Since newly installed files may be invoked by post install scriptlets,
we need to have them signed before the scriptlets are executed.
Therefore, we now move the IMA plugin to the fsm_file_prepare hook.

Signed-off-by: Stefan Berger <stef...@linux.vnet.ibm.com>
---
 plugins/ima.c | 43 +++++++++++++++++++++++--------------------
 1 file changed, 23 insertions(+), 20 deletions(-)

diff --git a/plugins/ima.c b/plugins/ima.c
index 76c7d3d..9264708 100644
--- a/plugins/ima.c
+++ b/plugins/ima.c
@@ -1,9 +1,11 @@
+#include <errno.h>
 #include <sys/xattr.h>
 
 #include <rpm/rpmfi.h>
 #include <rpm/rpmte.h>
 #include <rpm/rpmfiles.h>
 #include <rpm/rpmtypes.h>
+#include <rpm/rpmlog.h>
 #include <rpmio/rpmstring.h>
 
 #include "lib/rpmfs.h"
@@ -35,38 +37,39 @@ static int check_zero_hdr(const unsigned char *fsig, size_t 
siglen)
        return (memcmp(fsig, &zero_hdr, sizeof(zero_hdr)) == 0);
 }
 
-static rpmRC ima_psm_post(rpmPlugin plugin, rpmte te, int res)
+static rpmRC ima_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
+                                  const char *path,
+                                  const char *dest,
+                                  mode_t file_mode, rpmFsmOp op)
 {
-       rpmfi fi = rpmteFI(te);
-       const char *fpath;
        const unsigned char * fsig = NULL;
        size_t len;
-       int rc = 0;
+       int rc = RPMRC_OK;
+       rpmFileAction action = XFO_ACTION(op);
 
-       if (fi == NULL) {
-           rc = RPMERR_BAD_MAGIC;
+       if (!fi || !path || XFA_SKIPPING(action))
            goto exit;
-       }
 
-       while (rpmfiNext(fi) >= 0) {
-           /* Don't install signatures for (mutable) files marked
-            * as config files unless they are also executable.
-            */
-           if (rpmfiFFlags(fi) & RPMFILE_CONFIG) {
-               if (!(rpmfiFMode(fi) & (S_IXUSR|S_IXGRP|S_IXOTH)))
-                   continue;
-           }
+       /* Don't install signatures for (mutable) files marked
+        * as config files unless they are also executable.
+        */
+       if (rpmfiFFlags(fi) & RPMFILE_CONFIG) {
+           if (!(rpmfiFMode(fi) & (S_IXUSR|S_IXGRP|S_IXOTH)))
+               goto exit;
+       }
 
-           fsig = rpmfiFSignature(fi, &len);
-           if (fsig && (check_zero_hdr(fsig, len) == 0)) {
-               fpath = rpmfiFN(fi);
-               lsetxattr(fpath, XATTR_NAME_IMA, fsig, len, 0);
+       fsig = rpmfiFSignature(fi, &len);
+       if (fsig && (check_zero_hdr(fsig, len) == 0)) {
+           if (lsetxattr(path, XATTR_NAME_IMA, fsig, len, 0) < 0) {
+               rpmlog(RPMLOG_ERR, "ima: could not apply signature on '%s': 
%s\n", path, strerror(errno));
+               rc = RPMRC_FAIL;
            }
        }
+
 exit:
        return rc;
 }
 
 struct rpmPluginHooks_s ima_hooks = {
-       .psm_post = ima_psm_post,
+       .fsm_file_prepare = ima_fsm_file_prepare,
 };
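Review bot: `rc` in ima_fsm_file_prepare is declared `int` but is initialised with `RPMRC_OK`, assigned `RPMRC_FAIL` and returned through an `rpmRC` return type; declare it `rpmRC rc = RPMRC_OK;` so the conversion is explicit and `-Wconversion`/`-Wenum-conversion` stay quiet. The new `lsetxattr()` failure branch also changes behaviour beyond the hook move: an error that was previously ignored now makes the file installation fail, which presumably includes filesystems where the xattr cannot be set at all (ENOTSUP); if that is intended, a one-line comment above the call, `/* An unapplied signature is an install failure, not a warning */`, would record the decision, and the log message could name the operation more precisely than "could not apply signature". The hook parameters `dest` and `file_mode` are unused; `file_mode` looks like it carries the same mode bits as `rpmfiFMode(fi)` and could replace that call, but confirm against the hook's contract. The context lines at the top of the hunk are the tail of check_zero_hdr, whose body starts outside the hunk.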
-- 
2.5.5
