[Rpm-ecosystem] [PATCH v6 10/11] IMA plugin labels ima xattr with file signatures

Mimi Zohar zohar at linux.vnet.ibm.com
Mon Jul 6 18:52:24 UTC 2015


From: "fin at linux.vnet.ibm.com" <fin at linux.vnet.ibm.com>

This plugin extracts file signatures from rpmfiles and writes them to
the security.ima xattr. Only non-config file signatures are installed.
---
 macros.in           |  1 +
 plugins/Makefile.am |  4 ++++
 plugins/ima.c       | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 65 insertions(+)
 create mode 100644 plugins/ima.c

diff --git a/macros.in b/macros.in
index de89420..3c5a011 100644
--- a/macros.in
+++ b/macros.in
@@ -1049,6 +1049,7 @@ done \
 %__transaction_systemd_inhibit	%{__plugindir}/systemd_inhibit.so
 %__transaction_selinux		%{__plugindir}/selinux.so
 %__transaction_syslog		%{__plugindir}/syslog.so
+%__transaction_ima		%{__plugindir}/ima.so
 
 #------------------------------------------------------------------------------
 # Macros for further automated spec %setup and patch application
diff --git a/plugins/Makefile.am b/plugins/Makefile.am
index 53b2450..5ddc174 100644
--- a/plugins/Makefile.am
+++ b/plugins/Makefile.am
@@ -31,3 +31,7 @@ endif
 syslog_la_SOURCES = syslog.c
 syslog_la_LIBADD = $(top_builddir)/lib/librpm.la $(top_builddir)/rpmio/librpmio.la
 plugins_LTLIBRARIES += syslog.la
+
+ima_la_sources = ima.c
+ima_la_LIBADD = $(top_builddir)/lib/librpm.la $(top_builddir)/rpmio/librpmio.la
+plugins_LTLIBRARIES += ima.la
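Review bot: `ima_la_sources = ima.c` on the first added line is lowercase, so automake does not treat it as the `_SOURCES` primary that the neighbouring `syslog_la_SOURCES` uses; it is just an ordinary, unused make variable. The library would presumably still build only because automake's default source for `ima.la` happens to be `ima.c`, and that would silently stop holding the moment a second source file is added. Change it to `ima_la_SOURCES = ima.c` to match the other plugins.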
diff --git a/plugins/ima.c b/plugins/ima.c
new file mode 100644
index 0000000..c1d5607
--- /dev/null
+++ b/plugins/ima.c
@@ -0,0 +1,60 @@
+#include <sys/xattr.h>
+
+#include <rpm/rpmfi.h>
+#include <rpm/rpmte.h>
+#include <rpm/rpmfiles.h>
+#include <rpm/rpmtypes.h>
+#include <rpmio/rpmstring.h>
+
+#include "lib/rpmfs.h"
+#include "lib/rpmplugin.h"
+#include "lib/rpmte_internal.h"
+
+#define XATTR_NAME_IMA "security.ima"
+
+static char * fsmFsPath(rpmfi fi, const char * suffix)
+{
+    return rstrscat(NULL, rpmfiDN(fi), rpmfiBN(fi), suffix? suffix : "", NULL);
+}
+
+static rpmRC ima_psm_post(rpmPlugin plugin, rpmte te, int res)
+{
+	rpmfiles files = rpmteFiles(te);
+	rpmfi fi = rpmteFI(te);
+	int i;
+	char *fpath;
+	const unsigned char * fsig = NULL;
+	size_t len;
+	int rc = 0;
+
+	if (fi == NULL) {
+	    rc = RPMERR_BAD_MAGIC;
+	    goto exit;
+	}
+
+	while (!rc) {
+	    rc = rpmfiNext(fi);
+	    i = rpmfiFX(fi);
+
+	    if (rc < 0) {
+		if (rc == RPMERR_ITER_END)
+		    rc = 0;
+		break;
+	    }
+
+	    /* Don't install signatures for (mutable) config files */
+	    if (!(rpmfilesFFlags(files, i) & RPMFILE_CONFIG)) {
+		fpath = fsmFsPath(fi, NULL);
+		fsig = rpmfilesFSignature(files, i, &len);
+		if (fsig) {
+		    lsetxattr(fpath, XATTR_NAME_IMA, fsig, len, 0);
+		}
+	    }
+	}
+exit:
+	return rc;
+}
+
+struct rpmPluginHooks_s ima_hooks = {
+	.psm_post = ima_psm_post,
+};
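Review bot: Every non-config file leaks the path returned by fsmFsPath(), because `fpath` is allocated by rstrscat() and never freed inside the loop, and the lsetxattr() result is discarded, so a file that ends up without its security.ima label (filesystem without xattr support, EPERM, ENOENT) is indistinguishable from a labelled one. Free the path at the end of each iteration and at least log a failed lsetxattr() with its errno through rpmlog(), which means adding rpm/rpmlog.h, errno.h, string.h and stdlib.h to the include block. If rpmteFiles() hands back a referenced handle, as the link-counted rpmfiles API suggests, `files` also needs `rpmfilesFree(files)` before returning. psm_post is presumably invoked for erase elements too, where the paths no longer exist, so a `if (rpmteType(te) != TR_ADDED) return RPMRC_OK;` guard at the top of ima_psm_post would avoid spurious failures there.
```c
	    /* Don't install signatures for (mutable) config files */
	    if (!(rpmfilesFFlags(files, i) & RPMFILE_CONFIG)) {
		fpath = fsmFsPath(fi, NULL);
		fsig = rpmfilesFSignature(files, i, &len);
		/* A missing label is a silent appraisal failure later; say so now */
		if (fsig && lsetxattr(fpath, XATTR_NAME_IMA, fsig, len, 0) < 0) {
		    rpmlog(RPMLOG_WARNING, "%s: failed to set %s: %s\n",
			   fpath, XATTR_NAME_IMA, strerror(errno));
		}
		free(fpath);
	    }
	/* … unchanged: loop termination and exit label … */
```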
-- 
2.1.0


