From 4b9f7a044646dacff5fca3f6d4509a67ed37f409 Mon Sep 17 00:00:00 2001
From: xuce
Date: Fri, 29 Nov 2024 10:14:38 +0800
Subject: [PATCH] Add example of how to import digest list when using IMA appraise
---
 ...ow-to-import-digest-list-when-using-.patch | 35 +++++++++++++++++++
 secpaver.spec | 19 ++++++++--
 2 files changed, 51 insertions(+), 3 deletions(-)
 create mode 100644 Add-example-of-how-to-import-digest-list-when-using-.patch
diff --git a/Add-example-of-how-to-import-digest-list-when-using-.patch b/Add-example-of-how-to-import-digest-list-when-using-.patch
new file mode 100644
index 0000000..3488130
--- /dev/null
+++ b/Add-example-of-how-to-import-digest-list-when-using-.patch
@@ -0,0 +1,35 @@
+From ce23f01656f6abbed6c663c2f8d023a23d950180 Mon Sep 17 00:00:00 2001
+From: xuce
+Date: Thu, 28 Nov 2024 21:36:23 +0800
+Subject: [PATCH] Add example of how to import digest list when using IMA
+ appraise
+
+Signed-off-by: xuce
+---
+ secpaver-secconf-1.0.0/secconf/gen/gen_ima | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/secpaver-secconf-1.0.0/secconf/gen/gen_ima b/secpaver-secconf-1.0.0/secconf/gen/gen_ima
+index 6436c78..a657614 100644
+--- a/secpaver-secconf-1.0.0/secconf/gen/gen_ima
++++ b/secpaver-secconf-1.0.0/secconf/gen/gen_ima
+@@ -155,7 +155,15 @@ fi
+ 
+ if [[ ${#common_list[@]} -gt 0 || ${#appraise_list[@]} -gt 0 ]]; then
+ echo "appraise func=DIGEST_LIST_CHECK appraise_type=imasig|modsig" >> $tmp_policy
+- echo "IMA appraise has been successfully enabled!"
++ echo "IMA appraise has been successfully enabled! If you want to run some executable file which appraised by IMA, you need to
++1)generate digest list by gen_digest_lists
++2)sign it with evmctl
++3)import it to /sys/kernel/security/digest_list_data. Correspondingly, if you don't want it to be executed, import it to /sys/kernel/security/digest_list_data_d
++el.
++Here is an example:
++1)gen_digest_lists -t metadata -f compact -i l:policy -o add -p -1 -m immutable -i I:/usr/bin/ls -d ./
++2)evmctl ima_sign --key /path/to/ima.key -a sha256
++3)echo > /sys/kernel/security/ima/digest_list_data"
+ fi
+ 
+ if [[ ${#common_list[@]} -gt 0 || ${#measure_list[@]} -gt 0 ]]; then
+-- 
+2.33.0
+ 
diff --git a/secpaver.spec b/secpaver.spec
index 9ddc867..04975ad 100755
--- a/secpaver.spec
+++ b/secpaver.spec
@@ -2,7 +2,7 @@
 Name: secpaver
 Summary: Security policy development tool
 Version: 1.0.2
-Release: 12
+Release: 13
 License: MulanPSL-2.0
 URL: https://gitee.com/openeuler/secpaver
 Source: https://gitee.com/openeuler/secpaver/repository/archive/%{name}-%{version}.tar.gz
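Review bot: The new multi-line echo added to gen_ima contradicts itself: the prose of step 3 tells the user to write to `/sys/kernel/security/digest_list_data` (and `digest_list_data_del`), while the worked example on the last line writes to `/sys/kernel/security/ima/digest_list_data`; I cannot tell from this page which path the kernel actually exposes, but the same one should appear in both places, since a user following the wrong one will get a confusing ENOENT rather than a loaded digest list. The example `3)echo > /sys/kernel/security/ima/digest_list_data` also has no operand, so as written it writes only a newline instead of the digest-list path, and `2)evmctl ima_sign --key /path/to/ima.key -a sha256` appears to lack the file to sign; completing them as `2)evmctl ima_sign --key /path/to/ima.key -a sha256 /path/to/digest_list` and `3)echo /path/to/digest_list > /sys/kernel/security/ima/digest_list_data"` (placeholder paths, in the style of the existing `/path/to/ima.key`) would make the steps actually runnable. The line break inside the string splits the word `digest_list_data_d`/`el.` across two printed lines, so the break should move to a word boundary, and "executable file which appraised by IMA" wants "which is appraised". The `if … fi` block is complete within the nested hunk; the rest of gen_ima is outside this patch.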
@@ -15,7 +15,7 @@ Patch0002: set-default-log-path.patch
 Patch0003: support-clang-build.patch
 Patch0004: fix-go-build-ref-cldflags.patch
 Patch0005: remove-unused-socket.patch
-
+Patch0006: Add-example-of-how-to-import-digest-list-when-using-.patch
 %ifarch riscv64 loongarch64
 Patch1000: 1000-fix-build-on-riscv64.patch
 %endif
@@ -47,12 +47,22 @@ Provides: %{name}-plugin = %{version}-%{release}
 SELinux plugin for secPaver.
 %prep
-%autosetup -n %{name}-%{version} -p1
+%setup -n %{name}-%{version}
 %ifarch loongarch64
 rm -rf vendor/golang.org/x/sys
 tar -xf %{SOURCE1} -C vendor/golang.org/x/
 %endif
 unzip %{SOURCE2}
+%patch0001 -p1
+%patch0002 -p1
+%patch0003 -p1
+%patch0004 -p1
+%patch0005 -p1
+%patch0006 -p1
+%ifarch riscv64 loongarch64
+%patch1000 -p1
+%endif
+
 %build
 %make_build everything
@@ -107,6 +117,9 @@ make test
 %systemd_postun_with_restart pavd.service
 %changelog
+* Thu Nov 28 2024 jinlun - 1.0.2-13
+- Add example of how to import digest list when using IMA appraise
+
 * Mon Nov 25 2024 jinlun - 1.0.2-12
 - add sec_conf feature
-- Gitee
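Review bot: The %prep hunk replaces `%autosetup -n %{name}-%{version} -p1` with `%setup` plus an explicit `%patch0001 -p1` … `%patch0006 -p1` list, but nothing in the spec records why; the apparent reason is that Patch0006 modifies `secpaver-secconf-1.0.0/secconf/gen/gen_ima`, which presumably only exists after `unzip %{SOURCE2}`, so it cannot be applied by %autosetup before the unzip. A comment above the new list, `# patches are applied after unzip because Patch0006 targets files extracted from SOURCE2`, would stop the next maintainer from reverting to %autosetup, and would remind them that every new PatchN now needs both a declaration (the @@ -15 hunk) and a %patch line here, with nothing checking that the two lists agree. Newer rpm releases deprecate the numbered `%patchN` form in favour of `%patch -P N`, so if the target rpm is recent that spelling is safer. Note also that `%setup` without `-q` prints the full archive listing in the build log, which `%autosetup` (quiet unless `-v`) did not.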