[Rpm-ecosystem] [PATCH v6 10/11] IMA plugin labels ima xattr with file signatures
Lubos Kardos
lkardos at redhat.com
Thu Jul 16 15:03:06 UTC 2015
You don't need to use both rpmfiles and rpmfi. Everything that you can get
from rpmfiles you can get also from rpmfi:
rpmfilesFFlags => rpmfiFFlags
rpmfilesFSignature => rpmfiFSignature
You don't need to create your own fsmFsPath() function; you can use rpmfiFN(fi) instead.
----- Original Message -----
> From: "Mimi Zohar" <zohar at linux.vnet.ibm.com>
> To: rpm-ecosystem at lists.rpm.org
> Cc: fin at linux.vnet.ibm.com, "Fionnuala Gunter" <fionnuala.gunter at gmail.com>
> Sent: Monday, July 6, 2015 8:52:24 PM
> Subject: [Rpm-ecosystem] [PATCH v6 10/11] IMA plugin labels ima xattr with file signatures
>
> From: "fin at linux.vnet.ibm.com" <fin at linux.vnet.ibm.com>
>
> This plugin extracts file signatures from rpmfiles and writes them to
> security.ima xattr. Only non-config file signatures are installed.
> ---
> macros.in | 1 +
> plugins/Makefile.am | 4 ++++
> plugins/ima.c | 60
> +++++++++++++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 65 insertions(+)
> create mode 100644 plugins/ima.c
>
> diff --git a/macros.in b/macros.in
> index de89420..3c5a011 100644
> --- a/macros.in
> +++ b/macros.in
> @@ -1049,6 +1049,7 @@ done \
> %__transaction_systemd_inhibit %{__plugindir}/systemd_inhibit.so
> %__transaction_selinux %{__plugindir}/selinux.so
> %__transaction_syslog %{__plugindir}/syslog.so
> +%__transaction_ima %{__plugindir}/ima.so
>
> #------------------------------------------------------------------------------
> # Macros for further automated spec %setup and patch application
> diff --git a/plugins/Makefile.am b/plugins/Makefile.am
> index 53b2450..5ddc174 100644
> --- a/plugins/Makefile.am
> +++ b/plugins/Makefile.am
> @@ -31,3 +31,7 @@ endif
> syslog_la_SOURCES = syslog.c
> syslog_la_LIBADD = $(top_builddir)/lib/librpm.la
> $(top_builddir)/rpmio/librpmio.la
> plugins_LTLIBRARIES += syslog.la
> +
> +ima_la_sources = ima.c
> +ima_la_LIBADD = $(top_builddir)/lib/librpm.la
> $(top_builddir)/rpmio/librpmio.la
> +plugins_LTLIBRARIES += ima.la
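Review bot: `ima_la_sources = ima.c` uses a lowercase variable name, while the automake convention (and the `syslog_la_SOURCES` line three lines above in the same hunk) is `ima_la_SOURCES`; automake will not recognise the lowercase spelling as the source list for ima.la, so the sources would come from automake's default guess rather than from this line. It should read `ima_la_SOURCES = ima.c`. The `$(top_builddir)/rpmio/librpmio.la` continuation lines appear to have lost their leading diff markers in the mail, so the LIBADD line is presumably one line in the real patch.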
> diff --git a/plugins/ima.c b/plugins/ima.c
> new file mode 100644
> index 0000000..c1d5607
> --- /dev/null
> +++ b/plugins/ima.c
> @@ -0,0 +1,60 @@
> +#include <sys/xattr.h>
> +
> +#include <rpm/rpmfi.h>
> +#include <rpm/rpmte.h>
> +#include <rpm/rpmfiles.h>
> +#include <rpm/rpmtypes.h>
> +#include <rpmio/rpmstring.h>
> +
> +#include "lib/rpmfs.h"
> +#include "lib/rpmplugin.h"
> +#include "lib/rpmte_internal.h"
> +
> +#define XATTR_NAME_IMA "security.ima"
> +
> +static char * fsmFsPath(rpmfi fi, const char * suffix)
> +{
> + return rstrscat(NULL, rpmfiDN(fi), rpmfiBN(fi), suffix? suffix : "",
> NULL);
> +}
> +
> +static rpmRC ima_psm_post(rpmPlugin plugin, rpmte te, int res)
> +{
> + rpmfiles files = rpmteFiles(te);
> + rpmfi fi = rpmteFI(te);
> + int i;
> + char *fpath;
> + const unsigned char * fsig = NULL;
> + size_t len;
> + int rc = 0;
> +
> + if (fi == NULL) {
> + rc = RPMERR_BAD_MAGIC;
> + goto exit;
> + }
> +
> + while (!rc) {
> + rc = rpmfiNext(fi);
> + i = rpmfiFX(fi);
> +
> + if (rc < 0) {
> + if (rc == RPMERR_ITER_END)
> + rc = 0;
> + break;
> + }
> +
> + /* Don't install signatures for (mutable) config files */
> + if (!(rpmfilesFFlags(files, i) & RPMFILE_CONFIG)) {
> + fpath = fsmFsPath(fi, NULL);
> + fsig = rpmfilesFSignature(files, i, &len);
> + if (fsig) {
> + lsetxattr(fpath, XATTR_NAME_IMA, fsig, len, 0);
> + }
> + }
> + }
> +exit:
> + return rc;
> +}
> +
> +struct rpmPluginHooks_s ima_hooks = {
> + .psm_post = ima_psm_post,
> +};
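Review bot: The `lsetxattr` call inside `if (fsig)` discards its return value, so a failed labeling (for example EPERM, or ENOTSUP on a filesystem without xattr support) leaves the installed file with no security.ima xattr and nothing is reported; a file that is meant to be IMA-appraised then fails appraisal later with no trace in the transaction log. The `fpath` returned by `fsmFsPath` is also never freed, so every non-config file leaks one allocation per transaction. A minimal change is `if (fsig && lsetxattr(fpath, XATTR_NAME_IMA, fsig, len, 0) < 0) rpmlog(RPMLOG_WARNING, "%s: failed to set %s\n", fpath, XATTR_NAME_IMA);` followed by `free(fpath);` before the closing brace of the config-flag check (rpmlog needs `<rpm/rpmlog.h>`). Whether a failure here should make `ima_psm_post` return a non-zero rc instead of only warning is a policy choice the commit message does not address; it would be worth stating either way in a comment above the loop.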
> --
> 2.1.0
>
Lubos