[Rpm-maint] [PATCH v2 0/4] Fixes for file signatures
Panu Matilainen
pmatilai at laiskiainen.org
Fri Sep 23 11:50:15 UTC 2016
On 09/23/2016 02:20 PM, Stefan Berger wrote:
> Panu Matilainen <pmatilai at laiskiainen.org> wrote on 09/23/2016 04:15:22 AM:
>
>> From: Panu Matilainen <pmatilai at laiskiainen.org>
>> To: Stefan Berger <stefanb at linux.vnet.ibm.com>, rpm-maint at lists.rpm.org
>> Cc: Stefan Berger/Watson/IBM at IBMUS, fionnuala.gunter at gmail.com
>> Date: 09/23/2016 04:15 AM
>> Subject: Re: [Rpm-maint] [PATCH v2 0/4] Fixes for file signatures
>>
>> On 09/22/2016 08:30 PM, Stefan Berger wrote:
>>> The following series of patches addresses some issues with signatures on
>>> files. In particular:
>>>
>>> - some files marked as config files are also executables and therefore
>>> need to have a signature applied
>>> - the IMA plugin may only run on package install cycle rather than the
>>> remove cycle, which would apply the previous versions' signatures on
>>> the files
>>> - some RPM packages require that the files be signed when the post
>>> install scriptlets are run since they may invoke executables that
>>> were just installed; so we introduce two new hooks, fsm_pre and
>>> fsm_post. We move the IMA plugin from the psm_post hook to the
>>> fsm_post hook.
>>>
>>> Regards,
>>> Stefan
>>>
>>> Stefan Berger (4):
>>> ima-plugin: Have executable configuration files signed
>>> ima-plugin: Only run the IMA plugin on package installation
>>> rpmplugins: Introduce new fsm_pre and fsm_post hooks
>>> IMA: Move the IMA plugin to the fsm_post hook
>>>
>>> lib/psm.c | 6 +++++-
>>> lib/rpmplugin.h | 6 ++++++
>>> lib/rpmplugins.c | 35 +++++++++++++++++++++++++++++++++++
>>> lib/rpmplugins.h | 19 +++++++++++++++++++
>>> plugins/ima.c | 32 ++++++++++++++++++++++----------
>>> 5 files changed, 87 insertions(+), 11 deletions(-)
>>>
>>
>> So... to achieve all this and actually behave correctly in the face of
>> skipped files - whether due to color, netshared path or other file
>> policies - the IMA plugin should really just do what the selinux plugin
>> does and use the fsm_file_prepare hook for its task, which after all is
>> highly similar anyway.
>
> Has the file been written when fsm_file_prepare is called? Otherwise it
> seems better to do it in fsm_file_post.
Yes, the entire file has been created but not yet moved to its final
destination. That's why it gets two path parameters: "path" for the
actual current filename, which has a temporary suffix, and "dest" which
is the actual destination filename. So this is really the best place to
do any metadata work, because then the file is actually ready when it gets
renamed to its final destination (i.e. without the suffix).
>
> Btw, what do fsm, tsm, and psm stand for ?
Ah, that explains :)
FSM is File State Machine
PSM is Package State Machine
TSM is Transaction State Machine
These are historical artifacts and don't mean much these days;
unfortunately they ended up in the plugin interface for the lack of
better ideas, or something. Names are hard :-/
- Panu -
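As an added illustration of the ordering Panu describes (not rpm's code, and not part of the thread): the simulation below models rpm's per-file install sequence with a write-to-temporary-name, per-file `fsm_file_prepare(path, dest)`, then rename. Only the hook names come from the thread; the state machine, the temporary suffix, the plugin bodies and the sample files are constructed. It shows why labelling from `fsm_file_prepare` behaves correctly for policy-skipped files: the hook is only ever invoked for files that are really being written, and metadata attached to the temporary file travels with the inode across the rename. A package-level `psm_post` pass that walks the file list, by contrast, also touches a skipped file's stale copy left behind by the previous version.

```python
"""Constructed simulation of rpm's per-file install sequence and the
fsm_file_prepare plugin hook. Not rpm's code: the hook names follow the
thread, everything else is invented for illustration."""
import os
import tempfile
from dataclasses import dataclass

# rpm renames through a transaction-specific temporary suffix; this value is constructed.
TMP_SUFFIX = ";constructed-txid"


@dataclass
class PackagedFile:
    dest: str               # final path the file will live at
    content: bytes
    skipped: bool = False   # excluded by color, netshared path or another file policy


class PrepareHookPlugin:
    """Applies metadata from fsm_file_prepare, the way the selinux plugin does."""

    def __init__(self):
        self.labels = {}  # inode -> dest; real labels (xattrs) are attached to the inode

    def fsm_file_prepare(self, path, dest):
        # `path` is the complete file under its temporary name, `dest` is where
        # it will be renamed to; anything set on `path` survives the rename.
        assert os.path.isfile(path), "file content must already be written"
        assert path == dest + TMP_SUFFIX
        self.labels[os.stat(path).st_ino] = dest
        return 0  # stands in for RPMRC_OK

    def labelled_inodes(self):
        return set(self.labels)


class PostHookPlugin:
    """Applies metadata from a package-level post hook by walking the file list."""

    def __init__(self):
        self.labels = {}

    def psm_post(self, files):
        for f in files:
            # Cannot tell a freshly installed file from a stale one that a
            # file policy skipped, so both get labelled.
            if os.path.isfile(f.dest):
                self.labels[os.stat(f.dest).st_ino] = f.dest
        return 0


def install(files, prepare_plugin, post_plugin):
    """Simplified file state machine: write, prepare hook, rename, then psm_post."""
    for f in files:
        if f.skipped:
            continue  # skipped files never reach the per-file hooks
        tmp = f.dest + TMP_SUFFIX
        with open(tmp, "wb") as fh:
            fh.write(f.content)
        prepare_plugin.fsm_file_prepare(tmp, f.dest)
        os.rename(tmp, f.dest)  # atomic swap into place; inode unchanged
    post_plugin.psm_post(files)


def demo():
    """Runs one constructed install and reports what each plugin labelled."""
    prepare, post = PrepareHookPlugin(), PostHookPlugin()
    with tempfile.TemporaryDirectory() as root:
        files = [
            PackagedFile(os.path.join(root, "bin-tool"), b"#!/bin/sh\necho new\n"),
            PackagedFile(os.path.join(root, "etc-tool.conf"), b"key=1\n"),
            PackagedFile(os.path.join(root, "doc-readme"), b"docs", skipped=True),
        ]
        # Stale copy of the skipped file, left behind by a previous version.
        with open(files[2].dest, "wb") as fh:
            fh.write(b"old docs")
        install(files, prepare, post)
        installed = {os.stat(f.dest).st_ino for f in files if not f.skipped}
        return {
            "prepare_labelled_installed_only": prepare.labelled_inodes() == installed,
            "post_labelled_skipped_file": os.stat(files[2].dest).st_ino in post.labels,
            "tmp_files_left": any(os.path.exists(f.dest + TMP_SUFFIX) for f in files),
        }


if __name__ == "__main__":
    print(demo())
```

The inode bookkeeping stands in for real metadata such as an xattr: because `os.rename` within one filesystem keeps the inode, whatever the prepare hook attaches to the temporary file is already present the instant the final name appears.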