fix lsetxattr error in container

This commit is contained in:
PrinterFranklin 2021-09-13 17:40:24 +08:00
parent 034d051622
commit 3efc136750
2 changed files with 72 additions and 1 deletions


@ -0,0 +1,64 @@
From 848cad38da6c727c91f0fcb8052f9402de598737 Mon Sep 17 00:00:00 2001
From: Zhang Tianxing <zhangtianxing3@huawei.com>
Date: Mon, 13 Sep 2021 17:32:11 +0800
Subject: [PATCH] fix lsetxattr error in container
The digest list plugin in rpm will set security.ima xattr to IMA digest lists
when installing or updating an rpm package. However, in a container without
CAP_SYS_ADMIN, we'll get error messages when calling lsetxattr.
This patch is to skip lsetxattr when CAP_SYS_ADMIN is missing.
Signed-off-by: Zhang Tianxing <zhangtianxing3@huawei.com>
---
plugins/digest_list.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/plugins/digest_list.c b/plugins/digest_list.c
index 6bc9415..2d14463 100644
--- a/plugins/digest_list.c
+++ b/plugins/digest_list.c
@@ -12,6 +12,7 @@
#include <sys/stat.h>
#include <openssl/sha.h>
#include <sys/xattr.h>
+#include <sys/capability.h>
#include <linux/xattr.h>
#include <asm/byteorder.h>
#include <sys/wait.h>
@@ -370,6 +371,10 @@ static int process_digest_list(rpmte te, int parser)
int digest_list_signed = 0;
struct stat st;
ssize_t size;
+ struct __user_cap_header_struct cap_header_data;
+ cap_user_header_t cap_header = &cap_header_data;
+ struct __user_cap_data_struct cap_data_data;
+ cap_user_data_t cap_data = &cap_data_data;
rpmRC ret = RPMRC_OK;
path = malloc(PATH_MAX);
@@ -435,7 +440,21 @@ static int process_digest_list(rpmte te, int parser)
ret = RPMRC_FAIL;
goto out;
}
+ }
+ /* don't call lsetxattr without CAP_SYS_ADMIN */
+ cap_header->pid = getpid();
+ cap_header->version = _LINUX_CAPABILITY_VERSION_1;
+ if (capget(cap_header, cap_data) < 0) {
+ ret = -ENOENT;
+ goto out;
+ }
+ if (!(cap_data->effective & CAP_TO_MASK(CAP_SYS_ADMIN))) {
+ ret = -EPERM;
+ goto out;
+ }
+
+ if (!digest_list_signed) {
/* Write RPM header sig to security.ima */
ret = write_rpm_digest_list_ima_xattr(te, path);
} else {
--
2.27.0
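Review bot: The missing-capability branch at the end of the hunk sets `ret = -EPERM` and jumps to `out`, yet the commit message says lsetxattr should be skipped when CAP_SYS_ADMIN is absent; `ret` is declared `rpmRC` and the surrounding code reports failure with `RPMRC_FAIL`, so a negative errno value is out of convention and, if the caller treats anything other than `RPMRC_OK` as an error, turns a skipped xattr write into a failed install in exactly the container case the patch targets. The same applies to `ret = -ENOENT` after a failed capget, where ENOENT does not describe what went wrong. If the intent is a best-effort skip, say so explicitly, e.g. `if (!(cap_data->effective & CAP_TO_MASK(CAP_SYS_ADMIN))) { ret = RPMRC_OK; goto out; }`, and consider that a capability pre-check is weaker than handling EPERM/ENOTSUP from lsetxattr itself, since a container can still deny the security.ima write through a filesystem without xattr support or a seccomp policy while holding CAP_SYS_ADMIN, and a silent skip leaves the digest list unlabelled for IMA appraisal without any log line. `<sys/capability.h>` is the libcap header and `capget()` has no glibc wrapper, so the new include appears to add a libcap-devel build and link dependency that the spec change in this commit does not declare; if libcap is not already linked, `syscall(SYS_capget, ...)` with `<linux/capability.h>` and `<sys/syscall.h>` avoids it. process_digest_list starts and ends outside the hunk.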


@ -1,6 +1,6 @@
Name: rpm Name: rpm
Version: 4.15.1 Version: 4.15.1
Release: 29 Release: 30
Summary: RPM Package Manager Summary: RPM Package Manager
License: GPLv2+ License: GPLv2+
URL: http://www.rpm.org/ URL: http://www.rpm.org/
@ -53,6 +53,7 @@ Patch42: backport-optimize-signature-header-merge-a-bit.patch
Patch43: CVE-2021-20266.patch Patch43: CVE-2021-20266.patch
Patch44: backport-build-prioritize-large-packages.patch Patch44: backport-build-prioritize-large-packages.patch
Patch45: backport-Fix-data-race-in-packageBinaries-function.patch Patch45: backport-Fix-data-race-in-packageBinaries-function.patch
Patch46: fix-lsetxattr-error-in-container.patch
BuildRequires: gcc autoconf automake libtool make gawk popt-devel openssl-devel readline-devel libdb-devel BuildRequires: gcc autoconf automake libtool make gawk popt-devel openssl-devel readline-devel libdb-devel
BuildRequires: zlib-devel libzstd-devel xz-devel bzip2-devel libarchive-devel ima-evm-utils-devel BuildRequires: zlib-devel libzstd-devel xz-devel bzip2-devel libarchive-devel ima-evm-utils-devel
@ -315,6 +316,12 @@ make check || (cat tests/rpmtests.log; exit 0)
%{_mandir}/man1/gendiff.1* %{_mandir}/man1/gendiff.1*
%changelog %changelog
* Mon Sep 13 2021 zhangtianxing<zhangtianxing3@huawei.com> - 4.15.1-30
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:fix lsetxattr error in container
* Thu Jul 22 2021 liudabo<liudabo1@huawei.com> - 4.15.1-29 * Thu Jul 22 2021 liudabo<liudabo1@huawei.com> - 4.15.1-29
- Type:bugfix - Type:bugfix
- ID:NA - ID:NA