From: Harald Hoyer
Date: Fri, 26 Mar 2021 09:29:32 +0000 (+0100)
Subject: fix(integrity): shellcheck for modules.d/98integrity
X-Git-Tag: 054~217
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=895dd4eb25e86278ce04dae2a0b1310bc3caf6c3;p=thirdparty%2Fdracut.git
fix(integrity): shellcheck for modules.d/98integrity
---
diff --git a/modules.d/98integrity/.shchkdir b/modules.d/98integrity/.shchkdir
new file mode 100644
index 000000000..e69de29bb
diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh
index c359f6e3b..313ca5da4 100755
--- a/modules.d/98integrity/evm-enable.sh
+++ b/modules.d/98integrity/evm-enable.sh
@@ -14,14 +14,15 @@ EVMKEYID=""
 load_evm_key() {
 # read the configuration from the config file
+ # shellcheck disable=SC1090
 [ -f "${EVMCONFIG}" ] \
- && . ${EVMCONFIG}
+ && . "${EVMCONFIG}"
 # override the EVM key path name from the 'evmkey=' parameter in the kernel
 # command line
- EVMKEYARG=$(getarg evmkey=)
- [ $? -eq 0 ] \
- && EVMKEY=${EVMKEYARG}
+ if EVMKEYARG=$(getarg evmkey=); then
+ EVMKEY=${EVMKEYARG}
+ fi
 # set the default value
 [ -z "${EVMKEY}" ] \
@@ -39,14 +40,13 @@ load_evm_key() {
 fi
 # read the EVM encrypted key blob
- KEYBLOB=$(cat ${EVMKEYPATH})
+ KEYBLOB=$(cat "${EVMKEYPATH}")
 # load the EVM encrypted key
- EVMKEYID=$(keyctl add ${EVMKEYTYPE} ${EVMKEYDESC} "load ${KEYBLOB}" @u)
- [ $? -eq 0 ] || {
+ if ! EVMKEYID=$(keyctl add ${EVMKEYTYPE} ${EVMKEYDESC} "load ${KEYBLOB}" @u); then
 info "integrity: failed to load the EVM encrypted key: ${EVMKEYDESC}"
 return 1
- }
+ fi
 return 0
 }
@@ -55,9 +55,9 @@ load_evm_x509() {
 # override the EVM key path name from the 'evmx509=' parameter in
 # the kernel command line
- EVMX509ARG=$(getarg evmx509=)
- [ $? -eq 0 ] \
- && EVMX509=${EVMX509ARG}
+ if EVMX509ARG=$(getarg evmx509=); then
+ EVMX509=${EVMX509ARG}
+ fi
 # set the default value
 [ -z "${EVMX509}" ] \
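Review bot: The new `# shellcheck disable=SC1090` in load_evm_key carries no reason, even though the line it covers executes whatever `${EVMCONFIG}` contains as shell code in the initramfs before EVM is enabled. A one-line comment above the directive would record the trust assumption, for example `# EVMCONFIG is only known at runtime; the sourced file runs as shell here, so it must not be writable by untrusted parties`. Where EVMCONFIG is set is outside the hunk, so whether it points into the not-yet-verified root should be confirmed against the top of the file. The same bare suppression is added before the `. "${IMACONFIG}"` lines in ima-keys-load.sh and ima-policy-load.sh.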
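Review bot: `${EVMKEYTYPE}` and `${EVMKEYDESC}` are still unquoted in the rewritten `keyctl add` line of load_evm_key, while the neighbouring expansions this commit touches are now quoted. Both are assigned outside the hunk, and the config file sourced at the top of the function can presumably override them, so word splitting or globbing would change the argument list handed to keyctl. I would write `if ! EVMKEYID=$(keyctl add "${EVMKEYTYPE}" "${EVMKEYDESC}" "load ${KEYBLOB}" @u); then`.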
@@ -75,8 +75,7 @@ load_evm_x509() {
 fi
 local evm_pubid line
- line=$(keyctl describe %keyring:.evm)
- if [ $? -eq 0 ]; then
+ if line=$(keyctl describe %keyring:.evm); then
 # the kernel already setup a trusted .evm keyring so use that one
 evm_pubid=${line%%:*}
 else
@@ -89,11 +88,12 @@ load_evm_x509() {
 fi
 # load the EVM public key onto the EVM keyring
- EVMX509ID=$(evmctl import ${EVMX509PATH} ${evm_pubid})
- [ $? -eq 0 ] || {
+ # FIXME: EVMX509ID unused?
+ # shellcheck disable=SC2034
+ if ! EVMX509ID=$(evmctl import "${EVMX509PATH}" "${evm_pubid}"); then
 info "integrity: failed to load the EVM X509 cert ${EVMX509PATH}"
 return 1
- }
+ fi
 if [ "${RD_DEBUG}" = "yes" ]; then
 keyctl show @u
@@ -104,7 +104,7 @@ load_evm_x509() {
 unload_evm_key() {
 # unlink the EVM encrypted key
- keyctl unlink ${EVMKEYID} @u || {
+ keyctl unlink "${EVMKEYID}" @u || {
 info "integrity: failed to unlink the EVM encrypted key: ${EVMKEYDESC}"
 return 1
 }
@@ -136,7 +136,7 @@ enable_evm() {
 # initialize EVM
 info "Enabling EVM"
- echo 1 > ${EVMSECFILE}
+ echo 1 > "${EVMSECFILE}"
 # unload the EVM encrypted key
 unload_evm_key || return 1
diff --git a/modules.d/98integrity/ima-keys-load.sh b/modules.d/98integrity/ima-keys-load.sh
index 04d83f102..2959331a6 100755
--- a/modules.d/98integrity/ima-keys-load.sh
+++ b/modules.d/98integrity/ima-keys-load.sh
@@ -9,14 +9,15 @@ load_x509_keys() {
 # override the default configuration
 if [ -f "${IMACONFIG}" ]; then
- . ${IMACONFIG}
+ # shellcheck disable=SC1090
+ . "${IMACONFIG}"
 fi
 if [ -z "${IMAKEYSDIR}" ]; then
 IMAKEYSDIR="/etc/keys/ima"
 fi
- PUBKEY_LIST=$(ls ${NEWROOT}${IMAKEYSDIR}/*)
+ PUBKEY_LIST=$(ls "${NEWROOT}"${IMAKEYSDIR}/*)
 for PUBKEY in ${PUBKEY_LIST}; do
 # check for public key's existence
 if [ ! -f "${PUBKEY}" ]; then
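Review bot: The `# FIXME: EVMX509ID unused?` and `disable=SC2034` pair in load_evm_x509 leaves the question open while hiding the warning that would answer it. If nothing outside this hunk reads EVMX509ID, dropping the capture is simpler: `if ! evmctl import "${EVMX509PATH}" "${evm_pubid}" > /dev/null; then`. If it is read elsewhere, the FIXME should become a comment naming the consumer. The same pattern is added for X509ID in load_x509_keys in ima-keys-load.sh.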
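Review bot: The result of `echo 1 > "${EVMSECFILE}"` in enable_evm is not checked, so a failed write is followed by the key unload exactly as if EVM had been initialised. This write is the step that turns enforcement on, and nothing in the hunk reports when it fails. I would at least log it, `echo 1 > "${EVMSECFILE}" || info "integrity: failed to enable EVM: ${EVMSECFILE}"`. Whether enable_evm should then return non-zero depends on the rest of the function and its caller, both outside the hunk.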
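Review bot: `PUBKEY_LIST=$(ls "${NEWROOT}"${IMAKEYSDIR}/*)` in load_x509_keys still parses `ls` output and leaves `${IMAKEYSDIR}` unquoted, and `for PUBKEY in ${PUBKEY_LIST}` then word-splits the result. A key path containing whitespace or glob characters is split or expanded before it reaches the `-f` test, and IMAKEYSDIR can come from the config file sourced just above. A plain glob avoids both: `for PUBKEY in "${NEWROOT}${IMAKEYSDIR}"/*; do`, with the existing `-f` test presumably covering the no-match case. One difference to check is that `ls` also lists the contents of subdirectories, which the glob does not; the loop body continues outside this hunk.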
@@ -26,14 +27,15 @@ load_x509_keys() {
 continue
 fi
- X509ID=$(evmctl import ${PUBKEY} ${KEYRING_ID})
- if [ $? -ne 0 ]; then
+ # FIXME: X509ID unused?
+ # shellcheck disable=SC2034
+ if ! X509ID=$(evmctl import "${PUBKEY}" "${KEYRING_ID}"); then
 info "integrity: IMA x509 cert not loaded on keyring: ${PUBKEY}"
 fi
 done
 if [ "${RD_DEBUG}" = "yes" ]; then
- keyctl show ${KEYRING_ID}
+ keyctl show "${KEYRING_ID}"
 fi
 return 0
 }
@@ -47,8 +49,8 @@ if [ ! -e "${IMASECDIR}" ]; then
 fi
 # get the IMA keyring id
-line=$(keyctl describe %keyring:.ima)
-if [ $? -eq 0 ]; then
+
+if line=$(keyctl describe %keyring:.ima); then
 _ima_id=${line%%:*}
 else
 _ima_id=$(keyctl search @u keyring _ima)
@@ -58,4 +60,4 @@ else
 fi
 # load the IMA public key(s)
-load_x509_keys ${_ima_id}
+load_x509_keys "${_ima_id}"
diff --git a/modules.d/98integrity/ima-policy-load.sh b/modules.d/98integrity/ima-policy-load.sh
index dd78e39ad..a1fbb4d5b 100755
--- a/modules.d/98integrity/ima-policy-load.sh
+++ b/modules.d/98integrity/ima-policy-load.sh
@@ -20,8 +20,9 @@ load_ima_policy() {
 fi
 # override the default configuration
+ # shellcheck disable=SC1090
 [ -f "${IMACONFIG}" ] \
- && . ${IMACONFIG}
+ && . "${IMACONFIG}"
 # set the IMA policy path name
 IMAPOLICYPATH="${NEWROOT}${IMAPOLICY}"
@@ -29,8 +30,8 @@ load_ima_policy() {
 # check the existence of the IMA policy file
 [ -f "${IMAPOLICYPATH}" ] && {
 info "Loading the provided IMA custom policy"
- printf '%s' "${IMAPOLICYPATH}" > ${IMASECDIR}/policy \
- || cat "${IMAPOLICYPATH}" > ${IMASECDIR}/policy
+ printf '%s' "${IMAPOLICYPATH}" > "${IMASECDIR}"/policy \
+ || cat "${IMAPOLICYPATH}" > "${IMASECDIR}"/policy
 }
 return 0
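Review bot: If both the `printf` and the fallback `cat` into `"${IMASECDIR}"/policy` fail, load_ima_policy still falls through to `return 0` and nothing is logged. A custom IMA policy that failed to load then looks the same in the boot log as one that loaded. I would extend the chain after the `cat` line with `|| info "integrity: failed to load the IMA policy: ${IMAPOLICYPATH}"`. The start of load_ima_policy is outside the hunk.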