[Rpm-maint] [PATCH v2 0/4] Fixes for file signatures
Stefan Berger
stefanb at us.ibm.com
Fri Sep 23 11:20:23 UTC 2016
Panu Matilainen <pmatilai at laiskiainen.org> wrote on 09/23/2016 04:15:22 AM:
> From: Panu Matilainen <pmatilai at laiskiainen.org>
> To: Stefan Berger <stefanb at linux.vnet.ibm.com>, rpm-maint at lists.rpm.org
> Cc: Stefan Berger/Watson/IBM at IBMUS, fionnuala.gunter at gmail.com
> Date: 09/23/2016 04:15 AM
> Subject: Re: [Rpm-maint] [PATCH v2 0/4] Fixes for file signatures
>
> On 09/22/2016 08:30 PM, Stefan Berger wrote:
> > The following series of patches addresses some issues with signatures on
> > files. In particular:
> >
> > - some files marked as config files are also executables and therefore
> > need to have a signature applied
> > - the IMA plugin may only run on package install cycle rather than the
> > remove cycle, which would apply the previous versions' signatures on
> > the files
> > - some RPM packages require that the files be signed when the post
> > install scriptlets are run since they may invoke executables that
> > were just installed; so we introduce two new hooks, fsm_pre and
> > fsm_post. We move the IMA plugin from the psm_post hook to the
> > fsm_post hook.
> >
> > Regards,
> > Stefan
> >
> > Stefan Berger (4):
> > ima-plugin: Have executable configuration files signed
> > ima-plugin: Only run the IMA plugin on package installation
> > rpmplugins: Introduce new fsm_pre and fsm_post hooks
> > IMA: Move the IMA plugin to the fsm_post hook
> >
> > lib/psm.c | 6 +++++-
> > lib/rpmplugin.h | 6 ++++++
> > lib/rpmplugins.c | 35 +++++++++++++++++++++++++++++++++++
> > lib/rpmplugins.h | 19 +++++++++++++++++++
> > plugins/ima.c | 32 ++++++++++++++++++++++----------
> > 5 files changed, 87 insertions(+), 11 deletions(-)
> >
>
> So... to achieve all this and actually behave correctly in the face of
> skipped files - whether due to color, netshared path or other file
> policies - the IMA plugin should really just do what the selinux plugin
> does and use fsm_file_prepare hook for its task, which after all is
> highly similar anyway.
Has the file been written when fsm_file_prepare is called? Otherwise it
seems better to do it in fsm_file_post.
Btw, what do fsm, tsm, and psm stand for?
>
> Something like this (mind you, non-compiled, never mind tested code ahead):
>
> static rpmRC ima_file_prepare(rpmPlugin plugin, rpmfi fi,
>                               const char *path, const char *dest,
>                               mode_t file_mode, rpmFsmOp op)
> {
>     const unsigned char * fsig = NULL;
>     size_t len;
>     rpmRC rc = RPMRC_OK;
>     /* the file action is the low byte of the fsm op */
>     rpmFileAction action = XFO_ACTION(op);
>
>     /* Ignore skipped files */
>     if (XFA_SKIPPING(action))
>         goto exit;
Good to know....
>
>     /* Don't install signatures for (mutable) config files,
>      * unless the config file is also executable */
>     if (rpmfiFFlags(fi) & RPMFILE_CONFIG) {
>         if (!(rpmfiFMode(fi) & (S_IXUSR|S_IXGRP|S_IXOTH)))
>             goto exit;
>     }
>
>     /* check_zero_hdr() is the plugin's existing all-zero header test */
>     fsig = rpmfiFSignature(fi, &len);
>     if (fsig && (check_zero_hdr(fsig, len) == 0)) {
>         if (lsetxattr(path, XATTR_NAME_IMA, fsig, len, 0) < 0)
>             rc = RPMRC_FAIL;
>     }
Thanks.
Stefan
>
> exit:
>     return rc;
> }
>
> struct rpmPluginHooks_s ima_hooks = {
>     .fsm_file_prepare = ima_file_prepare,
> };
>
>
>
> That hook will only get called on file creation so you don't need to
> separately weed out erasures, skipped files are ignored as they should
> be and all the signatures will be in place by the time %post runs.
>
> As a diff, that's nothing more than:
> plugins/ima.c | 34 ++++++++++++++++++----------------
> 1 file changed, 18 insertions(+), 16 deletions(-)
>
> - Panu -
>
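The decision the hook above has to make per file (skip skipped files, skip non-executable config files, ignore the all-zero placeholder header, then write security.ima) as a stand-alone C program. This is an added example for the thread, not rpm's plugin code and not code from either poster: the file_action enum, the RPMFILE_CONFIG bit value, ima_should_sign(), ima_apply_signature() and the two sample signature blobs are this example's own constructions; the 9-byte zero-header convention and the security.ima xattr name follow what the quoted sketch uses.

```c
/* Added example, not rpm's code. Mirrors the per-file IMA decision the
 * fsm_file_prepare sketch makes, with the rpm-internal types replaced by
 * small stand-ins so it compiles on its own on Linux. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/xattr.h>

#define XATTR_NAME_IMA "security.ima"
#define RPMFILE_CONFIG (1u << 0)   /* assumed: stands in for rpm's RPMFILE_CONFIG flag */

/* Stand-in for rpm's rpmFileAction; only the values this example needs. */
enum file_action { FA_CREATE, FA_SKIP, FA_SKIPNSTATE, FA_SKIPNETSHARED, FA_SKIPCOLOR };

/* Equivalent of rpm's XFA_SKIPPING(): any of the FA_SKIP* actions. */
static int action_is_skip(enum file_action a)
{
    return a == FA_SKIP || a == FA_SKIPNSTATE || a == FA_SKIPNETSHARED || a == FA_SKIPCOLOR;
}

/* An IMA signature blob starts with a 9-byte signature_v2_hdr
 * (type, version, hash algo, 4-byte key id, 2-byte sig size).
 * Returns 1 if the header is all zeros (placeholder, nothing to apply),
 * 0 if it is a real header, -1 if the blob is too short to tell. */
static int check_zero_hdr(const unsigned char *fsig, size_t siglen)
{
    static const uint8_t zero_hdr[9] = {0};
    if (siglen < sizeof(zero_hdr))
        return -1;
    return memcmp(fsig, zero_hdr, sizeof(zero_hdr)) == 0;
}

/* Constructed sample blobs: a plausible v2 header (type 0x03, version 2,
 * sha256 = 0x04, key id, sig size 3) followed by 3 dummy signature bytes,
 * and an all-zero placeholder of header length. */
const unsigned char sample_sig[] = {0x03, 0x02, 0x04, 0xde, 0xad, 0xbe, 0xef,
                                    0x00, 0x03, 0xaa, 0xbb, 0xcc};
const size_t sample_sig_len = sizeof(sample_sig);
const unsigned char zero_sig[9] = {0};

/* The policy from the sketch: returns 1 if security.ima must be written
 * for this file, 0 if the file is to be left alone. */
int ima_should_sign(enum file_action action, unsigned flags, mode_t mode,
                    const unsigned char *fsig, size_t siglen)
{
    if (action_is_skip(action))
        return 0;                                   /* skipped file: never touch it */
    if ((flags & RPMFILE_CONFIG) && !(mode & (S_IXUSR | S_IXGRP | S_IXOTH)))
        return 0;                                   /* mutable, non-executable config */
    if (fsig == NULL || check_zero_hdr(fsig, siglen) != 0)
        return 0;                                   /* no signature or placeholder/short */
    return 1;
}

/* Writes the blob into security.ima on the file (not following symlinks,
 * as the sketch does). Returns 0 on success or -errno on failure. */
int ima_apply_signature(const char *path, const unsigned char *fsig, size_t siglen)
{
    if (lsetxattr(path, XATTR_NAME_IMA, fsig, siglen, 0) < 0)
        return -errno;
    return 0;
}

int main(void)
{
    char path[] = "/tmp/ima-example-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) {
        perror("mkstemp");
        return 1;
    }
    close(fd);
    chmod(path, 0755);

    /* Executable config file with a real blob: the one config case that is signed. */
    if (ima_should_sign(FA_CREATE, RPMFILE_CONFIG, 0755, sample_sig, sample_sig_len)) {
        int rc = ima_apply_signature(path, sample_sig, sample_sig_len);
        if (rc == 0)
            printf("wrote %s on %s\n", XATTR_NAME_IMA, path);
        else
            printf("lsetxattr on %s failed: %s (e.g. no xattr support on this fs, "
                   "or missing privilege for security.*)\n", path, strerror(-rc));
    }
    unlink(path);
    return 0;
}
```

Writing security.* attributes needs a filesystem with xattr support and, depending on the kernel's IMA configuration, privilege; the program reports the errno rather than treating that failure as a policy decision, which is the same split the sketch makes by returning RPMRC_FAIL only from the lsetxattr() path.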