From 648ff1277255620e257ea6757d67deb00076329a Mon Sep 17 00:00:00 2001
From: xuce
Date: Thu, 5 Dec 2024 20:21:50 +0800
Subject: [PATCH] fix some bugs and extend the ima_check to check gen_ima
---
 extend-the-ima_check-to-check-gen_ima.patch | 266 +++++++++++++
 fix-some-bugs.patch | 348 ++++++++++++++++++
 ...nux-type-when-perform-new-configurat.patch | 2 +-
 secpaver.spec | 11 +-
 4 files changed, 624 insertions(+), 3 deletions(-)
 create mode 100644 extend-the-ima_check-to-check-gen_ima.patch
 create mode 100644 fix-some-bugs.patch
diff --git a/extend-the-ima_check-to-check-gen_ima.patch b/extend-the-ima_check-to-check-gen_ima.patch
new file mode 100644
index 0000000..2abb999
--- /dev/null
+++ b/extend-the-ima_check-to-check-gen_ima.patch
@@ -0,0 +1,266 @@
+From f8c9d50ea39ef01eb7452371d18784f08f95f167 Mon Sep 17 00:00:00 2001
+From: xuce
+Date: Thu, 5 Dec 2024 20:18:29 +0800
+Subject: [PATCH] extend the check_ima to check gen_ima
+
+Signed-off-by: xuce
+---
+ .../secconf/check/check_ima | 181 +++++++++++++++++-
+ secpaver-secconf-1.0.0/secconf/gen/gen_ima | 10 +-
+ .../secconf/gen/gen_secure_boot | 2 +-
+ 3 files changed, 184 insertions(+), 9 deletions(-)
+
+diff --git a/secpaver-secconf-1.0.0/secconf/check/check_ima b/secpaver-secconf-1.0.0/secconf/check/check_ima
+index cb5de0d..613d75e 100644
+--- a/secpaver-secconf-1.0.0/secconf/check/check_ima
++++ b/secpaver-secconf-1.0.0/secconf/check/check_ima
+@@ -1,9 +1,7 @@
+ ima_comm()
+ {
+ {{with .IMA}}
+-{{ if and (eq (len .MeasureList) 0) (eq (len .AppraiseList) 0) }}
+-echo "IMA is not enabled!"
+-{{else}}
++
+ if [ ! -d /etc/ima/ ]; then
+ echo "The /etc/ima/ directory does not exist. Please confirm whether IMA is supported."
+ return 1
+@@ -12,7 +10,184 @@ if [[ "$(getenforce)" == "Disabled" ]]; then
+ echo "IMA requires selinux to protect specific files. Please make sure selinux is enabled!"
+ return 1 + fi ++ ++measure_list=() ++appraise_list=() ++common_list=() ++ ++{{range .AppraiseList}} ++appraise_list+=({{.}}) + {{end}} ++ ++{{range .MeasureList}} ++measure_list+=({{.}}) ++{{end}} ++ ++if [ -d /sys/firmware/efi ]; then ++ grub_path=/boot/efi/EFI/openeuler/grub.cfg ++else ++ grub_path=/boot/grub2/grub.cfg ++fi ++ ++appraise_param=("ima_appraise=enforce" "ima_appraise_digest_list=digest-nometadata") ++measure_param=("ima_digest_list_pcr=11" "ima_template=ima-ng") ++measure_type=ima_measure_bprm_t ++appraise_type=ima_appraise_bprm_t ++all_type=ima_all_bprm_t ++needReboot=false ++needConfigure=false ++ ++check_exist_kernel_param() ++{ ++ for param in "${@}"; do ++ cmdline_contains_param=$(grep -q "${param}" /proc/cmdline && echo "true" || echo "false") ++ grub_contains_param=$(grep "/vmlinuz-$(uname -r)" "${grub_path}" | grep -q "${param}" && echo "true" || echo "false") ++ if [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "false" ]]; then ++ needReboot=true ++ needConfigure=true ++ elif [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "false" ]]; then ++ needConfigure=true ++ elif [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "true" ]]; then ++ needReboot=true ++ fi ++ done ++} ++ ++check_absent_kernel_param() ++{ ++ for param in "${@}"; do ++ cmdline_contains_param=$(grep -q "${param}" /proc/cmdline && echo "true" || echo "false") ++ grub_contains_param=$(grep "/vmlinuz-$(uname -r)" "${grub_path}" | grep -q "${param}" && echo "true" || echo "false") ++ if [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "true" ]]; then ++ needReboot=true ++ needConfigure=true ++ elif [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "false" ]]; then ++ needReboot=true ++ elif [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "true" ]]; then ++ needConfigure=true ++ fi ++ done ++} ++ ++if [[ ${#appraise_list[@]} -eq 0 && ${#measure_list[@]} -eq 0 
]]; then ++ check_absent_kernel_param "${appraise_param[@]}" ++ check_absent_kernel_param "${measure_param[@]}" ++elif [[ ${#appraise_list[@]} -gt 0 && ${#measure_list[@]} -gt 0 ]]; then ++ check_exist_kernel_param "${appraise_param[@]}" ++ check_exist_kernel_param "${measure_param[@]}" ++elif [[ ${#appraise_list[@]} -gt 0 ]]; then ++ check_absent_kernel_param "${measure_param[@]}" ++ check_exist_kernel_param "${appraise_param[@]}" ++else ++ check_absent_kernel_param "${appraise_param[@]}" ++ check_exist_kernel_param "${measure_param[@]}" ++fi ++ ++if [[ "$needReboot" == "true" && "$needConfigure" == "true" ]]; then ++ echo "The current IMA related startup parameters are not configured correctly. Please execute the configuration script and then restart to take effect." ++ return 0 ++elif [[ "$needReboot" == "true" && "$needConfigure" == "false" ]]; then ++ echo "The current IMA related startup parameters have been successfully configured. It needs to restart to take effect." ++ return 0 ++elif [[ "$needReboot" == "false" && "$needConfigure" == "true" ]]; then ++ echo "The current IMA related start up parameters are valid. But they will become invalid after restarting. It needs to execute configuration script to configure." ++else ++ echo "The current IMA related start up parameters are valid and configured correctly!" ++fi ++ ++if [[ ${#appraise_list[@]} -eq 0 && ${#measure_list[@]} -eq 0 ]]; then ++ echo "IMA check completed!" 
++ return 0 ++fi ++ ++needSetSelinuxType=false ++check_selinux_type() ++{ ++ SELINUX_LABEL=$(ls -Z "$2" | awk '{print $1}' | awk -F: '{print $3}') ++ if [[ $SELINUX_LABEL != "$1" ]]; then ++ needSetSelinuxType=true ++ fi ++} ++ ++unique() { ++ echo "$@" | tr ' ' '\n' | sort -u | tr '\n' ' ' ++} ++ ++common_elements() { ++ comm -12 <(printf "%s\n" $1 | sort) <(printf "%s\n" $2 | sort) ++} ++ ++remove_common() { ++ grep -Fvxf <(printf "%s\n" $2) <(printf "%s\n" $1) ++} ++ ++unique_appraise_list=($(unique "${appraise_list[@]}")) ++unique_measure_list=($(unique "${measure_list[@]}")) ++common_list=($(common_elements "${unique_appraise_list[*]}" "${unique_measure_list[*]}")) ++appraise_list=($(remove_common "${unique_appraise_list[*]}" "${common_list[*]}")) ++measure_list=($(remove_common "${unique_measure_list[*]}" "${common_list[*]}")) ++ ++ ++for measure_file in "${measure_list[@]}"; do ++ check_selinux_type $measure_type $measure_file ++done ++ ++for appraise_file in "${appraise_list[@]}"; do ++ check_selinux_type $appraise_type $appraise_file ++done ++ ++for common_file in "${common_list[@]}"; do ++ check_selinux_type $all_type $common_file ++done ++ ++if [[ $needSetSelinuxType == "true" ]]; then ++ echo "The selinux type of the target files is not configured correctly. Please execute the configuration script to set it." ++ return 0 ++else ++ echo "The selinux type of the target files is configured correctly!" ++fi ++ ++ima_policy=/sys/kernel/security/ima/policy ++ ++if [ -z "$(cat $ima_policy)" ]; then ++ echo "IMA policy is not configured. Please execute the configuration script to configure it." ++ return 0 ++fi ++ ++needConfigurePolicy=false ++check_ima_policy(){ ++ if ! 
grep -Fxq "$1" "$ima_policy"; then ++ needConfigurePolicy=true ++ fi ++} ++ ++if [[ ${#common_list[@]} -gt 0 || ${#appraise_list[@]} -gt 0 ]]; then ++ check_ima_policy "appraise func=DIGEST_LIST_CHECK appraise_type=imasig|modsig" ++fi ++if [[ ${#common_list[@]} -gt 0 || ${#measure_list[@]} -gt 0 ]]; then ++ check_ima_policy "measure func=DIGEST_LIST_CHECK" ++fi ++ ++if [[ ${#common_list[@]} -gt 0 ]]; then ++ check_ima_policy "appraise func=BPRM_CHECK obj_type=${all_type}" ++ check_ima_policy "measure func=BPRM_CHECK obj_type=${all_type}" ++fi ++ ++if [[ ${#measure_list[@]} -gt 0 ]]; then ++ check_ima_policy "measure func=BPRM_CHECK obj_type=${measure_type}" ++fi ++ ++if [[ ${#appraise_list[@]} -gt 0 ]]; then ++ check_ima_policy "appraise func=BPRM_CHECK obj_type=${appraise_type}" ++fi ++ ++if [[ "needConfigurePolicy" == "true" ]]; then ++ echo "IMA policy is not configured correctly! Please restart and execute the configuration script to configure it." ++ return 0 ++else ++ echo "IMA policy are configured correctly! IMA has been successfully enabled!" ++fi ++ + echo "IMA check completed!" 
+ {{end}} + } +diff --git a/secpaver-secconf-1.0.0/secconf/gen/gen_ima b/secpaver-secconf-1.0.0/secconf/gen/gen_ima +index d40dce6..87d51bc 100644 +--- a/secpaver-secconf-1.0.0/secconf/gen/gen_ima ++++ b/secpaver-secconf-1.0.0/secconf/gen/gen_ima +@@ -32,7 +32,7 @@ rm_kernel_param() + { + for param in "${@}"; do + cmdline_contains_param=$(grep -q "${param}" /proc/cmdline && echo "true" || echo "false") +- grub_contains_param=$(grep -q "${param}" "${grub_path}" && echo "true" || echo "false") ++ grub_contains_param=$(grep "/vmlinuz-$(uname -r)" "${grub_path}" | grep -q "${param}" && echo "true" || echo "false") + if [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "true" ]]; then + sed -i "s/ \<${param}\>//g" ${grub_path} + needReboot=true +@@ -48,12 +48,12 @@ set_kernel_param() + { + for param in "${@}"; do + cmdline_contains_param=$(grep -q "${param}" /proc/cmdline && echo "true" || echo "false") +- grub_contains_param=$(grep -q "${param}" "${grub_path}" && echo "true" || echo "false") ++ grub_contains_param=$(grep "/vmlinuz-$(uname -r)" "${grub_path}" | grep -q "${param}" && echo "true" || echo "false") + if [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "false" ]]; then +- sed -i "/vmlinuz/ s/$/ ${param}/" "${grub_path}" ++ sed -i "/vmlinuz-$(uname -r)/ s/$/ ${param}/" "${grub_path}" + needReboot=true + elif [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "false" ]]; then +- sed -i "/vmlinuz/ s/$/ ${param}/" "${grub_path}" ++ sed -i "/vmlinuz-$(uname -r)/ s/$/ ${param}/" "${grub_path}" + elif [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "true" ]]; then + needReboot=true + fi +@@ -109,7 +109,7 @@ else + fi + + if [[ $needReboot == "true" ]]; then +- echo "IMA startup parameters have been configured! It will take effect by rebooting" ++ echo "IMA startup parameters have been configured! It will take effect by rebooting." 
+ return 0 + fi + +diff --git a/secpaver-secconf-1.0.0/secconf/gen/gen_secure_boot b/secpaver-secconf-1.0.0/secconf/gen/gen_secure_boot +index 4decd48..5b338f5 100644 +--- a/secpaver-secconf-1.0.0/secconf/gen/gen_secure_boot ++++ b/secpaver-secconf-1.0.0/secconf/gen/gen_secure_boot +@@ -39,7 +39,7 @@ secure_boot_comm() + get_usr_input "Whether to enable the secure boot anti-rollback?【Y/N】" + if [ $? -eq 1 ]; then + mokutil --set-sbat-policy latest +- echo "The anti-rollback function has been set and will take effect after restarting." ++ echo "The anti-rollback function has been enabled and will take effect after enabling the secure boot." + fi + {{ else }} + get_usr_input "Whether to disable the secure boot anti-rollback【Y/N】" +-- +2.33.0 + diff --git a/fix-some-bugs.patch b/fix-some-bugs.patch new file mode 100644 index 0000000..0bdb286 --- /dev/null +++ b/fix-some-bugs.patch 
@@ -0,0 +1,348 @@ +From 6a718ad84811fe43a69f7aaf546db6dd077998f2 Mon Sep 17 00:00:00 2001 +From: xuce +Date: Mon, 9 Dec 2024 20:47:05 +0800 +Subject: [PATCH] fix some bugs + +Signed-off-by: xuce +--- + .../secconf/check/check_dim | 8 +- + .../secconf/check/check_secure_boot | 36 ++++++-- + secpaver-secconf-1.0.0/secconf/dim.go | 6 +- + secpaver-secconf-1.0.0/secconf/gen/gen_dim | 19 +++-- + secpaver-secconf-1.0.0/secconf/gen/gen_ima | 4 +- + .../secconf/gen/gen_secure_boot | 10 +-- + secpaver-secconf-1.0.0/secconf/gen_comm.sh | 85 +++++++++++-------- + 7 files changed, 107 insertions(+), 61 deletions(-) + +diff --git a/secpaver-secconf-1.0.0/secconf/check/check_dim b/secpaver-secconf-1.0.0/secconf/check/check_dim +index 3c392fa..bfad32d 100644 +--- a/secpaver-secconf-1.0.0/secconf/check/check_dim ++++ b/secpaver-secconf-1.0.0/secconf/check/check_dim +@@ -23,6 +23,10 @@ dim_comm() + return 1 + fi + elif [ "{{.}}" == "kernel" ]; then ++ if [ ! -f /etc/dim/digest_list/kernel.hash ]; then ++ echo "Error! The policy file doesn't match the configuration file!" ++ return 1 ++ fi + grep "measure obj=KERNEL_TEXT" /etc/dim/policy &> /dev/null + if [ $? -ne 0 ]; then + echo "Error! The policy file doesn't match the configuration file!" +@@ -55,9 +59,9 @@ dim_comm() + echo "Environment doesn't support tpm, measure_pcr configuration is invalid!" + fi + {{end}}{{ if .Signature }} +- get_usr_input "openssl is about to installed?【Y/N】" ++ check_rpm_package openssl + if [ $? -eq 1 ]; then +- yum install -y openssl || exit 1 ++ return 1 + fi + echo "Checking whether the certificate is configured..." 
+ if [ -f /etc/keys/x509_dim.der ]; then +diff --git a/secpaver-secconf-1.0.0/secconf/check/check_secure_boot b/secpaver-secconf-1.0.0/secconf/check/check_secure_boot +index 905c2e0..22d5590 100644 +--- a/secpaver-secconf-1.0.0/secconf/check/check_secure_boot ++++ b/secpaver-secconf-1.0.0/secconf/check/check_secure_boot +@@ -5,15 +5,15 @@ secure_boot_comm() + get_usr_input "The current system doesn't support secure boot!" + return 1 + fi +- get_usr_input "Pesign is about to be installed?【Y/N】" ++ check_rpm_package pesign + if [ $? -eq 1 ]; then +- yum install -y pesign || exit 1 ++ return 1 + fi +- get_usr_input "Mokutil is about to be installed?【Y/N】" ++ check_rpm_package mokutil + if [ $? -eq 1 ]; then +- yum install -y mokutil || exit 1 ++ return 1 + fi +- if [ ! -f /boot/efi/EFI/secure_boot.der ]; then ++ if [ ! -s /boot/efi/EFI/secure_boot.der ]; then + get_usr_input "Secure Boot certificate of openeuler is about to be downloaded?【Y/N】" + if [ $? -eq 1 ]; then + wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate &> /dev/null +@@ -34,6 +34,32 @@ secure_boot_comm() + return 1 + fi + done ++ if [ -s /boot/vmlinuz-"$(uname -r)" ]; then ++ check_rpm_package gzip ++ if [ $? -eq 1 ]; then ++ return 1 ++ fi ++ if [ $(arch) == "aarch64" ]; then ++ cp -ar /boot/vmlinuz-"$(uname -r)" ./vmlinuz-"$(uname -r)".gz ++ gzip -df vmlinuz-"$(uname -r)".gz ++ if [ $? -ne 0 ]; then ++ echo "failed to gzip vmlinuz, stop check" ++ rm -f vmlinuz-"$(uname -r)".gz ++ return 1 ++ fi ++ else ++ cp -ar /boot/vmlinuz-"$(uname -r)" ./vmlinuz-"$(uname -r)" ++ fi ++ pesigcheck -i vmlinuz-"$(uname -r)" -n 0 -c /boot/efi/EFI/secure_boot.der ++ if [ $? -ne 0 ]; then ++ echo "$vmlinuz-"$(uname -r)" signature verification failed!" 
++ else ++ echo "The kernel of the current version has been verified" ++ fi ++ rm -f vmlinuz-"$(uname -r)" ++ else ++ echo "The vmlinuz was not found, please check the signature manually" ++ fi + + mokutil --db | grep "Issuer: CN=CA, OU=Infra, O=openEuler, L=ShenZhen, ST=GuangDong, C=CN" + if [ $? -ne 0 ]; then +diff --git a/secpaver-secconf-1.0.0/secconf/dim.go b/secpaver-secconf-1.0.0/secconf/dim.go +index 220abde..a37915b 100644 +--- a/secpaver-secconf-1.0.0/secconf/dim.go ++++ b/secpaver-secconf-1.0.0/secconf/dim.go +@@ -15,12 +15,12 @@ type Dim struct { + DimIsEnable bool `default:"false" yaml:"enable"` + MeasureList []string `yaml:"measure_list"` + BaselineIsEnable bool `default:"false" yaml:"auto_baseline"` +- MeasureLogCapacity uint64 `default:"100000" yaml:"log_cap"` ++ MeasureLogCapacity uint32 `default:"100000" yaml:"log_cap"` + MeasureHash string `default:"sha256" yaml:"hash"` + CorePcr uint16 `default:"0" yaml:"core_pcr"` + MonitorPcr uint16 `default:"0" yaml:"monitor_pcr"` +- MeasureSchedule uint64 `default:"0" yaml:"schedule"` +- MeasureInterval uint64 `default:"0" yaml:"interval"` ++ MeasureSchedule uint32 `default:"0" yaml:"schedule"` ++ MeasureInterval uint32 `default:"0" yaml:"interval"` + Signature bool `default:"false" yaml:"signature"` + } + +diff --git a/secpaver-secconf-1.0.0/secconf/gen/gen_dim b/secpaver-secconf-1.0.0/secconf/gen/gen_dim +index b310eaf..9174a92 100644 +--- a/secpaver-secconf-1.0.0/secconf/gen/gen_dim ++++ b/secpaver-secconf-1.0.0/secconf/gen/gen_dim +@@ -1,9 +1,9 @@ + dim_comm() + { + {{ with .Dim }}{{if .DimIsEnable}} +- get_usr_input "dim is about to install?【Y/N】" ++ check_rpm_package dim + if [ $? -eq 1 ]; then +- yum install -y dim || exit 1 ++ return 1 + fi + get_usr_input "New static baseline file and policy will be created at /etc/dim?【Y/N】" + if [ $? -eq 1 ]; then +@@ -19,14 +19,15 @@ dim_comm() + return 1 + fi + +- get_usr_input "dim_tools is about to install?【Y/N】" ++ check_rpm_package dim_tools + if [ $? 
-eq 1 ]; then +- yum install -y dim_tools || exit 1 ++ return 1 + fi ++ dimHash={{.MeasureHash}} + {{range .MeasureList}} + if [ -f "{{.}}" ] ; then + echo "Establishing static baseline:" {{.}} +- dim_gen_baseline {{.}} -o /etc/dim/digest_list/$(basename {{.}}).hash ++ dim_gen_baseline {{.}} -o /etc/dim/digest_list/$(basename {{.}}).hash -a $dimHash + if [ $? -ne 0 ]; then + echo "Error! Static baseline establishment failed" {{.}} + return 1 +@@ -34,7 +35,7 @@ dim_comm() + echo "measure obj=BPRM_TEXT path={{.}}" >> /etc/dim/policy + elif [ "{{.}}" == "kernel" ]; then + echo "measure obj=KERNEL_TEXT" >> /etc/dim/policy +- dim_gen_baseline -k "$(uname -r)" -o /etc/dim/digest_list/test.hash /boot/vmlinuz-6* ++ dim_gen_baseline -k "$(uname -r)" -o /etc/dim/digest_list/kernel.hash /boot/vmlinuz-6* -a $dimHash + if [ $? -ne 0 ]; then + echo "Kernel static baseline establishment failed" + return 1 +@@ -48,7 +49,7 @@ dim_comm() + xz -d -k $moduleFilePath + moduleFilePath=${moduleFilePath%.*} + fi +- dim_gen_baseline $moduleFilePath -o /etc/dim/digest_list/$module.hash ++ dim_gen_baseline $moduleFilePath -o /etc/dim/digest_list/$module.hash -a $dimHash + if [ $? -ne 0 ]; then + echo "Static baseline establishment failed" {{.}} + return 1 +@@ -73,9 +74,9 @@ dim_comm() + return 1 + fi + {{if .Signature}} +- get_usr_input "openssl is about to install?【Y/N】" ++ check_rpm_package openssl + if [ $? -eq 1 ]; then +- yum install -y openssl || exit 1 ++ return 1 + fi + get_usr_input "Generate keys and certificates automatically?【Y/N】" + if [ $? 
-eq 1 ]; then +diff --git a/secpaver-secconf-1.0.0/secconf/gen/gen_ima b/secpaver-secconf-1.0.0/secconf/gen/gen_ima +index a657614..4fe15bb 100644 +--- a/secpaver-secconf-1.0.0/secconf/gen/gen_ima ++++ b/secpaver-secconf-1.0.0/secconf/gen/gen_ima +@@ -16,9 +16,9 @@ measure_list+=({{.}}) + needReboot=false + packages=("ima-evm-utils" "digest-list-tools") + for pkg in "${packages[@]}"; do +- get_usr_input "${pkg} is about to installed?【Y/N】" ++ check_rpm_package ${pkg} + if [ $? -eq 1 ]; then +- yum install -y ${pkg} || exit 1 ++ return 1 + fi + done + +diff --git a/secpaver-secconf-1.0.0/secconf/gen/gen_secure_boot b/secpaver-secconf-1.0.0/secconf/gen/gen_secure_boot +index 4decd48..a1e0d36 100644 +--- a/secpaver-secconf-1.0.0/secconf/gen/gen_secure_boot ++++ b/secpaver-secconf-1.0.0/secconf/gen/gen_secure_boot +@@ -3,26 +3,26 @@ secure_boot_comm() + {{ with .SecureBoot }} + {{if .SecureBootIsEnable}} + if [ ! -d /sys/firmware/efi ]; then +- get_usr_input "Error! The current environment does not support secure boot." ++ get_usr_input "The current environment does not support secure boot." + return 1 + fi +- get_usr_input "mokutil is about to install?【Y/N】" ++ check_rpm_package mokutil + if [ $? -eq 1 ]; then +- yum install -y mokutil || exit 1 ++ return 1 + fi + mokutil --sb | grep enabled + if [ $? -ne 0 ]; then + mokutil --db | grep "Issuer: CN=CA, OU=Infra, O=openEuler, L=ShenZhen, ST=GuangDong, C=CN" + if [ $? -ne 0 ]; then + echo "Secure boot certificate is not saved in DB!" +- if [ -f /boot/efi/EFI/secure_boot.der ]; then ++ if [ -s /boot/efi/EFI/secure_boot.der ]; then + echo "The file already exists. Please restart and import the file to the BIOS." + else + get_usr_input "Download the openeuler secure boot certificate right now?【Y/N】" + if [ $? -eq 1 ]; then + wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate + if [ $? -ne 0 ]; then +- echo "Error! Certificate downloaded failed. 
Please obtain the certificate manually!" ++ echo "Certificate downloaded failed. Please obtain the certificate manually!" + return 1 + fi + echo "The certificate download is successful. Please restart later and enter the bios, then import the certificate into the DB!" +diff --git a/secpaver-secconf-1.0.0/secconf/gen_comm.sh b/secpaver-secconf-1.0.0/secconf/gen_comm.sh +index f28dba7..ec19cf5 100644 +--- a/secpaver-secconf-1.0.0/secconf/gen_comm.sh ++++ b/secpaver-secconf-1.0.0/secconf/gen_comm.sh +@@ -1,52 +1,67 @@ + set_skip_usr_input=0 + set_reboot=0 + ++check_rpm_package() ++{ ++ rpm -q $1 &> /dev/null ++ if [ $? -ne 0 ]; then ++ get_usr_input "$1 is about to install?【Y/N】" ++ if [ $? -eq 1 ]; then ++ yum install -y $1 || exit 1 ++ else ++ echo "The $1 does not exit, skip." ++ return 1 ++ fi ++ fi ++ return 0 ++} ++ + get_usr_input() + { +- echo $1 +- if [ $set_skip_usr_input -eq 0 ]; then +- read -r userInput +- else +- userInput=Y +- fi ++ echo $1 ++ if [ $set_skip_usr_input -eq 0 ]; then ++ read -r userInput ++ else ++ userInput=Y ++ fi + +- if [ "$userInput" != 'Y' ] && [ "$userInput" != 'y' ]; then +- return 0 +- else +- return 1 +- fi ++ if [ "$userInput" != 'Y' ] && [ "$userInput" != 'y' ]; then ++ return 0 ++ else ++ return 1 ++ fi + } + + usage() + { +- echo "Usage: $(basename $0) [OPTION]" +- echo " -s, --skip 设置跳过询问" +- echo " -r, --run 正常执行" +- echo " -h, --help 显示帮助信息" ++ echo "Usage: $(basename $0) [OPTION]" ++ echo " -s, --skip 设置跳过询问" ++ echo " -r, --run 正常执行" ++ echo " -h, --help 显示帮助信息" + } + + while true + do +- case "$1" in +- -s|--skip) +- set_skip_usr_input=1 +-{{range .ShellFuns}} {{.}} ++ case "$1" in ++ -s|--skip) ++ set_skip_usr_input=1 ++{{range .ShellFuns}} {{.}} + {{ end }} +- exit 0 +- ;; +- -r|--run) +-{{range .ShellFuns}} {{.}} ++ exit 0 ++ ;; ++ -r|--run) ++{{range .ShellFuns}} {{.}} + {{ end }} +- exit 0 +- ;; +- -h|--help) +- usage +- exit $? 
+- ;; +- *) +- echo -e "Need Correct Arguments!\n" +- usage +- exit $LA_ERR +- ;; +- esac ++ exit 0 ++ ;; ++ -h|--help) ++ usage ++ exit $? ++ ;; ++ *) ++ echo -e "Need Correct Arguments!\n" ++ usage ++ exit $LA_ERR ++ ;; ++ esac + done +-- +2.33.0 + diff --git a/restore-ima-selinux-type-when-perform-new-configurat.patch b/restore-ima-selinux-type-when-perform-new-configurat.patch index b783c71..0cc21d0 100644 --- a/restore-ima-selinux-type-when-perform-new-configurat.patch +++ b/restore-ima-selinux-type-when-perform-new-configurat.patch @@ -19,7 +19,7 @@ index a657614..d40dce6 100644 -packages=("ima-evm-utils" "digest-list-tools") +packages=("ima-evm-utils" "digest-list-tools" "selinux-policy" "selinux-policy-targeted" "policycoreutils") for pkg in "${packages[@]}"; do - get_usr_input "${pkg} is about to installed?【Y/N】" + check_rpm_package ${pkg} if [ $? -eq 1 ]; then @@ -33,14 +33,14 @@ rm_kernel_param() for param in "${@}"; do diff --git a/secpaver.spec b/secpaver.spec index 2fac158..134296f 100755 --- a/secpaver.spec +++ b/secpaver.spec @@ -2,7 +2,7 @@ Name: secpaver Summary: Security policy development tool Version: 1.0.2 -Release: 14 +Release: 15 License: MulanPSL-2.0 URL: https://gitee.com/openeuler/secpaver Source: https://gitee.com/openeuler/secpaver/repository/archive/%{name}-%{version}.tar.gz @@ -16,7 +16,9 @@ Patch0003: support-clang-build.patch Patch0004: fix-go-build-ref-cldflags.patch Patch0005: remove-unused-socket.patch Patch0006: Add-example-of-how-to-import-digest-list-when-using-.patch -Patch0007: restore-ima-selinux-type-when-perform-new-configurat.patch +Patch0007: fix-some-bugs.patch +Patch0008: restore-ima-selinux-type-when-perform-new-configurat.patch +Patch0009: extend-the-ima_check-to-check-gen_ima.patch %ifarch riscv64 loongarch64 Patch1000: 1000-fix-build-on-riscv64.patch %endif 
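Review bot: The failure message in the new kernel-signature block of check_secure_boot is malformed: `echo "$vmlinuz-"$(uname -r)" signature verification failed!"` expands an unset `$vmlinuz` and breaks the quoting around `$(uname -r)`, so it prints `-<release> signature verification failed!`; it should be `echo "vmlinuz-$(uname -r) signature verification failed!"`. A failed pesigcheck also only prints that message — as far as the hunk shows, the function then falls through to the mokutil --db check and can still report success, so a `return 1` after the `rm -f` cleanup would make the check's status reflect the unverified kernel (the function's end lies outside the hunk). The temporary copy is written to the current directory under a predictable name; creating it under `mktemp -d` and removing that directory on the same cleanup path avoids clobbering a same-named file in the caller's cwd. The certificate download on the unchanged context line still runs wget with --no-check-certificate; that is pre-existing, but since the fetched file is the trust anchor pesigcheck and the DB check verify against, it deserves its own follow-up.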
@@ -61,6 +63,8 @@ unzip %{SOURCE2} %patch0005 -p1 %patch0006 -p1 %patch0007 -p1 +%patch0008 -p1 +%patch0009 -p1 %ifarch riscv64 loongarch64 %patch1000 -p1 %endif @@ -119,6 +123,9 @@ make test %systemd_postun_with_restart pavd.service %changelog +* Mon Dec 9 2024 xuce - 1.0.2-15 +- fix some bugs and extend the check_ima to check gen_ima + * Mon Dec 2 2024 xuce - 1.0.2-14 - restore ima selinux type when perform new configuration -- Gitee