From 479b5cd94f16052cf6ea28d0e8abba2b926fff83 Mon Sep 17 00:00:00 2001

From: Stefan Berger <stefanb@us.ibm.com>

Date: Thu, 13 Oct 2016 16:49:43 -0400

Subject: [PATCH] 98integrity: support validating the IMA policy file signature

IMA validates file signatures based on the security.ima xattr. As of

Linux-4.7, instead of cat'ing the IMA policy into the securityfs policy,

the IMA policy pathname can be written, allowing the IMA policy file

signature to be validated.

This patch first attempts to write the pathname, but on failure falls

back to cat'ing the IMA policy contents .

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

---

 modules.d/98integrity/ima-policy-load.sh | 3 ++-

 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules.d/98integrity/ima-policy-load.sh b/modules.d/98integrity/ima-policy-load.sh

index 0061cff..5460d02 100755

--- a/modules.d/98integrity/ima-policy-load.sh

+++ b/modules.d/98integrity/ima-policy-load.sh

@@ -30,7 +30,8 @@ load_ima_policy()

     # check the existence of the IMA policy file

     [ -f "${IMAPOLICYPATH}" ] && {

         info "Loading the provided IMA custom policy";

-        cat ${IMAPOLICYPATH} > ${IMASECDIR}/policy;

+        echo -n "${IMAPOLICYPATH}" > ${IMASECDIR}/policy || \

+            cat "${IMAPOLICYPATH}" > ${IMASECDIR}/policy

     }

     return 0