ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY

The IMA policy will be specified using the IMA_EVM_POLICY variable since systemd will not be involved in loading the policy but the init script will load it. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-01-11 15:00:34 +00:00 · 2023-04-28 08:23:12 -04:00
parent f4f7624d2e
commit 292b49342c
2 changed files with 3 additions and 3 deletions
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -187,7 +187,7 @@ IMA policy loading became broken in systemd 2.18. The modified systemd
 changes. To activate policy loading via systemd, place a policy file
 in `/etc/ima/ima-policy`, for example with:

-    IMA_EVM_POLICY_SYSTEMD = "${INTEGRITY_BASE}/data/ima_policy_simple"
+    IMA_EVM_POLICY = "${INTEGRITY_BASE}/data/ima_policy_simple"

 To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements`

--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -69,10 +69,10 @@ ima_evm_sign_rootfs () {
    find ${IMA_EVM_ROOTFS_HASHED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_hash

    # Optionally install custom policy for loading by systemd.
-    if [ "${IMA_EVM_POLICY_SYSTEMD}" ]; then
+    if [ "${IMA_EVM_POLICY}" ]; then
        install -d ./${sysconfdir}/ima
        rm -f ./${sysconfdir}/ima/ima-policy
-        install "${IMA_EVM_POLICY_SYSTEMD}" ./${sysconfdir}/ima/ima-policy
+        install "${IMA_EVM_POLICY}" ./${sysconfdir}/ima/ima-policy
    fi
 }