys/kernel/security/digest_list_data. Correspondingly, if you don't want it to be executed, import it to /sys/kernel/security/digest_list_data_del.
|
|
+Here is an example:
|
|
+1)gen_digest_lists -t metadata -f compact -i l:policy -o add -p -1 -m immutable -i I:/usr/bin/ls -d ./
|
|
+2)evmctl ima_sign --key /path/to/ima.key -a sha256 <DIGEST_LIST_PATH>
|
|
+3)echo <DIGEST_LIST_PATH> > /sys/kernel/security/ima/digest_list_data"
|
|
fi
|
|
|
|
if [[ ${#common_list[@]} -gt 0 || ${#measure_list[@]} -gt 0 ]]; then
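Review bot: The numbered instructions and the worked example disagree on the securityfs path: step 3 of the list tells the user to write to `/sys/kernel/security/digest_list_data` (and `digest_list_data_del` for removal), while example step 3 writes to `/sys/kernel/security/ima/digest_list_data`; only one of these can be the interface the kernel actually exposes, and a user who follows the wrong one gets a confusing ENOENT instead of a working appraisal setup, so pick the correct path (I cannot tell which from the hunk alone — check the securityfs layout of the target kernel) and fix the other string, e.g. `+3)import it to /sys/kernel/security/ima/digest_list_data. Correspondingly, if you don't want it to be executed, import it to /sys/kernel/security/ima/digest_list_data_del.` if the example is the right one. Because this is user-facing security guidance, the message should also say that the key given to `evmctl ima_sign --key` must be the private half of the key whose public part is trusted by the IMA keyring, otherwise the imported list will itself fail the `appraise_type=imasig|modsig` rule written on the line above — that consequence is inferred from the policy line, so confirm the wording against the kernel's digest-list documentation. The English needs a pass as well ("some executable file which appraised by IMA" → "an executable file that is appraised by IMA"). Stylistically, a seven-line message inside one double-quoted `echo` is fragile to edit; a quoted heredoc (`cat <<'EOF' … EOF`) keeps the text literal and sidesteps `echo`'s option/backslash handling. The enclosing `if` block is complete within the hunk.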
|
|
--
|
|
2.33.0
|
|
|