[Rpm-maint] [PATCH 3/4] Label ima xattr when signed files are installed
Fionnuala Gunter
fin at linux.vnet.ibm.com
Wed Oct 22 18:48:11 UTC 2014
>> @@ -953,9 +964,17 @@ int rpmPackageFilesInstall(rpmts ts, rpmte te, rpmfiles files,
>> if (rc)
>> *failedFile = xstrdup(fpath);
>>
>> + /* get file signatures from header */
>> + if (sb.st_mode & (S_IXUSR|S_IXGRP|S_IXOTH)) {
>> + sig = rpmtdNextString(&sigs);
>
> What does the executable bit mean here?
I already replied to your comments on 4/4, but maybe this filtering of
executable files is unnecessary.
>> diff --git a/plugins/ima.c b/plugins/ima.c
>> new file mode 100644
>> index 0000000..6b739db
>> --- /dev/null
>> +++ b/plugins/ima.c
>> @@ -0,0 +1,83 @@
>> +/**
>> + * Copyright (C) 2014 IBM Corporation
>> + *
>> + * Author: Fionnuala Gunter <fin at linux.vnet.ibm.com>
>> + */
>> +#include <syslog.h>
>> +
>> +#include <sys/types.h>
>> +#include <sys/xattr.h>
>> +#include <rpm/rpmts.h>
>> +#include <rpm/rpmlog.h>
>> +#include <lib/rpmplugin.h>
>> +#include <errno.h>
>> +#include <ctype.h>
>> +
>> +#include "debug.h"
>> +
>> +#define XATTR_NAME_IMA "security.ima"
>> +
>> +static int hex_to_bin(char ch)
>> +{
>> + if ((ch >= '0') && (ch <= '9'))
>> + return ch - '0';
>> + ch = tolower(ch);
>> + if ((ch >= 'a') && (ch <= 'f'))
>> + return ch - 'a' + 10;
>> + return -1;
>> +}
>> +
>> +static int hex2bin(char *dst, const char *src, size_t count)
>> +{
>
> Doesn't RPM have any hex conversion facilities yet?
> It has digests. Doesn't it use them somehow?
>
Good point, I will check before resubmitting.
> - Dmitry
>
Thanks,
Fin
>> + int hi, lo;
>> +
>> + while (count--) {
>> + if (*src == ' ')
>> + src++;
>> +
>> + hi = hex_to_bin(*src++);
>> + lo = hex_to_bin(*src++);
>> +
>> + if ((hi < 0) || (lo < 0))
>> + return -1;
>> +
>> + *dst++ = (hi << 4) | lo;
>> + }
>> + return 0;
>> +}
>> +
>> +static rpmRC ima_init(rpmPlugin plugin, rpmts ts)
>> +{
>> + return RPMRC_OK;
>> +}
>> +
>> +static void ima_cleanup(rpmPlugin plugin)
>> +{
>> +}
>> +
>> +static rpmRC ima_fsm_file_post(rpmPlugin plugin, rpmfi fi, const char *path,
>> + mode_t file_mode, rpmFsmOp op, const char *sig,
>> + int res)
>> +{
>> + rpmRC rc = RPMRC_OK;
>> + if (sig == NULL) {
>> + return rc;
>> + }
>> +
>> + int siglen = strlen(sig) + 1;
>> + char bin[siglen/2];
>> + hex2bin(bin, sig, siglen);
>> + rc = lsetxattr(path, XATTR_NAME_IMA, bin, siglen/2, 0);
>> +
>> + if (rpmIsDebug())
>> + rpmlog(RPMLOG_DEBUG, "lsetxattr: (%s) %s\n",
>> + path, (rc < 0 ? strerror(errno) : ""));
>> +
>> + return rc;
>> +}
>> +
>> +struct rpmPluginHooks_s ima_hooks = {
>> + .init = ima_init,
>> + .cleanup = ima_cleanup,
>> + .fsm_file_post = ima_fsm_file_post,
>> +};
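Review bot: In ima_fsm_file_post the result of hex2bin() is discarded and the count passed to it is `strlen(sig) + 1` rather than the number of output bytes, so for any well-formed signature the loop runs on past the pairs it decoded, hex_to_bin() sees the terminating NUL, the next `*src++` reads one byte beyond the string, and hex2bin() returns -1 even though `bin` is then written to security.ima unchecked; an empty string additionally gives `bin` a zero-length VLA. The count should be `strlen(sig) / 2`, an empty string should be rejected, and a negative hex2bin() result should return before lsetxattr(). lsetxattr()'s -1 is also returned directly as an rpmRC, which is not a value of that enum; map it to RPMRC_FAIL. strlen() and strerror() need `<string.h>`, which this file does not include directly — presumably it arrives through the rpm headers, worth confirming. hex_to_bin() passes a plain `char` to tolower(); cast through `unsigned char` to stay within the ctype contract.
```c
static rpmRC ima_fsm_file_post(rpmPlugin plugin, rpmfi fi, const char *path,
			       mode_t file_mode, rpmFsmOp op, const char *sig,
			       int res)
{
    if (sig == NULL)
        return RPMRC_OK;

    size_t hexlen = strlen(sig);
    /* an empty string is not a signature and would give a zero-length VLA */
    if (hexlen == 0)
        return RPMRC_FAIL;

    size_t binlen = hexlen / 2;
    char bin[binlen];
    /* count is output bytes, i.e. hex pairs, not input characters */
    if (hex2bin(bin, sig, binlen) < 0)
        return RPMRC_FAIL;

    int ret = lsetxattr(path, XATTR_NAME_IMA, bin, binlen, 0);

    /* … unchanged: debug logging of path and strerror(errno) … */

    /* lsetxattr() returns -1 on error, which is not a valid rpmRC value */
    return (ret < 0) ? RPMRC_FAIL : RPMRC_OK;
}
```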
>