> Hi @stefanberger, could you please have a look at our usage of
> `imaevm_signhash()` here? We're not sure if we're using it right since
> there's no documentation available. Thanks!
Looks good to me.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-manage
The --replacefiles option seems to work on an equivalent of a regex matching
all files (`.*`). You are saying 'What rpm lacks is an ability to apply
--replacefiles to only some of the %config files in the packages being
installed in a single transaction'. What other choice do we have then than t
I would understand the side-effects of a per-file AND mask that is active
inside the plugin, but don't understand what potential side effects this on all
callers could have if this was pushed inside rpmfiFlags().
The regular expression could provide more control to the user. A `.*`, as
indicate
@n3npq: I am not sure how your suggestion of 'a per-file override of an
inherited per-transaction AND mask would provide the ability to disable
RPMFILE_CONFIG on a per-file basis' would translate into an implementation.
Would we want this to be IMA specific? Maybe a list of regular expressions f
@n3npq: Re 'Adding the ability to change the ima signature in the xattr after
installation, so that the modified, not the original %config template, would
(at least) change my opinion, similarly for %ghost. But that isn't what is
being proposed.': How would that work without including the privat
Please see https://github.com/rpm-software-management/rpm/issues/364 for the
request.
@n3npq All I can say is that I have a user who wants to have signatures written on
%config files. This is what is driving this patch.
So from the documentation at
http://ftp.rpm.org/max-rpm/s1-rpm-inside-files-list-directives.html I take that
the file is neither packaged nor installed. Since it's not packaged, the RPM
also doesn't carry a signature and we cannot write a signature out. If someone
wants to write signatures out
@n3npq With this patch we would basically allow everything to be signed for
which we have signatures since we previously only filtered out %config files
that were not executable. If a %ghost file has a signature stored in the rpm,
it would at least now have it written out as well. If %ghost fil
Good point. Using .init now. :-)
@pmatilai I updated the patch to use `%_ima_sign_config_files`.
I am using the variable `_write_signatures_on_config_files`. Maybe it should be
`_write_ima_signatures_on_config_files`?
@pmatilai So, tested it now. It works for me.
I just pushed an update but I haven't tested it yet. Any comments on it?
I'll try to look at it this week. I suppose we can introduce a new command line
option and an option for the macros file? Any suggestion? Is there another
option that already works like this with a command line option and an option in
the macros file?
This PR https://github.com/rpm-software-management/rpm/pull/374 now addresses
the issue.
r programs have modified these configuration files.
Signed-off-by: Stefan Berger https://github.com/rpm-software-management/rpm/pull/374
-- Commit Summary --
* Also apply signatures to config files
-- File Changes --
M plugins/ima.c (8)
-- Patch Links --
https://github.com/rpm-software-
A potential side-effect of having signatures applied to configuration files is
that the configuration files may be modified by the user or programs /
post-installation scripts and the signature on these files may become invalid
or be removed as part of the modification of the configuration file.
@pmatilai Would it be possible to have these 4 patches applied to the latest
rpm built for Fedora 26 and later?
@stefanberger pushed 3 commits.
01a97c6 Create first hard link file and keep open, write it at end
f05ea9c remove redundant 'nocontent' parameter from expandRegular
c07b93d Remove redundant 'exclusive' parameter from expandRegular
@stefanberger pushed 1 commit.
b2fa119 split off function wfd_open() to open a file
Reopened #342.
Closed #342.
Odd, the symlink test case works on my system...
@patrickc25000 I will have to patch the rpm package you are using with these
patches and have you test it...
This series of patches attempts to address the errors we are seeing when
installing RPMs that contain hard links and an IMA policy that measures on
reading and writing of files. The problem has been explained in issue #333.
The solution is to open the first file that is created empty but now kee
The problem seems to be that only the last entry has the file content... so the
empty file that's created first cannot be written since the RPM entry currently
being processed doesn't have the data. Then a couple of hard links may get
created and only the last entry (hardlink) found there has th
@pmatilai Is there a reason that in case of hard links the file gets written
only after all the hard links have been created? It looks a bit complicated ...
@pmatilai Is the problem limited to the fsmMkfile() function? I suppose this is
where the hard links are created. Would the solution be to do things in a
different order in that function?
Some configuration files are executables and so they require the
signature in the extended attribute. If they are not executable,
they can be skipped.
Examples for configuration files that are also executables are
the grub files in /etc/grub.d.
Signed-off-by: Stefan Berger
---
plugins/ima.c
Since newly installed files may be invoked by post install scriptlets,
we need to have them signed before the scriptlets are executed.
Therefore, we now move the IMA plugin to the fsm_file_prepare hook.
Signed-off-by: Stefan Berger
---
plugins/ima.c | 43
run since they may invoke executables that
were just installed; so we move the IMA plugin from the psm_post hook
to the fsm_file_prepare hook.
Regards,
Stefan
Stefan Berger (2):
ima-plugin: Have executable configuration files signed
ima-plugin: Move the IMA plugin to the
Panu Matilainen wrote on 09/23/2016 03:30:54 PM:
> From: Panu Matilainen
> To: Stefan Berger/Watson/IBM@IBMUS
> Cc: fionnuala.gun...@gmail.com, rpm-maint@lists.rpm.org, Stefan
> Berger
> Date: 09/23/2016 03:31 PM
> Subject: Re: [Rpm-maint] [PATCH v2 0/4] Fixes for file sig
Stefan Berger/Watson/IBM wrote on 09/23/2016 12:43:33 PM:
> From: Stefan Berger/Watson/IBM
> To: Panu Matilainen
> Cc: fionnuala.gun...@gmail.com, rpm-maint@lists.rpm.org, Stefan
> Berger
> Date: 09/23/2016 12:43 PM
> Subject: Re: [Rpm-maint] [PATCH v2 0/4] Fixes for file si
Panu Matilainen wrote on 09/23/2016 07:50:15 AM:
> >>
> >> So... to achieve all this and actually behave correct in the face of
> >> skipped files - whether due to color, netshared path or other file
> >> policies - the IMA plugin should really just do what the selinux plugin
> >> does and us
Panu Matilainen wrote on 09/23/2016 04:15:22 AM:
> From: Panu Matilainen
> To: Stefan Berger , rpm-maint@lists.rpm.org
> Cc: Stefan Berger/Watson/IBM@IBMUS, fionnuala.gun...@gmail.com
> Date: 09/23/2016 04:15 AM
> Subject: Re: [Rpm-maint] [PATCH v2 0/4] Fixes for file signature
Panu Matilainen wrote on 09/23/2016 03:03:48 AM:
> From: Panu Matilainen
> To: Stefan Berger , rpm-maint@lists.rpm.org
> Cc: Stefan Berger/Watson/IBM@IBMUS, fionnuala.gun...@gmail.com
> Date: 09/23/2016 03:03 AM
> Subject: Re: [Rpm-maint] [PATCH v2 3/4] rpmplugins: Introduce new
Panu Matilainen wrote on 09/23/2016 02:44:48 AM:
> From: Panu Matilainen
> To: Stefan Berger , rpm-maint@lists.rpm.org
> Cc: Stefan Berger/Watson/IBM@IBMUS, fionnuala.gun...@gmail.com
> Date: 09/23/2016 02:45 AM
> Subject: Re: [Rpm-maint] [PATCH v2 1/4] ima-plugin:
Introduce fsm_pre and fsm_post hooks, which are invoked
before and after the package files are installed.
Signed-off-by: Stefan Berger
---
lib/psm.c| 6 +-
lib/rpmplugin.h | 6 ++
lib/rpmplugins.c | 35 +++
lib/rpmplugins.h | 19
Move the IMA plugin to the fsm_post hook. Check whether the given
return code indicates an error, and do nothing in case it does
show an error. There is nothing to clean up, so we can do that.
Signed-off-by: Stefan Berger
---
plugins/ima.c | 6 +++---
1 file changed, 3 insertions(+), 3
Some configuration files are executables and so they require the
signature in the extended attribute. If they are not executable,
they can be skipped.
Examples for configuration files that are also executables are
the grub files in /etc/grub.d.
Signed-off-by: Stefan Berger
---
plugins/ima.c
We want to prevent that the IMA plugin applies signatures of the older
version of files. So we have to check whether we are in the install
(TR_ADDED) or remove (TR_REMOVED) cycle of a package. We only apply
signatures in the install cycle.
Signed-off-by: Stefan Berger
---
plugins/ima.c | 3
from the psm_post hook to the
fsm_post hook.
Regards,
Stefan
Stefan Berger (4):
ima-plugin: Have executable configuration files signed
ima-plugin: Only run the IMA plugin on package installation
rpmplugins: Introduce new fsm_pre and fsm_post hooks
IMA: Move the IMA plugin t
have to extend that hook with the rpmte
parameter type
Regards,
Stefan
Stefan Berger (3):
ima-plugin: Have executable configuration files signed
ima-plugin: Only run the IMA plugin on package installation
plugins: Pass rpmte to scriptlet_pre and call IMA plugin in this hook
the scriptlet_pre hook.
To be able to do the work in the scriptlet_pre hook, we also need to
pass the rpmte parameter all the way through.
An example for an RPM that invokes its own programs is coreutils,
which will invoke /bin/mv in the post installation script.
Signed-off-by: Stefan Berger
Stefan Berger wrote on 09/21/2016 02:04:08 PM:
> From: Stefan Berger
> To: rpm-maint@lists.rpm.org
> Cc: fionnuala.gun...@gmail.com, stef...@linux.vnet.ibm.com,
> zo...@linux.vnet.ibm.com, Stefan Berger/Watson/IBM@IBMUS
> Date: 09/21/2016 02:04 PM
> Subject: [PATCH 3/3] plug
We want to prevent that the IMA plugin applies signatures of the older
version of files. So we have to check whether we are in the install
(TR_ADDED) or remove (TR_REMOVED) cycle of a package. We only apply
signatures in the install cycle.
Signed-off-by: Stefan Berger
---
plugins/ima.c | 3
Some configuration files are executables and so they require the
signature in the extended attribute. If they are not executable,
they can be skipped.
Examples for configuration files that are also executables are
the grub files in /etc/grub.d.
Signed-off-by: Stefan Berger
---
plugins/ima.c
Use the default hash algorithm md5 on RPMs that do not contain the
RPMTAG_FILEDIGESTALGO. This may be the case if the default hash
algorithm used on files is md5 and thus no RPMTAG_FILEDIGESTALGO is
being written (see build/files.c:genCpioListAndHeader()).
Signed-off-by: Stefan Berger
---
lib
Fix the indentation and formatting in signature related files.
Signed-off-by: Stefan Berger
---
lib/rpmsignfiles.c | 12 ++--
sign/rpmgensig.c | 3 ++-
2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/lib/rpmsignfiles.c b/lib/rpmsignfiles.c
index 61ea33e..95ac851 100644
Check the range of the algo index parameter before using it for
accessing an array.
Signed-off-by: Stefan Berger
---
lib/rpmsignfiles.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/lib/rpmsignfiles.c b/lib/rpmsignfiles.c
index b7d9ccc..97a5be4 100644
--- a/lib/rpmsignfiles.c
+++ b
This series of patches fixes several issues related to signed files
produced by rpmsign.
Stefan
Stefan Berger (5):
Fix indentation and formatting
Fix various memory leaks in file signature related functions.
Check range of algo index parameter before accessing array with it
Extend
Fix various memory leaks in file signature related functions.
Signed-off-by: Stefan Berger
---
lib/rpmsignfiles.c | 2 ++
rpmsign.c | 4 +++-
sign/rpmgensig.c | 24 +---
3 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/lib/rpmsignfiles.c b/lib
write into security.ima xattr. Check for a signature
consisting of only zeroes and do not write it into the filesystem.
Signed-off-by: Stefan Berger
---
lib/rpmsignfiles.c | 4
plugins/ima.c | 36 +++-
2 files changed, 39 insertions(+), 1 deletion(-)
diff
igned-off-by: Stefan Berger
---
lib/header.c | 2 +-
lib/header_internal.h | 5 +++--
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/lib/header.c b/lib/header.c
index 81f2038..ae292f9 100644
--- a/lib/header.c
+++ b/lib/header.c
@@ -99,7 +99,7 @@ struct headerTo
> @@ -104,7 +104,7 @@ static int base64_decode_value(unsigned char value_in)
> {
> static const int decoding[] =
> {62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-2,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33
"Rpm-maint" wrote on 04/29/2016 01:42:06 PM:
>
> On Fri, 29 Apr 2016, Stefan Berger wrote:
>
> > From: Stefan Berger
> >
> > Extend the header size to 256MB in case an RPM has a lot of files
> > and the file signatures do not fit within the
e solution how to detect phase could be adding another argument to function
> getFiles() and this argument will indicate if getFiles() was called from
> addTE() i. e. the first phase or from rpmteOpen() i. e. the second phase then
> flags could be set according to this argument in function
all this function with this flag always set?
Stefan
>
> Lubos
>
> ----- Original Message -
> > From: "Florian Festi"
> > To: "Stefan Berger"
> > Cc: rpm-maint@lists.rpm.org
> > Sent: Friday, April 29, 2016 10:27:39 AM
> > Su
be 'packed'
Stefan
Stefan Berger (2):
Extend header size to 256MB due to file signatures
Fix handling of zero-length file digests
lib/header.c | 2 +-
lib/header_internal.h | 5 +++--
lib/rpmsignfiles.c| 4
plugins/ima.c | 25 +
From: Stefan Berger
Do not try to convert a zero-length file digest to a binary representation.
Zero-length file digests may stem from directory entries and symbolic links.
Return an empty signature in this case.
Returning an empty signature results in the ima.so plugin getting a sequence
of
From: Stefan Berger
Extend the header size to 256MB in case an RPM has a lot of files
and the file signatures do not fit within the current limit of 16MB.
An example for an RPM with many files is kcbench-data-4.0. It contains
more than 52000 files. With each signature with a 2048 bit key
"Rpm-maint" wrote on 04/27/2016 05:45:56 AM:
>
> I get the following warning:
>
> ima.c:23:1: warning: ‘PACKED’ attribute directive ignored [-Wattributes]
> } __attribute__((PACKED));
>
> Maybe there is a simpler way to check for the header being zeros only?
One way of doing it would be t
"Rpm-maint" wrote on 04/27/2016 05:50:54 AM:
>
> Well changing header size limit needs a bit more thought. The main
> problem is that packages with bigger header will look broken on older
> rpm versions and the usual way of dealing with this (adding rpmlib()
> Requires) won't work it needs rea
From: Stefan Berger
Fix the indentation and formatting in signature related files.
Signed-off-by: Stefan Berger
---
lib/rpmsignfiles.c | 12 ++--
sign/rpmgensig.c | 3 ++-
2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/lib/rpmsignfiles.c b/lib/rpmsignfiles.c
index
From: Stefan Berger
Extend the header size to 64MB in case an RPM has a lot of files
and the file signatures do not fit within the current limit of 16MB.
An example for an RPM with many files is kcbench-data-4.0. It contains
more than 52000 files. With each signature with a 2048 bit key
From: Stefan Berger
Fix various memory leaks in file signature related functions.
Signed-off-by: Stefan Berger
---
lib/rpmsignfiles.c | 2 ++
rpmsign.c | 4 +++-
sign/rpmgensig.c | 24 +---
3 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/lib
From: Stefan Berger
Check the range of the algo index parameter before using it for
accessing an array.
Signed-off-by: Stefan Berger
---
lib/rpmsignfiles.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/lib/rpmsignfiles.c b/lib/rpmsignfiles.c
index b7d9ccc..97a5be4 100644
--- a/lib
This series of patches fixes several issues related to signed files
produced by rpmsign.
Stefan
Stefan Berger (5):
Fix indentation and formatting
Fix various memory leaks in file signature related functions.
Check range of algo index parameter before accessing array with it
Extend
From: Stefan Berger
Do not try to convert a zero-length file digest to a binary representation.
Zero-length file digests may stem from directory entries and symbolic links.
Return an empty signature in this case.
Returning an empty signature results in the ima.so plugin getting a sequence
of