[Rpm-maint] [rpm-software-management/rpm] Problem with --signfiles for files that are hardlinked together (#333)

patrickc25000 Fri, 13 Oct 2017 18:16:43 -0700

We have encountered a problem when performing an RPM update while Integrity 
Measurement Architecture (IMA) signatures are applied to the files. In other 
words, we are having a problem with the "--signfiles" support in the RPM 
package.


When we install a new glibc RPM on a system with SELinux and IMA enabled, we 
are seeing appraise errors with 3 files. Looking at an strace (see attached), I 
see that the files are referenced different from the normal sequence (i.e. of 
open, lsetxattr of security.ima, lsetxattr of security.selinux, rename) and 
instead, there is a hard link call made before the open. Taking just one of 
these files that results in an appraise error, namely 
/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8, and looking for references to it 
and some related files (i.e. /usr/libexec/getconf/POSIX_V6_LP64_OFF64;59d3a6c8 
and /usr/libexec/getconf/POSIX_V7_LP64_OFF64), I see the following summary: 

Create POSIX_V6 temp file and rename as POSIX_V6 regular file and hard link 
POSIX_V7 temp file to POSIX_V6 regular file and rename POSIX_V7 temp file as 
POSIX_V7 regular file and hard link XBS5 temp file to POSIX_V6 regular file and 
open XBS5 temp file and then set security.ima on the XBS5 temp file. Since the 
set of security.ima is done after the open and the open will not be creating a 
file since it has a hard link to an existing file at that point, the open will 
encounter an appraise error (in this strace, just resulting in a log entry) 
since the security.ima signature will not be found.

Below are the relevant entries within the strace to support the problem summary 
above: 

write(2, "create     100755  3 (   0,   0)"..., 89create     100755  3 (   0,   
0)     0 /usr/libexec/getconf/POSIX_V6_LP64_OFF64;59d3a6c8
open("/usr/libexec/getconf/POSIX_V6_LP64_OFF64;59d3a6c8", 
O_WRONLY|O_CREAT|O_TRUNC, 0666) = 30
lstat("/usr/libexec/getconf/POSIX_V6_LP64_OFF64", {st_mode=S_IFREG|0755, 
st_size=26648, ...}) = 0
lstat("/usr/libexec/getconf/POSIX_V6_LP64_OFF64", {st_mode=S_IFREG|0755, 
st_size=26648, ...}) = 0
removexattr("/usr/libexec/getconf/POSIX_V6_LP64_OFF64", "security.capability") 
= -1 ENODATA (No data available)
rename("/usr/libexec/getconf/POSIX_V6_LP64_OFF64;59d3a6c8", 
"/usr/libexec/getconf/POSIX_V6_LP64_OFF64") = 0
write(2, "create     100755  3 (   0,   0)"..., 89create     100755  3 (   0,   
0)     0 /usr/libexec/getconf/POSIX_V7_LP64_OFF64;59d3a6c8
link("/usr/libexec/getconf/POSIX_V6_LP64_OFF64", 
"/usr/libexec/getconf/POSIX_V7_LP64_OFF64;59d3a6c8") = 0
lstat("/usr/libexec/getconf/POSIX_V7_LP64_OFF64", {st_mode=S_IFREG|0755, 
st_size=26648, ...}) = 0
lstat("/usr/libexec/getconf/POSIX_V7_LP64_OFF64", {st_mode=S_IFREG|0755, 
st_size=26648, ...}) = 0
removexattr("/usr/libexec/getconf/POSIX_V7_LP64_OFF64", "security.capability") 
= -1 ENODATA (No data available)
rename("/usr/libexec/getconf/POSIX_V7_LP64_OFF64;59d3a6c8", 
"/usr/libexec/getconf/POSIX_V7_LP64_OFF64") = 0
write(2, "create     100755  3 (   0,   0)"..., 85create     100755  3 (   0,   
0) 26648 /usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8
link("/usr/libexec/getconf/POSIX_V6_LP64_OFF64", 
"/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8") = 0
open("/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8", O_WRONLY|O_CREAT|O_TRUNC, 
0666) = 30
chown("/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8", 0, 0) = 0
chmod("/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8", 0755) = 0
utimensat(AT_FDCWD, "/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8", 
{{1506436625, 0}, (1506436625, 0}}, AT_SYMLINK_NOFOLLOW) = 0
lsetxattr("/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8", "security.ima", 
"...", 265, 0) = 0
lsetxattr("/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8", "security.selinux", 
"system_u:object_r:bin_t:s0", 27, 0) = 0
write(2, "lsetfilecon: (/usr/libexec/getco"..., 90lsetfilecon: 
(/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8, system_u:object_r:bin_t:s0)
lstat("/usr/libexec/getconf/XBS5_LP64_OFF64", {st_mode=S_IFREG|0755, 
st_size=26648, ...}) = 0
lstat("/usr/libexec/getconf/XBS5_LP64_OFF64", {st_mode=S_IFREG|0755, 
st_size=26648, ...}) = 0
removexattr("/usr/libexec/getconf/XBS5_LP64_OFF64", "security.capability") = -1 
ENODATA (No data available)
rename("/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8", 
"/usr/libexec/getconf/XBS5_LP64_OFF64") = 0

As you can see in the sequence above, an open of an existing file (because it 
is a hard link) is made before the lsetxattr call to add the IMA signature and 
this is the problem. Note, although the open of the existing file is performed 
with the O_TRUNC option, by design, the IMA support in the kernel appraises the 
file (i.e. validates the signature) before the truncation of the file.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/333

_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint

[Rpm-maint] [rpm-software-management/rpm] Problem with --signfiles for files that are hardlinked together (#333)

Reply via email to