The IMA plugin needs to also be called before the post installation
scriptlet is run. The reason for this is that some post installation
scriptlets invoke the tools that were just installed. The invocation
fails if the signatures have not been applied yet. Therefore, we
invoke the IMA plugin with the scriptlet_pre hook.

To be able to do the work in the scriptlet_pre hook, we also need to
pass the rpmte parameter all the way through.

An example for an RPM that invokes its own programs is coreutils,
which will invoke /bin/mv in the post installation script.

Signed-off-by: Stefan Berger <stef...@linux.vnet.ibm.com>
---
 lib/rpmplugin.h   |  3 ++-
 lib/rpmplugins.c  |  5 +++--
 lib/rpmplugins.h  |  3 ++-
 lib/rpmscript.c   |  5 +++--
 lib/rpmscript.h   |  3 ++-
 lib/transaction.c |  2 +-
 plugins/ima.c     | 10 ++++++++++
 7 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/lib/rpmplugin.h b/lib/rpmplugin.h
index fd81aec..98205db 100644
--- a/lib/rpmplugin.h
+++ b/lib/rpmplugin.h
@@ -44,7 +44,8 @@ typedef rpmRC (*plugin_tsm_post_func)(rpmPlugin plugin, rpmts 
ts, int res);
 typedef rpmRC (*plugin_psm_pre_func)(rpmPlugin plugin, rpmte te);
 typedef rpmRC (*plugin_psm_post_func)(rpmPlugin plugin, rpmte te, int res);
 typedef rpmRC (*plugin_scriptlet_pre_func)(rpmPlugin plugin,
-                                          const char *s_name, int type);
+                                          const char *s_name, int type,
+                                          rpmte te);
 typedef rpmRC (*plugin_scriptlet_fork_post_func)(rpmPlugin plugin,
                                                 const char *path, int type);
 typedef rpmRC (*plugin_scriptlet_post_func)(rpmPlugin plugin,
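Review bot: Adding `rpmte te` to `plugin_scriptlet_pre_func` changes the signature that every scriptlet_pre implementation must have, yet the diffstat shows plugins/ima.c as the only plugin touched. Any other plugin that sets `.scriptlet_pre` with the old three-argument form would at best raise an incompatible-pointer warning, and if built separately it would be called through a mismatched function type, which is undefined behaviour. Please confirm that no other in-tree plugin implements this hook, and mention the plugin API change in the commit message so out-of-tree plugin authors see it. The typedef list continues outside the hunk.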
diff --git a/lib/rpmplugins.c b/lib/rpmplugins.c
index 97e5d30..a9574b8 100644
--- a/lib/rpmplugins.c
+++ b/lib/rpmplugins.c
@@ -292,7 +292,8 @@ rpmRC rpmpluginsCallPsmPost(rpmPlugins plugins, rpmte te, 
int res)
     return rc;
 }
 
-rpmRC rpmpluginsCallScriptletPre(rpmPlugins plugins, const char *s_name, int 
type)
+rpmRC rpmpluginsCallScriptletPre(rpmPlugins plugins, const char *s_name, int 
type,
+                                 rpmte te)
 {
     plugin_scriptlet_pre_func hookFunc;
     int i;
@@ -301,7 +302,7 @@ rpmRC rpmpluginsCallScriptletPre(rpmPlugins plugins, const 
char *s_name, int typ
     for (i = 0; i < plugins->count; i++) {
        rpmPlugin plugin = plugins->plugins[i];
        RPMPLUGINS_SET_HOOK_FUNC(scriptlet_pre);
-       if (hookFunc && hookFunc(plugin, s_name, type) == RPMRC_FAIL) {
+       if (hookFunc && hookFunc(plugin, s_name, type, te) == RPMRC_FAIL) {
            rpmlog(RPMLOG_ERR, "Plugin %s: hook scriplet_pre failed\n", 
plugin->name);
            rc = RPMRC_FAIL;
        }
diff --git a/lib/rpmplugins.h b/lib/rpmplugins.h
index 39762c3..de0bb78 100644
--- a/lib/rpmplugins.h
+++ b/lib/rpmplugins.h
@@ -101,7 +101,8 @@ rpmRC rpmpluginsCallPsmPost(rpmPlugins plugins, rpmte te, 
int res);
  * @return             RPMRC_OK on success, RPMRC_FAIL otherwise
  */
 RPM_GNUC_INTERNAL
-rpmRC rpmpluginsCallScriptletPre(rpmPlugins plugins, const char *s_name, int 
type);
+rpmRC rpmpluginsCallScriptletPre(rpmPlugins plugins, const char *s_name, int 
type,
+                                 rpmte te);
 
 /** \ingroup rpmplugins
  * Call the post fork scriptlet plugin hook.
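Review bot: The doc comment above rpmpluginsCallScriptletPre is not updated for the new `te` argument; only its closing `@return` line is inside the hunk, so the `@param` list is presumably just above it. Add a line such as ` * @param te		transaction element the scriptlet belongs to` and state whether NULL is permitted. That matters because the IMA hook added in plugins/ima.c forwards `te` to ima_psm_post() without checking it.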
diff --git a/lib/rpmscript.c b/lib/rpmscript.c
index 98d3f42..4a79203 100644
--- a/lib/rpmscript.c
+++ b/lib/rpmscript.c
@@ -443,7 +443,8 @@ exit:
 }
 
 rpmRC rpmScriptRun(rpmScript script, int arg1, int arg2, FD_t scriptFd,
-                  ARGV_const_t prefixes, int warn_only, rpmPlugins plugins)
+                  ARGV_const_t prefixes, int warn_only, rpmPlugins plugins,
+                  rpmte te)
 {
     ARGV_t args = NULL;
     rpmlogLvl lvl = warn_only ? RPMLOG_WARNING : RPMLOG_ERR;
@@ -463,7 +464,7 @@ rpmRC rpmScriptRun(rpmScript script, int arg1, int arg2, 
FD_t scriptFd,
        script_type = RPMSCRIPTLET_NONE;
 
     /* Run scriptlet pre hook for all plugins */
-    rc = rpmpluginsCallScriptletPre(plugins, script->descr, script_type);
+    rc = rpmpluginsCallScriptletPre(plugins, script->descr, script_type, te);
 
     if (rc != RPMRC_FAIL) {
        if (script_type & RPMSCRIPTLET_EXEC) {
diff --git a/lib/rpmscript.h b/lib/rpmscript.h
index 3768077..ca9c2c6 100644
--- a/lib/rpmscript.h
+++ b/lib/rpmscript.h
@@ -66,7 +66,8 @@ rpmScript rpmScriptFree(rpmScript script);
 
 RPM_GNUC_INTERNAL
 rpmRC rpmScriptRun(rpmScript script, int arg1, int arg2, FD_t scriptFd,
-                   ARGV_const_t prefixes, int warn_only, rpmPlugins plugins);
+                   ARGV_const_t prefixes, int warn_only, rpmPlugins plugins,
+                   rpmte te);
 
 RPM_GNUC_INTERNAL
 rpmTagVal rpmScriptTag(rpmScript script);
diff --git a/lib/transaction.c b/lib/transaction.c
index cf46788..83a8408 100644
--- a/lib/transaction.c
+++ b/lib/transaction.c
@@ -1433,7 +1433,7 @@ rpmRC runScript(rpmts ts, rpmte te, ARGV_const_t prefixes,
 
     rpmswEnter(rpmtsOp(ts, RPMTS_OP_SCRIPTLETS), 0);
     rc = rpmScriptRun(script, arg1, arg2, sfd,
-                     prefixes, warn_only, rpmtsPlugins(ts));
+                     prefixes, warn_only, rpmtsPlugins(ts), te);
     rpmswExit(rpmtsOp(ts, RPMTS_OP_SCRIPTLETS), 0);
 
     /* Map warn-only errors to "notfound" for script stop callback */
diff --git a/plugins/ima.c b/plugins/ima.c
index 4a419b0..0055916 100644
--- a/plugins/ima.c
+++ b/plugins/ima.c
@@ -74,6 +74,16 @@ exit:
        return rc;
 }
 
+static rpmRC ima_scriptlet_pre(rpmPlugin plugin, const char *s_name, int type,
+                               rpmte te)
+{
+       if (strncmp(s_name, "%post(", 6) != 0)
+           return 0;
+
+       return ima_psm_post(plugin, te, 0);
+}
+
 struct rpmPluginHooks_s ima_hooks = {
+       .scriptlet_pre = ima_scriptlet_pre,
        .psm_post = ima_psm_post,
 };
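Review bot: ima_scriptlet_pre passes `s_name` to strncmp() and `te` to ima_psm_post() without checking either for NULL, and it returns a bare `0` although the hook's return type is rpmRC. The other callers of rpmScriptRun() are not visible in this patch, so if any of them supplies a NULL `te` or a script without a description, this hook may crash the transaction; a guard such as `if (!s_name || !te || strncmp(s_name, "%post(", 6) != 0) return RPMRC_OK;` would avoid that. Matching on the description string with a hard-coded length of 6 is also fragile, and a short comment saying why only `%post(` is matched would help the next reader. Because `.psm_post` stays registered, ima_psm_post() presumably runs a second time for the same element after the scriptlet, so confirm that re-applying the signatures is idempotent. Also confirm that a failure here is meant to block %post, since rpmScriptRun() skips the scriptlet when the pre hook returns RPMRC_FAIL.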
-- 
2.5.5
