[Rpm-maint] First attempt for the patch on extending the plugin interface for rpm

Panu Matilainen pmatilai at laiskiainen.org
Tue Oct 16 11:04:39 UTC 2012


On 10/15/2012 03:18 PM, Reshetova, Elena wrote:
> Hi,
>
> After reading your responses I think we indeed need to break this patch into
> at least two or three parts. It would help us to concentrate on one set of
> the hooks at the time and integrate them separately in steps.
> You mentioned that pre/post tsm/psm hooks are pretty much fine, so we can
> start from them.

Fine with me.

> I would propose to add to them a security plugin loading
> function and macros.

Obviously there needs to be some way of loading the plugins... What 
kinda bothers me here is the notion of "security plugin" - except for 
perhaps the signature/conflict hooks, there's nothing inherently 
security-specific here.

The two immediate candidates *are* security-oriented, but they're very, 
very different in what they do and how they affect the system. Eg if you 
disable SELinux labeling on a system where SELinux is enabled, you'll 
pretty much just shoot yourself in the foot (by ending up with a rather 
screwed up system) rather than fundametally bypass system security. 
"Transaction plugin" or something to that effect would seem to be more 
appropriate as these hooks could be used for all sorts of purposes 
(additional logging / interaction with other systems like dbus 
notifications for somebody ... whatever).

> Also, if there are no objections I would add here a
> ScriptSetup hook (it is rather simple one and outside of other hooks). This
> can be the first bunch that we can bring into shape to be acceptable for
> merge.

The script setup hook is fairly obvious too, just forgot to mention it. 
The one question with that is (again) the argument(s) it receives: 
currently its ARGV_t, but does it actually need the entire argv or would 
just the actual executable path suffice for the setup?

Another possibility might be passing an rpmScript "object" (which would 
need exporting and probably added interfaces, but that's kinda in the 
plans anyway at some point). But perhaps that's best left for later.

> Then after the above is hopefully merged I will start attacking the
> file-related hooks (I have already made a number of changes and will look
> into improving them further based on your comments). And at the end we can
> talk about how to integrate the rest.
>
> I will post the first bunch shortly if there are no objections.

Feel free to post as many revisions as you want, it tends to be more 
productive to discuss actual patches than hand-wavy abstractions :)

> Further comments are inline:
>
>> Actually, the ability to sanely disable these things from cli and API is in
> practise a hard requirement. The reason is that rpm is used in a large
> variety of situations beyond the basic "system package management"
>> task: creation of chroot (build-)environments that are nothing like what
> the system might be running, install/live images, certain per-user tasks,
> workarounds for weird setups etc. Plus all the things we never even imagined
> - by now I hope to have learned (the hard way) that no matter how unlikely
> it >seems, the unforeseen oddball (yet legal) cases always exist :)
>
>> I do realize that needs on an embedded / handheld systems can be
> drastically different from  a general purpose system. How to support "full
> lockdown" where needed but allow disabling for other uses is something to
> think about.
>
> Hm.. This isn't easy indeed. Can we make a security plugin a special case
> regarding to the cli? Meaning that if the rpm is compiled with
> "ENFORCE_SECURITY", then it isn't possible to disable the security plugin
> from cli and if loading/expanding of security plugin fails, then rpm stops.
> Providing cli or API option to disable additional security enforced by the
> plugin(s) even if security have been compiled in sounds scary for me....

I dunno... There are soooo many different options and API flags that 
affect these things, attempting to enforce things from the inside of rpm 
seems hopelessly futile: practically every aspect of rpm's behavior is 
overridable via cli, API and configuration. Including the paths where 
rpm loads its configuration from. You'd need to have a hard-wired list 
of mandatory plugins and their non-macro paths compiled rpm to enforce 
anything at all. And even then, if you have cli access as root, what's 
to prevent the user from just replacing the executable/libraries with 
something that doesn't enforce anything?

The way I see it, the only thing that can enforce the kind of MAC-style 
behavior you're after is the kernel:

In terms of SELinux (which is more familiar to me), it might be 
something like having rpm confined to very limited read-only 
functionality, and the plugin would request a transition to a context 
that where installations etc become possible. With that sort of setup, 
you can try to disable whatever you want on the cli/api/configuration 
but you're unable to *do* anything without having the "security" plugin 
loaded, turning the whole picture upside-down. Obviously there would 
have to be some kind of (signature?) mechanism of ensuring the plugin is 
actually authorized to request the extra privileges.

>> What I was thinking was more in the direction of "if plugin X returned
> failure, should we even call the other hooks" (such as falling back to
> something else if one of the involved filesystem doesn't support feature Y),
> but this is now something that neither the plugin or rpm has any way of
> actually knowing.
>> The point perhaps being, the exact semantics for the plugin hooks needs to
> be far more clearly defined sooner or later.
>
> I think even if plugin X returns failure on hook Z, we need to call the hook
> Z for all other plugins, because this will make sure that all plugins have
> the same set of hooks that got executed during the rpm transaction. Also, it
> would be up to each plugin to be prepared that rpm transaction can stop and
> fail outside of the plugin (inside rpm itself or inside of other plugins)
> and then be ready that only cleanup hook is called. So, for example, plugin
> might have pre tsm/psm hooks called and they go fine, but then some other
> plugin returns a failure on prepsm hook, so whole transaction goes to
> failure and plugin gets cleanup hook called even if from its point of view
> everything went fine.

Yup. My "issues" here are probably just a matter of adjusting my own 
thinking to the different style needed by plugins :)

>> FWIW, I've been considering exporting the fd digest API for quite some
>> time. That stuff probably needs a bit of polishing/sanitizing before
>> exporting, but I'm not at all opposed to doing it.
>
> Yes, I think this would be good and then it can be cleaner from plugin side
> to get digest calculated.

Ok. I'll try to have a look at it soonish.

>> For now, go for the absolute minimum exposure of rpm "objects". The
>> problem here is different from the other internals (such as fsm in the
>> previous versions) exposure, the issue here is that it exposes a ad-hoc
>> set of things that rpm currently happens to internally use to handle
>> this stuff. Which is not entirely unlike Lucas Arts adventure games of
>> old: you have a rope, two bananas and a fish, and you need to somehow
>> use those to cross the ravine to get the umbrella from the other side
>> that you need to... :)
>
>> The fact that the hook breaks in rpm >= 4.10 despite arguments remaining
>> the same kinda underlines the issue. Rpm internals are going through
>> some pretty fundamental changes at the moment, and this is one of the
>> places that will hopefully become saner when its all done (my wishful
>> thinking is to have at least the basics around in rpm 4.11 already).
>> When that happens we can export more, but right now its better to keep
>> things to minimum you can get by with.
>
> Agree, I will take a stronger attempt to reduce the arguments to the actual
> needed once
> for all the file hooks. I guess the conflict one is the most heavy one at
> the moment, so
> I will try to address it properly next time I post the patch for file hooks.

The conflict hook is indeed probably the worst "offender". Of course you 
really do want the full information such as in rpmfi to do informed 
decisions (at least without having to duplicate all the relevant data 
inside plugins, and I dont want to encourage that), the issue here is 
just the rpm-internal hysteria with internal/external interfaces, 
different representations of packages that are to-be-installed vs the 
already installed-ones etc. Lets leave worrying about the conflicts-hook 
till later.

>
>> The signature verification hook is another place where some weird
>> internal bits and pieces get passed around. That might be unavoidable,
>> dunno... but then (and I think I've said this before), signature
>> enforcing mechanism should really be in rpm core (and is sorely missed
>> currently). Plugins might further enhance / implement policy around
>> that, or something. Oh and I know this is hand-wavy and vague :-/
>
> Yes, I think it would be good to think more on this. I understood how you
> would like
>   to have it now and agree that this would be an ideal case. I will put this
> on my todo list
> to see how this can be done in a better way.

Ok, cool. The signature enforcement is something I've thought about on 
and off for quite some time. I don't recall the specifics offhand, but 
IIRC the issues tend to revolve more around legacy expectations of how 
things work, both from cli and API-user POV, than the signature 
enforcement itself.

>> What I referred to above is specifically the file conflict resolution
>> thing (and our previous discussion about that). Eg looking at the MSM
>> plugin, AFAICT it can let conflicts pass at this point, yet deny it deep
>> down from inside when the transaction is already in progress. There
>> always will be cases where a failure cannot be detected before actually
>> trying to install (ie, in fsm), but that should be the absolute last
>> resort, not something you'd ever see in "normal" operation.
>
> Sure, I guess this problem is about the actual hook content, not necessary
> the hook itself. I guess the hook should be redone to not simply log the
> conflict case and decide on it later, but actually decide before starting a
> transaction.

Yes, its indeed what the MSM hook does, rather than the hook itself, 
that bothers me. And more generally, the fact that such things become 
possible with plugins. I guess its not possible to really prevent, given 
sufficiently powerful plugin interface, but if nothing else the 
interfaces should encourage the "correct" usage and discourage working 
behind rpms back. Whatever that means - I do realize I'm just waving 
hands again :)

> I am quite sure I can change it in the plugin itself.

Ok, that'd be good. I was actually wondering why its done the way it is 
now - if there is an actual reason (such insufficient information 
available at that point), I'd like to understand it.

	- Panu -




More information about the Rpm-maint mailing list