[Rpm-maint] [PATCH 1/3] ima-plugin: Have executable configuration files signed

Stefan Berger stefanb at linux.vnet.ibm.com
Wed Sep 21 18:04:06 UTC 2016


Some configuration files are executables and so they require the
signature in the extended attribute. If they are not executable,
they can be skipped.

Examples of configuration files that are also executable are
the grub files in /etc/grub.d.

Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
---
 plugins/ima.c | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/plugins/ima.c b/plugins/ima.c
index be15ecf..81ed194 100644
--- a/plugins/ima.c
+++ b/plugins/ima.c
@@ -41,7 +41,8 @@ static rpmRC ima_psm_post(rpmPlugin plugin, rpmte te, int res)
 	const char *fpath;
 	const unsigned char * fsig = NULL;
 	size_t len;
-	int rc = 0;
+	int rc = 0, n;
+	struct stat statbuf;
 
 	if (fi == NULL) {
 	    rc = RPMERR_BAD_MAGIC;
@@ -49,13 +50,21 @@ static rpmRC ima_psm_post(rpmPlugin plugin, rpmte te, int res)
 	}
 
 	while (rpmfiNext(fi) >= 0) {
-	    /* Don't install signatures for (mutable) config files */
-	    if (!(rpmfiFFlags(fi) & RPMFILE_CONFIG)) {
-		fpath = rpmfiFN(fi);
-		fsig = rpmfiFSignature(fi, &len);
-		if (fsig && (check_zero_hdr(fsig, len) == 0)) {
-		    lsetxattr(fpath, XATTR_NAME_IMA, fsig, len, 0);
-		}
+	    /* Don't install signatures for (mutable) files marked
+	     * as config files unless they are also executable.
+	     */
+	    if (rpmfiFFlags(fi) & RPMFILE_CONFIG) {
+	        n = rpmfiStat(fi, 0, &statbuf);
+	        if (n != 0)
+	            continue;
+	        if ((statbuf.st_mode & 0111) == 0)
+	            continue;
+	    }
+
+	    fsig = rpmfiFSignature(fi, &len);
+	    if (fsig && (check_zero_hdr(fsig, len) == 0)) {
+	        fpath = rpmfiFN(fi);
+	        lsetxattr(fpath, XATTR_NAME_IMA, fsig, len, 0);
 	    }
 	}
 exit:
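Review bot: A failed `rpmfiStat` and a failed `lsetxattr` both drop the file silently, so an executable config file can be installed without its IMA signature and nothing reports it; this applies to the `continue` after `n != 0` and to the unchecked `lsetxattr` call at the end of the loop body. The mode test would also read more clearly as `if ((statbuf.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)` with a comment such as `/* executable config files need the IMA xattr too; only non-executable ones are skipped */`. Since `n` is used only once, `if (rpmfiStat(fi, 0, &statbuf) != 0)` would remove the temporary introduced in the first hunk. If the plugin has a logging facility in scope, reporting the `rpmfiStat` and `lsetxattr` failures there would make a missing signature visible at install time rather than at first appraisal. The prologue of ima_psm_post and the body after the `exit:` label lie outside this hunk.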
-- 
2.5.5


