[Rpm-ecosystem] [PATCH v6 10/11] IMA plugin labels ima xattr with file signatures

Lubos Kardos lkardos at redhat.com
Thu Jul 16 15:03:06 UTC 2015


You don't need to use both rpmfiles and rpmfi. Everything that you can get
from rpmfiles you can get also from rpmfi:
rpmfilesFFlags => rpmfiFFlags
rpmfilesFSignature => rpmfiFSignature

You don't need to create your own function fsmFsPath(); you can use rpmfiFN(fi) instead.


----- Original Message -----
> From: "Mimi Zohar" <zohar at linux.vnet.ibm.com>
> To: rpm-ecosystem at lists.rpm.org
> Cc: fin at linux.vnet.ibm.com, "Fionnuala Gunter" <fionnuala.gunter at gmail.com>
> Sent: Monday, July 6, 2015 8:52:24 PM
> Subject: [Rpm-ecosystem] [PATCH v6 10/11] IMA plugin labels ima xattr with	file signatures
> 
> From: "fin at linux.vnet.ibm.com" <fin at linux.vnet.ibm.com>
> 
> This plugin extracts file signatures from rpmfiles and writes them to
> security.ima xattr. Only non-config file signatures are installed.
> ---
>  macros.in           |  1 +
>  plugins/Makefile.am |  4 ++++
>  plugins/ima.c       | 60
>  +++++++++++++++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 65 insertions(+)
>  create mode 100644 plugins/ima.c
> 
> diff --git a/macros.in b/macros.in
> index de89420..3c5a011 100644
> --- a/macros.in
> +++ b/macros.in
> @@ -1049,6 +1049,7 @@ done \
>  %__transaction_systemd_inhibit	%{__plugindir}/systemd_inhibit.so
>  %__transaction_selinux		%{__plugindir}/selinux.so
>  %__transaction_syslog		%{__plugindir}/syslog.so
> +%__transaction_ima		%{__plugindir}/ima.so
>  
>  #------------------------------------------------------------------------------
>  # Macros for further automated spec %setup and patch application
> diff --git a/plugins/Makefile.am b/plugins/Makefile.am
> index 53b2450..5ddc174 100644
> --- a/plugins/Makefile.am
> +++ b/plugins/Makefile.am
> @@ -31,3 +31,7 @@ endif
>  syslog_la_SOURCES = syslog.c
>  syslog_la_LIBADD = $(top_builddir)/lib/librpm.la
>  $(top_builddir)/rpmio/librpmio.la
>  plugins_LTLIBRARIES += syslog.la
> +
> +ima_la_sources = ima.c
> +ima_la_LIBADD = $(top_builddir)/lib/librpm.la
> $(top_builddir)/rpmio/librpmio.la
> +plugins_LTLIBRARIES += ima.la
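Review bot: `ima_la_sources = ima.c` uses a lowercase `sources` suffix, but automake only recognises the `_SOURCES` primary (compare `syslog_la_SOURCES` a few lines above in the same hunk), so as written `ima.la` has no source files attached and the plugin would not be built from ima.c. Change the line to `ima_la_SOURCES = ima.c`.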
> diff --git a/plugins/ima.c b/plugins/ima.c
> new file mode 100644
> index 0000000..c1d5607
> --- /dev/null
> +++ b/plugins/ima.c
> @@ -0,0 +1,60 @@
> +#include <sys/xattr.h>
> +
> +#include <rpm/rpmfi.h>
> +#include <rpm/rpmte.h>
> +#include <rpm/rpmfiles.h>
> +#include <rpm/rpmtypes.h>
> +#include <rpmio/rpmstring.h>
> +
> +#include "lib/rpmfs.h"
> +#include "lib/rpmplugin.h"
> +#include "lib/rpmte_internal.h"
> +
> +#define XATTR_NAME_IMA "security.ima"
> +
> +static char * fsmFsPath(rpmfi fi, const char * suffix)
> +{
> +    return rstrscat(NULL, rpmfiDN(fi), rpmfiBN(fi), suffix? suffix : "",
> NULL);
> +}
> +
> +static rpmRC ima_psm_post(rpmPlugin plugin, rpmte te, int res)
> +{
> +	rpmfiles files = rpmteFiles(te);
> +	rpmfi fi = rpmteFI(te);
> +	int i;
> +	char *fpath;
> +	const unsigned char * fsig = NULL;
> +	size_t len;
> +	int rc = 0;
> +
> +	if (fi == NULL) {
> +	    rc = RPMERR_BAD_MAGIC;
> +	    goto exit;
> +	}
> +
> +	while (!rc) {
> +	    rc = rpmfiNext(fi);
> +	    i = rpmfiFX(fi);
> +
> +	    if (rc < 0) {
> +		if (rc == RPMERR_ITER_END)
> +		    rc = 0;
> +		break;
> +	    }
> +
> +	    /* Don't install signatures for (mutable) config files */
> +	    if (!(rpmfilesFFlags(files, i) & RPMFILE_CONFIG)) {
> +		fpath = fsmFsPath(fi, NULL);
> +		fsig = rpmfilesFSignature(files, i, &len);
> +		if (fsig) {
> +		    lsetxattr(fpath, XATTR_NAME_IMA, fsig, len, 0);
> +		}
> +	    }
> +	}
> +exit:
> +	return rc;
> +}
> +
> +struct rpmPluginHooks_s ima_hooks = {
> +	.psm_post = ima_psm_post,
> +};
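Review bot: The return value of `lsetxattr` inside the `if (fsig)` branch is discarded, so when the xattr write fails (filesystem without xattr support, ENOSPC, EPERM, ...) the file is installed without its IMA signature while the hook still reports success; check it and log the failure, e.g. `if (lsetxattr(fpath, XATTR_NAME_IMA, fsig, len, 0) < 0) rpmlog(RPMLOG_ERR, "ima: could not apply signature on '%s': %s\n", fpath, strerror(errno));` (needs `<rpm/rpmlog.h>`, `<errno.h>` and `<string.h>`). `fpath` comes from `fsmFsPath`, which allocates via `rstrscat(NULL, ...)`, and is never released, so every non-config file leaks one string; add `free(fpath);` after the xattr call. The loop condition `while (!rc)` also looks fragile: if `rpmfiNext` returns the new file index on success (the separate `rpmfiFX` call suggests the author did not rely on that), the loop stops as soon as a non-zero index comes back and that index is returned as the `rpmRC`, so iterating on `rc >= 0` and normalising `rc` before `exit` would be safer. Relatedly, `rc = RPMERR_BAD_MAGIC` on the `fi == NULL` path returns an rpm error code where callers expect an `rpmRC` value such as `RPMRC_FAIL`.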
> --
> 2.1.0
> 
> 

Lubos

