[Rpm-maint] [PATCH v2 0/4] Fixes for file signatures

Panu Matilainen pmatilai at laiskiainen.org
Fri Sep 23 08:15:22 UTC 2016


On 09/22/2016 08:30 PM, Stefan Berger wrote:
> The following series of patches addresses some issues with signatures on
> files. In particular:
>
> - some files marked as config files are also executables and therefore
>   need to have a signature applied
> - the IMA plugin may only run on package install cycle rather than the
>   remove cycle, which would apply the previous versions' signatures on
>   the files
> - some RPM packages require that the files be signed when the post
>   install scriptlets are run since they may invoke executables that
>   were just installed; so we introduce two new hooks, fsm_pre and
>   fsm_post. We move the IMA plugin from the psm_post hook to the
>   fsm_post hook.
>
>    Regards,
>       Stefan
>
> Stefan Berger (4):
>   ima-plugin: Have executable configuration files signed
>   ima-plugin: Only run the IMA plugin on package installation
>   rpmplugins: Introduce new fsm_pre and fsm_post hooks
>   IMA: Move the IMA plugin to the fsm_post hook
>
>  lib/psm.c        |  6 +++++-
>  lib/rpmplugin.h  |  6 ++++++
>  lib/rpmplugins.c | 35 +++++++++++++++++++++++++++++++++++
>  lib/rpmplugins.h | 19 +++++++++++++++++++
>  plugins/ima.c    | 32 ++++++++++++++++++++++----------
>  5 files changed, 87 insertions(+), 11 deletions(-)
>

So... to achieve all this and actually behave correctly in the face of 
skipped files - whether due to color, netshared path or other file 
policies - the IMA plugin should really just do what the selinux plugin 
does and use the fsm_file_prepare hook for its task, which after all is 
highly similar anyway.

Something like this (mind you, non-compiled, never mind tested code ahead):

#include <errno.h>
#include <string.h>
#include <sys/xattr.h>
#include <rpm/rpmfi.h>
#include <rpm/rpmlog.h>
#include "lib/rpmplugin.h"

/* XATTR_NAME_IMA and check_zero_hdr() are the ones already in plugins/ima.c */

static rpmRC ima_file_prepare(rpmPlugin plugin, rpmfi fi,
                              const char *path, const char *dest,
                              mode_t file_mode, rpmFsmOp op)
{
    const unsigned char * fsig = NULL;
    size_t len;
    rpmRC rc = RPMRC_OK;
    /* op carries the FAF_* flags in its upper bits; XFO_ACTION() strips them */
    rpmFileAction action = XFO_ACTION(op);

    /* Ignore skipped files */
    if (XFA_SKIPPING(action))
        goto exit;

    /* Don't install signatures for (mutable) config files, i.e. config
     * files without any execute bit. Note the parentheses: "!mode & mask"
     * would parse as (!mode) & mask and never exempt anything. */
    if (rpmfiFFlags(fi) & RPMFILE_CONFIG) {
        if (!(rpmfiFMode(fi) & (S_IXUSR|S_IXGRP|S_IXOTH)))
            goto exit;
    }

    /* path is the name the file is being written under (possibly a
     * temporary one), so that is where the xattr has to go; dest is
     * only the final destination name */
    fsig = rpmfiFSignature(fi, &len);
    if (fsig && (check_zero_hdr(fsig, len) == 0)) {
        if (lsetxattr(path, XATTR_NAME_IMA, fsig, len, 0) < 0) {
            rpmlog(RPMLOG_ERR, "ima: could not apply signature on '%s': %s\n",
                   path, strerror(errno));
            rc = RPMRC_FAIL;
        }
    }

exit:
    return rc;
}

struct rpmPluginHooks_s ima_hooks = {
    .fsm_file_prepare = ima_file_prepare,
};



That hook will only get called on file creation so you don't need to 
separately weed out erasures, skipped files are ignored as they should 
be and all the signatures will be in place by the time %post runs.

As a diff, that's nothing more than:
  plugins/ima.c | 34 ++++++++++++++++++----------------
  1 file changed, 18 insertions(+), 16 deletions(-)

	- Panu -

