<tt><font size=2>Panu Matilainen <pmatilai@laiskiainen.org> wrote on 09/23/2016 04:15:22 AM:<br><br>
> From: Panu Matilainen <pmatilai@laiskiainen.org></font></tt><br>
<tt><font size=2>> To: Stefan Berger <stefanb@linux.vnet.ibm.com>, rpm-maint@lists.rpm.org</font></tt><br>
<tt><font size=2>> Cc: Stefan Berger/Watson/IBM@IBMUS, fionnuala.gunter@gmail.com</font></tt><br>
<tt><font size=2>> Date: 09/23/2016 04:15 AM</font></tt><br>
<tt><font size=2>> Subject: Re: [Rpm-maint] [PATCH v2 0/4] Fixes for file signatures</font></tt><br>
<tt><font size=2>> <br>
> On 09/22/2016 08:30 PM, Stefan Berger wrote:<br>
> > The following series of patches addresses some issues with signatures on<br>
> > files. In particular:<br>
> ><br>
> > - some files marked as config files are also executables and therefore<br>
> > need to have a signature applied<br>
> > - the IMA plugin may only run on package install cycle rather than the<br>
> > remove cycle, which would apply the previous versions' signatures on<br>
> > the files<br>
> > - some RPM packages require that the files be signed when the post<br>
> > install scriptlets are run since they may invoke executables that<br>
> > were just installed; so we introduce two new hooks, fsm_pre and<br>
> > fsm_post. We move the IMA plugin from the psm_post hook to the<br>
> > fsm_post hook.<br>
> ><br>
> > Regards,<br>
> > Stefan<br>
> ><br>
> > Stefan Berger (4):<br>
> > ima-plugin: Have executable configuration files signed<br>
> > ima-plugin: Only run the IMA plugin on package installation<br>
> > rpmplugins: Introduce new fsm_pre and fsm_post hooks<br>
> > IMA: Move the IMA plugin to the fsm_post hook<br>
> ><br>
> > lib/psm.c        |  6 +++++-<br>
> > lib/rpmplugin.h  |  6 ++++++<br>
> > lib/rpmplugins.c | 35 +++++++++++++++++++++++++++++++++++<br>
> > lib/rpmplugins.h | 19 +++++++++++++++++++<br>
> > plugins/ima.c    | 32 ++++++++++++++++++++++----------<br>
> > 5 files changed, 87 insertions(+), 11 deletions(-)<br>
> ><br>
> <br>
> So... to achieve all this and actually behave correctly in the face of<br>
> skipped files - whether due to color, netshared path or other file<br>
> policies - the IMA plugin should really just do what the selinux plugin<br>
> does and use the fsm_file_prepare hook for its task, which after all is<br>
> highly similar anyway.</font></tt><br><br>
<tt><font size=2>Has the file been written when fsm_file_prepare is called? Otherwise it seems better to do it in fsm_file_post.</font></tt><br><br>
<tt><font size=2>Btw, what do fsm, tsm, and psm stand for?</font></tt><br><br>
<tt><font size=2><br>
> <br>
> Something like this (mind you, non-compiled, never mind tested code ahead):<br>
> <br>
> static rpmRC ima_file_prepare(rpmPlugin plugin, rpmfi fi,<br>
>                               const char *path, const char *dest,<br>
>                               mode_t file_mode, rpmFsmOp op)<br>
> {<br>
>     const unsigned char * fsig = NULL;<br>
>     size_t len;<br>
>     rpmRC rc = RPMRC_OK;<br>
>     /* the hook receives the fsm op; the file action is encoded in it */<br>
>     rpmFileAction action = XFO_ACTION(op);<br>
> <br>
>     /* Ignore skipped files */<br>
>     if (XFA_SKIPPING(action))<br>
>         goto exit;</font></tt><br><br>
<tt><font size=2>Good to know....</font></tt><br>
<tt><font size=2><br>
> <br>
>     /* Don't install signatures for (mutable) config files,<br>
>      * unless the config file is also executable */<br>
>     if (rpmfiFFlags(fi) & RPMFILE_CONFIG) {<br>
>         if (!(rpmfiFMode(fi) & (S_IXUSR|S_IXGRP|S_IXOTH)))<br>
>             goto exit;<br>
>     }<br>
> <br>
>     /* Skip files without a signature or with an all-zero header;<br>
>      * path is the file as it currently exists on disk */<br>
>     fsig = rpmfiFSignature(fi, &len);<br>
>     if (fsig && (check_zero_hdr(fsig, len) == 0)) {<br>
>         if (lsetxattr(path, XATTR_NAME_IMA, fsig, len, 0) < 0)<br>
>             rc = RPMRC_FAIL;<br>
>     }<br></font></tt><br>
<tt><font size=2>Thanks.</font></tt><br><br>
<tt><font size=2> Stefan</font></tt><br><br>
<tt><font size=2>> <br>
> exit:<br>
>     return rc;<br>
> }<br>
> <br>
> struct rpmPluginHooks_s ima_hooks = {<br>
>     .fsm_file_prepare = ima_file_prepare,<br>
> };<br>
> <br>
> <br>
> <br>
> That hook will only get called on file creation, so you don't need to<br>
> separately weed out erasures, skipped files are ignored as they should<br>
> be and all the signatures will be in place by the time %post runs.<br>
> <br>
> As a diff, that's nothing more than:<br>
> plugins/ima.c | 34 ++++++++++++++++++----------------<br>
> 1 file changed, 18 insertions(+), 16 deletions(-)<br>
> <br>
> - Panu -<br>
> <br></font></tt><BR>