!309 [sync] PR-308: ima digest list support modsig

From: @openeuler-sync-bot 
Reviewed-by: @overweight 
Signed-off-by: @overweight
openeuler-ci-bot 2024-03-22 07:08:25 +00:00 committed by Gitee
commit dff8919e50
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 68 additions and 6 deletions


@ -4,16 +4,16 @@ Date: Fri, 16 Jun 2023 11:21:37 +0800
Subject: [PATCH] Add-digest-list-plugin Subject: [PATCH] Add-digest-list-plugin
--- ---
plugins/digest_list.c | 611 ++++++++++++++++++++++++++++++++++++++++++ plugins/digest_list.c | 670 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 611 insertions(+) 1 file changed, 670 insertions(+)
create mode 100644 plugins/digest_list.c create mode 100644 plugins/digest_list.c
diff --git a/plugins/digest_list.c b/plugins/digest_list.c diff --git a/plugins/digest_list.c b/plugins/digest_list.c
new file mode 100644 new file mode 100644
index 0000000..151011c index 0000000..70cae82
--- /dev/null --- /dev/null
+++ b/plugins/digest_list.c +++ b/plugins/digest_list.c
@@ -0,0 +1,611 @@ @@ -0,0 +1,670 @@
+/* +/*
+ * Copyright (C) 2020-2021 Huawei Technologies Duesseldorf GmbH + * Copyright (C) 2020-2021 Huawei Technologies Duesseldorf GmbH
+ * + *
@ -399,10 +399,59 @@ index 0000000..151011c
+ return ret; + return ret;
+} +}
+ +
+static int check_append_signature(const char *path)
+{
+ const char *magic_str="~Module signature appended~";
+ int magic_len = strlen(magic_str);
+ char buf[magic_len + 1];
+ FILE *fp = NULL;
+ struct stat st;
+ int file_size = 0;
+ int ret = 0;
+ long offset = 0;
+
+ if (stat(path, &st) == -1)
+ return 0;
+
+ file_size = st.st_size;
+
+ /* the character \0xa is append to MAGIC */
+ offset = magic_len + 1;
+ if (file_size < offset) {
+ rpmlog(RPMLOG_ERR, "digest_list: not have sig, do nothing\n");
+ return 0;
+ }
+
+ fp = fopen(path, "rb+");
+ if (!fp) {
+ rpmlog(RPMLOG_ERR, "digest_list: could not open '%s': %s\n", path, strerror(errno));
+ return 0;
+ }
+
+ ret = fseek(fp, (-offset), SEEK_END);
+ if (ret) {
+ rpmlog(RPMLOG_ERR, "digest_list: seek file fail with %s\n", strerror(errno));
+ fclose(fp);
+ return 0;
+ }
+
+ ret = fread(buf, 1, magic_len, fp);
+ if (ret == magic_len) {
+ if (strncmp(buf, magic_str, magic_len) == 0) {
+ fclose(fp);
+ return 1;
+ }
+ }
+
+ fclose(fp);
+ return 0;
+}
+
+static int process_digest_list(rpmte te, int parser, int pre) +static int process_digest_list(rpmte te, int parser, int pre)
+{ +{
+ char *path = NULL, *path_sig = NULL; + char *path = NULL, *path_sig = NULL;
+ int digest_list_signed = 0; + int digest_list_signed = 0;
+ int digest_list_signed_append = 0;
+ struct stat st; + struct stat st;
+ ssize_t size; + ssize_t size;
+ int type = rpmteType(te); + int type = rpmteType(te);
@ -452,6 +501,11 @@ index 0000000..151011c
+ if (stat(path, &st) == -1) + if (stat(path, &st) == -1)
+ goto out; + goto out;
+ +
+ if (!digest_list_signed && check_append_signature(path)) {
+ digest_list_signed = 1;
+ digest_list_signed_append = 1;
+ }
+
+ if (!parser && !digest_list_signed) + if (!parser && !digest_list_signed)
+ snprintf(path, PATH_MAX, "%s/0-metadata_list-rpm-%s-%s-%s.%s", + snprintf(path, PATH_MAX, "%s/0-metadata_list-rpm-%s-%s-%s.%s",
+ DIGEST_LIST_DEFAULT_PATH, rpmteN(te), rpmteV(te), + DIGEST_LIST_DEFAULT_PATH, rpmteN(te), rpmteV(te),
@ -484,6 +538,8 @@ index 0000000..151011c
+ if (!digest_list_signed) { + if (!digest_list_signed) {
+ /* Write RPM header sig to security.ima */ + /* Write RPM header sig to security.ima */
+ ret = write_rpm_digest_list_ima_xattr(te, path); + ret = write_rpm_digest_list_ima_xattr(te, path);
+ } else if (digest_list_signed_append) {
+ ret = RPMRC_OK;
+ } else { + } else {
+ ret = write_digest_list_ima_xattr(te, path, path_sig); + ret = write_digest_list_ima_xattr(te, path, path_sig);
+ } + }
@ -509,6 +565,9 @@ index 0000000..151011c
+ goto out; + goto out;
+ } + }
+ +
+ if (digest_list_signed_append)
+ goto out;
+
+ ret = lremovexattr(path, XATTR_NAME_IMA); + ret = lremovexattr(path, XATTR_NAME_IMA);
+ if (ret < 0) + if (ret < 0)
+ rpmlog(RPMLOG_ERR, "digest_list: cannot remove " + rpmlog(RPMLOG_ERR, "digest_list: cannot remove "
@ -626,5 +685,5 @@ index 0000000..151011c
+ .fsm_file_post = digest_list_file_post, + .fsm_file_post = digest_list_file_post,
+}; +};
-- --
2.39.1 2.33.0
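Review bot: check_append_signature opens the digest list with `fopen(path, "rb+")` although it only reads the trailer, so read-only `"rb"` is sufficient and avoids needlessly requesting write access (and failing) on a file the caller cannot write. `int file_size = st.st_size;` narrows off_t to int, so a list larger than INT_MAX wraps negative and is silently reported as unsigned; comparing `st.st_size < offset` directly, or dropping the stat and relying on the fseek failure that already returns 0, avoids that. The `"not have sig, do nothing"` message covers a normal short-file case yet is logged at RPMLOG_ERR, where RPMLOG_DEBUG fits better. Because a trailer match alone sets digest_list_signed and the later hunk then skips writing security.ima, a comment such as `/* Only detects the modsig trailer; the signature itself is presumably verified by the kernel when the list is loaded */` above `return 1;` would make that contract visible. process_digest_list starts and ends outside the hunk.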


@ -1,6 +1,6 @@
Name: rpm Name: rpm
Version: 4.18.2 Version: 4.18.2
Release: 3 Release: 4
Summary: RPM Package Manager Summary: RPM Package Manager
License: GPLv2+ License: GPLv2+
URL: http://www.rpm.org/ URL: http://www.rpm.org/
@ -322,6 +322,9 @@ make clean
%exclude %{_mandir}/man8/rpmspec.8.gz %exclude %{_mandir}/man8/rpmspec.8.gz
%changelog %changelog
* Thu Mar 21 2024 zhangguangzhi<zhangguangzhi3@huawei.com> - 4.18.2-4
- ima digest list support modsig
* Thu Mar 14 2024 gengqihu<gengqihu2@h-partners.com> - 4.18.2-3 * Thu Mar 14 2024 gengqihu<gengqihu2@h-partners.com> - 4.18.2-3
- Backport some patches from upstream - Backport some patches from upstream