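#!/usr/bin/bash
# ima-manage — enable IMA appraisal on this host and sign/hash the files the
# kernel will appraise.
#
#   ima-manage init   <path-to-key>   add ima_appraise=fix to the kernel cmdline
#   ima-manage signfs <path-to-key>   evmctl ima_sign ELF/scripts, ima_hash the rest
#   ima-manage enforce                install the policy, switch to enforce, reboot
#
# This is a bash script (arrays, [[ ]], =~ are used below), so the shebang
# must not be /usr/bin/sh: under dash/ash the script would fail to parse.
# No `set -e` on purpose: several commands below are probed for their exit
# status and handled explicitly.
ACTION="${1:-}"
KEY_PATH="${2:-}"

# Filesystem type of "/", used by `find -fstype` in signfs. Prefer the live
# mount table over /etc/fstab (what is mounted is what will be appraised);
# fall back to fstab: third field of the first non-comment line whose mount
# point is exactly "/". The old grep/sed chain matched "/" anywhere on a
# line, comments included, and mis-parsed "\s" inside a bracket expression.
FS_TYPE=$(findmnt -n -o FSTYPE / 2>/dev/null)
if [[ -z "${FS_TYPE}" ]]; then
    FS_TYPE=$(awk '$1 !~ /^#/ && $2 == "/" { print $3; exit }' /etc/fstab 2>/dev/null)
fi

# Default IMA hash algorithm; get_hashalgo_from_conf() may override it from
# /etc/ima-manage.conf.
HASHALGO="sha256"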

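# Read the HASHALGO setting from /etc/ima-manage.conf (path overridable via
# IMA_MANAGE_CONF, mainly for testing) into the global HASHALGO.
#
# Only the algorithms listed in `allowed` are accepted. A setting that is
# missing (no file, no HASHALGO= line) silently keeps the default; a value
# outside the list keeps the default and warns on stderr. The previous
# version let an EMPTY value through the membership test (" " is a substring
# of the joined list), so a missing config file cleared HASHALGO and the
# file path ended up as the argument of `evmctl -a`.
#
# Globals: HASHALGO (written), IMA_MANAGE_CONF (read, optional)
get_hashalgo_from_conf() {
    local conf="${IMA_MANAGE_CONF:-/etc/ima-manage.conf}"
    local allowed=" sha1 sha224 sha256 sha384 sha512 streebog256 streebog512 "
    local algo

    # Accept both HASHALGO="sha512" and HASHALGO=sha512; if the setting
    # appears several times the last one wins, as it would when sourced.
    algo=$(sed -n -e 's/^HASHALGO="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "${conf}" 2>/dev/null | tail -n 1)

    if [[ -z "${algo}" ]]; then
        return 0
    fi
    # Surrounding spaces make this an exact-token match, not a substring one.
    if [[ "${allowed}" == *" ${algo} "* ]]; then
        HASHALGO="${algo}"
    else
        printf 'Неизвестный HASHALGO в файле настроек, используем алгоритм sha256.\n' >&2
    fi
}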

# Regenerate grub.cfg after /etc/default/grub was edited.
#
# On an EFI system whose EFI grub.cfg is the real configuration (i.e. it does
# not chain-load another file via "configfile") the EFI copy is rewritten;
# in every other case the legacy /boot/grub2/grub.cfg is. A missing EFI
# grub.cfg makes the grep fail, which selects the EFI path as before.
regen_grub() {
    local efi_cfg=/boot/efi/EFI/redos/grub.cfg
    local target=/boot/grub2/grub.cfg

    if [[ -d /sys/firmware/efi ]] && ! grep -q "configfile" "${efi_cfg}"; then
        target="${efi_cfg}"
    fi
    grub2-mkconfig -o "${target}"
}

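# Helpers for the command dispatch below.
# Appends one line to the signing log.
log() { printf '%s\n' "$*" >> /var/log/ima-sig.log; }
# Prints a message on stderr and aborts.
die() { printf '%s\n' "$*" >&2; exit 1; }
# Every action rewrites files under /etc, /boot or /usr/lib; refuse up front
# rather than failing half-way through with a partially edited system.
require_root() { [[ ${EUID} -eq 0 ]] || die "ima-manage: this action must be run as root"; }

get_hashalgo_from_conf

case "${ACTION}" in
    "signfs")
        require_root
        [[ -n "${FS_TYPE}" ]] || die "ima-manage: cannot determine the filesystem type of /"
        # With an empty -k evmctl would fall back to its own default key
        # location; insist on an explicit, readable key so files are never
        # signed with a key the operator did not name.
        [[ -n "${KEY_PATH}" && -r "${KEY_PATH}" ]] || die "ima-manage: signing key '${KEY_PATH}' is missing or unreadable"

        # NUL-delimited walk + `IFS= read -r -d ''` so paths containing
        # spaces, backslashes or newlines are handled intact.
        # NOTE(review): this walks every directory of that filesystem type,
        # user-writable ones included, so any ELF/script present at signing
        # time receives a valid signature — consider limiting the walk to
        # the paths the IMA policy actually appraises.
        find / -fstype "${FS_TYPE}" -type f -print0 |
        while IFS= read -r -d '' FILE; do
            # -b: description only, so a path containing "ELF" or "script"
            # cannot be misclassified as an executable.
            KIND=$(file -b -- "${FILE}")
            if [[ "${KIND}" == *ELF* || "${KIND}" == *script* ]]; then
                # Decide by exit status instead of grepping the output for
                # the word "error"; the output is kept for the log.
                if OUT=$(evmctl ima_sign -k "${KEY_PATH}" -a "${HASHALGO}" "${FILE}" 2>&1); then
                    log "${FILE} signed with key ${KEY_PATH}"
                else
                    log "Error while signing ${FILE} with ${KEY_PATH}: ${OUT}"
                fi
            else
                # ima_hash needs no key; the previous version passed the
                # literal string "{KEY_PATH}" here (missing '$').
                if OUT=$(evmctl ima_hash -a "${HASHALGO}" "${FILE}" 2>&1); then
                    log "IMA hash added to ${FILE}"
                else
                    log "Error while hashing ${FILE}: ${OUT}"
                fi
            fi
        done
        ;;

    "init")
        require_root
        # Replace the line after "check()" in dracut's integrity module with
        # "return 0" — presumably so dracut always includes 98integrity;
        # re-running it rewrites the same line, so it is idempotent.
        sed -i "/check()/!b;n;c\ \ \ return 0" /usr/lib/dracut/modules.d/98integrity/module-setup.sh
        # Only add KeyringMode=shared once; the old unconditional `sed a`
        # appended a duplicate line on every init run.
        if ! grep -q "^KeyringMode=shared" /usr/lib/systemd/system/dracut-pre-mount.service; then
            sed -i "/\[Service\]/a KeyringMode=shared" /usr/lib/systemd/system/dracut-pre-mount.service
        fi

        if grep -q "ima_appraise=enforce" /etc/default/grub; then
            printf '%s\n' "Судя по всему контроль целостности уже включен. Вы уверены что хотите продолжить? (Дд/Yy/Нн/Nn):"
            read -r cont
            case "${cont}" in
                "Y"|"y"|"Д"|"д")
                    sed -i /etc/default/grub -e "s/ima_appraise=enforce/ima_appraise=fix/"
                    ;;
                *)
                    # Anything but an explicit "yes" (including a bare Enter)
                    # aborts; previously unrecognised input fell through and
                    # regenerated grub anyway.
                    exit 0
                    ;;
            esac
        elif ! grep -q "ima_appraise=fix" /etc/default/grub; then
            # Not configured yet: add the kernel parameter. Guarded so a
            # second init while already in fix mode does not append it twice.
            printf '\nGRUB_CMDLINE_LINUX+=" ima_appraise=fix"\n' >> /etc/default/grub
        fi
        regen_grub
        ;;

    "enforce")
        require_root
        # Never flip the kernel to enforce without a policy in place: the old
        # `cp -f` failed silently and the system still rebooted into enforce,
        # which may leave it unable to boot.
        [[ -r /etc/ima/ima-policy.new ]] || die "ima-manage: /etc/ima/ima-policy.new not found, nothing to enforce"
        cp -f /etc/ima/ima-policy.new /etc/sysconfig/ima-policy || die "ima-manage: failed to install /etc/sysconfig/ima-policy"
        # The parameter must already be on the command line (init adds it),
        # otherwise the sed below is a silent no-op.
        grep -qE "ima_appraise=(fix|enforce)" /etc/default/grub || die "ima-manage: ima_appraise= not found in /etc/default/grub, run 'ima-manage init' first"
        sed -i /etc/default/grub -e "s/ima_appraise=fix/ima_appraise=enforce/"
        regen_grub
        # Rebuild the initramfs so it carries the integrity setup; do not
        # reboot on a failed build.
        dracut -f > /dev/null || die "ima-manage: dracut failed, not rebooting"
        printf '%s\n' "Нажмите Enter для перезагрузки..."
        read -r _
        systemctl reboot
        ;;

    *)
        # Unknown or missing action is a usage error: say so on stderr and
        # exit non-zero so callers can notice.
        printf '%s\n' "Usage: ima-manage enforce|signfs|init <path-to-key>" >&2
        exit 1
        ;;
esac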

