[Rpm-maint] [PATCH 3/3] plugins: Pass rpmte to scriptlet_pre and call IMA plugin in this hook

Panu Matilainen pmatilai at laiskiainen.org
Wed Sep 21 19:21:41 UTC 2016

On 09/21/2016 09:14 PM, Stefan Berger wrote:
> Stefan Berger <stefanb at linux.vnet.ibm.com> wrote on 09/21/2016 02:04:08
> PM:
>> From: Stefan Berger <stefanb at linux.vnet.ibm.com>
>> To: rpm-maint at lists.rpm.org
>> Cc: fionnuala.gunter at gmail.com, stefanb at linux.vnet.ibm.com,
>> zohar at linux.vnet.ibm.com, Stefan Berger/Watson/IBM at IBMUS
>> Date: 09/21/2016 02:04 PM
>> Subject: [PATCH 3/3] plugins: Pass rpmte to scriptlet_pre and call
>> IMA plugin in this hook
>> The IMA plugin needs to also be called before the post installation
>> scriptlet is run. The reason for this is that some post installation
>> scriptlets invoke the tools that were just installed. The invocation
>> fails if the signatures have not been applied yet. Therefore, we
>> invoke the IMA plugin with the scriptlet_pre hook.
>> To be able to do the work in the scriptlet_pre hook, we also need to
>> pass the rpmte parameter all the way through.
>> An example for an RPM that invokes its own programs is coreutils,
>> which will invoke /bin/mv in the post installation script.
>> Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
>> ---
>>  lib/rpmplugin.h   |  3 ++-
>>  lib/rpmplugins.c  |  5 +++--
>>  lib/rpmplugins.h  |  3 ++-
>>  lib/rpmscript.c   |  5 +++--
>>  lib/rpmscript.h   |  3 ++-
>>  lib/transaction.c |  2 +-
>>  plugins/ima.c     | 10 ++++++++++
>>  7 files changed, 23 insertions(+), 8 deletions(-)
>> diff --git a/lib/rpmplugin.h b/lib/rpmplugin.h
>> index fd81aec..98205db 100644
>> --- a/lib/rpmplugin.h
>> +++ b/lib/rpmplugin.h
>> @@ -44,7 +44,8 @@ typedef rpmRC (*plugin_tsm_post_func)(rpmPlugin
>> plugin, rpmts ts, int res);
>>  typedef rpmRC (*plugin_psm_pre_func)(rpmPlugin plugin, rpmte te);
>>  typedef rpmRC (*plugin_psm_post_func)(rpmPlugin plugin, rpmte te, int
> res);
>>  typedef rpmRC (*plugin_scriptlet_pre_func)(rpmPlugin plugin,
>> -                  const char *s_name, int type);
>> +                  const char *s_name, int type,
>> +                  rpmte te);
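
Review bot: the new `rpmte te` argument on plugin_scriptlet_pre_func is added to the typedef with no statement of whether it may be NULL. Nothing in this hunk tells a plugin author what the hook receives when a scriptlet is run without a transaction element, so a hook implementation, such as the one this patch adds in plugins/ima.c, cannot know whether it must check `te` before using it. Please document the contract next to the typedef (for example a comment stating "te may be NULL") and make the hook return cleanly in that case.
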
> I am obviously modifying a public interface here. This modification does
> no harm to other plugins living in the rpm git tree since none of them is
> called in this callback hook. Are there any plugins that live outside the
> tree that would now not compile anymore? Another solution would be to
> introduce a plugin_scriptlet_pre_te_func.

rpmplugin.h is not a public header, the whole plugin interface has been 
kept "rpm internal" to allow changing things while it matures. That's 
not a (big) problem.

What I do object to is passing the transaction element to 
rpmScriptRun(). The scriptlet running machinery is intentionally 
disconnected from the higher level objects such as transaction elements. 
There were reasons for that, I just don't remember the details anymore, 
doh :) *One* of the reasons is that not all scriptlets execute in a 
context of a transaction element (think of triggers from installed 

A new plugin hook is probably more appropriate. Or a pair of them - as 
you might have noticed they try to stick to symmetry. What the hook(s) 
should be called etc I've no clue ATM and it's getting late here...

	- Panu -