#!/bin/sh
### BEGIN INIT INFO
# Provides:            integrity
# Required-Start:      mountfs udev
# Should-Start:
# Required-Stop:
# Should-Stop:
# Default-Start:       3 4 5
# Default-Stop:
# Short-Description:   Enabling IMA/EVM.
# Description:         This service tries to load the IMA/EVM keys and
#                      policy and to enable the IMA/EVM subsystem.
### END INIT INFO

# Common init-script helpers; expected to provide switch, echo_msg,
# echo_success, echo_failure and echo_newline, which are used below.
. /etc/init.d/template

# Policy file that start() loads; picked from the two candidates below,
# so it stays empty until start() runs.
IMA_POLICY=
# Administrator-provided IMA policy; preferred when it exists.
IMA_POLICY_ADMIN=/etc/integrity/policy
# Packaged default IMA policy, used only when no admin policy exists.
IMA_POLICY_DEFAULT=/usr/share/integrity/policy
# Mount point of securityfs, where the evm and ima/policy files live.
SECFS=/sys/kernel/security
# Set to 1 by start() when it mounted securityfs itself and must umount it.
NEED_UNMOUNT=

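#######################################
# Print an init-style failure line for one step of start().
# Arguments: $1 - description of the step that failed
# Outputs:   status line via the template's echo_* helpers
#######################################
integrity_fail()
{
	echo_msg "$1 "
	echo_failure
	echo_newline
}

#######################################
# Print the id of the named keyring attached to the user keyring (@u),
# creating the keyring when it does not exist yet.
# Arguments: $1 - keyring description (_ima or _evm here)
# Outputs:   keyring id on stdout; empty if neither search nor newring
#            produced one
#######################################
integrity_keyring()
{
	keyring_id="$(keyctl search @u keyring "$1" 2>/dev/null)"
	if [ -z "$keyring_id" ]; then
		keyring_id="$(keyctl newring "$1" @u)"
	fi
	printf '%s\n' "$keyring_id"
}

#######################################
# Load the IMA/EVM keys, enable EVM and load the IMA policy.
# Globals:   SECFS, IMA_POLICY_ADMIN, IMA_POLICY_DEFAULT (read);
#            IMA_POLICY, NEED_UNMOUNT (written)
# Outputs:   status lines via the template's echo_* helpers; failures of
#            individual steps are reported rather than silently ignored
# Returns:   0 when every step succeeded, 1 when any step failed
#######################################
start()
{
	rc=0

	# securityfs is needed for the evm and ima/policy files below; mount it
	# ourselves if nothing is mounted there yet and remember to undo that.
	# The surrounding spaces anchor the match to the mount-point field of
	# /proc/mounts, so a mount below $SECFS does not count as a hit.
	if ! grep -q " $SECFS " /proc/mounts; then
		if mount -n -t securityfs securityfs "$SECFS"; then
			NEED_UNMOUNT=1
		else
			integrity_fail "Mounting securityfs on $SECFS"
			rc=1
		fi
	fi

	# IMA keyring and X509 certificate
	ima_id="$(integrity_keyring _ima)"
	if ! evmctl import /etc/keys/x509_ima.der "$ima_id" >/dev/null; then
		integrity_fail "Importing IMA certificate /etc/keys/x509_ima.der"
		rc=1
	fi

	# EVM keyring and X509 certificate
	evm_id="$(integrity_keyring _evm)"
	if ! evmctl import /etc/keys/x509_evm.der "$evm_id" >/dev/null; then
		integrity_fail "Importing EVM certificate /etc/keys/x509_evm.der"
		rc=1
	fi

	# EVM HMAC key: the "encrypted" evm-key is unsealed with the kmk-user
	# master key, so kmk-user has to be present before evm-key is added.
	# Both blobs are passed on the command line and are therefore briefly
	# visible to other users through ps(1); keyctl padd would read the
	# payload from stdin instead, but its handling of a trailing newline in
	# the blob file differs from $(cat ...), so the files need checking
	# before switching.
	if ! keyctl show | grep -q kmk-user; then
		if ! keyctl add user kmk-user "$(cat /etc/keys/kmk-user.blob)" @u >/dev/null; then
			integrity_fail "Loading master key kmk-user"
			rc=1
		fi
	fi
	if ! keyctl add encrypted evm-key "load $(cat /etc/keys/evm-key.blob)" @u >/dev/null; then
		integrity_fail "Loading EVM key evm-key"
		rc=1
	fi

	# enable EVM; this comes after the keys so that evm-key is already in
	# place when the kernel initialises EVM.  echo is a regular builtin, so
	# a failed redirection only fails the command instead of exiting sh.
	if ! echo "1" > "$SECFS"/evm; then
		integrity_fail "Enabling EVM"
		rc=1
	fi

	# the administrator's policy takes precedence over the packaged default
	if [ -f "$IMA_POLICY_ADMIN" ]; then
		IMA_POLICY="$IMA_POLICY_ADMIN"
	elif [ -f "$IMA_POLICY_DEFAULT" ]; then
		IMA_POLICY="$IMA_POLICY_DEFAULT"
	fi
	if [ -n "$IMA_POLICY" ]; then
		echo_msg "Loading IMA policy $IMA_POLICY "
		# explicit if/else: with "a && b || c" a failing echo_success
		# would also print the failure marker
		if cat "$IMA_POLICY" >>"$SECFS"/ima/policy; then
			echo_success
		else
			echo_failure
			rc=1
		fi
		echo_newline
	fi

	# only unmount what this function mounted itself
	if [ -n "$NEED_UNMOUNT" ]; then
		umount "$SECFS"
	fi

	return "$rc"
}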

# Dispatch to start/stop/... according to the first argument; switch is
# expected to come from /etc/init.d/template.  ${1-} expands to an empty
# string when no action is given instead of leaving the word unset.
switch "${1-}"
