[Rpm-maint] [PATCH v2 0/4] Fixes for file signatures

Panu Matilainen pmatilai at laiskiainen.org
Fri Sep 23 08:19:18 UTC 2016


On 09/23/2016 11:15 AM, Panu Matilainen wrote:
> On 09/22/2016 08:30 PM, Stefan Berger wrote:
>> The following series of patches addresses some issues with signatures on
>> files. In particular:
>>
>> - some files marked as config files are also executables and therefore
>>   need to have a signature applied
>> - the IMA plugin may only run on the package install cycle rather than
>>   the remove cycle, which would apply the previous versions' signatures
>>   on the files
>> - some RPM packages require that the files be signed when the post
>>   install scriptlets are run since they may invoke executables that
>>   were just installed; so we introduce two new hooks, fsm_pre and
>>   fsm_post. We move the IMA plugin from the psm_post hook to the
>>   fsm_post hook.
>>
>>    Regards,
>>       Stefan
>>
>> Stefan Berger (4):
>>   ima-plugin: Have executable configuration files signed
>>   ima-plugin: Only run the IMA plugin on package installation
>>   rpmplugins: Introduce new fsm_pre and fsm_post hooks
>>   IMA: Move the IMA plugin to the fsm_post hook
>>
>>  lib/psm.c        |  6 +++++-
>>  lib/rpmplugin.h  |  6 ++++++
>>  lib/rpmplugins.c | 35 +++++++++++++++++++++++++++++++++++
>>  lib/rpmplugins.h | 19 +++++++++++++++++++
>>  plugins/ima.c    | 32 ++++++++++++++++++++++----------
>>  5 files changed, 87 insertions(+), 11 deletions(-)
>>
>
> So... to achieve all this and actually behave correctly in the face of
> skipped files - whether due to color, netshared path or other file
> policies - the IMA plugin should really just do what the selinux plugin
> does and use the fsm_file_prepare hook for its task, which after all is
> highly similar anyway.
>
> Something like this (mind you, non-compiled, never mind tested code ahead):
>
> static rpmRC ima_file_prepare(rpmPlugin plugin, rpmfi fi,
>                               const char *path, const char *dest,
>                               mode_t file_mode, rpmFsmOp op)
>
> {
>         const unsigned char * fsig = NULL;
>         size_t len;
>         rpmRC rc = RPMRC_OK;
>
>         /* Ignore skipped files */
>         if (XFA_SKIPPING(XFO_ACTION(op)))
>             goto exit;
>
>         /* Don't install signatures for (mutable) config files */
>         if (rpmfiFFlags(fi) & RPMFILE_CONFIG) {
>             if (!(rpmfiFMode(fi) & (S_IXUSR|S_IXGRP|S_IXOTH)))
>                 goto exit;
>         }
>
>         fsig = rpmfiFSignature(fi, &len);
>         if (fsig && (check_zero_hdr(fsig, len) == 0)) {
>             if (lsetxattr(fpath, XATTR_NAME_IMA, fsig, len, 0) < 0)
                             ^^^^^

Should be "path" obviously.

Good thing I explicitly said I hadn't even compiled it ;)

	- Panu -
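A stand-alone model of the decision Panu's sketch makes, added here as an example; it is neither rpm's code nor Panu's. The rpm types and accessors (rpmfi, rpmFsmOp, rpmfiFFlags, rpmfiFMode, rpmfiFSignature) are replaced by a local struct file_info and a local file_action enum, both assumed stand-ins, and the 9-byte signature_v2_hdr length, the check_zero_hdr body and the sample signature bytes are constructed for the example. It keeps the three checks from the sketch (skipped file action, non-executable config file, zero or truncated signature header) and only then writes security.ima with lsetxattr; the mode test is parenthesised so the negation applies to the masked value.

```c
/*
 * Added example, not rpm's code: a stand-alone model of what an IMA
 * fsm_file_prepare hook has to decide before writing security.ima.
 * rpm's rpmfi accessors and rpmFsmOp are replaced by the local
 * struct file_info and file_action below (assumed stand-ins).
 * Build: cc -Wall ima_prepare.c -o ima_prepare   (Linux, for lsetxattr)
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/xattr.h>

#define XATTR_NAME_IMA "security.ima"
#define RPMFILE_CONFIG (1u << 0)       /* %config flag bit, as in rpm */

/* File actions the fsm hands a plugin; the skip values mirror rpm's. */
typedef enum {
    FA_CREATE, FA_SKIP, FA_SKIPNSTATE, FA_SKIPNETSHARED, FA_SKIPCOLOR
} file_action;

#define XFA_SKIPPING(a) ((a) == FA_SKIP || (a) == FA_SKIPNSTATE || \
                         (a) == FA_SKIPNETSHARED || (a) == FA_SKIPCOLOR)

/* Assumed stand-in for the rpmfi fields the hook reads. */
struct file_info {
    uint32_t fflags;                 /* rpmfiFFlags()     */
    mode_t fmode;                    /* rpmfiFMode()      */
    const unsigned char *fsig;       /* rpmfiFSignature() */
    size_t siglen;
};

enum ima_decision {
    IMA_SIGN, IMA_SKIP_ACTION, IMA_SKIP_CONFIG, IMA_SKIP_NOSIG, IMA_SKIP_BADSIG
};

/* An EVM signature_v2_hdr is 9 bytes: type, version, hash_algo,
 * a 4-byte key id and a 2-byte big-endian signature length. */
#define SIG_V2_HDR_LEN 9

/* 1 if the header bytes are all zero (a placeholder left by a signing
 * step that never ran), 0 if not, -1 if too short to tell. */
static int check_zero_hdr(const unsigned char *fsig, size_t siglen)
{
    static const unsigned char zero_hdr[SIG_V2_HDR_LEN];
    if (siglen < SIG_V2_HDR_LEN)
        return -1;
    return memcmp(fsig, zero_hdr, SIG_V2_HDR_LEN) == 0;
}

static enum ima_decision ima_decide(const struct file_info *fi, file_action action)
{
    /* Files skipped by colour, netshared path or other policy are never
     * written, so they must not receive this package's signature. */
    if (XFA_SKIPPING(action))
        return IMA_SKIP_ACTION;
    /* Config files are mutable and a signature would break on the first
     * local edit; executable config files are the exception. */
    if ((fi->fflags & RPMFILE_CONFIG) &&
        !(fi->fmode & (S_IXUSR | S_IXGRP | S_IXOTH)))
        return IMA_SKIP_CONFIG;
    if (fi->fsig == NULL)
        return IMA_SKIP_NOSIG;
    if (check_zero_hdr(fi->fsig, fi->siglen) != 0)
        return IMA_SKIP_BADSIG;
    return IMA_SIGN;
}

/* One call per case, for the demonstration below. */
static enum ima_decision decide_case(uint32_t fflags, mode_t fmode,
                                     const unsigned char *sig, size_t siglen,
                                     file_action action)
{
    struct file_info fi = { fflags, fmode, sig, siglen };
    return ima_decide(&fi, action);
}

/* What the hook does with the real path: write the xattr only when every
 * check passed.  The security.* namespace needs CAP_SYS_ADMIN. */
static int ima_file_prepare(const char *path, const struct file_info *fi,
                            file_action action)
{
    if (ima_decide(fi, action) != IMA_SIGN)
        return 0;
    if (lsetxattr(path, XATTR_NAME_IMA, fi->fsig, fi->siglen, 0) < 0) {
        fprintf(stderr, "ima: could not apply signature on '%s': %s\n",
                path, strerror(errno));
        return -1;
    }
    return 0;
}

/* Constructed sample: v2 header (type 3, version 2, sha256, key id,
 * length 16) plus 16 dummy bytes.  Not a real signature. */
static const unsigned char sample_sig[] = {
    0x03, 0x02, 0x04, 0xde, 0xad, 0xbe, 0xef, 0x00, 0x10,
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
    0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00
};
static const unsigned char zero_sig[SIG_V2_HDR_LEN + 16];  /* all zero */

int main(int argc, char **argv)
{
    struct file_info exe = { 0, 0755, sample_sig, sizeof sample_sig };
    size_t n = sizeof sample_sig;

    printf("executable, created:      %d\n", decide_case(0, 0755, sample_sig, n, FA_CREATE));
    printf("executable, skipped:      %d\n", decide_case(0, 0755, sample_sig, n, FA_SKIPCOLOR));
    printf("config 0644:              %d\n", decide_case(RPMFILE_CONFIG, 0644, sample_sig, n, FA_CREATE));
    printf("config 0755:              %d\n", decide_case(RPMFILE_CONFIG, 0755, sample_sig, n, FA_CREATE));
    printf("zero signature header:    %d\n", decide_case(0, 0755, zero_sig, sizeof zero_sig, FA_CREATE));

    /* Optional, as root: ./ima_prepare /path/to/file labels that file. */
    if (argc > 1)
        return ima_file_prepare(argv[1], &exe, FA_CREATE) ? 1 : 0;
    return 0;
}
```

The order of the checks matters: the skip test comes first because a skipped file has no destination to label, and the config test comes before the signature test so that an unsigned config file is reported as a config skip rather than a bad signature.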
