| Commit message | Author | Age | Files | Lines |
which was accidentally dropped when converting to cmake
Use CMAKE_INSTALL_FULL_SYSCONFDIR as it expands to /etc instead of
/usr/etc
Resolves: #2474
Abort the build if imaevm enabled but header+library not present, use
detected values. Check for lsetxattr() availability. Drop unnecessary
imaevm linkage from the plugin, the plugin only manipulates xattrs and
does not need the IMA library.
These imported targets passed to target_link_library() are supposed to
handle all the pesky compilation, linkage etc details behind the scenes.
I was pretty sure I was missing a trick with this, but this sure isn't
exactly underlined in the documentation.
Unroll the supposedly helpful loop for handling plugins: turns out doing
this cmake native way is plenty shorter and more obvious too. The unroll
kinda belongs to a separate commit but that'd be rather painful for very
little if any gain.
Fixes: #2269 and a whole class of similar cases, allegedly
There are some missing bits and pieces still to be done for cmake build,
but that is so much easier if you don't have to worry about keeping
compatibility with the system you're about to remove that it doesn't
make sense to drag this on any further. The sooner this is over, the
sooner it is over and we can start making use of cmake's advantages
instead of just trying to bend over backwards to maintain compatibility
with the autotools build.
libselinux logs to stderr by default, which up to now has been just fine
with us. However somewhere around libselinux 3.2 it began issuing
log messages for events discovered in selinux_status_updated().
We only call that to see whether the status *was* updated behind our
back and are not interested in these audit-style messages for our
functionality, but to suppress them while preserving actually relevant
errors and warnings, we need to have a log callback of our own. Might as
well forward them to rpmlog then.
SELINUX_ERROR and SELINUX_WARNING are pretty obvious, of SELINUX_AVC
selinux_set_callback(3) says it should be treated as SELINUX_ERROR if
not audited. The rest we suppress to debug messages, they may be handy
for diagnostics some day.
Note that this intentionally avoids explicit SELINUX_POLICYLOAD and
SELINUX_SETENFORCE cases in the switch: we don't want to introduce
libselinux >= 3.2 dependency just because of this silly thing.
- switch to read only and non blocking mode for pipe
- add 1 minute loop to wait for pipe to reappear
Sometimes during the system update/upgrade fapolicyd
gets restarted e.g. when systemd gets updated.
That can lead to the situation where fapolicyd pipe
has been removed and created again.
In such cases rpm-plugin-fapolicyd gets stuck on
write() to the pipe which does not exist anymore.
After switching to non blocking file descriptor
we can try to reopen the pipe if there is an error
from write(). Assuming that a new pipe should appear
when fapolicyd daemon starts again.
If not then after 1 minute of waiting we expect
fapolicyd daemon to be not active and we let the
transaction continue.
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
This is an incomplete release-early version, NOT intended or
suitable for production use. It is intended to replace the autotools
based buildsystem in rpm 4.20, until then it'll be developed alongside
it. This causes some extra complications of course, but then we avoid
a huge flag-day, and that matters more.
To those wondering why cmake and not ${myfavorite}: the community around
us effectively made that choice for us. We've made a lot of noise about
bootstrap dependencies. When libsolv, dnf and all the related stack is
powered by cmake build, it'd be just foolish to go with anything else.
This way people working on the rpm stack have only one build system to
learn, there's peer support available nearby and bootstrap dependencies
are reduced, not increased. It also doesn't hurt that cmake is actually
and actively maintained.
setexecfilecon() is in libselinux version 2.3 in 2014, we don't need to
worry about its availability anymore. Instead, use it to determine
libselinux suitability in the configure check, eliminating another
redundant check and a bunch of unused code.
Introduced back in 2007 in 583140460100ea99553d883174065ca22a3099b2 the
point was to fake up a sane public header structure with minimal
internal disruption, TEMPORARILY. I think 15 years is temporary enough.
The machinery has worked rather well for what it is, but having the
headers appear in multiple locations is weird and confusing to people,
plus this "physical" separation makes it far clearer what is
a public header and what isn't.
Fixup internal callers to use rpmhex(), deprecate pgpHexStr().
pgpHexStr() should be dropped at next soname bump, whenever that
happens.
If an RPM contains IMA signed digests and rpm-plugin-ima is installed,
then any attempt to install to a filesystem that doesn't support
extended attributes will cause the RPM installation to fail.
This can be seen, for example, if installing a file in /boot, which is
usually a vFAT filesystem.
The rpm-plugin for selinux fixed this some time back, and that same
logic can be applied to IMA too - where, if a failure to set an extended
attribute results in an errno that is set to EOPNOTSUPP, then this
should not cause a complete failure, but should instead just be logged
at a debug level.
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Sadly the thing that allegedly makes things better mostly just makes
things more complicated as symlinks can't be opened, so we'll now have
to deal with both cases in plugins too. To make matters worse, most
APIs out there support either an fd or a path, but very few support
the *at() style dirfd + basename approach so plugins are stuck with
absolute paths for now.
This is of course a plugin API/ABI change too.
Include necessary headers that were previously transitively included
by including rpmpgp.h.
The plugin announces start and end of transactions
Issues were found by coverity scan.
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
Fapolicyd (File Access Policy Daemon) implements application whitelisting
to decide file access rights. Applications that are known via a reputation
source are allowed access while unknown applications are not.
The rpm plugin allows us to use rpm database as a source of trust.
We used the dnf plugin since the beginning but it only provides notification
when transaction ends. With "integrity checking" requirement we need
a continual addition of files which are installed during the system
update. With the fapolicyd rpm plugin we can allow the use of recently
added/updated files in scriptlets during rpm transaction.
The fapolicyd plugin gathers metadata of currently installed files.
It sends the information about files and about ongoing rpm transaction
to the fapolicyd daemon. The information is written to a Linux pipe which
is placed in /var/run/fapolicyd/fapolicyd.fifo.
The data format is "%s %lu %64s\n". [path, size, sha256]
The fapolicyd rpm plugin can be enabled with "--with-fapolicyd"
configure option.
Related PRs:
https://github.com/linux-application-whitelisting/fapolicyd/pull/105
https://github.com/linux-application-whitelisting/fapolicyd/pull/106
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
In libselinux >= 3.1 these cause deprecation warnings on build.
security_context_t always was nothing but a typedef to plain old "char *"
so just using that is entirely backwards compatible too.
This uses the algorithm from the tag, if available. Fallback is SHA256.
Signed-off-by: Jes Sorensen <jsorensen@fb.com>
This plugin installs fsverity signatures for regular files, when a signature
is found in the RPM. It tries to enable them unconditionally, but fails
gracefully if fsverity isn't supported or enabled.
Signed-off-by: Jes Sorensen <jsorensen@fb.com>
Refactor the custom exec context setting code to look like setexecfilecon()
in case the real one is not available to eliminate pesky behavioral
differences between the two cases.
This fixes a concrete bug of libselinux setexecfilecon() returning with
an error when security_getenforce() returns with -1 (such as a bare
chroot with no /sys mounts etc), causing us to spit out useless error
messages in that case ever since fixing the bogus if-logic in
commit ab601b882b9d9d8248250111317615db1aa7b7c6.
Fixes: #1077
Commit 708e61307bc3fd027b016fdf5a1d1a5274c1843c introduced a memory leak
on the error object: if the message is suppressed then the error object
is never freed. Test for the suppression conditions separately to fix.
We already filter out -EOPNOTSUPP and return OK, but the message was
getting logged before the filtering so we'd spit out spurious error
messages on filesystems that don't support SELinux (RhBug:1777502)
Turns out this isn't a safe thing to do, as an API user could have
their own dbus connections in the same process and shutting those
down is a rather impolite thing to do (and causes crash, burn and
other injuries, eg RhBug:1750575)
This reverts commit d5f201345f6d27b6280750e5c6502f4418614fbc.
Misplaced parenthesis introduced in commit 148e82833a.
Fixes #872
The message may just confuse users if DBus is not running as default,
e.g. single-user mode. We suppress it when DBus is not available,
which is done by checking two cases:
socket does not exist (DBUS_ERROR_FILE_NOT_FOUND), or
unable to connect to server (DBUS_ERROR_NO_SERVER).
Note that this is an approximate but not an exact way to detect
whether DBus service should be running in the environment or not.
dbus_shutdown() frees internal DBUS memory allocations that will otherwise
show up as memory leaks. This is of little consequence in practice
but shuts up valgrind...
When enabled, log audit events for package install, update and remove.
The log includes the operation, package nevra, signature check result,
whether signatures are being enforced and overall operation
result code. Package install/update/remove are logged as such,
obsoletion is logged as install + remove (whereas the erasure element
on updates is silent). Enable compilation in CI.
Loosely based on initial RHEL 7-8 implementations by Pavlina Moravcova
Varekova and Florian Festi (RhBug:1555326, RhBug:1607612)
When there's an actual error, people will want to know without having
to rerun in verbose mode. Such as in RhBug:1641631 where configured
selinux policy differs from what is installed - the former message
error: Plugin selinux: hook tsm_pre failed
...is not particularly helpful to anybody, whereas this actually provides
some clues now:
error: selabel_open: (/etc/selinux/ponies/contexts/files/file_contexts) No such file or directory
error: Plugin selinux: hook tsm_pre failed
The strerror() case couldn't be reached as we were testing for the
wrong rc, spotted by covscan.
Even though config files may be close to what could be described as
'mutable files', we now want to give the user control over the
installation of signatures on these files as well. We enable this
through a variable in the macro file. For this, we should be aware
that the signatures of these files may become incorrect or missing
once RPM post installation scripts or other programs have modified
these configuration files.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Came up in PR #260 review, we shouldn't assume the presence of this
Linux-specific API.
While connection to dbus is closed with dbus_connection_close(),
dbus_connection_unref() is still required to unreference it.
Currently, there is no harm if config.h is not included in these files
because they are not sensitive to macros defined in config.h, but any
code added later or any plugin created using these plugins as examples
might be affected by these macros and therefore has to include config.h.
An example of a bug when this header is not included properly can be seen
in the previous commit.
Signed-off-by: Gleb Fotengauer-Malinovskiy <glebfm@altlinux.org>
plugin
This problem was found by ALT rpm verify-elf brp script:
verify-elf: WARNING: ./usr/lib/rpm-plugins/systemd_inhibit.so: uses non-LFS functions: __lxstat
verify-elf: WARNING: ./usr/lib/rpm/sepdebugcrcfix: uses non-LFS functions: __xstat mmap open pread pwrite
Signed-off-by: Gleb Fotengauer-Malinovskiy <glebfm@altlinux.org>
Resetting priorities against daemons inheriting nice'd properties
from rpm is a workaround needed only on legacy SysV init systems,
but in systemd era this is nothing but counter-productive. So make
the functionality optional by moving it into a plugin.
This probably breaks the testcase because now we'd somehow need to
determine from the testsuite whether the plugin will be loaded or not,
but since the test is only enabled as root ... maybe it's not that big
a deal.
SELinux recommends using string_to_security_class() instead of referencing
class IDs directly. This also fixes a build issue for systems that don't
include flask.h by default.
References:
https://selinuxproject.org/page/NB_Imp_SELinux-aware_Apps#Implementing_SELinux-aware_Applications_2
https://github.com/SELinuxProject/selinux/commit/76913d8adb61b5afe28fd3b4ce91feab29e284dd
Trying to include AM_CFLAGS through a configure generated rpm.am file
doesn't really work because at the time automake runs configure doesn't
exist yet to process rpm.am.in. Just define the AM_CFLAGS substitution
inside the Makefile.am files themselves.
Rename rpm.am.in back to rpm.am.
Signed-off-by: Mark Wielaard <mjw@redhat.com>
Dbus carries an error message which we used to just discard and
log a generic "mumble failed" message. Use the error from dbus
instead to help diagnose it when something goes wrong, eg RhBug:1372925.
Since newly installed files may be invoked by post install scriptlets,
we need to have them signed before the scriptlets are executed.
Therefore, we now move the IMA plugin to the fsm_file_prepare hook.
This way we can also correctly handle skipped files without silencing
away any errors from lsetxattr().
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Some configuration files are executables and so they require the
signature in the extended attribute. If they are not executable,
they can be skipped.
Examples for configuration files that are also executables are
the grub files in /etc/grub.d.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Besides unused, this has started spitting warnings in recent selinux versions:
In file included from selinux.c:5:0:
/usr/include/selinux/flask.h:5:2: warning: #warning "Please remove any #include's of this header in your source code." [-Wcpp]
#warning "Please remove any #include's of this header in your source code."
^~~~~~~
Do not try to convert a zero-length file digest to a binary representation.
Zero-length file digests may stem from directory entries and symbolic links.
Return an empty signature in this case.
Returning an empty signature results in the ima.so plugin getting a sequence
of zeroes that it would write into security.ima xattr. Check for a signature
header consisting of only zeroes and do not write it into the filesystem.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
For a pre hook function display an error message and for a post hook
function display just a warning message. This corresponds with
the way error/warning messages are displayed for scriptlets.
Also add a debug message into selinux plugin.
We really should not suspend or hibernate during rpm operations. Chances are
too high to not wake up properly and damage the system (see rhbz#1297984).
for new code path, too.
See also 9c082fb8689efdaa5a595d3043e67ccec4ed930c
Only the first file signature was getting installed. rpmfiNext returns
the next file iterator index and -1 on termination. Now the loop correctly
terminates only when rpmfiNext return value is negative.