[Rpm-maint] [PATCH v2 0/4] Fixes for file signatures

Stefan Berger stefanb at us.ibm.com
Fri Sep 23 20:02:01 UTC 2016


Panu Matilainen <pmatilai at laiskiainen.org> wrote on 09/23/2016 03:30:54 PM:

> From: Panu Matilainen <pmatilai at laiskiainen.org>
> To: Stefan Berger/Watson/IBM at IBMUS
> Cc: fionnuala.gunter at gmail.com, rpm-maint at lists.rpm.org, Stefan 
> Berger <stefanb at linux.vnet.ibm.com>
> Date: 09/23/2016 03:31 PM
> Subject: Re: [Rpm-maint] [PATCH v2 0/4] Fixes for file signatures
> 
> On 09/23/2016 07:43 PM, Stefan Berger wrote:
> > Panu Matilainen <pmatilai at laiskiainen.org> wrote on 09/23/2016 07:50:15 AM:
> >
> >
> >>>>
> >>>> So... to achieve all this and actually behave correctly in the face of
> >>>> skipped files - whether due to color, netshared path or other file
> >>>> policies - the IMA plugin should really just do what the selinux plugin
> >>>> does and use fsm_file_prepare hook for its task, which after all is
> >>>> highly similar anyway.
> >>>
> >>> Has the file been written when fsm_file_prepare is called? Otherwise it
> >>> seems better to do it in fsm_file_post.
> >>
> >> Yes, the entire file has been created but not yet moved to its final
> >> destination. That's why it gets two path parameters: "path" for the
> >> actual current filename which has a temporary suffix, and "dest" which
> >> is the actual destination filename. So this is really the best place to
> >> do any metadata work because then the file is actually ready when it gets
> >> renamed to its final destination (ie without the suffix).
> >
> > For some mysterious reason dnf now exits in an update when I run in the
> > fsm_file_prepare hook. After that, when telling dnf to install a package,
> > it enumerates all kinds of locks that it unlocks. Do you know what may be
> > the cause for this?
> 
> A bug in the code, causing a crash? Like I said, what I posted is 
> entirely untested, it was just to point you in the general direction.
> 
> My first guess would be NULL fi tripping up one of the rpmfiFoo() calls,
> reading through http://rpm.org/wiki/DevelDocs/Plugins reminded me that
> fi can be NULL (on unowned directories).
> 
> So change the start to eg:
> 
>          /* Ignore skipped files and unowned directories */
>          if (XFA_SKIPPING(action) || fi == NULL)
>              goto exit;
> 

So it must have been the fi being NULL. For some reason though it wasn't a 
pointer...

   Stefan

> >
> > Following these issues, I would like to try to move it to the
> > fsm_file_post hook.
> 
> I fail to see how that would accomplish anything at all.
> 
>    - Panu -
> 
> 

