authorfin@linux.vnet.ibm.com <fin@linux.vnet.ibm.com>2015-07-21 12:00:44 -0500
committerLubos Kardos <lkardos@redhat.com>2015-08-12 14:23:31 +0200
commit8c70222a1fde1268f4c88fc1a54fad51b4658f16 (patch)
tree367c2284e6cbba5fe949a07956472a45d247e844 /plugins
parent6e9eab345a18d01f0c2c35fa8bb842744093364c (diff)
downloadrpm-8c70222a1fde1268f4c88fc1a54fad51b4658f16.tar.gz
IMA plugin labels ima xattr with file signatures
This plugin extracts the per-file signatures carried in the package's file metadata and writes them to the security.ima xattr of the installed files. Only signatures of non-config files are installed. Changelog: - use rpmfi instead of rpmfiles - use rpmfiFN instead of fsmFsPath Signed-off-by: Lubos Kardos <lkardos@redhat.com>
Diffstat (limited to 'plugins')
-rw-r--r--plugins/Makefile.am4
-rw-r--r--plugins/ima.c51
2 files changed, 55 insertions, 0 deletions
diff --git a/plugins/Makefile.am b/plugins/Makefile.am
index 53b24500a..5ddc174bf 100644
--- a/plugins/Makefile.am
+++ b/plugins/Makefile.am
@@ -31,3 +31,7 @@ endif
syslog_la_SOURCES = syslog.c
syslog_la_LIBADD = $(top_builddir)/lib/librpm.la $(top_builddir)/rpmio/librpmio.la
plugins_LTLIBRARIES += syslog.la
+
+ima_la_sources = ima.c
+ima_la_LIBADD = $(top_builddir)/lib/librpm.la $(top_builddir)/rpmio/librpmio.la
+plugins_LTLIBRARIES += ima.la
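Review bot: `ima_la_sources = ima.c` uses a lowercase suffix that automake does not treat as the SOURCES primary, while the sibling rule three lines above correctly uses `syslog_la_SOURCES`. Automake will most likely still build ima.la from the default source name derived from the target (ima.c), so the plugin builds by accident, but the variable itself is dead and any source later appended to it would be silently ignored. Change it to `ima_la_SOURCES = ima.c`.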
diff --git a/plugins/ima.c b/plugins/ima.c
new file mode 100644
index 000000000..ccd59a412
--- /dev/null
+++ b/plugins/ima.c
@@ -0,0 +1,51 @@
+#include <sys/xattr.h>
+
+#include <rpm/rpmfi.h>
+#include <rpm/rpmte.h>
+#include <rpm/rpmfiles.h>
+#include <rpm/rpmtypes.h>
+#include <rpmio/rpmstring.h>
+
+#include "lib/rpmfs.h"
+#include "lib/rpmplugin.h"
+#include "lib/rpmte_internal.h"
+
+#define XATTR_NAME_IMA "security.ima"
+
+static rpmRC ima_psm_post(rpmPlugin plugin, rpmte te, int res)
+{
+ rpmfi fi = rpmteFI(te);
+ const char *fpath;
+ const unsigned char * fsig = NULL;
+ size_t len;
+ int rc = 0;
+
+ if (fi == NULL) {
+ rc = RPMERR_BAD_MAGIC;
+ goto exit;
+ }
+
+ while (!rc) {
+ rc = rpmfiNext(fi);
+ if (rc < 0) {
+ if (rc == RPMERR_ITER_END)
+ rc = 0;
+ break;
+ }
+
+ /* Don't install signatures for (mutable) config files */
+ if (!(rpmfiFFlags(fi) & RPMFILE_CONFIG)) {
+ fpath = rpmfiFN(fi);
+ fsig = rpmfiFSignature(fi, &len);
+ if (fsig) {
+ lsetxattr(fpath, XATTR_NAME_IMA, fsig, len, 0);
+ }
+ }
+ }
+exit:
+ return rc;
+}
+
+struct rpmPluginHooks_s ima_hooks = {
+ .psm_post = ima_psm_post,
+};
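Review bot: The loop at `while (!rc)` stops after the second file, because rpmfiNext() returns the new iterator index (0, 1, 2, …) rather than 0 on success, so `rc` becomes 1 after the second call, the loop exits, and the function returns 1 (RPMRC_NOTFOUND) with every remaining file unlabelled. The `lsetxattr()` result a few lines further down is also discarded, so a file can land on disk without its security.ima value (filesystem without xattr support, EPERM, ENOSPC) while the transaction still reports success — for an appraisal mechanism that is a silent security failure. I would use `rpmfiNext(fi) >= 0` as the loop condition so `rc` only ever carries an error, log and fail on a failed lsetxattr, and consider honouring `res` (the install result, currently ignored) so files are not labelled after a failed unpack. rpmlog() needs `<rpm/rpmlog.h>`, and strerror()/errno need `<string.h>` and `<errno.h>`.
```c
	/* … unchanged: rpmteFI() lookup and NULL check … */

	while (!rc && rpmfiNext(fi) >= 0) {
	    /* Don't install signatures for (mutable) config files */
	    if (!(rpmfiFFlags(fi) & RPMFILE_CONFIG)) {
		fpath = rpmfiFN(fi);
		fsig = rpmfiFSignature(fi, &len);
		if (fsig && lsetxattr(fpath, XATTR_NAME_IMA, fsig, len, 0) < 0) {
		    rpmlog(RPMLOG_ERR, "ima: could not apply signature on %s: %s\n",
			   fpath, strerror(errno));
		    rc = RPMRC_FAIL;
		}
	    }
	}
	/* … unchanged: exit label and return … */
```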