[Rpm-maint] [PATCH v2 0/4] Fixes for file signatures

Panu Matilainen pmatilai at laiskiainen.org
Fri Sep 23 19:30:54 UTC 2016

On 09/23/2016 07:43 PM, Stefan Berger wrote:
> Panu Matilainen <pmatilai at laiskiainen.org> wrote on 09/23/2016 07:50:15 AM:
>>>> So... to achieve all this and actually behave correctly in the face of
>>>> skipped files - whether due to color, netshared path or other file
>>>> policies - the IMA plugin should really just do what the selinux plugin
>>>> does and use the fsm_file_prepare hook for its task, which after all is
>>>> highly similar anyway.
>>> Has the file been written when fsm_file_prepare is called? Otherwise it
>>> seems better to do it in fsm_file_post.
>> Yes, the entire file has been created but not yet moved to its final
>> destination. That's why it gets two path parameters: "path" for the
>> actual current filename which has a temporary suffix, and "dest" which
>> is the actual destination filename. So this is really the best place to
>> do any metadata work because then the file is actually ready when it gets
>> renamed to its final destination (i.e. without the suffix).
> For some mysterious reason dnf now exits in an update when I run in the
> fsm_file_prepare hook. After that, when telling dnf to install a package,
> it enumerates all kinds of locks that it unlocks. Do you know what may be
> the cause for this?

A bug in the code, causing a crash? Like I said, what I posted is 
entirely untested, it was just to point you in the general direction.

My first guess would be NULL fi tripping up one of the rpmfiFoo() calls;
reading through http://rpm.org/wiki/DevelDocs/Plugins reminded me that
fi can be NULL (on unowned directories).

So change the start to e.g.:

         /* Ignore skipped files and unowned directories */
         if (XFA_SKIPPING(action) || fi == NULL)
             goto exit;

> Following these issues, I would like to try to move it to the
> fsm_file_post hook.

I fail to see how that would accomplish anything at all.

	- Panu -
