[Rpm-maint] [PATCH 3/4] Label ima xattr when signed files are installed

Dmitry Kasatkin d.kasatkin at samsung.com
Thu Oct 23 07:29:44 UTC 2014

On 22/10/14 21:48, Fionnuala Gunter wrote:
>>> @@ -953,9 +964,17 @@ int rpmPackageFilesInstall(rpmts ts, rpmte te, rpmfiles files,
>>>  	if (rc)
>>>  	    *failedFile = xstrdup(fpath);
>>> +	/* get file signatures from header */
>>> +	if (sb.st_mode & (S_IXUSR|S_IXGRP|S_IXOTH)) {
>>> +	    sig = rpmtdNextString(&sigs);
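Review bot: The `sig = rpmtdNextString(&sigs)` call sits inside the `S_IXUSR|S_IXGRP|S_IXOTH` test, so the signature iterator advances only for files that have an execute bit. If the header array holds one entry per file, each non-executable file leaves the iterator a step behind and later files receive another file's signature. Advance or index the array once per file unconditionally, and make the decision to apply the signature a separate step. The visible lines also do not show `sig` being cleared when the test fails, and the block runs even when `rc` is already set, so confirm that a stale `sig` cannot reach the plugin hook.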
>> What does the executable bit mean?
> I already replied to your comments on 4/4, but maybe this filtering of
> executable files is unnecessary.

(replied to this as well because the first one did not go to the list.. now
I have subscribed)

I understand that it was a safe bet that binaries can always have a signature.
What about libraries, or maybe some important configuration file which
would have a signature..
Files which can be modified should not have a signature.

Signatures should be set for all files in the package which has a signature.
The package maintainer should be able to select which files to sign or not
to sign...

I think it has to be addressed before it can be really used.

- Dmitry

>>> diff --git a/plugins/ima.c b/plugins/ima.c
>>> new file mode 100644
>>> index 0000000..6b739db
>>> --- /dev/null
>>> +++ b/plugins/ima.c
>>> @@ -0,0 +1,83 @@
>>> +/**
>>> + * Copyright (C) 2014 IBM Corporation
>>> + *
>>> + * Author: Fionnuala Gunter <fin at linux.vnet.ibm.com>
>>> + */
>>> +#include <syslog.h>
>>> +
>>> +#include <sys/types.h>
>>> +#include <sys/xattr.h>
>>> +#include <rpm/rpmts.h>
>>> +#include <rpm/rpmlog.h>
>>> +#include <lib/rpmplugin.h>
>>> +#include <errno.h>
>>> +#include <ctype.h>
>>> +
>>> +#include "debug.h"
>>> +
>>> +#define XATTR_NAME_IMA "security.ima"
>>> +
>>> +static int hex_to_bin(char ch)
>>> +{
>>> +	if ((ch >= '0') && (ch <= '9'))
>>> +		return ch - '0';
>>> +	ch = tolower(ch);
>>> +	if ((ch >= 'a') && (ch <= 'f'))
>>> +		return ch - 'a' + 10;
>>> +	return -1;
>>> +}
>>> +
>>> +static int hex2bin(char *dst, const char *src, size_t count)
>>> +{
>> Doesn't RPM have any hex conversion facilities yet?
>> It has digests. Doesn't it use it somehow?
> Good point, I will check before resubmitting.
>> - Dmitry
> Thanks,
> Fin
>>> +	int hi, lo;
>>> +
>>> +	while (count--) {
>>> +		if (*src == ' ')
>>> +			src++;
>>> +
>>> +		hi = hex_to_bin(*src++);
>>> +		lo = hex_to_bin(*src++);
>>> +
>>> +		if ((hi < 0) || (lo < 0))
>>> +			return -1;
>>> +
>>> +		*dst++ = (hi << 4) | lo;
>>> +        }
>>> +	return 0;
>>> +}
>>> +
>>> +static rpmRC ima_init(rpmPlugin plugin, rpmts ts)
>>> +{
>>> +	return RPMRC_OK;
>>> +}
>>> +
>>> +static void ima_cleanup(rpmPlugin plugin)
>>> +{
>>> +}
>>> +
>>> +static rpmRC ima_fsm_file_post(rpmPlugin plugin, rpmfi fi, const char *path,
>>> +                               mode_t file_mode, rpmFsmOp op, const char *sig,
>>> +                               int res)
>>> +{
>>> +	rpmRC rc = RPMRC_OK;
>>> +	if (sig == NULL) {
>>> +		return rc;
>>> +	}
>>> +
>>> +	int siglen = strlen(sig) + 1;
>>> +	char bin[siglen/2];
>>> +	hex2bin(bin, sig, siglen);
>>> +	rc = lsetxattr(path, XATTR_NAME_IMA, bin, siglen/2, 0);
>>> +
>>> +	if (rpmIsDebug())
>>> +		rpmlog(RPMLOG_DEBUG, "lsetxattr: (%s) %s\n",
>>> +			path, (rc < 0 ? strerror(errno) : ""));
>>> +
>>> +	return rc;
>>> +}
>>> +
>>> +struct rpmPluginHooks_s ima_hooks = {
>>> +	.init = ima_init,
>>> +	.cleanup = ima_cleanup,
>>> +	.fsm_file_post = ima_fsm_file_post,
>>> +};
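Review bot: In `ima_fsm_file_post`, `hex2bin(bin, sig, siglen)` passes the hex string length plus one as `count`, but `hex2bin` consumes two characters per count. On a well-formed string the loop therefore runs onto the terminating NUL, reads one byte beyond it, and returns -1; that return value is ignored and `bin` is still handed to `lsetxattr`. Pass the output byte count (`strlen(sig) / 2`), reject odd-length input, and skip the xattr write when conversion fails. Separately, the `int` result of `lsetxattr` is assigned straight to an `rpmRC` and returned; map the failure to an explicit `rpmRC` value and decide whether a failed label should fail the file install. The error is also only logged at `RPMLOG_DEBUG`, so a failure to set `security.ima` is invisible in a normal run.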
