[Rpm-maint] [PATCH v3 2/2] ima-plugin: Move the IMA plugin to the fsm_file_prepare hook

Stefan Berger stefanb at linux.vnet.ibm.com
Fri Sep 23 21:11:51 UTC 2016


Since newly installed files may be invoked by post install scriptlets,
we need to have them signed before the scriptlets are executed.
Therefore, we now move the IMA plugin to the fsm_file_prepare hook.

Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
---
 plugins/ima.c | 43 +++++++++++++++++++++++--------------------
 1 file changed, 23 insertions(+), 20 deletions(-)

diff --git a/plugins/ima.c b/plugins/ima.c
index 76c7d3d..9264708 100644
--- a/plugins/ima.c
+++ b/plugins/ima.c
@@ -1,9 +1,11 @@
+#include <errno.h>
 #include <sys/xattr.h>
 
 #include <rpm/rpmfi.h>
 #include <rpm/rpmte.h>
 #include <rpm/rpmfiles.h>
 #include <rpm/rpmtypes.h>
+#include <rpm/rpmlog.h>
 #include <rpmio/rpmstring.h>
 
 #include "lib/rpmfs.h"
@@ -35,38 +37,39 @@ static int check_zero_hdr(const unsigned char *fsig, size_t siglen)
 	return (memcmp(fsig, &zero_hdr, sizeof(zero_hdr)) == 0);
 }
 
-static rpmRC ima_psm_post(rpmPlugin plugin, rpmte te, int res)
+static rpmRC ima_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
+                                  const char *path,
+                                  const char *dest,
+                                  mode_t file_mode, rpmFsmOp op)
 {
-	rpmfi fi = rpmteFI(te);
-	const char *fpath;
 	const unsigned char * fsig = NULL;
 	size_t len;
-	int rc = 0;
+	int rc = RPMRC_OK;
+	rpmFileAction action = XFO_ACTION(op);
 
-	if (fi == NULL) {
-	    rc = RPMERR_BAD_MAGIC;
+	if (!fi || !path || XFA_SKIPPING(action))
 	    goto exit;
-	}
 
-	while (rpmfiNext(fi) >= 0) {
-	    /* Don't install signatures for (mutable) files marked
-	     * as config files unless they are also executable.
-	     */
-	    if (rpmfiFFlags(fi) & RPMFILE_CONFIG) {
-	        if (!(rpmfiFMode(fi) & (S_IXUSR|S_IXGRP|S_IXOTH)))
-	            continue;
-	    }
+	/* Don't install signatures for (mutable) files marked
+	 * as config files unless they are also executable.
+	 */
+	if (rpmfiFFlags(fi) & RPMFILE_CONFIG) {
+	    if (!(rpmfiFMode(fi) & (S_IXUSR|S_IXGRP|S_IXOTH)))
+	        goto exit;
+	}
 
-	    fsig = rpmfiFSignature(fi, &len);
-	    if (fsig && (check_zero_hdr(fsig, len) == 0)) {
-	        fpath = rpmfiFN(fi);
-	        lsetxattr(fpath, XATTR_NAME_IMA, fsig, len, 0);
+	fsig = rpmfiFSignature(fi, &len);
+	if (fsig && (check_zero_hdr(fsig, len) == 0)) {
+	    if (lsetxattr(path, XATTR_NAME_IMA, fsig, len, 0) < 0) {
+	        rpmlog(RPMLOG_ERR, "ima: could not apply signature on '%s': %s\n", path, strerror(errno));
+	        rc = RPMRC_FAIL;
 	    }
 	}
+
 exit:
 	return rc;
 }
 
 struct rpmPluginHooks_s ima_hooks = {
-	.psm_post = ima_psm_post,
+	.fsm_file_prepare = ima_fsm_file_prepare,
 };
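Review bot: The new `lsetxattr()` error path turns every attribute-write failure into `RPMRC_FAIL`, which aborts installation of the file, but nothing in the hunk records whether that is the intended policy for filesystems that cannot store the attribute at all (an ENOTSUP-style errno) versus a genuine write error on a filesystem that does support it; before this change such failures were silently ignored, so the behaviour change deserves a comment above the `if (lsetxattr(...) < 0)` line such as `/* Failing to label a file is fatal: an unlabelled executable would be blocked or run unmeasured by IMA policy, so do not continue silently. */`, or an explicit decision to treat the unsupported case differently. A smaller point of style in the same function: `rc` is declared `int` but only ever holds `RPMRC_OK`/`RPMRC_FAIL` and is returned as `rpmRC`, so `rpmRC rc = RPMRC_OK;` matches the signature. `strerror()` relies on `<string.h>`; the file already calls `memcmp` in `check_zero_hdr`, so it is presumably reachable through an existing include, but the first hunk adds `<errno.h>` without it. `check_zero_hdr` begins outside this hunk, so whether it bounds `len` against `sizeof(zero_hdr)` cannot be judged here.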
-- 
2.5.5


