fix lsetxattr error in container

2021-09-13 17:40:24 +08:00 · 2021-09-13 17:40:24 +08:00 · 3efc136750
commit 3efc136750
parent 034d051622
2 changed files with 72 additions and 1 deletions
--- a/fix-lsetxattr-error-in-container.patch
+++ b/fix-lsetxattr-error-in-container.patch
@ -0,0 +1,64 @@
+From 848cad38da6c727c91f0fcb8052f9402de598737 Mon Sep 17 00:00:00 2001
+From: Zhang Tianxing <zhangtianxing3@huawei.com>
+Date: Mon, 13 Sep 2021 17:32:11 +0800
+Subject: [PATCH] fix lsetxattr error in container
+
+The digest list plugin in rpm will set security.ima xattr to IMA digest lists
+when installing or updating an rpm package. However, in a container without
+CAP_SYS_ADMIN, we'll get error messages when calling lsetxattr.
+
+This patch is to skip lsetxattr when CAP_SYS_ADMIN is missing.
+
+Signed-off-by: Zhang Tianxing <zhangtianxing3@huawei.com>
+---
+ plugins/digest_list.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/plugins/digest_list.c b/plugins/digest_list.c
+index 6bc9415..2d14463 100644
+--- a/plugins/digest_list.c
+++ b/plugins/digest_list.c
+@@ -12,6 +12,7 @@
+ #include <sys/stat.h>
+ #include <openssl/sha.h>
+ #include <sys/xattr.h>
+#include <sys/capability.h>
+ #include <linux/xattr.h>
+ #include <asm/byteorder.h>
+ #include <sys/wait.h>
+@@ -370,6 +371,10 @@ static int process_digest_list(rpmte te, int parser)
+ 	int digest_list_signed = 0;
+ 	struct stat st;
+ 	ssize_t size;
+	struct __user_cap_header_struct cap_header_data;
+	cap_user_header_t cap_header = &cap_header_data;
+	struct __user_cap_data_struct cap_data_data;
+	cap_user_data_t cap_data = &cap_data_data;
+ 	rpmRC ret = RPMRC_OK;
+ 
+ 	path = malloc(PATH_MAX);
+@@ -435,7 +440,21 @@ static int process_digest_list(rpmte te, int parser)
+ 				ret = RPMRC_FAIL;
+ 				goto out;
+ 			}
+		}
+ 
+		/* don't call lsetxattr without CAP_SYS_ADMIN */
+		cap_header->pid = getpid();
+		cap_header->version = _LINUX_CAPABILITY_VERSION_1;
+		if (capget(cap_header, cap_data) < 0) {
+			ret = -ENOENT;
+			goto out;
+		}
+		if (!(cap_data->effective & CAP_TO_MASK(CAP_SYS_ADMIN))) {
+			ret = -EPERM;
+			goto out;
+		}
+
+		if (!digest_list_signed) {
+ 			/* Write RPM header sig to security.ima */
+ 			ret = write_rpm_digest_list_ima_xattr(te, path);
+ 		} else {
+-- 
+2.27.0
+
--- a/rpm.spec
+++ b/rpm.spec
@ -1,6 +1,6 @@
 Name:          rpm
 Version:       4.15.1
-Release:       29
+Release:       30
 Summary:       RPM Package Manager
 License:       GPLv2+
 URL:           http://www.rpm.org/
@ -53,6 +53,7 @@ Patch42: backport-optimize-signature-header-merge-a-bit.patch
 Patch43: CVE-2021-20266.patch
 Patch44: backport-build-prioritize-large-packages.patch
 Patch45: backport-Fix-data-race-in-packageBinaries-function.patch
+Patch46: fix-lsetxattr-error-in-container.patch

 BuildRequires: gcc autoconf automake libtool make gawk popt-devel openssl-devel readline-devel libdb-devel 
 BuildRequires: zlib-devel libzstd-devel xz-devel bzip2-devel libarchive-devel ima-evm-utils-devel
@ -315,6 +316,12 @@ make check || (cat tests/rpmtests.log; exit 0)
 %{_mandir}/man1/gendiff.1*

 %changelog
+* Mon Sep 13 2021 zhangtianxing<zhangtianxing3@huawei.com> - 4.15.1-30
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix lsetxattr error in container
+
 * Thu Jul 22 2021 liudabo<liudabo1@huawei.com> - 4.15.1-29
 - Type:bugfix
 - ID:NA