[Rpm-maint] [rpm-software-management/rpm] Problem with --signfiles for files that are hardlinked together (#333)

patrickc25000 notifications at github.com
Sat Oct 14 01:15:20 UTC 2017

We have encountered a problem when performing an RPM update while Integrity Measurement Architecture (IMA) signatures are applied to the files. In other words, we are having a problem with the "--signfiles" support in the RPM package.

When we install a new glibc RPM on a system with SELinux and IMA enabled, we are seeing appraise errors with 3 files. Looking at an strace (see attached), I see that the files are referenced different from the normal sequence (i.e. of open, lsetxattr of security.ima, lsetxattr of security.selinux, rename) and instead, there is a hard link call made before the open. Taking just one of these files that results in an appraise error, namely /usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8, and looking for references to it and some related files (i.e. /usr/libexec/getconf/POSIX_V6_LP64_OFF64;59d3a6c8 and /usr/libexec/getconf/POSIX_V7_LP64_OFF64), I see the following summary: 

Create POSIX_V6 temp file and rename as POSIX_V6 regular file and hard link POSIX_V7 temp file to POSIX_V6 regular file and rename POSIX_V7 temp file as POSIX_V7 regular file and hard link XBS5 temp file to POSIX_V6 regular file and open XBS5 temp file and then set security.ima on the XBS5 temp file. Since the set of security.ima is done after the open and the open will not be creating a file since it has a hard link to an existing file at that point, the open will encounter an appraise error (in this strace, just resulting in a log entry) since the security.ima signature will not be found.

Below are the relevant entries within the strace to support the problem summary above: 

write(2, "create     100755  3 (   0,   0)"..., 89create     100755  3 (   0,   0)     0 /usr/libexec/getconf/POSIX_V6_LP64_OFF64;59d3a6c8
open("/usr/libexec/getconf/POSIX_V6_LP64_OFF64;59d3a6c8", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 30
lstat("/usr/libexec/getconf/POSIX_V6_LP64_OFF64", {st_mode=S_IFREG|0755, st_size=26648, ...}) = 0
lstat("/usr/libexec/getconf/POSIX_V6_LP64_OFF64", {st_mode=S_IFREG|0755, st_size=26648, ...}) = 0
removexattr("/usr/libexec/getconf/POSIX_V6_LP64_OFF64", "security.capability") = -1 ENODATA (No data available)
rename("/usr/libexec/getconf/POSIX_V6_LP64_OFF64;59d3a6c8", "/usr/libexec/getconf/POSIX_V6_LP64_OFF64") = 0
write(2, "create     100755  3 (   0,   0)"..., 89create     100755  3 (   0,   0)     0 /usr/libexec/getconf/POSIX_V7_LP64_OFF64;59d3a6c8
link("/usr/libexec/getconf/POSIX_V6_LP64_OFF64", "/usr/libexec/getconf/POSIX_V7_LP64_OFF64;59d3a6c8") = 0
lstat("/usr/libexec/getconf/POSIX_V7_LP64_OFF64", {st_mode=S_IFREG|0755, st_size=26648, ...}) = 0
lstat("/usr/libexec/getconf/POSIX_V7_LP64_OFF64", {st_mode=S_IFREG|0755, st_size=26648, ...}) = 0
removexattr("/usr/libexec/getconf/POSIX_V7_LP64_OFF64", "security.capability") = -1 ENODATA (No data available)
rename("/usr/libexec/getconf/POSIX_V7_LP64_OFF64;59d3a6c8", "/usr/libexec/getconf/POSIX_V7_LP64_OFF64") = 0
write(2, "create     100755  3 (   0,   0)"..., 85create     100755  3 (   0,   0) 26648 /usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8
link("/usr/libexec/getconf/POSIX_V6_LP64_OFF64", "/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8") = 0
open("/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 30
chown("/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8", 0, 0) = 0
chmod("/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8", 0755) = 0
utimensat(AT_FDCWD, "/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8", {{1506436625, 0}, (1506436625, 0}}, AT_SYMLINK_NOFOLLOW) = 0
lsetxattr("/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8", "security.ima", "...", 265, 0) = 0
lsetxattr("/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8", "security.selinux", "system_u:object_r:bin_t:s0", 27, 0) = 0
write(2, "lsetfilecon: (/usr/libexec/getco"..., 90lsetfilecon: (/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8, system_u:object_r:bin_t:s0)
lstat("/usr/libexec/getconf/XBS5_LP64_OFF64", {st_mode=S_IFREG|0755, st_size=26648, ...}) = 0
lstat("/usr/libexec/getconf/XBS5_LP64_OFF64", {st_mode=S_IFREG|0755, st_size=26648, ...}) = 0
removexattr("/usr/libexec/getconf/XBS5_LP64_OFF64", "security.capability") = -1 ENODATA (No data available)
rename("/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8", "/usr/libexec/getconf/XBS5_LP64_OFF64") = 0

As you can see in the sequence above, an open of an existing file (because it is a hard link) is made before the lsetxattr call to add the IMA signature and this is the problem. Note, although the open of the existing file is performed with the O_TRUNC option, by design, the IMA support in the kernel appraises the file (i.e. validates the signature) before the truncation of the file.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20171014/81bc3577/attachment.html>

More information about the Rpm-maint mailing list