[Rpm-maint] [RFC v5 10/11] IMA plugin labels ima xattr with file signatures
fin at linux.vnet.ibm.com
fin at linux.vnet.ibm.com
Tue Jan 27 15:04:58 UTC 2015
This plugin extracts file signatures from rpmfiles and writes them to the
security.ima xattr. Only non-config file signatures are installed.
Signed-off-by: Fionnnuala Gunter <fin at linux.vnet.ibm.com>
---
macros.in | 1 +
plugins/Makefile.am | 4 ++++
plugins/ima.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 65 insertions(+)
create mode 100644 plugins/ima.c
diff --git a/macros.in b/macros.in
index 1647104..0b62991 100644
--- a/macros.in
+++ b/macros.in
@@ -1043,6 +1043,7 @@ done \
%__transaction_systemd_inhibit %{__plugindir}/systemd_inhibit.so
%__transaction_selinux %{__plugindir}/selinux.so
%__transaction_syslog %{__plugindir}/syslog.so
+%__transaction_ima %{__plugindir}/ima.so
#------------------------------------------------------------------------------
# Macros for further automated spec %setup and patch application
diff --git a/plugins/Makefile.am b/plugins/Makefile.am
index 53b2450..5ddc174 100644
--- a/plugins/Makefile.am
+++ b/plugins/Makefile.am
@@ -31,3 +31,7 @@ endif
syslog_la_SOURCES = syslog.c
syslog_la_LIBADD = $(top_builddir)/lib/librpm.la $(top_builddir)/rpmio/librpmio.la
plugins_LTLIBRARIES += syslog.la
+
+ima_la_sources = ima.c
+ima_la_LIBADD = $(top_builddir)/lib/librpm.la $(top_builddir)/rpmio/librpmio.la
+plugins_LTLIBRARIES += ima.la
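Review bot: `ima_la_sources` on the second added line is lowercase, whereas automake only recognises the `_SOURCES` suffix and every other library in this file spells it that way (`syslog_la_SOURCES` just above). Automake will probably still build ima.la from the default source ima.c derived from the target name, so this may work by accident, but the variable as written is dead and the next source file added to the plugin will be silently ignored. Change it to `ima_la_SOURCES = ima.c`.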
diff --git a/plugins/ima.c b/plugins/ima.c
new file mode 100644
index 0000000..c1d5607
--- /dev/null
+++ b/plugins/ima.c
@@ -0,0 +1,60 @@
+#include <sys/xattr.h>
+
+#include <rpm/rpmfi.h>
+#include <rpm/rpmte.h>
+#include <rpm/rpmfiles.h>
+#include <rpm/rpmtypes.h>
+#include <rpmio/rpmstring.h>
+
+#include "lib/rpmfs.h"
+#include "lib/rpmplugin.h"
+#include "lib/rpmte_internal.h"
+
+#define XATTR_NAME_IMA "security.ima"
+
+static char * fsmFsPath(rpmfi fi, const char * suffix)
+{
+ return rstrscat(NULL, rpmfiDN(fi), rpmfiBN(fi), suffix? suffix : "", NULL);
+}
+
+static rpmRC ima_psm_post(rpmPlugin plugin, rpmte te, int res)
+{
+ rpmfiles files = rpmteFiles(te);
+ rpmfi fi = rpmteFI(te);
+ int i;
+ char *fpath;
+ const unsigned char * fsig = NULL;
+ size_t len;
+ int rc = 0;
+
+ if (fi == NULL) {
+ rc = RPMERR_BAD_MAGIC;
+ goto exit;
+ }
+
+ while (!rc) {
+ rc = rpmfiNext(fi);
+ i = rpmfiFX(fi);
+
+ if (rc < 0) {
+ if (rc == RPMERR_ITER_END)
+ rc = 0;
+ break;
+ }
+
+ /* Don't install signatures for (mutable) config files */
+ if (!(rpmfilesFFlags(files, i) & RPMFILE_CONFIG)) {
+ fpath = fsmFsPath(fi, NULL);
+ fsig = rpmfilesFSignature(files, i, &len);
+ if (fsig) {
+ lsetxattr(fpath, XATTR_NAME_IMA, fsig, len, 0);
+ }
+ }
+ }
+exit:
+ return rc;
+}
+
+struct rpmPluginHooks_s ima_hooks = {
+ .psm_post = ima_psm_post,
+};
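Review bot: The loop condition `while (!rc)` in ima_psm_post stops iterating as soon as rpmfiNext() returns a non-zero value; if rpmfiNext() returns the new file index on success (the separate rpmfiFX() call suggests it was read as a status here), only the first two files of a package get their signature and the hook returns 1 instead of RPMRC_OK for any package with more files. Besides that, `fpath` allocated by rstrscat() via fsmFsPath() is never freed, so the plugin leaks one string per non-config file, and the lsetxattr() result is discarded, so a file that ends up without its security.ima label (read-only or xattr-less filesystem, EPERM) is never reported and will later fail appraisal with no hint why. I would also release the rpmteFiles() reference at exit if it hands back a linked reference, as I believe it does; rpmfilesFree(NULL) is harmless if not. The rewrite below tests the iterator result for `< 0`, frees the path and logs xattr failures through rpmlog(); it needs rpm/rpmlog.h, errno.h and string.h added to the includes at the top of the hunk.
```c
static rpmRC ima_psm_post(rpmPlugin plugin, rpmte te, int res)
{
    rpmfiles files = rpmteFiles(te);
    rpmfi fi = rpmteFI(te);
    rpmRC rc = RPMRC_OK;
    int fx;

    if (fi == NULL) {
        rc = RPMERR_BAD_MAGIC;
        goto exit;
    }

    /* rpmfiNext() yields the new file index; only a negative value ends the walk */
    while ((fx = rpmfiNext(fi)) >= 0) {
        size_t len = 0;
        const unsigned char *fsig;

        /* Don't install signatures for (mutable) config files */
        if (rpmfilesFFlags(files, fx) & RPMFILE_CONFIG)
            continue;

        fsig = rpmfilesFSignature(files, fx, &len);
        if (fsig == NULL)
            continue;

        char *fpath = fsmFsPath(fi, NULL);
        /* A missing label is a silent appraisal failure later; say so now */
        if (lsetxattr(fpath, XATTR_NAME_IMA, fsig, len, 0) < 0) {
            rpmlog(RPMLOG_WARNING, "ima: failed to set %s on %s: %s\n",
                   XATTR_NAME_IMA, fpath, strerror(errno));
        }
        free(fpath);
    }
    if (fx != RPMERR_ITER_END)
        rc = RPMRC_FAIL;

exit:
    rpmfilesFree(files);
    return rc;
}
```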
--
2.1.0