1#!/bin/sh
2#
3# Loads IMA policy into the kernel.
4
5force_ima=@@FORCE_IMA@@
6
7ima_enabled() {
8    if [ "$force_ima" = "true" ]; then
9        return 0
10    elif [ "$bootparam_no_ima" = "true" ]; then
11        return 1
12    else
13        return 0
14    fi
15}
16
17ima_run() {
18    info "Initializing IMA (can be skipped with no_ima boot parameter)."
19    if ! grep -w securityfs /proc/mounts >/dev/null; then
20        if ! mount -t securityfs securityfs /sys/kernel/security; then
21            fatal "Could not mount securityfs."
22        fi
23    fi
24    if [ ! -d /sys/kernel/security/ima ]; then
25        fatal "No /sys/kernel/security/ima. Cannot proceed without IMA enabled in the kernel."
26    fi
27
28    # Instead of depending on the kernel to load the IMA X.509 certificate,
29    # use keyctl. This avoids a bug in certain kernels (https://lkml.org/lkml/2015/9/10/492)
30    # where the loaded key was not checked sufficiently. We use keyctl here because it is
31    # slightly smaller than evmctl and is needed anyway.
32    # (see http://sourceforge.net/p/linux-ima/ima-evm-utils/ci/v0.9/tree/README#l349).
33    for kind in ima evm; do
34        key=/etc/keys/x509_$kind.der
35        if [ -s $key ]; then
36            id=$(grep -w -e "\.$kind" /proc/keys | cut -d ' ' -f1 | head -n 1)
37            if [ "$id" ]; then
38                id=$(printf "%d" 0x$id)
39            fi
40            if [ -z "$id" ]; then
41                id=`keyctl search @u keyring _$kind 2>/dev/null`
42                if [ -z "$id" ]; then
43	            id=`keyctl newring _$kind @u`
44                fi
45            fi
46            info "Loading $key into $kind keyring $id"
47            keyctl padd asymmetric "" $id <$key
48        fi
49    done
50
51    # In theory, a simple "cat" should be enough. In practice, loading sometimes fails randomly
52    # ("[Linux-ima-user] IMA policy loading via cat") and we get better error reporting when
53    # checking the write of each line. To minimize the risk of policy loading going wrong we
54    # also remove comments and blank lines ourselves.
55    if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) </etc/ima/ima-policy >/sys/kernel/security/ima/policy; then
56        fatal "Could not load IMA policy."
57    fi
58}
59