authorStefan Berger <stefanb@linux.vnet.ibm.com>2017-11-08 11:45:51 -0500
committerPanu Matilainen <pmatilai@redhat.com>2018-02-12 10:21:40 +0200
commit99887fec108110f0c85c060fcce48d13f807d058 (patch)
tree66efda8ae837c286f47a24c78d89b03cb1dd90a7 /plugins
parent70b56c5022ad639042145eb94181fa6dfbaffad1 (diff)
ima: Also apply signatures to config files
Even though config files may be close to what could be described as 'mutable files', we now want to give the user control over the installation of signatures on these files as well. We enable this through a variable in the macro file. For this, we should be aware that the signatures of these files may become incorrect or missing once RPM post installation scripts or other programs have modified these configuration files. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Diffstat (limited to 'plugins')
-rw-r--r--plugins/ima.c20
1 files changed, 17 insertions, 3 deletions
diff --git a/plugins/ima.c b/plugins/ima.c
index fe6d3ad7f..a30ccb4a6 100644
--- a/plugins/ima.c
+++ b/plugins/ima.c
@@ -9,6 +9,7 @@
#include <rpm/rpmtypes.h>
#include <rpm/rpmlog.h>
#include <rpmio/rpmstring.h>
+#include <rpmio/rpmmacro.h>
#include "lib/rpmfs.h"
#include "lib/rpmplugin.h"
@@ -16,6 +17,8 @@
#define XATTR_NAME_IMA "security.ima"
+static int write_signatures_on_config_files = 0;
+
/*
* check_zero_hdr: Check the signature for a zero header
*
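Review bot: The new file-scope flag `write_signatures_on_config_files` is declared without a comment saying what sets it or where it is consumed, so a reader of ima_fsm_file_prepare has to search for the assignment. A one-line comment above the declaration would do: `/* Non-zero when %_ima_sign_config_files is set; filled in by ima_init(), consulted by ima_fsm_file_prepare(). */`. The initializer to 0 is redundant for a static but matches the file's explicit style, so it can stay.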
@@ -54,11 +57,13 @@ static rpmRC ima_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
goto exit;
/* Don't install signatures for (mutable) files marked
- * as config files unless they are also executable.
+ * as config files unless they are also executable or
+ * user specifically asks for it.
*/
if (rpmfiFFlags(fi) & RPMFILE_CONFIG) {
- if (!(rpmfiFMode(fi) & (S_IXUSR|S_IXGRP|S_IXOTH)))
- goto exit;
+ if (!(rpmfiFMode(fi) & (S_IXUSR|S_IXGRP|S_IXOTH)) &&
+ !write_signatures_on_config_files)
+ goto exit;
}
fsig = rpmfiFSignature(fi, &len);
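Review bot: The updated comment says the user can ask for signatures on config files but names neither the switch nor the consequence the commit message spells out: a signature installed on a config file is only valid until a post-install script or an administrator modifies the file, after which IMA appraisal of that file fails. I would extend the comment to `/* ... unless they are also executable or %_ima_sign_config_files is set; a signature on a config file is only valid until the file is next modified. */`. The new `&&` guard itself reads correctly, since executable config files keep the previous behaviour regardless of the flag. The enclosing function ima_fsm_file_prepare starts and ends outside this hunk.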
@@ -75,6 +80,15 @@ exit:
return rc;
}
+static rpmRC ima_init(rpmPlugin plugin, rpmts ts)
+{
+ write_signatures_on_config_files =
+ rpmExpandNumeric("%{?_ima_sign_config_files}");
+
+ return RPMRC_OK;
+}
+
struct rpmPluginHooks_s ima_hooks = {
+ .init = ima_init,
.fsm_file_prepare = ima_fsm_file_prepare,
};
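Review bot: ima_init stores the result of `rpmExpandNumeric("%{?_ima_sign_config_files}")` without explaining why the `%{?...}` form is used: an undefined macro expands to an empty string, which rpmExpandNumeric should then report as 0, so the default stays at not signing config files — worth confirming against rpmExpandNumeric and then stating in a comment such as `/* %{?...}: an unset macro expands to "" and yields 0, keeping the old default (off) */`. The unused `plugin` and `ts` parameters are dictated by the hook signature and need no change.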