#!/bin/sh
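# Positional arguments: <action> and, for "signfs", the path of the IMA
# signing key handed to evmctl.
ACTION=$1
KEY_PATH=$2
# Filesystem type of the root mount ("/") as listed in /etc/fstab.
# Field-based matching works for both tab- and space-separated entries
# (the previous grep only matched a space-delimited "/"), skips comment
# lines, and takes the first root entry. Empty when no entry is found.
FS_TYPE=$(awk '$1 !~ /^#/ && $2 == "/" { print $3; exit }' /etc/fstab)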

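#######################################
# Regenerate the GRUB configuration so the kernel command line edited in
# /etc/default/grub takes effect on the next boot.
# Globals:   reads /etc/fstab
# Arguments: none
# Returns:   status of grub2-mkconfig; 1 when the system looks like EFI but
#            no grub.cfg exists under /boot/efi/EFI/
#######################################
regen_grub(){
    # The script writes below /boot/efi/EFI/, so detect that mount point in
    # fstab instead of the substring "efi" anywhere in the file.
    if grep -qE '[[:space:]]/boot/efi[[:space:]]' /etc/fstab; then
        found=0
        # The glob may expand to several vendor directories or to nothing;
        # an unmatched glob stays literal in sh, hence the -e test. Each
        # existing grub.cfg is regenerated on its own because -o takes a
        # single path.
        for cfg in /boot/efi/EFI/*/grub.cfg; do
            [ -e "${cfg}" ] || continue
            grub2-mkconfig -o "${cfg}" || return 1
            found=1
        done
        if [ "${found}" -eq 0 ]; then
            printf 'regen_grub: no grub.cfg found under /boot/efi/EFI/\n' >&2
            return 1
        fi
    else
        grub2-mkconfig -o /boot/grub2/grub.cfg
    fi
}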


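#######################################
# Append one line to the signing log.
# Arguments: message words
#######################################
log_sig() {
    printf '%s\n' "$*" >> /var/log/ima-sig.log
}

#######################################
# "signfs": walk every regular file on filesystems of the root's type and
# either IMA-sign it (ELF binaries and scripts, as classified by file(1))
# or record an IMA hash for it. Success and failure of each evmctl call
# are logged separately so the log does not claim a signature that was
# never written.
# Globals:   KEY_PATH, FS_TYPE (read)
# Returns:   exits 1 when KEY_PATH or FS_TYPE is unusable
#######################################
sign_fs() {
    if [ -z "${KEY_PATH}" ] || [ ! -r "${KEY_PATH}" ]; then
        printf 'signfs: a readable signing key must be given as the second argument\n' >&2
        exit 1
    fi
    if [ -z "${FS_TYPE}" ]; then
        printf 'signfs: could not determine the root filesystem type from /etc/fstab\n' >&2
        exit 1
    fi
    # Quoting keeps an odd FS_TYPE value from becoming extra find arguments.
    # Names are read one per line; a filename containing a newline would be
    # split (find -print0 / read -d '' would fix that but are not POSIX sh).
    find / -fstype "${FS_TYPE}" -type f |
    while IFS= read -r FILE; do
        # -b omits the filename from file(1)'s output, so a path that happens
        # to contain "ELF" or "script" cannot be misclassified.
        kind=$(file -b -- "${FILE}")
        case "${kind}" in
        *ELF*)
            if evmctl ima_sign -k "${KEY_PATH}" -a sha256 "${FILE}"; then
                log_sig "ELF ${FILE} signed with key ${KEY_PATH}"
            else
                log_sig "FAILED to sign ELF ${FILE}"
            fi
            ;;
        *script*)
            if evmctl ima_sign -k "${KEY_PATH}" -a sha256 "${FILE}"; then
                log_sig "Script ${FILE} signed with key ${KEY_PATH}"
            else
                log_sig "FAILED to sign script ${FILE}"
            fi
            ;;
        *)
            # The original passed the literal string "{KEY_PATH}" here
            # (missing "$"); the key path is now expanded like in the
            # signing branches.
            if evmctl ima_hash -k "${KEY_PATH}" "${FILE}"; then
                log_sig "IMA hash added to ${FILE}"
            else
                log_sig "FAILED to add IMA hash to ${FILE}"
            fi
            ;;
        esac
    done
}

#######################################
# "init": put IMA appraisal into fix mode via the kernel command line and
# regenerate GRUB. If enforce mode is already configured the user is asked
# before it is downgraded; anything but an explicit yes leaves the system
# untouched (the original compared the literal word "cont" and so ignored
# the answer).
# Globals:   reads/writes /etc/default/grub
# Returns:   status of regen_grub; exits 0 when the user declines
#######################################
init_ima() {
    if grep -q "ima_appraise=enforce" /etc/default/grub; then
        printf '%s\n' "Судя по всему контроль целостности уже включен. Вы уверены что хотите продолжить? (Дд/Yy/Нн/Nn):"
        read -r cont
        case "${cont}" in
        "Y"|"y"|"Д"|"д")
            sed -i /etc/default/grub -e "s/ima_appraise=enforce/ima_appraise=fix/"
            ;;
        *)
            exit 0
            ;;
        esac
    elif grep -q "ima_appraise=fix" /etc/default/grub; then
        # Already in fix mode: do not append a second entry, just regenerate.
        :
    else
        # NOTE: "+=" is only understood if grub2-mkconfig sources this file
        # with a shell that supports it (bash does, dash does not); kept as
        # the original wrote it.
        printf '\nGRUB_CMDLINE_LINUX+=" ima_appraise=fix"\n' >> /etc/default/grub
    fi
    regen_grub
}

#######################################
# "enforce": install the prepared policy, switch the kernel command line
# from fix to enforce mode, regenerate GRUB and reboot. Every step that the
# next boot depends on is checked so the reboot is not reached with a
# half-applied configuration.
# Globals:   reads/writes /etc/default/grub, /etc/ima/ima-policy
# Returns:   does not return on success (reboots); exits 1 on failure
#######################################
enforce_ima() {
    if ! grep -q "ima_appraise=" /etc/default/grub; then
        printf 'enforce: no ima_appraise= entry in /etc/default/grub; run "init" first\n' >&2
        exit 1
    fi
    if ! mv -f /etc/ima/ima-policy.new /etc/ima/ima-policy; then
        printf 'enforce: /etc/ima/ima-policy.new could not be installed; not switching to enforce mode\n' >&2
        exit 1
    fi
    sed -i /etc/default/grub -e "s/ima_appraise=fix/ima_appraise=enforce/"
    regen_grub || exit 1
    printf '%s\n' "Нажмите любую клавишу для перезагрузки..."
    # POSIX read needs a variable name; a bare "read" is a bashism.
    read -r _
    systemctl reboot
}

case "${ACTION}" in
"signfs")
    sign_fs
    ;;
"init")
    init_ima
    ;;
"enforce")
    enforce_ima
    ;;
*)
    printf 'Usage: ima-manage enforce|signfs|init <path-to-key>\n' >&2
    exit 1
    ;;
esac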

