[Rpm-maint] [PATCH v2 0/4] Fixes for file signatures

Stefan Berger stefanb at us.ibm.com
Fri Sep 23 11:20:23 UTC 2016


Panu Matilainen <pmatilai at laiskiainen.org> wrote on 09/23/2016 04:15:22 AM:

> From: Panu Matilainen <pmatilai at laiskiainen.org>
> To: Stefan Berger <stefanb at linux.vnet.ibm.com>, rpm-maint at lists.rpm.org
> Cc: Stefan Berger/Watson/IBM at IBMUS, fionnuala.gunter at gmail.com
> Date: 09/23/2016 04:15 AM
> Subject: Re: [Rpm-maint] [PATCH v2 0/4] Fixes for file signatures
> 
> On 09/22/2016 08:30 PM, Stefan Berger wrote:
> > The following series of patches addresses some issues with signatures on
> > files. In particular:
> >
> > - some files marked as config files are also executables and therefore
> >   need to have a signature applied
> > - the IMA plugin may only run on package install cycle rather than the
> >   remove cycle, which would apply the previous versions' signatures on
> >   the files
> > - some RPM packages require that the files be signed when the post
> >   install scriptlets are run since they may invoke executables that
> >   were just installed; so we introduce two new hooks, fsm_pre and
> >   fsm_post. We move the IMA plugin from the psm_post hook to the
> >   fsm_post hook.
> >
> >    Regards,
> >       Stefan
> >
> > Stefan Berger (4):
> >   ima-plugin: Have executable configuration files signed
> >   ima-plugin: Only run the IMA plugin on package installation
> >   rpmplugins: Introduce new fsm_pre and fsm_post hooks
> >   IMA: Move the IMA plugin to the fsm_post hook
> >
> >  lib/psm.c        |  6 +++++-
> >  lib/rpmplugin.h  |  6 ++++++
> >  lib/rpmplugins.c | 35 +++++++++++++++++++++++++++++++++++
> >  lib/rpmplugins.h | 19 +++++++++++++++++++
> >  plugins/ima.c    | 32 ++++++++++++++++++++++----------
> >  5 files changed, 87 insertions(+), 11 deletions(-)
> >
> 
> So... to achieve all this and actually behave correctly in the face of
> skipped files - whether due to color, netshared path or other file
> policies - the IMA plugin should really just do what the selinux plugin
> does and use the fsm_file_prepare hook for its task, which after all is
> highly similar anyway.

Has the file been written when fsm_file_prepare is called? Otherwise it 
seems better to do it in fsm_file_post.

Btw, what do fsm, tsm, and psm stand for?


> 
> Something like this (mind you, non-compiled, never mind tested code ahead):
> 
> #include <sys/stat.h>
> #include <sys/xattr.h>
> #include <rpm/rpmfi.h>           /* rpmfiFFlags, rpmfiFMode, rpmfiFSignature, XFA_SKIPPING */
> #include "lib/rpmplugin.h"       /* rpmPlugin, rpmFsmOp, XFO_ACTION */
> 
> #ifndef XATTR_NAME_IMA
> #define XATTR_NAME_IMA "security.ima"
> #endif
> 
> static rpmRC ima_file_prepare(rpmPlugin plugin, rpmfi fi,
>                                const char *path, const char *dest,
>                                mode_t file_mode, rpmFsmOp op)
> {
>          const unsigned char * fsig = NULL;
>          size_t len;
>          rpmRC rc = RPMRC_OK;
>          /* the file action is the low byte of the fsm op */
>          rpmFileAction action = XFO_ACTION(op);
> 
>          /* Ignore skipped files */
>          if (XFA_SKIPPING(action))
>              goto exit;

Good to know....

> 
>          /* Don't install signatures for (mutable) config files,
>           * unless the config file is also executable */
>          if (rpmfiFFlags(fi) & RPMFILE_CONFIG) {
>              if (!(rpmfiFMode(fi) & (S_IXUSR|S_IXGRP|S_IXOTH)))
>                  goto exit;
>          }
> 
>          fsig = rpmfiFSignature(fi, &len);
>          if (fsig && (check_zero_hdr(fsig, len) == 0)) {
>              /* path is the name the file was just unpacked under */
>              if (lsetxattr(path, XATTR_NAME_IMA, fsig, len, 0) < 0)
>                  rc = RPMRC_FAIL;
>          }

Thanks.

    Stefan

> 
> exit:
>          return rc;
> }
> 
> struct rpmPluginHooks_s ima_hooks = {
>          .fsm_file_prepare = ima_file_prepare,
> };
> 
> 
> 
> That hook will only get called on file creation so you dont need to 
> separately weed out erasures, skipped files are ignored as they should 
> be and all the signatures will be in place by the time %post runs.
> 
> As a diff, that's nothing more than:
>   plugins/ima.c | 34 ++++++++++++++++++----------------
>   1 file changed, 18 insertions(+), 16 deletions(-)
> 
>    - Panu -
> 
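To make the per-file decision the thread is arguing about checkable outside rpm, here is an added example in plain C. It is written for this page and is neither rpm's plugins/ima.c nor Panu's sketch: rpm's rpmfi accessors and XFA_SKIPPING() are replaced by two constructed flag bits and a mode, lsetxattr(2) with XATTR_NAME_IMA is the only real interface kept, and the ex_* names, the EX_FLAG_* bits and the sample signature bytes are this example's own assumptions. It also isolates the operator-precedence trap that is easy to make in the config-file test, so both the wrong and the intended form can be compared.

```c
/* Added example for this page; it is neither rpm's plugins/ima.c nor Panu's
 * sketch.  rpm's per-file accessors are replaced by two constructed flag bits
 * and a mode so the hook's decision can be compiled and checked stand-alone;
 * lsetxattr(2) and XATTR_NAME_IMA are the only real interfaces used. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/xattr.h>
#include <linux/xattr.h>          /* XATTR_NAME_IMA */
#endif
#ifndef XATTR_NAME_IMA
#define XATTR_NAME_IMA "security.ima"
#endif

/* Stand-ins for rpmfiFFlags() and XFA_SKIPPING() (this example's own bits). */
#define EX_FLAG_CONFIG  0x01u     /* file is %config, i.e. may be edited */
#define EX_FLAG_SKIPPED 0x02u     /* skipped by color, netshared path, etc. */
#define EX_XMASK        (S_IXUSR | S_IXGRP | S_IXOTH)

/* Constructed sample values.  The leading 0x03 0x02 stands for the
 * EVM_IMA_XATTR_DIGSIG type byte and v2 header a real signature carries;
 * the rest is filler, not a signature. */
static const uint8_t ex_sample_sig[] = {0x03, 0x02, 0x04, 0x00, 0x11, 0x22};
static const uint8_t ex_zero_sig[]   = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00};

/* 1 when the value can be a signature, 0 when it is shorter than a header
 * or starts with four zero bytes, which is the case the thread's
 * check_zero_hdr() exists to catch. */
int ex_sig_present(const uint8_t *sig, size_t len)
{
    static const uint8_t zero[4] = {0, 0, 0, 0};

    if (sig == NULL || len < sizeof zero)
        return 0;
    return memcmp(sig, zero, sizeof zero) != 0;
}

/* The three rules from the thread in one place: leave skipped files alone,
 * sign a config file only if it is executable, and never write an empty
 * signature.  Returns 1 if security.ima should be set. */
int ex_should_apply(unsigned flags, mode_t mode, const uint8_t *sig, size_t len)
{
    if (flags & EX_FLAG_SKIPPED)
        return 0;
    if ((flags & EX_FLAG_CONFIG) && !(mode & EX_XMASK))
        return 0;                           /* mutable config file */
    return ex_sig_present(sig, len);
}

/* The operator-precedence trap in the config test.  Written as
 * "!mode & mask", C parses the expression as (!mode) & mask, which is 0 for
 * every non-zero mode, so the exemption never fires and every config file
 * gets a signature it will stop matching the moment it is edited.  The
 * parenthesised form is the intended test. */
int ex_config_exempt_buggy(mode_t mode) { return ((!mode) & EX_XMASK) != 0; }
int ex_config_exempt_fixed(mode_t mode) { return !(mode & EX_XMASK); }

/* Apply the decision to a file that has just been unpacked.  Returns 0 when
 * nothing needed doing or the xattr was written, otherwise the errno from
 * lsetxattr(): with IMA appraisal enabled the kernel refuses security.ima
 * from callers without CAP_SYS_ADMIN (EPERM), and a filesystem without
 * xattr support gives ENOTSUP. */
int ex_apply(const char *path, unsigned flags, mode_t mode,
             const uint8_t *sig, size_t len)
{
    if (!ex_should_apply(flags, mode, sig, len))
        return 0;
#ifdef __linux__
    if (lsetxattr(path, XATTR_NAME_IMA, sig, len, 0) < 0)
        return errno;
    return 0;
#else
    (void)path;
    return ENOTSUP;
#endif
}

int main(void)
{
    char name[] = "/tmp/ima-example-XXXXXX";   /* scratch file, removed below */
    int fd = mkstemp(name);
    int rc;

    if (fd < 0) {
        perror("mkstemp");
        return 1;
    }
    close(fd);
    printf("zero header treated as a signature: %s\n",
           ex_should_apply(0, 0755, ex_zero_sig, sizeof ex_zero_sig) ? "yes" : "no");
    rc = ex_apply(name, 0, 0755, ex_sample_sig, sizeof ex_sample_sig);
    printf("%s: %s\n", name, rc == 0 ? "security.ima written" : strerror(rc));
    unlink(name);
    return 0;
}
```

In the real hook the two flag bits correspond to rpmfiFFlags(fi) & RPMFILE_CONFIG and to XFA_SKIPPING() on the action carried in the rpmFsmOp argument, and the path handed to ex_apply() is the hook's `path` argument, the name the file was unpacked under. Running it unprivileged on a stock IMA-appraising kernel is expected to print EPERM; that is the kernel protecting security.ima, not a bug in the example.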

