From ce23f01656f6abbed6c663c2f8d023a23d950180 Mon Sep 17 00:00:00 2001
From: xuce <xuce10@h-partners.com>
Date: Thu, 28 Nov 2024 21:36:23 +0800
Subject: [PATCH] Add example of how to import digest list when using IMA
appraise
Signed-off-by: xuce <xuce10@h-partners.com>
---
secpaver-secconf-1.0.0/secconf/gen/gen_ima | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/secpaver-secconf-1.0.0/secconf/gen/gen_ima b/secpaver-secconf-1.0.0/secconf/gen/gen_ima
|
|
index 6436c78..a657614 100644
|
|
--- a/secpaver-secconf-1.0.0/secconf/gen/gen_ima
|
|
+++ b/secpaver-secconf-1.0.0/secconf/gen/gen_ima
|
|
@@ -155,7 +155,15 @@ fi
|
|
|
|
if [[ ${#common_list[@]} -gt 0 || ${#appraise_list[@]} -gt 0 ]]; then
|
|
echo "appraise func=DIGEST_LIST_CHECK appraise_type=imasig|modsig" >> $tmp_policy
|
|
- echo "IMA appraise has been successfully enabled!"
|
|
+ echo "IMA appraise has been successfully enabled! If you want to run some executable file which appraised by IMA, you need to
|
|
+1)generate digest list by gen_digest_lists
|
|
+2)sign it with evmctl
|
|
+3)import it to /sys/kernel/security/digest_list_data. Correspondingly, if you don't want it to be executed, import it to /sys/kernel/security/digest_list_data_d
|
|
+el.
|
|
+Here is an example:
|
|
+1)gen_digest_lists -t metadata -f compact -i l:policy -o add -p -1 -m immutable -i I:/usr/bin/ls -d ./
|
|
+2)evmctl ima_sign --key /path/to/ima.key -a sha256 <DIGEST_LIST_PATH>
|
|
+3)echo <DIGEST_LIST_PATH> > /sys/kernel/security/ima/digest_list_data"
|
|
fi
|
|
|
|
if [[ ${#common_list[@]} -gt 0 || ${#measure_list[@]} -gt 0 ]]; then
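Review bot: The literal line break between `digest_list_data_d` and `el.` inside the added echo string splits the path `/sys/kernel/security/digest_list_data_del` across two output lines, so the printed instructions name a path that does not exist as written; join the two added lines so `…digest_list_data_del.` is printed on one line. The same message also disagrees with itself about the securityfs location: step 3 of the prose says `/sys/kernel/security/digest_list_data`, while the example writes to `/sys/kernel/security/ima/digest_list_data` — pick the path the kernel actually exposes (the `ima/` form, as far as I know; please confirm against the target kernel) and use it in both the prose and the example. For a message this long a quoted here-doc (`cat <<'EOF' … EOF`) would be easier to maintain than a multi-line double-quoted echo, and would make the `<DIGEST_LIST_PATH>` placeholders obviously literal rather than looking like redirections. The surrounding script continues outside the hunk.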
|
|
--
2.33.0