!211 Sync IMA related patches

From: @gys66 Reviewed-by: @zhujianwei001 Signed-off-by: @zhujianwei001
2023-02-08 03:51:24 +00:00 · 2023-02-08 03:51:24 +00:00 · 21a3ef5b6b
commit 21a3ef5b6b
parent 04f3d26fe9 3471713e62
5 changed files with 234 additions and 1 deletions
--- a/0010-Remove-digest-list-from-the-kernel-during-package-re.patch
+++ b/0010-Remove-digest-list-from-the-kernel-during-package-re.patch
@ -0,0 +1,106 @@
+From 3c3e44171146c5c78287635e71c7adaea26fab3e Mon Sep 17 00:00:00 2001
+From: Roberto Sassu <roberto.sassu@huawei.com>
+Date: Thu, 11 Mar 2021 11:59:45 +0100
+Subject: [PATCH 10/13] Remove digest list from the kernel during package
+ reinstallation
+
+Signed-off-by: luhuaxin <luhuaxin1@huawei.com>
+---
+ plugins/digest_list.c | 36 +++++++++++++++++-------------------
+ 1 file changed, 17 insertions(+), 19 deletions(-)
+
+diff --git a/plugins/digest_list.c b/plugins/digest_list.c
+index ca77282..63f8f1c 100644
+--- a/plugins/digest_list.c
+++ b/plugins/digest_list.c
+@@ -27,9 +27,6 @@
+ #define DIGEST_LIST_DEFAULT_PATH "/etc/ima/digest_lists"
+ #define RPM_PARSER "/usr/libexec/rpm_parser"
+ 
+-#define DIGEST_LIST_OP_ADD 0
+-#define DIGEST_LIST_OP_DEL 1
+-
+ enum hash_algo {
+ 	HASH_ALGO_MD4,
+ 	HASH_ALGO_MD5,
+@@ -372,12 +369,13 @@ out:
+ 	return ret;
+ }
+ 
+-static int process_digest_list(rpmte te, int parser)
+static int process_digest_list(rpmte te, int parser, int pre)
+ {
+ 	char *path = NULL, *path_sig = NULL;
+ 	int digest_list_signed = 0;
+ 	struct stat st;
+ 	ssize_t size;
+	int type = rpmteType(te);
+ 	struct __user_cap_header_struct cap_header_data;
+ 	cap_user_header_t cap_header = &cap_header_data;
+ 	struct __user_cap_data_struct cap_data_data;
+@@ -431,15 +429,7 @@ static int process_digest_list(rpmte te, int parser)
+ 
+ 	size = lgetxattr(path, XATTR_NAME_IMA, NULL, 0);
+ 
+-	/* Don't upload again if digest list was already processed */
+-	if ((rpmteType(te) == TR_ADDED && size > 0) ||
+-	    (rpmteType(te) == TR_REMOVED && size < 0)) {
+-		rpmlog(RPMLOG_DEBUG, "digest_list: '%s' already processed, "
+-		       "nothing to do\n", path);
+-		goto out;
+-	}
+-
+-	if (rpmteType(te) == TR_ADDED) {
+	if (type == TR_ADDED && !pre && size < 0) {
+ 		if (!digest_list_signed) {
+ 			/* Write RPM header to the disk */
+ 			ret = write_rpm_digest_list(te, path);
+@@ -472,12 +462,18 @@ static int process_digest_list(rpmte te, int parser)
+ 			ret = RPMRC_FAIL;
+ 			goto out;
+ 		}
+	} else if (type == TR_ADDED && pre) {
+		if (size < 0)
+			goto out;
+
+		/* rpm is overwriting the digest list, remove from the kernel */
+		type = TR_REMOVED;
+ 	}
+ 
+ 	/* Upload digest list to securityfs */
+-	upload_digest_list(path, rpmteType(te), digest_list_signed);
+	upload_digest_list(path, type, digest_list_signed);
+ 
+-	if (rpmteType(te) == TR_REMOVED) {
+	if (type == TR_REMOVED) {
+ 		if (!digest_list_signed) {
+ 			unlink(path);
+ 			goto out;
+@@ -552,8 +548,10 @@ static rpmRC digest_list_file_common(rpmPlugin plugin, rpmfi fi,
+ 	if (!pre && res != RPMRC_OK)
+ 		return res;
+ 
+-	if ((pre && action != FA_ERASE) ||
+-	    (!pre && action != FA_CREATE))
+	if (!pre && rpmteType(cur_te) != TR_ADDED)
+		return RPMRC_OK;
+
+	if (pre && action == FA_SKIP)
+ 		return RPMRC_OK;
+ 
+ 	if (strncmp(path, DIGEST_LIST_DEFAULT_PATH,
+@@ -564,9 +562,9 @@ static rpmRC digest_list_file_common(rpmPlugin plugin, rpmfi fi,
+ 	if (!pre && --digest_list_counter)
+ 		return RPMRC_OK;
+ 
+-	process_digest_list(cur_te, 0);
+	process_digest_list(cur_te, 0, pre);
+ 	if (!strcmp(rpmteN(cur_te), "digest-list-tools"))
+-		process_digest_list(cur_te, 1);
+		process_digest_list(cur_te, 1, pre);
+ 
+ 	return RPMRC_OK;
+ }
+-- 
+2.33.0
+
--- a/0011-Add-license-to-digest_list.c.patch
+++ b/0011-Add-license-to-digest_list.c.patch
@ -0,0 +1,34 @@
+From e33dee894957fabb5d229d9f02b9e308bf79eb70 Mon Sep 17 00:00:00 2001
+From: Roberto Sassu <roberto.sassu@huawei.com>
+Date: Fri, 12 Mar 2021 10:57:24 +0100
+Subject: [PATCH 11/13] Add license to digest_list.c
+
+---
+ plugins/digest_list.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/plugins/digest_list.c b/plugins/digest_list.c
+index 63f8f1c..0692b5b 100644
+--- a/plugins/digest_list.c
+++ b/plugins/digest_list.c
+@@ -1,3 +1,17 @@
+/*
+ * Copyright (C) 2020-2021 Huawei Technologies Duesseldorf GmbH
+ *
+ * Author: Roberto Sassu <roberto.sassu@huawei.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * File: digest_list.c
+ *      Plugin to load digest lists in the Linux kernel.
+ */
+
+ #include "system.h"
+ #include "errno.h"
+ 
+-- 
+2.33.0
+
--- a/0012-Avoid-generating-digest-lists-if-they-are-already-pa.patch
+++ b/0012-Avoid-generating-digest-lists-if-they-are-already-pa.patch
@ -0,0 +1,51 @@
+From 1cd90e4828c52919e103bebd3c4e37fba2749d11 Mon Sep 17 00:00:00 2001
+From: Roberto Sassu <roberto.sassu@huawei.com>
+Date: Wed, 17 Mar 2021 17:25:46 +0100
+Subject: [PATCH 12/13] Avoid generating digest lists if they are already
+ packaged
+
+---
+ build/files.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/build/files.c b/build/files.c
+index 84858b6..7312029 100644
+--- a/build/files.c
+++ b/build/files.c
+@@ -51,6 +51,7 @@
+ #define DEBUG_ID_DIR		"/usr/lib/debug/.build-id"
+ #define DEBUG_DWZ_DIR 		"/usr/lib/debug/.dwz"
+ #define DIGEST_LIST_DIR		"/.digest_lists"
+#define DEST_DIGEST_LIST_DIR	"/etc/ima/digest_lists"
+ 
+ #undef HASHTYPE
+ #undef HTKEYTYPE
+@@ -1005,7 +1006,7 @@ static void genDigestListInput(FileList fl, Package pkg, int isSrc)
+     char buf[BUFSIZ];
+     char file_info[BUFSIZ];
+     char file_digest[128 * 2 + 1];
+-    int i;
+    int i, gen_digest_lists = 1;
+     uint32_t defaultalgo = PGPHASHALGO_MD5, digestalgo;
+     Header h = pkg->header; /* just a shortcut */
+ 
+@@ -1112,9 +1113,15 @@ static void genDigestListInput(FileList fl, Package pkg, int isSrc)
+                strlen(flp->caps) ? flp->caps : "");
+            appendStringBuf(check_fileList_bin_pkg, file_info);
+        }
+
+       if (S_ISREG(flp->fl_mode) &&
+           !strncmp(flp->cpioPath, DEST_DIGEST_LIST_DIR,
+                    sizeof(DEST_DIGEST_LIST_DIR) - 1))
+               gen_digest_lists = 0;
+     }
+ 
+-    if (genDigestList(pkg->header, fl, check_fileList_bin_pkg) > 0)
+    if (gen_digest_lists &&
+               genDigestList(pkg->header, fl, check_fileList_bin_pkg) > 0)
+        fl->processingFailed = 1;
+ }
+ 
+-- 
+2.33.0
+
--- a/0013-dont-remove-ima-xattr-of-parser-when-upgrading.patch
+++ b/0013-dont-remove-ima-xattr-of-parser-when-upgrading.patch
@ -0,0 +1,35 @@
+From 44af19d23061b73e35a5d65a743f23333da1f22c Mon Sep 17 00:00:00 2001
+From: luhuaxin <luhuaxin1@huawei.com>
+Date: Tue, 15 Mar 2022 20:54:06 +0800
+Subject: [PATCH 13/13] dont remove ima xattr of parser when upgrading
+
+Signed-off-by: luhuaxin <luhuaxin1@huawei.com>
+---
+ plugins/digest_list.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/plugins/digest_list.c b/plugins/digest_list.c
+index 0692b5b..1d7ef92 100644
+--- a/plugins/digest_list.c
+++ b/plugins/digest_list.c
+@@ -576,9 +576,16 @@ static rpmRC digest_list_file_common(rpmPlugin plugin, rpmfi fi,
+ 	if (!pre && --digest_list_counter)
+ 		return RPMRC_OK;
+ 
+	rpmlog(RPMLOG_DEBUG, "process ima digest, pre: %d, action: %d, teType: %d\n",
+		pre, action, rpmteType(cur_te));
+ 	process_digest_list(cur_te, 0, pre);
+-	if (!strcmp(rpmteN(cur_te), "digest-list-tools"))
+	if (!strcmp(rpmteN(cur_te), "digest-list-tools")) {
+		if (pre && rpmteType(cur_te) == TR_REMOVED)
+			return RPMRC_OK;
+
+		rpmlog(RPMLOG_DEBUG, "process parser digest\n");
+ 		process_digest_list(cur_te, 1, pre);
+	}
+ 
+ 	return RPMRC_OK;
+ }
+-- 
+2.33.0
+
--- a/rpm.spec
+++ b/rpm.spec
@ -1,6 +1,6 @@
 Name:          rpm
 Version:       4.18.0
-Release:       4
+Release:       5
 Summary:       RPM Package Manager
 License:       GPLv2+
 URL:           http://www.rpm.org/
@ -43,6 +43,10 @@ Patch9006: 0006-fix-lsetxattr-error-in-container.patch
 Patch9007: 0007-rpm-selinux-plugin-check-context-file-exist.patch
 Patch9008: 0008-Fix-digest_list_counter.patch
 Patch9009: 0009-Check-rpm-parser.patch
+Patch9010: 0010-Remove-digest-list-from-the-kernel-during-package-re.patch
+Patch9011: 0011-Add-license-to-digest_list.c.patch
+Patch9012: 0012-Avoid-generating-digest-lists-if-they-are-already-pa.patch
+Patch9013: 0013-dont-remove-ima-xattr-of-parser-when-upgrading.patch

 BuildRequires: gcc autoconf automake libtool make gawk popt-devel openssl-devel readline-devel
 BuildRequires: zlib-devel zstd-devel >= 1.3.8 xz-devel bzip2-devel libarchive-devel ima-evm-utils-devel
@ -329,6 +333,9 @@ make clean
 %exclude %{_mandir}/man8/rpmspec.8.gz

 %changelog
+* Wed Feb 08 2023 gaoyusong<gaoyusong2@huawei.com> - 4.18.0-5
+- Sync IMA related patches
+
 * Wed Feb 08 2023 gaoyusong<gaoyusong2@huawei.com> - 4.18.0-4
 - Add digest list plugin support