diff --git a/Add-example-of-how-to-import-digest-list-when-using-.patch b/Add-example-of-how-to-import-digest-list-when-using-.patch index 34881307a3c10744a39cd0f7485f8e37c6e4a0b0..b4dc8725f23ff953d52fc8d4a241c7371d5407fe 100644 --- a/Add-example-of-how-to-import-digest-list-when-using-.patch +++ b/Add-example-of-how-to-import-digest-list-when-using-.patch @@ -1,19 +1,18 @@ -From ce23f01656f6abbed6c663c2f8d023a23d950180 Mon Sep 17 00:00:00 2001 -From: xuce -Date: Thu, 28 Nov 2024 21:36:23 +0800 -Subject: [PATCH] Add example of how to import digest list when using IMA +From dc3260fb393cdf1163fc8b8b3e3532ead800a686 Mon Sep 17 00:00:00 2001 +From: xucee +Date: Thu, 28 Nov 2024 21:01:12 +0800 +Subject: Add example of how to import digest list when using IMA appraise -Signed-off-by: xuce --- - secpaver-secconf-1.0.0/secconf/gen/gen_ima | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) + secconf/gen/gen_ima | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) -diff --git a/secpaver-secconf-1.0.0/secconf/gen/gen_ima b/secpaver-secconf-1.0.0/secconf/gen/gen_ima -index 6436c78..a657614 100644 ---- a/secpaver-secconf-1.0.0/secconf/gen/gen_ima -+++ b/secpaver-secconf-1.0.0/secconf/gen/gen_ima -@@ -155,7 +155,15 @@ fi +diff --git a/secconf/gen/gen_ima b/secconf/gen/gen_ima +index 6436c78..0657cdf 100644 +--- a/secconf/gen/gen_ima ++++ b/secconf/gen/gen_ima +@@ -155,7 +155,14 @@ fi if [[ ${#common_list[@]} -gt 0 || ${#appraise_list[@]} -gt 0 ]]; then echo "appraise func=DIGEST_LIST_CHECK appraise_type=imasig|modsig" >> $tmp_policy 
@@ -21,8 +20,7 @@ index 6436c78..a657614 100644 + echo "IMA appraise has been successfully enabled! If you want to run some executable file which appraised by IMA, you need to +1)generate digest list by gen_digest_lists +2)sign it with evmctl -+3)import it to /sys/kernel/security/digest_list_data. Correspondingly, if you don't want it to be executed, import it to /sys/kernel/security/digest_list_data_d -+el. ++3)import it to /sys/kernel/security/digest_list_data. Correspondingly, if you don't want it to be executed, import it to /sys/kernel/security/digest_list_data_del. +Here is an example: +1)gen_digest_lists -t metadata -f compact -i l:policy -o add -p -1 -m immutable -i I:/usr/bin/ls -d ./ +2)evmctl ima_sign --key /path/to/ima.key -a sha256 diff --git a/add-the-wget-timeout-mechanism-and-optimize-the-dim-.patch b/add-the-wget-timeout-mechanism-and-optimize-the-dim-.patch new file mode 100644 index 0000000000000000000000000000000000000000..2ce6862ae8b4f79c252fd7db873955b8d03228b9 --- /dev/null +++ b/add-the-wget-timeout-mechanism-and-optimize-the-dim-.patch 
@@ -0,0 +1,107 @@
+From 59722538bfc1c500ba6124aca3533ff6811c6616 Mon Sep 17 00:00:00 2001
+From: jinlun
+Date: Thu, 5 Dec 2024 20:27:36 +0800
+Subject: add the wget timeout mechanism and optimize the dim
+ check the modsign script is optimized.
+
+---
+ secconf/check/check_dim | 3 ++-
+ secconf/check/check_modsign | 4 ++--
+ secconf/check/check_secure_boot | 2 +-
+ secconf/gen/gen_modsign | 4 ++--
+ secconf/gen/gen_secure_boot | 2 +-
+ 5 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/secconf/check/check_dim b/secconf/check/check_dim
+index bfad32d..0166a97 100644
+--- a/secconf/check/check_dim
++++ b/secconf/check/check_dim
+@@ -82,7 +82,7 @@ dim_comm()
+ else
+ echo "Skip the baseline file consistency check."
+ fi
+-{{end}}{{ if .BaselineIsEnable }}
++{{end}}
+ echo "Checking whether the DIM kernel module is loaded"
+ lsmod | grep dim_monitor &> /dev/null
+ if [ $? -eq 0 ]; then
+@@ -98,6 +98,7 @@ dim_comm()
+ echo "Error! dim_core is not loaded!"
+ return 1
+ fi
++{{ if .BaselineIsEnable }}
+ echo "Checking if baseline is configured..."
+ cat /sys/kernel/security/dim/monitor_ascii_runtime_measurements | wc -l | grep 2 &> /dev/null
+ if [ $? -ne 0 ]; then
+diff --git a/secconf/check/check_modsign b/secconf/check/check_modsign
+index 99d7a00..143d319 100644
+--- a/secconf/check/check_modsign
++++ b/secconf/check/check_modsign
+@@ -7,7 +7,7 @@ modsign_comm()
+ grub_path="/boot/efi/EFI/openEuler/grub.cfg"
+ fi
+ {{ if .Enable }}
+- grep sig_enforce $grub_path &> /dev/null
++ grep "vmlinuz-$(uname -r) .*sig_enforce" $grub_path &> /dev/null
+ if [ $? -eq 0 ]; then
+ echo "Kernel Module Signature Verification has been configured."
+ fi
+@@ -18,7 +18,7 @@ modsign_comm()
+ echo "Kernel Module Signature Verification hasn't benn activated. Please restart to activate!"
+ fi
+ {{ else }}
+- grep sig_enforce $grub_path &> /dev/null
++ grep "vmlinuz-$(uname -r) .*sig_enforce" $grub_path &> /dev/null
+ if [ $? -eq 0 ]; then
+ echo "Kernel Module Signature Verification is not disable."
+ fi
+diff --git a/secconf/check/check_secure_boot b/secconf/check/check_secure_boot
+index 22d5590..587deaf 100644
+--- a/secconf/check/check_secure_boot
++++ b/secconf/check/check_secure_boot
+@@ -16,7 +16,7 @@ secure_boot_comm()
+ if [ ! -s /boot/efi/EFI/secure_boot.der ]; then
+ get_usr_input "Secure Boot certificate of openeuler is about to be downloaded?【Y/N】"
+ if [ $? -eq 1 ]; then
+- wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate &> /dev/null
++ wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate --timeout=30 --tries=3 &> /dev/null
+ if [ $? -ne 0 ]; then
+ echo "Secure Boot cerificate download failed,Please obtain the certificate in other ways"
+ return 1
+diff --git a/secconf/gen/gen_modsign b/secconf/gen/gen_modsign
+index 2917ea1..dc20ee3 100644
+--- a/secconf/gen/gen_modsign
++++ b/secconf/gen/gen_modsign
+@@ -6,14 +6,14 @@ modsign_comm()
+ else
+ grub_path="/boot/efi/EFI/openEuler/grub.cfg"
+ fi
+- grep sig_enforce $grub_path &> /dev/null
++ grep "vmlinuz-$(uname -r) .*sig_enforce" $grub_path &> /dev/null
+ {{ if .Enable }}
+ if [ $? -eq 0 ]; then
+ echo "Kernel module verification has been set and does not need to be set again."
+ else
+ get_usr_input "Check whether the grub.cfg file is modified to enable forcible signature verification in the kernel.【Y/N】"
+ if [ $? -eq 1 ]; then
+- sed -i '/vmlinuz/s/$/ module\.sig_enforce/' $grub_path
++ sed -i "/vmlinuz-$(uname -r)/ s/$/ module\.sig_enforce/" "${grub_path}"
+ if [ $? -eq 0 ]; then
+ echo "The kernel module verification is successful when the OS is started. The verification takes effect after the OS is restarted."
+ else
+diff --git a/secconf/gen/gen_secure_boot b/secconf/gen/gen_secure_boot
+index 9ace5e0..bd78d7e 100644
+--- a/secconf/gen/gen_secure_boot
++++ b/secconf/gen/gen_secure_boot
+@@ -20,7 +20,7 @@ secure_boot_comm()
+ else
+ get_usr_input "Download the openeuler secure boot certificate right now?【Y/N】"
+ if [ $? -eq 1 ]; then
+- wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate
++ wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate --timeout=30 --tries=3 &> /dev/null
+ if [ $? -ne 0 ]; then
+ echo "Certificate downloaded failed. Please obtain the certificate manually!"
+ return 1
+--
+2.33.0
+
diff --git a/extend-check_ima-to-check-whether-gen_ima-is-right.patch b/extend-check_ima-to-check-whether-gen_ima-is-right.patch
new file mode 100644
index 0000000000000000000000000000000000000000..789a999bb93cd4b1f94b447968981ed03e43e3b5
--- /dev/null
+++ b/extend-check_ima-to-check-whether-gen_ima-is-right.patch
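Review bot: Both `wget` lines on the new side (the check_secure_boot and gen_secure_boot hunks) keep `--no-check-certificate` while fetching the certificate that is written to `/boot/efi/EFI/secure_boot.der` and, per the messages elsewhere in this series, later imported into the firmware DB, so the added `--timeout=30 --tries=3` only bounds the wait and the trust anchor itself is still downloaded without TLS verification. Dropping the flag (`wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --timeout=30 --tries=3`) and printing the file's fingerprint for the operator to compare before enrolment, e.g. `openssl x509 -inform der -in /boot/efi/EFI/secure_boot.der -noout -fingerprint -sha256`, would close that gap; the same flag is present on the two wget lines of fix-some-bugs.patch. The new `&> /dev/null` on the gen_secure_boot line also discards wget's own error text, which the following `echo` does not carry, so stderr is worth keeping. The enclosing `secure_boot_comm` function begins and ends outside both hunks.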
@@ -0,0 +1,265 @@
+From 3287a6ffcf77ac5d328994610dc40e267e800ba2 Mon Sep 17 00:00:00 2001
+From: xucee
+Date: Thu, 5 Dec 2024 16:15:19 +0800
+Subject: extend check_ima to check whether gen_ima is right.
+
+---
+ secconf/check/check_ima | 181 +++++++++++++++++++++++++++++++++++-
+ secconf/gen/gen_ima | 10 +-
+ secconf/gen/gen_secure_boot | 2 +-
+ 3 files changed, 184 insertions(+), 9 deletions(-)
+
+diff --git a/secconf/check/check_ima b/secconf/check/check_ima
+index cb5de0d..613d75e 100644
+--- a/secconf/check/check_ima
++++ b/secconf/check/check_ima
+@@ -1,9 +1,7 @@
+ ima_comm()
+ {
+ {{with .IMA}}
+-{{ if and (eq (len .MeasureList) 0) (eq (len .AppraiseList) 0) }}
+-echo "IMA is not enabled!"
+-{{else}}
++
+ if [ ! -d /etc/ima/ ]; then
+ echo "The /etc/ima/ directory does not exist. Please confirm whether IMA is supported."
+ return 1
+@@ -12,7 +10,184 @@ if [[ "$(getenforce)" == "Disabled" ]]; then
+ echo "IMA requires selinux to protect specific files. Please make sure selinux is enabled!"
+ return 1
+ fi
++
++measure_list=()
++appraise_list=()
++common_list=()
++
++{{range .AppraiseList}}
++appraise_list+=({{.}})
+ {{end}}
++
++{{range .MeasureList}}
++measure_list+=({{.}})
++{{end}}
++
++if [ -d /sys/firmware/efi ]; then
++ grub_path=/boot/efi/EFI/openeuler/grub.cfg
++else
++ grub_path=/boot/grub2/grub.cfg
++fi
++
++appraise_param=("ima_appraise=enforce" "ima_appraise_digest_list=digest-nometadata")
++measure_param=("ima_digest_list_pcr=11" "ima_template=ima-ng")
++measure_type=ima_measure_bprm_t
++appraise_type=ima_appraise_bprm_t
++all_type=ima_all_bprm_t
++needReboot=false
++needConfigure=false
++
++check_exist_kernel_param()
++{
++ for param in "${@}"; do
++ cmdline_contains_param=$(grep -q "${param}" /proc/cmdline && echo "true" || echo "false")
++ grub_contains_param=$(grep "/vmlinuz-$(uname -r)" "${grub_path}" | grep -q "${param}" && echo "true" || echo "false")
++ if [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "false" ]]; then
++ needReboot=true
++ needConfigure=true
++ elif [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "false" ]]; then
++ needConfigure=true
++ elif [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "true" ]]; then
++ needReboot=true
++ fi
++ done
++}
++
++check_absent_kernel_param()
++{
++ for param in "${@}"; do
++ cmdline_contains_param=$(grep -q "${param}" /proc/cmdline && echo "true" || echo "false")
++ grub_contains_param=$(grep "/vmlinuz-$(uname -r)" "${grub_path}" | grep -q "${param}" && echo "true" || echo "false")
++ if [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "true" ]]; then
++ needReboot=true
++ needConfigure=true
++ elif [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "false" ]]; then
++ needReboot=true
++ elif [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "true" ]]; then
++ needConfigure=true
++ fi
++ done
++}
++
++if [[ ${#appraise_list[@]} -eq 0 && ${#measure_list[@]} -eq 0 ]]; then
++ check_absent_kernel_param "${appraise_param[@]}"
++ check_absent_kernel_param "${measure_param[@]}"
++elif [[ ${#appraise_list[@]} -gt 0 && ${#measure_list[@]} -gt 0 ]]; then
++ check_exist_kernel_param "${appraise_param[@]}"
++ check_exist_kernel_param "${measure_param[@]}"
++elif [[ ${#appraise_list[@]} -gt 0 ]]; then
++ check_absent_kernel_param "${measure_param[@]}"
++ check_exist_kernel_param "${appraise_param[@]}"
++else
++ check_absent_kernel_param "${appraise_param[@]}"
++ check_exist_kernel_param "${measure_param[@]}"
++fi
++
++if [[ "$needReboot" == "true" && "$needConfigure" == "true" ]]; then
++ echo "The current IMA related startup parameters are not configured correctly. Please execute the configuration script and then restart to take effect."
++ return 0
++elif [[ "$needReboot" == "true" && "$needConfigure" == "false" ]]; then
++ echo "The current IMA related startup parameters have been successfully configured. It needs to restart to take effect."
++ return 0
++elif [[ "$needReboot" == "false" && "$needConfigure" == "true" ]]; then
++ echo "The current IMA related start up parameters are valid. But they will become invalid after restarting. It needs to execute configuration script to configure."
++else
++ echo "The current IMA related start up parameters are valid and configured correctly!"
++fi
++
++if [[ ${#appraise_list[@]} -eq 0 && ${#measure_list[@]} -eq 0 ]]; then
++ echo "IMA check completed!"
++ return 0
++fi
++
++needSetSelinuxType=false
++check_selinux_type()
++{
++ SELINUX_LABEL=$(ls -Z "$2" | awk '{print $1}' | awk -F: '{print $3}')
++ if [[ $SELINUX_LABEL != "$1" ]]; then
++ needSetSelinuxType=true
++ fi
++}
++
++unique() {
++ echo "$@" | tr ' ' '\n' | sort -u | tr '\n' ' '
++}
++
++common_elements() {
++ comm -12 <(printf "%s\n" $1 | sort) <(printf "%s\n" $2 | sort)
++}
++
++remove_common() {
++ grep -Fvxf <(printf "%s\n" $2) <(printf "%s\n" $1)
++}
++
++unique_appraise_list=($(unique "${appraise_list[@]}"))
++unique_measure_list=($(unique "${measure_list[@]}"))
++common_list=($(common_elements "${unique_appraise_list[*]}" "${unique_measure_list[*]}"))
++appraise_list=($(remove_common "${unique_appraise_list[*]}" "${common_list[*]}"))
++measure_list=($(remove_common "${unique_measure_list[*]}" "${common_list[*]}"))
++
++
++for measure_file in "${measure_list[@]}"; do
++ check_selinux_type $measure_type $measure_file
++done
++
++for appraise_file in "${appraise_list[@]}"; do
++ check_selinux_type $appraise_type $appraise_file
++done
++
++for common_file in "${common_list[@]}"; do
++ check_selinux_type $all_type $common_file
++done
++
++if [[ $needSetSelinuxType == "true" ]]; then
++ echo "The selinux type of the target files is not configured correctly. Please execute the configuration script to set it."
++ return 0
++else
++ echo "The selinux type of the target files is configured correctly!"
++fi
++
++ima_policy=/sys/kernel/security/ima/policy
++
++if [ -z "$(cat $ima_policy)" ]; then
++ echo "IMA policy is not configured. Please execute the configuration script to configure it."
++ return 0
++fi
++
++needConfigurePolicy=false
++check_ima_policy(){
++ if ! grep -Fxq "$1" "$ima_policy"; then
++ needConfigurePolicy=true
++ fi
++}
++
++if [[ ${#common_list[@]} -gt 0 || ${#appraise_list[@]} -gt 0 ]]; then
++ check_ima_policy "appraise func=DIGEST_LIST_CHECK appraise_type=imasig|modsig"
++fi
++if [[ ${#common_list[@]} -gt 0 || ${#measure_list[@]} -gt 0 ]]; then
++ check_ima_policy "measure func=DIGEST_LIST_CHECK"
++fi
++
++if [[ ${#common_list[@]} -gt 0 ]]; then
++ check_ima_policy "appraise func=BPRM_CHECK obj_type=${all_type}"
++ check_ima_policy "measure func=BPRM_CHECK obj_type=${all_type}"
++fi
++
++if [[ ${#measure_list[@]} -gt 0 ]]; then
++ check_ima_policy "measure func=BPRM_CHECK obj_type=${measure_type}"
++fi
++
++if [[ ${#appraise_list[@]} -gt 0 ]]; then
++ check_ima_policy "appraise func=BPRM_CHECK obj_type=${appraise_type}"
++fi
++
++if [[ "needConfigurePolicy" == "true" ]]; then
++ echo "IMA policy is not configured correctly! Please restart and execute the configuration script to configure it."
++ return 0
++else
++ echo "IMA policy are configured correctly! IMA has been successfully enabled!"
++fi
++
+ echo "IMA check completed!"
+ {{end}}
+ }
+diff --git a/secconf/gen/gen_ima b/secconf/gen/gen_ima
+index 28edbf3..e0cc3c4 100644
+--- a/secconf/gen/gen_ima
++++ b/secconf/gen/gen_ima
+@@ -32,7 +32,7 @@ rm_kernel_param()
+ {
+ for param in "${@}"; do
+ cmdline_contains_param=$(grep -q "${param}" /proc/cmdline && echo "true" || echo "false")
+- grub_contains_param=$(grep -q "${param}" "${grub_path}" && echo "true" || echo "false")
++ grub_contains_param=$(grep "/vmlinuz-$(uname -r)" "${grub_path}" | grep -q "${param}" && echo "true" || echo "false")
+ if [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "true" ]]; then
+ sed -i "s/ \<${param}\>//g" ${grub_path}
+ needReboot=true
+@@ -48,12 +48,12 @@ set_kernel_param()
+ {
+ for param in "${@}"; do
+ cmdline_contains_param=$(grep -q "${param}" /proc/cmdline && echo "true" || echo "false")
+- grub_contains_param=$(grep -q "${param}" "${grub_path}" && echo "true" || echo "false")
++ grub_contains_param=$(grep "/vmlinuz-$(uname -r)" "${grub_path}" | grep -q "${param}" && echo "true" || echo "false")
+ if [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "false" ]]; then
+- sed -i "/vmlinuz/ s/$/ ${param}/" "${grub_path}"
++ sed -i "/vmlinuz-$(uname -r)/ s/$/ ${param}/" "${grub_path}"
+ needReboot=true
+ elif [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "false" ]]; then
+- sed -i "/vmlinuz/ s/$/ ${param}/" "${grub_path}"
++ sed -i "/vmlinuz-$(uname -r)/ s/$/ ${param}/" "${grub_path}"
+ elif [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "true" ]]; then
+ needReboot=true
+ fi
+@@ -109,7 +109,7 @@ else
+ fi
+
+ if [[ $needReboot == "true" ]]; then
+- echo "IMA startup parameters have been configured! It will take effect by rebooting"
++ echo "IMA startup parameters have been configured! It will take effect by rebooting."
+ return 0
+ fi
+
+diff --git a/secconf/gen/gen_secure_boot b/secconf/gen/gen_secure_boot
+index a1e0d36..9ace5e0 100644
+--- a/secconf/gen/gen_secure_boot
++++ b/secconf/gen/gen_secure_boot
+@@ -39,7 +39,7 @@ secure_boot_comm()
+ get_usr_input "Whether to enable the secure boot anti-rollback?【Y/N】"
+ if [ $? -eq 1 ]; then
+ mokutil --set-sbat-policy latest
+- echo "The anti-rollback function has been set and will take effect after restarting."
++ echo "The anti-rollback function has been enabled and will take effect after enabling the secure boot."
+ fi
+ {{ else }}
+ get_usr_input "Whether to disable the secure boot anti-rollback【Y/N】"
+--
+2.33.0
+
diff --git a/fix-some-bugs.patch b/fix-some-bugs.patch
new file mode 100644
index 0000000000000000000000000000000000000000..35103b8007e46884b975ef737dca1ac2e7af7937
--- /dev/null
+++ b/fix-some-bugs.patch
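Review bot: The final verdict of the new check_ima body compares a literal string: `if [[ "needConfigurePolicy" == "true" ]]; then` is missing the `$`, so the condition is always false and the script prints `IMA policy are configured correctly! IMA has been successfully enabled!` even after `check_ima_policy` has set `needConfigurePolicy=true` for a missing rule; it should read `if [[ "$needConfigurePolicy" == "true" ]]; then`, as the earlier `$needSetSelinuxType` test does. `check_ima_policy` also relies on `grep -Fxq`, a whole-line fixed-string match against `/sys/kernel/security/ima/policy`; if the kernel renders rules with different token order or spacing than the strings gen_ima writes, every rule is reported as missing — worth confirming on a target system. A one-line comment above `check_ima_policy(){` saying that the expected strings must match the kernel's rendering of the rule exactly would help the next maintainer.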
@@ -0,0 +1,347 @@
+From aa072b84261eec2f4c1faaf1f8ba177313fa0e37 Mon Sep 17 00:00:00 2001
+From: jinlun
+Date: Thu, 28 Nov 2024 14:05:53 +0800
+Subject: fix some bugs
+
+---
+ secconf/check/check_dim | 8 +++-
+ secconf/check/check_secure_boot | 36 ++++++++++++--
+ secconf/dim.go | 6 +-
+ secconf/gen/gen_dim | 19 ++++----
+ secconf/gen/gen_ima | 4 +-
+ secconf/gen/gen_secure_boot | 10 ++--
+ secconf/gen_comm.sh | 85 +++++++++++++++++++--------------
+ 7 files changed, 107 insertions(+), 61 deletions(-)
+
+diff --git a/secconf/check/check_dim b/secconf/check/check_dim
+index 3c392fa..bfad32d 100644
+--- a/secconf/check/check_dim
++++ b/secconf/check/check_dim
+@@ -23,6 +23,10 @@ dim_comm()
+ return 1
+ fi
+ elif [ "{{.}}" == "kernel" ]; then
++ if [ ! -f /etc/dim/digest_list/kernel.hash ]; then
++ echo "Error! The policy file doesn't match the configuration file!"
++ return 1
++ fi
+ grep "measure obj=KERNEL_TEXT" /etc/dim/policy &> /dev/null
+ if [ $? -ne 0 ]; then
+ echo "Error! The policy file doesn't match the configuration file!"
+@@ -55,9 +59,9 @@ dim_comm()
+ echo "Environment doesn't support tpm, measure_pcr configuration is invalid!"
+ fi
+ {{end}}{{ if .Signature }}
+- get_usr_input "openssl is about to installed?【Y/N】"
++ check_rpm_package openssl
+ if [ $? -eq 1 ]; then
+- yum install -y openssl || exit 1
++ return 1
+ fi
+ echo "Checking whether the certificate is configured..."
+ if [ -f /etc/keys/x509_dim.der ]; then
+diff --git a/secconf/check/check_secure_boot b/secconf/check/check_secure_boot
+index 905c2e0..22d5590 100644
+--- a/secconf/check/check_secure_boot
++++ b/secconf/check/check_secure_boot
+@@ -5,15 +5,15 @@ secure_boot_comm()
+ get_usr_input "The current system doesn't support secure boot!"
+ return 1
+ fi
+- get_usr_input "Pesign is about to be installed?【Y/N】"
++ check_rpm_package pesign
+ if [ $? -eq 1 ]; then
+- yum install -y pesign || exit 1
++ return 1
+ fi
+- get_usr_input "Mokutil is about to be installed?【Y/N】"
++ check_rpm_package mokutil
+ if [ $? -eq 1 ]; then
+- yum install -y mokutil || exit 1
++ return 1
+ fi
+- if [ ! -f /boot/efi/EFI/secure_boot.der ]; then
++ if [ ! -s /boot/efi/EFI/secure_boot.der ]; then
+ get_usr_input "Secure Boot certificate of openeuler is about to be downloaded?【Y/N】"
+ if [ $? -eq 1 ]; then
+ wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate &> /dev/null
+@@ -34,6 +34,32 @@ secure_boot_comm()
+ return 1
+ fi
+ done
++ if [ -s /boot/vmlinuz-"$(uname -r)" ]; then
++ check_rpm_package gzip
++ if [ $? -eq 1 ]; then
++ return 1
++ fi
++ if [ $(arch) == "aarch64" ]; then
++ cp -ar /boot/vmlinuz-"$(uname -r)" ./vmlinuz-"$(uname -r)".gz
++ gzip -df vmlinuz-"$(uname -r)".gz
++ if [ $? -ne 0 ]; then
++ echo "failed to gzip vmlinuz, stop check"
++ rm -f vmlinuz-"$(uname -r)".gz
++ return 1
++ fi
++ else
++ cp -ar /boot/vmlinuz-"$(uname -r)" ./vmlinuz-"$(uname -r)"
++ fi
++ pesigcheck -i vmlinuz-"$(uname -r)" -n 0 -c /boot/efi/EFI/secure_boot.der
++ if [ $? -ne 0 ]; then
++ echo "$vmlinuz-"$(uname -r)" signature verification failed!"
++ else
++ echo "The kernel of the current version has been verified"
++ fi
++ rm -f vmlinuz-"$(uname -r)"
++ else
++ echo "The vmlinuz was not found, please check the signature manually"
++ fi
+
+ mokutil --db | grep "Issuer: CN=CA, OU=Infra, O=openEuler, L=ShenZhen, ST=GuangDong, C=CN"
+ if [ $? -ne 0 ]; then
+diff --git a/secconf/dim.go b/secconf/dim.go
+index 220abde..a37915b 100644
+--- a/secconf/dim.go
++++ b/secconf/dim.go
+@@ -15,12 +15,12 @@ type Dim struct {
+ DimIsEnable bool `default:"false" yaml:"enable"`
+ MeasureList []string `yaml:"measure_list"`
+ BaselineIsEnable bool `default:"false" yaml:"auto_baseline"`
+- MeasureLogCapacity uint64 `default:"100000" yaml:"log_cap"`
++ MeasureLogCapacity uint32 `default:"100000" yaml:"log_cap"`
+ MeasureHash string `default:"sha256" yaml:"hash"`
+ CorePcr uint16 `default:"0" yaml:"core_pcr"`
+ MonitorPcr uint16 `default:"0" yaml:"monitor_pcr"`
+- MeasureSchedule uint64 `default:"0" yaml:"schedule"`
+- MeasureInterval uint64 `default:"0" yaml:"interval"`
++ MeasureSchedule uint32 `default:"0" yaml:"schedule"`
++ MeasureInterval uint32 `default:"0" yaml:"interval"`
+ Signature bool `default:"false" yaml:"signature"`
+ }
+
+diff --git a/secconf/gen/gen_dim b/secconf/gen/gen_dim
+index b310eaf..9174a92 100644
+--- a/secconf/gen/gen_dim
++++ b/secconf/gen/gen_dim
+@@ -1,9 +1,9 @@
+ dim_comm()
+ {
+ {{ with .Dim }}{{if .DimIsEnable}}
+- get_usr_input "dim is about to install?【Y/N】"
++ check_rpm_package dim
+ if [ $? -eq 1 ]; then
+- yum install -y dim || exit 1
++ return 1
+ fi
+ get_usr_input "New static baseline file and policy will be created at /etc/dim?【Y/N】"
+ if [ $? -eq 1 ]; then
+@@ -19,14 +19,15 @@ dim_comm()
+ return 1
+ fi
+
+- get_usr_input "dim_tools is about to install?【Y/N】"
++ check_rpm_package dim_tools
+ if [ $? -eq 1 ]; then
+- yum install -y dim_tools || exit 1
++ return 1
+ fi
++ dimHash={{.MeasureHash}}
+ {{range .MeasureList}}
+ if [ -f "{{.}}" ] ; then
+ echo "Establishing static baseline:" {{.}}
+- dim_gen_baseline {{.}} -o /etc/dim/digest_list/$(basename {{.}}).hash
++ dim_gen_baseline {{.}} -o /etc/dim/digest_list/$(basename {{.}}).hash -a $dimHash
+ if [ $? -ne 0 ]; then
+ echo "Error! Static baseline establishment failed" {{.}}
+ return 1
+@@ -34,7 +35,7 @@ dim_comm()
+ echo "measure obj=BPRM_TEXT path={{.}}" >> /etc/dim/policy
+ elif [ "{{.}}" == "kernel" ]; then
+ echo "measure obj=KERNEL_TEXT" >> /etc/dim/policy
+- dim_gen_baseline -k "$(uname -r)" -o /etc/dim/digest_list/test.hash /boot/vmlinuz-6*
++ dim_gen_baseline -k "$(uname -r)" -o /etc/dim/digest_list/kernel.hash /boot/vmlinuz-6* -a $dimHash
+ if [ $? -ne 0 ]; then
+ echo "Kernel static baseline establishment failed"
+ return 1
+@@ -48,7 +49,7 @@ dim_comm()
+ xz -d -k $moduleFilePath
+ moduleFilePath=${moduleFilePath%.*}
+ fi
+- dim_gen_baseline $moduleFilePath -o /etc/dim/digest_list/$module.hash
++ dim_gen_baseline $moduleFilePath -o /etc/dim/digest_list/$module.hash -a $dimHash
+ if [ $? -ne 0 ]; then
+ echo "Static baseline establishment failed" {{.}}
+ return 1
+@@ -73,9 +74,9 @@ dim_comm()
+ return 1
+ fi
+ {{if .Signature}}
+- get_usr_input "openssl is about to install?【Y/N】"
++ check_rpm_package openssl
+ if [ $? -eq 1 ]; then
+- yum install -y openssl || exit 1
++ return 1
+ fi
+ get_usr_input "Generate keys and certificates automatically?【Y/N】"
+ if [ $? -eq 1 ]; then
+diff --git a/secconf/gen/gen_ima b/secconf/gen/gen_ima
+index 0657cdf..84d1b4b 100644
+--- a/secconf/gen/gen_ima
++++ b/secconf/gen/gen_ima
+@@ -16,9 +16,9 @@ measure_list+=({{.}})
+ needReboot=false
+ packages=("ima-evm-utils" "digest-list-tools")
+ for pkg in "${packages[@]}"; do
+- get_usr_input "${pkg} is about to installed?【Y/N】"
++ check_rpm_package ${pkg}
+ if [ $? -eq 1 ]; then
+- yum install -y ${pkg} || exit 1
++ return 1
+ fi
+ done
+
+diff --git a/secconf/gen/gen_secure_boot b/secconf/gen/gen_secure_boot
+index 4decd48..a1e0d36 100644
+--- a/secconf/gen/gen_secure_boot
++++ b/secconf/gen/gen_secure_boot
+@@ -3,26 +3,26 @@ secure_boot_comm()
+ {{ with .SecureBoot }}
+ {{if .SecureBootIsEnable}}
+ if [ ! -d /sys/firmware/efi ]; then
+- get_usr_input "Error! The current environment does not support secure boot."
++ get_usr_input "The current environment does not support secure boot."
+ return 1
+ fi
+- get_usr_input "mokutil is about to install?【Y/N】"
++ check_rpm_package mokutil
+ if [ $? -eq 1 ]; then
+- yum install -y mokutil || exit 1
++ return 1
+ fi
+ mokutil --sb | grep enabled
+ if [ $? -ne 0 ]; then
+ mokutil --db | grep "Issuer: CN=CA, OU=Infra, O=openEuler, L=ShenZhen, ST=GuangDong, C=CN"
+ if [ $? -ne 0 ]; then
+ echo "Secure boot certificate is not saved in DB!"
+- if [ -f /boot/efi/EFI/secure_boot.der ]; then
++ if [ -s /boot/efi/EFI/secure_boot.der ]; then
+ echo "The file already exists. Please restart and import the file to the BIOS."
+ else
+ get_usr_input "Download the openeuler secure boot certificate right now?【Y/N】"
+ if [ $? -eq 1 ]; then
+ wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate
+ if [ $? -ne 0 ]; then
+- echo "Error! Certificate downloaded failed. Please obtain the certificate manually!"
++ echo "Certificate downloaded failed. Please obtain the certificate manually!"
+ return 1
+ fi
+ echo "The certificate download is successful. Please restart later and enter the bios, then import the certificate into the DB!"
+diff --git a/secconf/gen_comm.sh b/secconf/gen_comm.sh
+index f28dba7..ec19cf5 100644
+--- a/secconf/gen_comm.sh
++++ b/secconf/gen_comm.sh
+@@ -1,52 +1,67 @@
+ set_skip_usr_input=0
+ set_reboot=0
+
++check_rpm_package()
++{
++ rpm -q $1 &> /dev/null
++ if [ $? -ne 0 ]; then
++ get_usr_input "$1 is about to install?【Y/N】"
++ if [ $? -eq 1 ]; then
++ yum install -y $1 || exit 1
++ else
++ echo "The $1 does not exit, skip."
++ return 1
++ fi
++ fi
++ return 0
++}
++
+ get_usr_input()
+ {
+- echo $1
+- if [ $set_skip_usr_input -eq 0 ]; then
+- read -r userInput
+- else
+- userInput=Y
+- fi
++ echo $1
++ if [ $set_skip_usr_input -eq 0 ]; then
++ read -r userInput
++ else
++ userInput=Y
++ fi
+
+- if [ "$userInput" != 'Y' ] && [ "$userInput" != 'y' ]; then
+- return 0
+- else
+- return 1
+- fi
++ if [ "$userInput" != 'Y' ] && [ "$userInput" != 'y' ]; then
++ return 0
++ else
++ return 1
++ fi
+ }
+
+ usage()
+ {
+- echo "Usage: $(basename $0) [OPTION]"
+- echo " -s, --skip 设置跳过询问"
+- echo " -r, --run 正常执行"
+- echo " -h, --help 显示帮助信息"
++ echo "Usage: $(basename $0) [OPTION]"
++ echo " -s, --skip 设置跳过询问"
++ echo " -r, --run 正常执行"
++ echo " -h, --help 显示帮助信息"
+ }
+
+ while true
+ do
+- case "$1" in
+- -s|--skip)
+- set_skip_usr_input=1
+-{{range .ShellFuns}} {{.}}
++ case "$1" in
++ -s|--skip)
++ set_skip_usr_input=1
++{{range .ShellFuns}} {{.}}
+ {{ end }}
+- exit 0
+- ;;
+- -r|--run)
+-{{range .ShellFuns}} {{.}}
++ exit 0
++ ;;
++ -r|--run)
++{{range .ShellFuns}} {{.}}
+ {{ end }}
+- exit 0
+- ;;
+- -h|--help)
+- usage
+- exit $?
+- ;;
+- *)
+- echo -e "Need Correct Arguments!\n"
+- usage
+- exit $LA_ERR
+- ;;
+- esac
++ exit 0
++ ;;
++ -h|--help)
++ usage
++ exit $?
++ ;;
++ *)
++ echo -e "Need Correct Arguments!\n"
++ usage
++ exit $LA_ERR
++ ;;
++ esac
+ done
+--
+2.33.0
+
diff --git a/restore-ima-selinux-type-when-perform-new-configurat.patch b/restore-ima-selinux-type-when-perform-new-configurat.patch
index b783c71d8c9de4377c7043dfb252e3abb35a0a57..ade42f0b441522ba92ec51c031330e1cb59f740f 100644
--- a/restore-ima-selinux-type-when-perform-new-configurat.patch
+++ b/restore-ima-selinux-type-when-perform-new-configurat.patch
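Review bot: In the check_secure_boot hunk a failing `pesigcheck` only prints a message; the function continues to the `mokutil --db` check with no `return 1`, unlike every other failure path visible in the function, so a kernel whose signature does not verify against secure_boot.der is not reflected in the check's return status. The message on that path is also malformed — `echo "$vmlinuz-"$(uname -r)" signature verification failed!"` expands `$vmlinuz`, which is not assigned anywhere in the hunk, and the inner quotes split the string — and should be `echo "vmlinuz-$(uname -r) signature verification failed!"` followed by `rm -f vmlinuz-"$(uname -r)"` and `return 1`. The kernel copy is created in the current working directory (`./vmlinuz-"$(uname -r)"`), so a run from an unexpected cwd can overwrite a file of that name; a `mktemp -d` directory removed on exit would avoid that. In gen_comm.sh, the new `check_rpm_package` message `The $1 does not exit, skip.` should read `does not exist`.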
@@ -1,17 +1,17 @@ -From 7adb0853596e1ec546ef33aba26b69e31a695041 Mon Sep 17 00:00:00 2001 -From: xuce -Date: Mon, 2 Dec 2024 16:16:40 +0800 -Subject: [PATCH] restore ima selinux type when perform new configuration +From c608b278f93fabdb44b41e0ad921e1f34c17fc2b Mon Sep 17 00:00:00 2001 +From: xucee +Date: Mon, 2 Dec 2024 15:30:25 +0800 +Subject: restore ima selinux type when perform new ima + configuration -Signed-off-by: xuce --- - secpaver-secconf-1.0.0/secconf/gen/gen_ima | 73 ++++++++++++---------- + secconf/gen/gen_ima | 73 +++++++++++++++++++++++++-------------------- 1 file changed, 40 insertions(+), 33 deletions(-) -diff --git a/secpaver-secconf-1.0.0/secconf/gen/gen_ima b/secpaver-secconf-1.0.0/secconf/gen/gen_ima -index a657614..d40dce6 100644 ---- a/secpaver-secconf-1.0.0/secconf/gen/gen_ima -+++ b/secpaver-secconf-1.0.0/secconf/gen/gen_ima +diff --git a/secconf/gen/gen_ima b/secconf/gen/gen_ima +index 84d1b4b..28edbf3 100644 +--- a/secconf/gen/gen_ima ++++ b/secconf/gen/gen_ima @@ -14,7 +14,7 @@ measure_list+=({{.}}) {{end}} @@ -19,7 +19,7 @@ index a657614..d40dce6 100644 -packages=("ima-evm-utils" "digest-list-tools") +packages=("ima-evm-utils" "digest-list-tools" "selinux-policy" "selinux-policy-targeted" "policycoreutils") for pkg in "${packages[@]}"; do - get_usr_input "${pkg} is about to installed?【Y/N】" + check_rpm_package ${pkg} if [ $? -eq 1 ]; then @@ -33,14 +33,14 @@ rm_kernel_param() for param in "${@}"; do diff --git a/secpaver.spec b/secpaver.spec index 2fac1586f1271bfe1a80f5316500c2e28ab5b0de..a6bf2cbf9ed5a4fca847e909076d7f2fbac85840 100755 --- a/secpaver.spec +++ b/secpaver.spec 
@@ -1,26 +1,32 @@ - +%define secconf_pck secpaver-secconf-1.0.0 Name: secpaver Summary: Security policy development tool Version: 1.0.2 -Release: 14 +Release: 15 License: MulanPSL-2.0 URL: https://gitee.com/openeuler/secpaver Source: https://gitee.com/openeuler/secpaver/repository/archive/%{name}-%{version}.tar.gz #source1 version sys@v0.0.0-20220908164124-27713097b956 Source1: sys.tar.gz -Source2: secpaver-secconf-1.0.0.zip +Source2: %{secconf_pck}.zip Patch0001: dont-do-daemon-reload-in-make-install.patch Patch0002: set-default-log-path.patch Patch0003: support-clang-build.patch Patch0004: fix-go-build-ref-cldflags.patch Patch0005: remove-unused-socket.patch -Patch0006: Add-example-of-how-to-import-digest-list-when-using-.patch -Patch0007: restore-ima-selinux-type-when-perform-new-configurat.patch + %ifarch riscv64 loongarch64 Patch1000: 1000-fix-build-on-riscv64.patch %endif +# secconf +Patch2000: Add-example-of-how-to-import-digest-list-when-using-.patch +Patch2001: fix-some-bugs.patch +Patch2002: restore-ima-selinux-type-when-perform-new-configurat.patch +Patch2003: extend-check_ima-to-check-whether-gen_ima-is-right.patch +Patch2004: add-the-wget-timeout-mechanism-and-optimize-the-dim-.patch + BuildRequires: golang make systemd Requires: %{name}-plugin = %{version}-%{release} @@ -59,25 +65,30 @@ unzip %{SOURCE2} %patch0003 -p1 %patch0004 -p1 %patch0005 -p1 -%patch0006 -p1 -%patch0007 -p1 + %ifarch riscv64 loongarch64 %patch1000 -p1 %endif - +# secconfg +cd ./%{secconf_pck} +%patch2000 -p1 +%patch2001 -p1 +%patch2002 -p1 +%patch2003 -p1 +%patch2004 -p1 %build %make_build everything -cd ./secpaver-secconf-1.0.0 +cd ./%{secconf_pck} make %install %make_install DESTDIR="%{buildroot}" -cd ./secpaver-secconf-1.0.0 +cd ./%{secconf_pck} %make_install DESTDIR="%{buildroot}" %check -cd ./secpaver-secconf-1.0.0 +cd ./%{secconf_pck} make test %files 
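Review bot: The comment introduced before `cd ./%{secconf_pck}` in %prep reads `+# secconfg`; it should be `# secconf` to match the label used above the Patch2000–Patch2004 block in the first hunk. The order of those five patches is consistent with the blob ids inside them (each patch's `index` line starts from the blob the previous one produced, e.g. gen_ima 0657cdf → 84d1b4b → 28edbf3 → e0cc3c4), so applying them with `-p1` after the `cd` looks right; the hunk that follows on the next line is cut at the edge of the page.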
@@ -119,6 +130,9 @@ make test %systemd_postun_with_restart pavd.service %changelog +* Tue Dec 10 2024 jinlun - 1.0.2-15 +- fix some bugs + * Mon Dec 2 2024 xuce - 1.0.2-14 - restore ima selinux type when perform new configuration