diff --git a/0001-Generate-digest-lists.patch b/0001-Generate-digest-lists.patch deleted file mode 100644 index 2a9e31c..0000000 --- a/0001-Generate-digest-lists.patch +++ /dev/null @@ -1,323 +0,0 @@ -From 928b54fde56410c4615ac1b2a14727270a2d3692 Mon Sep 17 00:00:00 2001 -From: Roberto Sassu -Date: Thu, 12 Mar 2020 17:29:55 +0100 -Subject: [PATCH 01/13] Generate digest lists - ---- - build/files.c | 175 ++++++++++++++++++++++++++++++++++++++++++++++++-- - 1 file changed, 169 insertions(+), 6 deletions(-) - -diff --git a/build/files.c b/build/files.c -index 5ae20c6..dbac22f 100644 ---- a/build/files.c -+++ b/build/files.c -@@ -50,6 +50,7 @@ - #define DEBUG_LIB_PREFIX "/usr/lib/debug/" - #define DEBUG_ID_DIR "/usr/lib/debug/.build-id" - #define DEBUG_DWZ_DIR "/usr/lib/debug/.dwz" -+#define DIGEST_LIST_DIR "/.digest_lists" - - #undef HASHTYPE - #undef HTKEYTYPE -@@ -129,6 +130,8 @@ typedef struct AttrRec_s { - - /* list of files */ - static StringBuf check_fileList = NULL; -+/* list of files per binary package */ -+static StringBuf check_fileList_bin_pkg = NULL; - - typedef struct FileEntry_s { - rpmfileAttrs attrFlags; -@@ -193,6 +196,10 @@ typedef struct FileList_s { - struct FileEntry_s cur; - } * FileList; - -+static char *digest_list_dir; -+ -+static int genDigestList(Header header, FileList fl, StringBuf fileList); -+ - static void nullAttrRec(AttrRec ar) - { - memset(ar, 0, sizeof(*ar)); -@@ -996,11 +1003,14 @@ static void genCpioListAndHeader(FileList fl, Package pkg, int isSrc) - { - FileListRec flp; - char buf[BUFSIZ]; -+ char file_info[BUFSIZ]; -+ char file_digest[128 * 2 + 1]; - int i, npaths = 0; - int fail_on_dupes = rpmExpandNumeric("%{?_duplicate_files_terminate_build}") > 0; - uint32_t defaultalgo = RPM_HASH_MD5, digestalgo; - rpm_loff_t totalFileSize = 0; - Header h = pkg->header; /* just a shortcut */ -+ int processed = 0; - time_t source_date_epoch = 0; - char *srcdate = getenv("SOURCE_DATE_EPOCH"); - -@@ -1069,8 +1079,9 @@ static void genCpioListAndHeader(FileList fl, Package pkg, int isSrc) - - pkg->dpaths = xmalloc((fl->files.used + 1) * sizeof(*pkg->dpaths)); - -+process_files: - /* Generate the header. */ -- for (i = 0, flp = fl->files.recs; i < fl->files.used; i++, flp++) { -+ for (i = processed, flp = fl->files.recs + processed; i < fl->files.used; i++, flp++) { - rpm_ino_t fileid = flp - fl->files.recs; - - /* Merge duplicate entries. */ -@@ -1206,7 +1217,8 @@ static void genCpioListAndHeader(FileList fl, Package pkg, int isSrc) - (void) rpmDoDigest(digestalgo, flp->diskPath, 1, - (unsigned char *)buf); - headerPutString(h, RPMTAG_FILEDIGESTS, buf); -- -+ snprintf(file_digest, sizeof(file_digest), "%s", buf); -+ - buf[0] = '\0'; - if (S_ISLNK(flp->fl_mode)) { - ssize_t llen = readlink(flp->diskPath, buf, BUFSIZ-1); -@@ -1246,7 +1258,33 @@ static void genCpioListAndHeader(FileList fl, Package pkg, int isSrc) - flp->flags &= PARSEATTR_MASK; - - headerPutUint32(h, RPMTAG_FILEFLAGS, &(flp->flags) ,1); -+ -+ if (!processed && check_fileList_bin_pkg && S_ISREG(flp->fl_mode) && -+ !(flp->flags & RPMFILE_GHOST)) { -+ appendStringBuf(check_fileList_bin_pkg, "path="); -+ appendStringBuf(check_fileList_bin_pkg, flp->diskPath); -+ snprintf(file_info, sizeof(file_info), -+ "|digestalgopgp=%d|digest=%s|mode=%d" -+ "|uname=%s|gname=%s|caps=%s\n", -+ digestalgo, file_digest, flp->fl_mode, -+ rpmstrPoolStr(fl->pool, flp->uname), -+ rpmstrPoolStr(fl->pool, flp->gname), flp->caps && -+ strlen(flp->caps) ? flp->caps : ""); -+ appendStringBuf(check_fileList_bin_pkg, file_info); -+ } -+ } -+ -+ if (!processed) { -+ if (genDigestList(pkg->header, fl, check_fileList_bin_pkg) > 0) { -+ fl->processingFailed = 1; -+ } else if (i < fl->files.used) { -+ pkg->dpaths = xrealloc(pkg->dpaths, -+ (fl->files.used + 1) * sizeof(*pkg->dpaths)); -+ processed = i; -+ goto process_files; -+ } - } -+ - pkg->dpaths[npaths] = NULL; - - if (totalFileSize < UINT32_MAX) { -@@ -1359,8 +1397,8 @@ static int validFilename(const char *fn) - * @param statp file stat (possibly NULL) - * @return RPMRC_OK on success - */ --static rpmRC addFile(FileList fl, const char * diskPath, -- struct stat * statp) -+static rpmRC addFile_common(FileList fl, const char * diskPath, -+ struct stat * statp, int digest_list) - { - size_t plen = strlen(diskPath); - char buf[plen + 1]; -@@ -1371,6 +1409,10 @@ static rpmRC addFile(FileList fl, const char * diskPath, - gid_t fileGid; - const char *fileUname; - const char *fileGname; -+ char realPath[PATH_MAX]; -+ int digest_list_prefix = 0; -+ struct stat st; -+ int exclude = 0; - rpmRC rc = RPMRC_FAIL; /* assume failure */ - - /* Strip trailing slash. The special case of '/' path is handled below. */ -@@ -1406,6 +1448,33 @@ static rpmRC addFile(FileList fl, const char * diskPath, - if (*cpioPath == '\0') - cpioPath = "/"; - -+ snprintf(realPath, sizeof(realPath), "%s", diskPath); -+ rpmCleanPath(realPath); -+ -+ digest_list_prefix = (!strncmp(realPath, digest_list_dir, -+ strlen(digest_list_dir))); -+ -+ if ((!digest_list && digest_list_prefix) || -+ (digest_list && !digest_list_prefix)) { -+ rc = RPMRC_OK; -+ goto exit; -+ } -+ -+ if (digest_list) { -+ if (strncmp(cpioPath, DIGEST_LIST_DIR, sizeof(DIGEST_LIST_DIR) - 1)) { -+ rc = RPMRC_OK; -+ goto exit; -+ } -+ -+ cpioPath += sizeof(DIGEST_LIST_DIR) - 1; -+ -+ snprintf(realPath, sizeof(realPath), "%.*s%s", -+ (int)(strlen(digest_list_dir) - sizeof(DIGEST_LIST_DIR) + 1), -+ digest_list_dir, cpioPath); -+ if (!stat(realPath, &st)) -+ exclude = 1; -+ } -+ - /* - * Unless recursing, we dont have stat() info at hand. Handle the - * various cases, preserving historical behavior wrt %dev(): -@@ -1543,6 +1612,8 @@ static rpmRC addFile(FileList fl, const char * diskPath, - } - - flp->flags = fl->cur.attrFlags; -+ if (exclude) -+ flp->flags |= RPMFILE_EXCLUDE; - flp->specdFlags = fl->cur.specdFlags; - flp->verifyFlags = fl->cur.verifyFlags; - -@@ -1563,6 +1634,32 @@ exit: - return rc; - } - -+/** -+ * Add a file to the package manifest. -+ * @param fl package file tree walk data -+ * @param diskPath path to file -+ * @param statp file stat (possibly NULL) -+ * @return RPMRC_OK on success -+ */ -+static rpmRC addFile(FileList fl, const char * diskPath, -+ struct stat * statp) -+{ -+ return addFile_common(fl, diskPath, statp, 0); -+} -+ -+/** -+ * Add a digest list to the package manifest. -+ * @param fl package file tree walk data -+ * @param diskPath path to digest list -+ * @param statp file stat (possibly NULL) -+ * @return RPMRC_OK on success -+ */ -+static rpmRC addDigestList(FileList fl, const char * diskPath, -+ struct stat * statp) -+{ -+ return addFile_common(fl, diskPath, statp, 1); -+} -+ - /** - * Add directory (and all of its files) to the package manifest. - * @param fl package file tree walk data -@@ -2584,6 +2681,58 @@ static void addPackageFileList (struct FileList_s *fl, Package pkg, - argvFree(fileNames); - } - -+/** -+ * Generate digest lists list for current binary package. -+ * @header package header -+ * @fl file list -+ * @param fileList packaged file list -+ * @return -1 if skipped, 0 on OK, 1 on error -+ */ -+static int genDigestList(Header header, FileList fl, StringBuf fileList) -+{ -+ const char *errorString; -+ char *binFormat = rpmGetPath("%{_rpmfilename}", NULL); -+ char *binRpm = headerFormat(header, binFormat, &errorString); -+ static char * av_brp[] = { "%{?__brp_digest_list}", DIGEST_LIST_DIR + 1, NULL, NULL }; -+ StringBuf sb_stdout = NULL; -+ int rc = -1; -+ char * s = rpmExpand(av_brp[0], NULL); -+ -+ if (!(s && *s)) -+ goto exit; -+ -+ av_brp[2] = strchr(binRpm, '/') + 1; -+ rpmlog(RPMLOG_NOTICE, _("Generating digest list: %s\n"), s); -+ -+ rc = rpmfcExec(av_brp, fileList, &sb_stdout, 0, binRpm); -+ if (sb_stdout && getStringBuf(sb_stdout)) { -+ const char * t = getStringBuf(sb_stdout), *ptr; -+ char *digest_list_path; -+ -+ while((ptr = strchr(t, '\n'))) { -+ digest_list_path = strndup(t, ptr - t); -+ if (!digest_list_path) { -+ rc = -1; -+ goto exit; -+ } -+ FileEntryFree(&fl->cur); -+ resetPackageFilesDefaults(fl, fl->pkgFlags); -+ rc = addDigestList(fl, digest_list_path, NULL); -+ free(digest_list_path); -+ if (rc != RPMRC_OK) -+ break; -+ -+ t = ptr + 1; -+ } -+ } -+exit: -+ free(binFormat); -+ free(binRpm); -+ free(s); -+ freeStringBuf(sb_stdout); -+ return rc; -+} -+ - static rpmRC processPackageFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags, - Package pkg, int didInstall, int test) - { -@@ -2597,6 +2746,10 @@ static rpmRC processPackageFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags, - if (readFilesManifest(spec, pkg, *fp)) - return RPMRC_FAIL; - } -+ -+ /* Init the buffer containing the list of packaged files */ -+ check_fileList_bin_pkg = newStringBuf(); -+ - /* Init the file list structure */ - memset(&fl, 0, sizeof(fl)); - -@@ -2658,6 +2811,7 @@ exit: - FileListFree(&fl); - specialDirFree(specialDoc); - specialDirFree(specialLic); -+ freeStringBuf(check_fileList_bin_pkg); - return fl.processingFailed ? RPMRC_FAIL : RPMRC_OK; - } - -@@ -3126,6 +3280,7 @@ static void addPackageDeps(Package from, Package to, enum rpmTag_e tag) - rpmRC processBinaryFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags, - int didInstall, int test) - { -+ struct stat st; - Package pkg; - rpmRC rc = RPMRC_OK; - char *buildroot; -@@ -3142,7 +3297,14 @@ rpmRC processBinaryFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags, - check_fileList = newStringBuf(); - genSourceRpmName(spec); - buildroot = rpmGenPath(spec->rootDir, spec->buildRoot, NULL); -- -+ -+ digest_list_dir = rpmGenPath(buildroot, DIGEST_LIST_DIR, NULL); -+ if (!digest_list_dir) -+ goto exit; -+ -+ if (!stat(digest_list_dir, &st)) -+ rpmlog(RPMLOG_NOTICE, _("Ignoring files in: %s\n"), digest_list_dir); -+ - if (rpmExpandNumeric("%{?_debuginfo_subpackages}")) { - maindbg = findDebuginfoPackage(spec); - if (maindbg) { -@@ -3248,6 +3410,7 @@ exit: - check_fileList = freeStringBuf(check_fileList); - _free(buildroot); - _free(uniquearch); -- -+ _free(digest_list_dir); -+ - return rc; - } --- -2.33.0 - diff --git a/0002-Add-digest-list-plugin.patch b/0002-Add-digest-list-plugin.patch deleted file mode 100644 index 1505626..0000000 --- a/0002-Add-digest-list-plugin.patch +++ /dev/null @@ -1,582 +0,0 @@ -From 6d01e903dd47c852fc2b277b17195da92e5d3ffe Mon Sep 17 00:00:00 2001 -From: Roberto Sassu -Date: Wed, 26 Feb 2020 15:54:24 +0100 -Subject: [PATCH 02/13] Add digest list plugin - ---- - macros.in | 1 + - plugins/Makefile.am | 4 + - plugins/digest_list.c | 499 ++++++++++++++++++++++++++++++++++++++++ - rpmio/rpmpgp_internal.c | 5 +- - 4 files changed, 508 insertions(+), 1 deletion(-) - create mode 100644 plugins/digest_list.c - -diff --git a/macros.in b/macros.in -index 949fd7d..c00d270 100644 ---- a/macros.in -+++ b/macros.in -@@ -1135,6 +1135,7 @@ package or when debugging this package.\ - %__transaction_prioreset %{__plugindir}/prioreset.so - %__transaction_audit %{__plugindir}/audit.so - %__transaction_dbus_announce %{__plugindir}/dbus_announce.so -+%__transaction_digest_list %{__plugindir}/digest_list.so - - #------------------------------------------------------------------------------ - # Macros for further automated spec %setup and patch application -diff --git a/plugins/Makefile.am b/plugins/Makefile.am -index 822c7d2..161fe4c 100644 ---- a/plugins/Makefile.am -+++ b/plugins/Makefile.am -@@ -69,3 +69,7 @@ audit_la_sources = audit.c - audit_la_LIBADD = $(top_builddir)/lib/librpm.la $(top_builddir)/rpmio/librpmio.la @WITH_AUDIT_LIB@ - plugins_LTLIBRARIES += audit.la - endif -+ -+digest_list_la_sources = digest_list.c -+digest_list_la_LIBADD = $(top_builddir)/lib/librpm.la $(top_builddir)/rpmio/librpmio.la -+plugins_LTLIBRARIES += digest_list.la -diff --git a/plugins/digest_list.c b/plugins/digest_list.c -new file mode 100644 -index 0000000..293593f ---- /dev/null -+++ b/plugins/digest_list.c -@@ -0,0 +1,499 @@ -+#include "system.h" -+#include "errno.h" -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "lib/rpmplugin.h" -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include "debug.h" -+ -+#define IMA_DIR "/sys/kernel/security/ima" -+#define DIGEST_LIST_DATA_PATH IMA_DIR "/digest_list_data" -+#define DIGEST_LIST_DATA_DEL_PATH IMA_DIR "/digest_list_data_del" -+#define DIGEST_LIST_COUNT IMA_DIR "/digests_count" -+#define DIGEST_LIST_DEFAULT_PATH "/etc/ima/digest_lists" -+#define RPM_PARSER "/usr/libexec/rpm_parser" -+ -+#define DIGEST_LIST_OP_ADD 0 -+#define DIGEST_LIST_OP_DEL 1 -+ -+enum hash_algo { -+ HASH_ALGO_MD4, -+ HASH_ALGO_MD5, -+ HASH_ALGO_SHA1, -+ HASH_ALGO_RIPE_MD_160, -+ HASH_ALGO_SHA256, -+ HASH_ALGO_SHA384, -+ HASH_ALGO_SHA512, -+ HASH_ALGO_SHA224, -+ HASH_ALGO_RIPE_MD_128, -+ HASH_ALGO_RIPE_MD_256, -+ HASH_ALGO_RIPE_MD_320, -+ HASH_ALGO_WP_256, -+ HASH_ALGO_WP_384, -+ HASH_ALGO_WP_512, -+ HASH_ALGO_TGR_128, -+ HASH_ALGO_TGR_160, -+ HASH_ALGO_TGR_192, -+ HASH_ALGO_SM3_256, -+ HASH_ALGO__LAST -+}; -+ -+#define PGPHASHALGO__LAST PGPHASHALGO_SHA224 + 1 -+enum hash_algo pgp_algo_mapping[PGPHASHALGO__LAST] = { -+ [PGPHASHALGO_MD5] = HASH_ALGO_MD5, -+ [PGPHASHALGO_SHA1] = HASH_ALGO_SHA1, -+ [PGPHASHALGO_SHA224] = HASH_ALGO_SHA224, -+ [PGPHASHALGO_SHA256] = HASH_ALGO_SHA256, -+ [PGPHASHALGO_SHA384] = HASH_ALGO_SHA384, -+ [PGPHASHALGO_SHA512] = HASH_ALGO_SHA512, -+}; -+ -+/* from integrity.h */ -+enum evm_ima_xattr_type { -+ IMA_XATTR_DIGEST = 0x01, -+ EVM_XATTR_HMAC, -+ EVM_IMA_XATTR_DIGSIG, -+ IMA_XATTR_DIGEST_NG, -+ EVM_XATTR_PORTABLE_DIGSIG, -+ EVM_IMA_XATTR_DIGEST_LIST, -+ IMA_XATTR_LAST -+}; -+ -+struct evm_ima_xattr_data { -+ uint8_t type; -+ uint8_t digest[SHA512_DIGEST_LENGTH + 1]; -+} __attribute__((packed)); -+ -+struct signature_v2_hdr { -+ uint8_t type; /* xattr type */ -+ uint8_t version; /* signature format version */ -+ uint8_t hash_algo; /* Digest algorithm [enum hash_algo] */ -+ __be32 keyid; /* IMA key identifier - not X509/PGP specific */ -+ __be16 sig_size; /* signature size */ -+ uint8_t sig[0]; /* signature payload */ -+} __attribute__((packed)); -+ -+static int upload_digest_list(char *path, int type, int digest_list_signed) -+{ -+ size_t size; -+ char buf[21]; -+ const char *ima_path = DIGEST_LIST_DATA_PATH; -+ struct stat st; -+ pid_t pid; -+ int ret = 0, fd; -+ -+ if (type == TR_REMOVED) -+ ima_path = DIGEST_LIST_DATA_DEL_PATH; -+ -+ if (stat(ima_path, &st) == -1) -+ return 0; -+ -+ /* First determine if kernel interface can accept new digest lists */ -+ fd = open(DIGEST_LIST_COUNT, O_RDONLY); -+ if (fd < 0) { -+ rpmlog(RPMLOG_ERR, "digest_list: could not open IMA interface " -+ "'%s': %s\n", DIGEST_LIST_COUNT, strerror(errno)); -+ return -EACCES; -+ } -+ -+ ret = read(fd, buf, sizeof(buf)); -+ close(fd); -+ -+ if (ret <= 0) { -+ rpmlog(RPMLOG_ERR, "digest_list: could not read from IMA " -+ "interface '%s': %s\n", DIGEST_LIST_COUNT, -+ strerror(errno)); -+ return -EACCES; -+ } -+ -+ /* Last character is newline */ -+ buf[ret - 1] = '\0'; -+ -+ rpmlog(RPMLOG_DEBUG, "digest_list: digests count %s\n", buf); -+ -+ if (*buf == '0') { -+ rpmlog(RPMLOG_DEBUG, "digest_list: not uploading '%s' to IMA " -+ "interface '%s'\n", path, ima_path); -+ return RPMRC_OK; -+ } -+ -+ /* If the digest list is not signed, execute the RPM parser */ -+ if (!digest_list_signed) { -+ if ((pid = fork()) == 0) { -+ execlp(RPM_PARSER, RPM_PARSER, (type == TR_ADDED) ? -+ "add" : "del", path, NULL); -+ _exit(EXIT_FAILURE); -+ } -+ -+ waitpid(pid, &ret, 0); -+ if (ret != 0) -+ rpmlog(RPMLOG_ERR, "digest_list: %s returned %d\n", -+ RPM_PARSER, ret); -+ return 0; -+ } -+ -+ fd = open(ima_path, O_WRONLY); -+ if (fd < 0) { -+ rpmlog(RPMLOG_ERR, "digest_list: could not open IMA interface " -+ "'%s': %s\n", ima_path, strerror(errno)); -+ return -EACCES; -+ } -+ -+ /* Write the path of the digest list to securityfs */ -+ size = write(fd, path, strlen(path)); -+ if (size != strlen(path)) { -+ rpmlog(RPMLOG_ERR, "digest_list: could not write '%s' to IMA " -+ "interface '%s': %s\n", path, ima_path, strerror(errno)); -+ ret = -EIO; -+ goto out; -+ } -+ -+ rpmlog(RPMLOG_DEBUG, "digest_list: written '%s' to '%s'\n", path, -+ ima_path); -+out: -+ close(fd); -+ return ret; -+} -+ -+static int write_rpm_digest_list(rpmte te, char *path) -+{ -+ FD_t fd; -+ ssize_t written; -+ Header rpm = rpmteHeader(te); -+ rpmtd immutable; -+ int ret = 0; -+ -+ immutable = rpmtdNew(); -+ headerGet(rpm, RPMTAG_HEADERIMMUTABLE, immutable, 0); -+ -+ fd = Fopen(path, "w.ufdio"); -+ if (fd == NULL || Ferror(fd)) { -+ ret = -EACCES; -+ goto out; -+ } -+ -+ written = Fwrite(rpm_header_magic, sizeof(uint8_t), -+ sizeof(rpm_header_magic), fd); -+ -+ if (written != sizeof(rpm_header_magic)) { -+ ret = -EIO; -+ goto out; -+ } -+ -+ written = Fwrite(immutable->data, sizeof(uint8_t), -+ immutable->count, fd); -+ if (written != immutable->count || Ferror(fd)) -+ ret = -EIO; -+out: -+ Fclose(fd); -+ rpmtdFree(immutable); -+ return ret; -+} -+ -+static int write_rpm_digest_list_ima_xattr(rpmte te, char *path) -+{ -+ rpmtd signature; -+ ssize_t written; -+ uint8_t sig[2048] = { 0 }; -+ pgpDigParams sigp = NULL; -+ struct signature_v2_hdr *sig_hdr = (struct signature_v2_hdr *)sig; -+ Header rpm = rpmteHeader(te); -+ FD_t fd; -+ int ret = 0, sig_size, sig_size_rounded; -+ -+ signature = rpmtdNew(); -+ headerGet(rpm, RPMTAG_RSAHEADER, signature, 0); -+ ret = pgpPrtParams(signature->data, signature->count, -+ PGPTAG_SIGNATURE, &sigp); -+ -+ if (ret) { -+ ret = -ENOENT; -+ goto out; -+ } -+ -+ fd = Fopen(path, "a.ufdio"); -+ if (fd == NULL || Ferror(fd)) { -+ ret = -EACCES; -+ goto out; -+ } -+ -+ written = Fwrite(sigp->hash, sizeof(uint8_t), -+ sigp->hashlen, fd); -+ if (written != sigp->hashlen || Ferror(fd)) { -+ ret = -EIO; -+ goto out; -+ } -+ -+ if (sigp->version == 4) { -+ /* V4 trailer is six octets long (rfc4880) */ -+ uint8_t trailer[6]; -+ uint32_t nb = sigp->hashlen; -+ nb = htonl(nb); -+ trailer[0] = sigp->version; -+ trailer[1] = 0xff; -+ memcpy(trailer+2, &nb, 4); -+ -+ written = Fwrite(trailer, sizeof(uint8_t), sizeof(trailer), fd); -+ if (written != sizeof(trailer) || Ferror(fd)) { -+ ret = -EIO; -+ goto out; -+ } -+ } -+ -+ Fclose(fd); -+ -+ sig_hdr->type = EVM_IMA_XATTR_DIGSIG; -+ sig_hdr->version = 2; -+ sig_hdr->hash_algo = pgp_algo_mapping[sigp->hash_algo]; -+ memcpy((void *)&sig_hdr->keyid, sigp->signid + sizeof(uint32_t), -+ sizeof(uint32_t)); -+ -+ sig_size = (pgpMpiBits(sigp->data) + 7) >> 3; -+ if (sizeof(sig_hdr) + sig_size > sizeof(sig)) { -+ rpmlog(RPMLOG_ERR, -+ "digest_list: signature in %s too big\n", path); -+ ret = -E2BIG; -+ goto out; -+ } -+ -+ sig_size_rounded = ((sig_size + 7) >> 3) * 8; -+ sig_hdr->sig_size = __cpu_to_be16(sig_size_rounded); -+ -+ memcpy(sig_hdr->sig + sig_size_rounded - sig_size, -+ (uint8_t *)sigp->data + 2, sig_size); -+ -+ ret = lsetxattr(path, XATTR_NAME_IMA, -+ sig, sizeof(*sig_hdr) + sig_size_rounded, 0); -+ if (ret < 0) -+ rpmlog(RPMLOG_ERR, "digest_list: could not apply security.ima " -+ "on '%s': %s\n", path, strerror(errno)); -+ else -+ rpmlog(RPMLOG_DEBUG, "digest_list: security.ima successfully " -+ "applied on '%s'\n", path); -+out: -+ pgpDigParamsFree(sigp); -+ rpmtdFree(signature); -+ return ret; -+} -+ -+static int write_digest_list_ima_xattr(rpmte te, char *path, char *path_sig) -+{ -+ rpmtd signature; -+ uint8_t sig[2048] = { 0 }; -+ pgpDigParams sigp = NULL; -+ struct signature_v2_hdr *sig_hdr = (struct signature_v2_hdr *)sig; -+ Header rpm = rpmteHeader(te); -+ FD_t fd; -+ struct stat st; -+ int ret = 0, sig_size; -+ -+ signature = rpmtdNew(); -+ headerGet(rpm, RPMTAG_RSAHEADER, signature, 0); -+ ret = pgpPrtParams(signature->data, signature->count, -+ PGPTAG_SIGNATURE, &sigp); -+ -+ if (ret) { -+ ret = -ENOENT; -+ goto out; -+ } -+ -+ sig_hdr->type = EVM_IMA_XATTR_DIGSIG; -+ sig_hdr->version = 2; -+ sig_hdr->hash_algo = HASH_ALGO_SHA256; -+ memcpy((void *)&sig_hdr->keyid, sigp->signid + sizeof(uint32_t), -+ sizeof(uint32_t)); -+ -+ if (stat(path_sig, &st) == -1) { -+ ret = -EACCES; -+ goto out; -+ } -+ -+ if (sizeof(sig_hdr) + st.st_size > sizeof(sig)) { -+ rpmlog(RPMLOG_ERR, "digest_list: signature in %s too big\n", -+ path); -+ ret = -E2BIG; -+ goto out; -+ } -+ -+ fd = Fopen(path_sig, "r.ufdio"); -+ if (fd < 0) { -+ rpmlog(RPMLOG_ERR, "digest_list: could not open '%s': %s\n", -+ path_sig, strerror(errno)); -+ ret = -EACCES; -+ goto out; -+ } -+ -+ sig_size = Fread(sig_hdr->sig, sizeof(uint8_t), st.st_size, fd); -+ if (sig_size != st.st_size || Ferror(fd)) { -+ rpmlog(RPMLOG_ERR, "digest_list: could not read '%s': %s\n", -+ path_sig, strerror(errno)); -+ Fclose(fd); -+ ret = -EIO; -+ goto out; -+ } -+ -+ sig_hdr->sig_size = __cpu_to_be16(sig_size); -+ -+ rpmlog(RPMLOG_DEBUG, -+ "digest_list: read signature of %d bytes from '%s'\n", -+ sig_size, path_sig); -+ -+ ret = lsetxattr(path, XATTR_NAME_IMA, -+ sig, sizeof(*sig_hdr) + sig_size, 0); -+ if (ret < 0) -+ rpmlog(RPMLOG_ERR, "digest_list: could not apply security.ima " -+ "on '%s': %s\n", path, strerror(errno)); -+ else -+ rpmlog(RPMLOG_DEBUG, "digest_list: security.ima successfully " -+ "applied on '%s'\n", path); -+out: -+ pgpDigParamsFree(sigp); -+ rpmtdFree(signature); -+ return ret; -+} -+ -+static int process_digest_list(rpmte te, int parser) -+{ -+ char *path = NULL, *path_sig = NULL; -+ int digest_list_signed = 0; -+ struct stat st; -+ ssize_t size; -+ rpmRC ret = RPMRC_OK; -+ -+ path = malloc(PATH_MAX); -+ if (!path) { -+ ret = RPMRC_FAIL; -+ goto out; -+ } -+ -+ path_sig = malloc(PATH_MAX); -+ if (!path_sig) { -+ ret = RPMRC_FAIL; -+ goto out; -+ } -+ -+ if (parser) -+ snprintf(path_sig, PATH_MAX, -+ "%s.sig/0-parser_list-compact-libexec.sig", -+ DIGEST_LIST_DEFAULT_PATH); -+ else -+ snprintf(path_sig, PATH_MAX, -+ "%s.sig/0-metadata_list-compact-%s-%s-%s.%s.sig", -+ DIGEST_LIST_DEFAULT_PATH, rpmteN(te), rpmteV(te), -+ rpmteR(te), rpmteA(te)); -+ -+ if (!stat(path_sig, &st)) -+ digest_list_signed = 1; -+ -+ if (parser && !digest_list_signed) -+ goto out; -+ -+ if (parser) -+ snprintf(path, PATH_MAX, "%s/0-parser_list-compact-libexec", -+ DIGEST_LIST_DEFAULT_PATH); -+ else -+ snprintf(path, PATH_MAX, -+ "%s/0-metadata_list-compact-%s-%s-%s.%s", -+ DIGEST_LIST_DEFAULT_PATH, rpmteN(te), rpmteV(te), -+ rpmteR(te), rpmteA(te)); -+ -+ if (stat(path, &st) == -1) -+ goto out; -+ -+ if (!parser && !digest_list_signed) -+ snprintf(path, PATH_MAX, "%s/0-metadata_list-rpm-%s-%s-%s.%s", -+ DIGEST_LIST_DEFAULT_PATH, rpmteN(te), rpmteV(te), -+ rpmteR(te), rpmteA(te)); -+ -+ size = lgetxattr(path, XATTR_NAME_IMA, NULL, 0); -+ -+ /* Don't upload again if digest list was already processed */ -+ if ((rpmteType(te) == TR_ADDED && size > 0) || -+ (rpmteType(te) == TR_REMOVED && size < 0)) { -+ rpmlog(RPMLOG_DEBUG, "digest_list: '%s' already processed, " -+ "nothing to do\n", path); -+ goto out; -+ } -+ -+ if (rpmteType(te) == TR_ADDED) { -+ if (!digest_list_signed) { -+ /* Write RPM header to the disk */ -+ ret = write_rpm_digest_list(te, path); -+ if (ret < 0) { -+ ret = RPMRC_FAIL; -+ goto out; -+ } -+ -+ /* Write RPM header sig to security.ima */ -+ ret = write_rpm_digest_list_ima_xattr(te, path); -+ } else { -+ ret = write_digest_list_ima_xattr(te, path, path_sig); -+ } -+ -+ if (ret < 0) { -+ ret = RPMRC_FAIL; -+ goto out; -+ } -+ } -+ -+ /* Upload digest list to securityfs */ -+ upload_digest_list(path, rpmteType(te), digest_list_signed); -+ -+ if (rpmteType(te) == TR_REMOVED) { -+ if (!digest_list_signed) { -+ unlink(path); -+ goto out; -+ } -+ -+ ret = lremovexattr(path, XATTR_NAME_IMA); -+ if (ret < 0) -+ rpmlog(RPMLOG_ERR, "digest_list: cannot remove " -+ "security.ima from '%s'\n", path); -+ else -+ rpmlog(RPMLOG_DEBUG, "digest_list: security.ima " -+ "successfully removed from '%s'\n", path); -+ } -+out: -+ free(path); -+ free(path_sig); -+ return ret; -+} -+ -+static rpmRC digest_list_psm_pre(rpmPlugin plugin, rpmte te) -+{ -+ process_digest_list(te, 0); -+ if (!strcmp(rpmteN(te), "digest-list-tools")) -+ process_digest_list(te, 1); -+ -+ return RPMRC_OK; -+} -+ -+static rpmRC digest_list_psm_post(rpmPlugin plugin, rpmte te, int res) -+{ -+ if (res != RPMRC_OK) -+ return RPMRC_OK; -+ -+ process_digest_list(te, 0); -+ if (!strcmp(rpmteN(te), "digest-list-tools")) -+ process_digest_list(te, 1); -+ -+ return RPMRC_OK; -+} -+ -+struct rpmPluginHooks_s digest_list_hooks = { -+ .psm_pre = digest_list_psm_pre, -+ .psm_post = digest_list_psm_post, -+}; -diff --git a/rpmio/rpmpgp_internal.c b/rpmio/rpmpgp_internal.c -index 19947be..11b6855 100644 ---- a/rpmio/rpmpgp_internal.c -+++ b/rpmio/rpmpgp_internal.c -@@ -25,6 +25,7 @@ static int _print = 0; - struct pgpDigParams_s { - char * userid; - uint8_t * hash; -+ const uint8_t * data; - uint8_t tag; - - uint8_t key_flags; /*!< key usage flags */ -@@ -484,6 +485,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen, - } - - p = ((uint8_t *)v) + sizeof(*v); -+ _digp->data = p; - rc = tag ? pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp) : 0; - } break; - case 4: -@@ -545,7 +547,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen, - p += 2; - if (p > hend) - return 1; -- -+ _digp->data = p; - rc = tag ? pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp) : 0; - } break; - default: -@@ -636,6 +638,7 @@ static int pgpPrtKey(pgpTag tag, const uint8_t *h, size_t hlen, - } - - p = ((uint8_t *)v) + sizeof(*v); -+ _digp->data = p; - rc = pgpPrtPubkeyParams(v->pubkey_algo, p, h, hlen, _digp); - } - } break; --- -2.33.0 - diff --git a/0003-Don-t-add-dist-to-release-if-it-is-already-there.patch b/0003-Don-t-add-dist-to-release-if-it-is-already-there.patch deleted file mode 100644 index 16d8818..0000000 --- a/0003-Don-t-add-dist-to-release-if-it-is-already-there.patch +++ /dev/null @@ -1,121 +0,0 @@ -From 9c7c63275682c36d6adff90b4b4436ed546ee268 Mon Sep 17 00:00:00 2001 -From: Roberto Sassu -Date: Wed, 22 Jul 2020 17:24:58 +0200 -Subject: [PATCH 03/13] Don't add dist to release if it is already there - ---- - build/parsePreamble.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/build/parsePreamble.c b/build/parsePreamble.c -index 729fd4f..306a029 100644 ---- a/build/parsePreamble.c -+++ b/build/parsePreamble.c -@@ -801,7 +801,8 @@ static rpmRC handlePreambleTag(rpmSpec spec, Package pkg, rpmTagVal tag, - SINGLE_TOKEN_ONLY; - if (tag == RPMTAG_RELEASE) { - char *dist = rpmExpand("%{?dist}",NULL); -- rasprintf(&field,"%s%s",field,dist); -+ rasprintf(&field,"%s%s",field, -+ (dist && strstr(field, dist)) ? "" : dist); - free(dist); - } - if (rpmCharCheck(spec, field, ALLOWED_CHARS_VERREL, NULL)) -diff --git a/plugins/digest_list.c b/plugins/digest_list.c -index 293593f..f68ec8c 100644 ---- a/plugins/digest_list.c -+++ b/plugins/digest_list.c -@@ -5,8 +5,8 @@ - #include - #include - #include --#include --#include -+#include -+#include "rpmio/rpmpgp_internal.h" - #include - #include "lib/rpmplugin.h" - #include -diff --git a/rpmio/rpmpgp_internal.c b/rpmio/rpmpgp_internal.c -index 11b6855..16bf57e 100644 ---- a/rpmio/rpmpgp_internal.c -+++ b/rpmio/rpmpgp_internal.c -@@ -19,35 +19,6 @@ - - static int _print = 0; - --/** \ingroup rpmio -- * Values parsed from OpenPGP signature/pubkey packet(s). -- */ --struct pgpDigParams_s { -- char * userid; -- uint8_t * hash; -- const uint8_t * data; -- uint8_t tag; -- -- uint8_t key_flags; /*!< key usage flags */ -- uint8_t version; /*!< version number. */ -- uint32_t time; /*!< key/signature creation time. */ -- uint8_t pubkey_algo; /*!< public key algorithm. */ -- -- uint8_t hash_algo; -- uint8_t sigtype; -- uint32_t hashlen; -- uint8_t signhash16[2]; -- pgpKeyID_t signid; -- uint8_t saved; /*!< Various flags. `PGPDIG_SAVED_*` are never reset. -- * `PGPDIG_SIG_HAS_*` are reset for each signature. */ --#define PGPDIG_SAVED_TIME (1 << 0) --#define PGPDIG_SAVED_ID (1 << 1) --#define PGPDIG_SIG_HAS_CREATION_TIME (1 << 2) --#define PGPDIG_SIG_HAS_KEY_FLAGS (1 << 3) -- -- pgpDigAlg alg; --}; -- - /** \ingroup rpmio - * Container for values parsed from an OpenPGP signature and public key. - */ -diff --git a/rpmio/rpmpgp_internal.h b/rpmio/rpmpgp_internal.h -index 64b50de..67fecb0 100644 ---- a/rpmio/rpmpgp_internal.h -+++ b/rpmio/rpmpgp_internal.h -@@ -10,6 +10,35 @@ typedef int (*verifyfunc)(pgpDigAlg pgpkey, pgpDigAlg pgpsig, - uint8_t *hash, size_t hashlen, int hash_algo); - typedef void (*freefunc)(pgpDigAlg digp); - -+/** \ingroup rpmio -+ * Values parsed from OpenPGP signature/pubkey packet(s). -+ */ -+struct pgpDigParams_s { -+ char * userid; -+ uint8_t * hash; -+ const uint8_t * data; -+ uint8_t tag; -+ -+ uint8_t key_flags; /*!< key usage flags */ -+ uint8_t version; /*!< version number. */ -+ uint32_t time; /*!< key/signature creation time. */ -+ uint8_t pubkey_algo; /*!< public key algorithm. */ -+ -+ uint8_t hash_algo; -+ uint8_t sigtype; -+ uint32_t hashlen; -+ uint8_t signhash16[2]; -+ pgpKeyID_t signid; -+ uint8_t saved; /*!< Various flags. `PGPDIG_SAVED_*` are never reset. -+ * `PGPDIG_SIG_HAS_*` are reset for each signature. */ -+#define PGPDIG_SAVED_TIME (1 << 0) -+#define PGPDIG_SAVED_ID (1 << 1) -+#define PGPDIG_SIG_HAS_CREATION_TIME (1 << 2) -+#define PGPDIG_SIG_HAS_KEY_FLAGS (1 << 3) -+ -+ pgpDigAlg alg; -+}; -+ - struct pgpDigAlg_s { - setmpifunc setmpi; - verifyfunc verify; --- -2.33.0 - diff --git a/0004-Generate-digest-lists-before-calling-genCpioListAndH.patch b/0004-Generate-digest-lists-before-calling-genCpioListAndH.patch deleted file mode 100644 index 0dd7447..0000000 --- a/0004-Generate-digest-lists-before-calling-genCpioListAndH.patch +++ /dev/null @@ -1,256 +0,0 @@ -From 670d639bfde427a4f3bb9a9f0350d581cacf6fdb Mon Sep 17 00:00:00 2001 -From: Roberto Sassu -Date: Wed, 12 Aug 2020 18:23:42 +0200 -Subject: [PATCH 04/13] Generate digest lists before calling - genCpioListAndHeader() - -Signed-off-by: luhuaxin ---- - build/files.c | 182 ++++++++++++++++++++++++++++++++++++++++---------- - 1 file changed, 147 insertions(+), 35 deletions(-) - -diff --git a/build/files.c b/build/files.c -index dbac22f..84858b6 100644 ---- a/build/files.c -+++ b/build/files.c -@@ -999,20 +999,149 @@ static int seenHardLink(FileRecords files, FileListRec flp, rpm_ino_t *fileid) - * @param pkg (sub) package - * @param isSrc pass 1 for source packages 0 otherwise - */ --static void genCpioListAndHeader(FileList fl, Package pkg, int isSrc) -+static void genDigestListInput(FileList fl, Package pkg, int isSrc) - { - FileListRec flp; - char buf[BUFSIZ]; - char file_info[BUFSIZ]; - char file_digest[128 * 2 + 1]; -+ int i; -+ uint32_t defaultalgo = PGPHASHALGO_MD5, digestalgo; -+ Header h = pkg->header; /* just a shortcut */ -+ -+ /* -+ * See if non-md5 file digest algorithm is requested. If not -+ * specified, quietly assume md5. Otherwise check if supported type. -+ */ -+ digestalgo = rpmExpandNumeric(isSrc ? "%{_source_filedigest_algorithm}" : -+ "%{_binary_filedigest_algorithm}"); -+ if (digestalgo == 0) { -+ digestalgo = defaultalgo; -+ } -+ -+ if (rpmDigestLength(digestalgo) == 0) { -+ rpmlog(RPMLOG_WARNING, -+ _("Unknown file digest algorithm %u, falling back to MD5\n"), -+ digestalgo); -+ digestalgo = defaultalgo; -+ } -+ -+ /* Sort the big list */ -+ if (fl->files.recs) { -+ qsort(fl->files.recs, fl->files.used, -+ sizeof(*(fl->files.recs)), compareFileListRecs); -+ } -+ -+ /* Generate the header. */ -+ for (i = 0, flp = fl->files.recs; i < fl->files.used; i++, flp++) { -+ /* Merge duplicate entries. */ -+ while (i < (fl->files.used - 1) && -+ rstreq(flp->cpioPath, flp[1].cpioPath)) { -+ -+ /* Two entries for the same file found, merge the entries. */ -+ /* Note that an %exclude is a duplication of a file reference */ -+ -+ /* file flags */ -+ flp[1].flags |= flp->flags; -+ -+ if (!(flp[1].flags & RPMFILE_EXCLUDE)) -+ rpmlog(RPMLOG_WARNING, _("File listed twice: %s\n"), -+ flp->cpioPath); -+ -+ /* file mode */ -+ if (S_ISDIR(flp->fl_mode)) { -+ if ((flp[1].specdFlags & (SPECD_DIRMODE | SPECD_DEFDIRMODE)) < -+ (flp->specdFlags & (SPECD_DIRMODE | SPECD_DEFDIRMODE))) -+ flp[1].fl_mode = flp->fl_mode; -+ } else { -+ if ((flp[1].specdFlags & (SPECD_FILEMODE | SPECD_DEFFILEMODE)) < -+ (flp->specdFlags & (SPECD_FILEMODE | SPECD_DEFFILEMODE))) -+ flp[1].fl_mode = flp->fl_mode; -+ } -+ -+ /* uid */ -+ if ((flp[1].specdFlags & (SPECD_UID | SPECD_DEFUID)) < -+ (flp->specdFlags & (SPECD_UID | SPECD_DEFUID))) -+ { -+ flp[1].fl_uid = flp->fl_uid; -+ flp[1].uname = flp->uname; -+ } -+ -+ /* gid */ -+ if ((flp[1].specdFlags & (SPECD_GID | SPECD_DEFGID)) < -+ (flp->specdFlags & (SPECD_GID | SPECD_DEFGID))) -+ { -+ flp[1].fl_gid = flp->fl_gid; -+ flp[1].gname = flp->gname; -+ } -+ -+ /* verify flags */ -+ if ((flp[1].specdFlags & (SPECD_VERIFY | SPECD_DEFVERIFY)) < -+ (flp->specdFlags & (SPECD_VERIFY | SPECD_DEFVERIFY))) -+ flp[1].verifyFlags = flp->verifyFlags; -+ -+ /* XXX to-do: language */ -+ -+ flp++; i++; -+ } -+ -+ /* Skip files that were marked with %exclude. */ -+ if (flp->flags & RPMFILE_EXCLUDE) -+ { -+ argvAdd(&pkg->fileExcludeList, flp->cpioPath); -+ continue; -+ } -+ -+ buf[0] = '\0'; -+ if (S_ISREG(flp->fl_mode) && !(flp->flags & RPMFILE_GHOST)) -+ (void) rpmDoDigest(digestalgo, flp->diskPath, 1, -+ (unsigned char *)buf); -+ headerPutString(h, RPMTAG_FILEDIGESTS, buf); -+ snprintf(file_digest, sizeof(file_digest), "%s", buf); -+ -+ if (check_fileList_bin_pkg && S_ISREG(flp->fl_mode) && -+ !(flp->flags & RPMFILE_GHOST)) { -+ appendStringBuf(check_fileList_bin_pkg, "path="); -+ appendStringBuf(check_fileList_bin_pkg, flp->diskPath); -+ snprintf(file_info, sizeof(file_info), -+ "|digestalgopgp=%d|digest=%s|mode=%d" -+ "|uname=%s|gname=%s|caps=%s\n", -+ digestalgo, file_digest, flp->fl_mode, -+ rpmstrPoolStr(fl->pool, flp->uname), -+ rpmstrPoolStr(fl->pool, flp->gname), flp->caps && -+ strlen(flp->caps) ? flp->caps : ""); -+ appendStringBuf(check_fileList_bin_pkg, file_info); -+ } -+ } -+ -+ if (genDigestList(pkg->header, fl, check_fileList_bin_pkg) > 0) -+ fl->processingFailed = 1; -+} -+ -+/** -+ * Add file entries to header. -+ * @todo Should directories have %doc/%config attributes? (#14531) -+ * @todo Remove RPMTAG_OLDFILENAMES, add dirname/basename instead. -+ * @param fl package file tree walk data -+ * @param pkg (sub) package -+ * @param isSrc pass 1 for source packages 0 otherwise -+ */ -+static void genCpioListAndHeader(FileList fl, Package pkg, int isSrc) -+{ -+ FileListRec flp; -+ char buf[BUFSIZ]; - int i, npaths = 0; - int fail_on_dupes = rpmExpandNumeric("%{?_duplicate_files_terminate_build}") > 0; - uint32_t defaultalgo = RPM_HASH_MD5, digestalgo; - rpm_loff_t totalFileSize = 0; - Header h = pkg->header; /* just a shortcut */ -- int processed = 0; - time_t source_date_epoch = 0; - char *srcdate = getenv("SOURCE_DATE_EPOCH"); -+ struct rpmtd_s oldfiledigests; -+ -+ headerGet(h, RPMTAG_FILEDIGESTS, &oldfiledigests, HEADERGET_ALLOC); -+ headerDel(h, RPMTAG_FILEDIGESTS); -+ rpmtdInit(&oldfiledigests); - - /* Limit the maximum date to SOURCE_DATE_EPOCH if defined - * similar to the tar --clamp-mtime option -@@ -1079,9 +1208,8 @@ static void genCpioListAndHeader(FileList fl, Package pkg, int isSrc) - - pkg->dpaths = xmalloc((fl->files.used + 1) * sizeof(*pkg->dpaths)); - --process_files: - /* Generate the header. */ -- for (i = processed, flp = fl->files.recs + processed; i < fl->files.used; i++, flp++) { -+ for (i = 0, flp = fl->files.recs; i < fl->files.used; i++, flp++) { - rpm_ino_t fileid = flp - fl->files.recs; - - /* Merge duplicate entries. */ -@@ -1211,13 +1339,17 @@ process_files: - if (fl->haveCaps) { - headerPutString(h, RPMTAG_FILECAPS, flp->caps); - } -- -+ - buf[0] = '\0'; -- if (S_ISREG(flp->fl_mode) && !(flp->flags & RPMFILE_GHOST)) -- (void) rpmDoDigest(digestalgo, flp->diskPath, 1, -- (unsigned char *)buf); -- headerPutString(h, RPMTAG_FILEDIGESTS, buf); -- snprintf(file_digest, sizeof(file_digest), "%s", buf); -+ if (strstr(flp->diskPath, DIGEST_LIST_DIR) || !oldfiledigests.count) { -+ if (S_ISREG(flp->fl_mode) && !(flp->flags & RPMFILE_GHOST)) -+ (void) rpmDoDigest(digestalgo, flp->diskPath, 1, -+ (unsigned char *)buf); -+ headerPutString(h, RPMTAG_FILEDIGESTS, buf); -+ } else { -+ headerPutString(h, RPMTAG_FILEDIGESTS, -+ rpmtdNextString(&oldfiledigests)); -+ } - - buf[0] = '\0'; - if (S_ISLNK(flp->fl_mode)) { -@@ -1258,31 +1390,6 @@ process_files: - flp->flags &= PARSEATTR_MASK; - - headerPutUint32(h, RPMTAG_FILEFLAGS, &(flp->flags) ,1); -- -- if (!processed && check_fileList_bin_pkg && S_ISREG(flp->fl_mode) && -- !(flp->flags & RPMFILE_GHOST)) { -- appendStringBuf(check_fileList_bin_pkg, "path="); -- appendStringBuf(check_fileList_bin_pkg, flp->diskPath); -- snprintf(file_info, sizeof(file_info), -- "|digestalgopgp=%d|digest=%s|mode=%d" -- "|uname=%s|gname=%s|caps=%s\n", -- digestalgo, file_digest, flp->fl_mode, -- rpmstrPoolStr(fl->pool, flp->uname), -- rpmstrPoolStr(fl->pool, flp->gname), flp->caps && -- strlen(flp->caps) ? flp->caps : ""); -- appendStringBuf(check_fileList_bin_pkg, file_info); -- } -- } -- -- if (!processed) { -- if (genDigestList(pkg->header, fl, check_fileList_bin_pkg) > 0) { -- fl->processingFailed = 1; -- } else if (i < fl->files.used) { -- pkg->dpaths = xrealloc(pkg->dpaths, -- (fl->files.used + 1) * sizeof(*pkg->dpaths)); -- processed = i; -- goto process_files; -- } - } - - pkg->dpaths[npaths] = NULL; -@@ -1323,6 +1430,7 @@ process_files: - /* Binary packages with dirNames cannot be installed by legacy rpm. */ - (void) rpmlibNeedsFeature(pkg, "CompressedFileNames", "3.0.4-1"); - } -+ rpmtdFreeData(&oldfiledigests); - } - - static FileRecords FileRecordsFree(FileRecords files) -@@ -2805,6 +2913,10 @@ static rpmRC processPackageFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags, - if (checkHardLinks(&fl.files)) - (void) rpmlibNeedsFeature(pkg, "PartialHardlinkSets", "4.0.4-1"); - -+ genDigestListInput(&fl, pkg, 0); -+ if (fl.processingFailed) -+ goto exit; -+ - genCpioListAndHeader(&fl, pkg, 0); - - exit: --- -2.33.0 - diff --git a/0005-call-process_digest_list-after-files-are-added.patch b/0005-call-process_digest_list-after-files-are-added.patch deleted file mode 100644 index 597616b..0000000 --- a/0005-call-process_digest_list-after-files-are-added.patch +++ /dev/null @@ -1,115 +0,0 @@ -From f7b95fc722d8ef438872b270039b24e8ddd9fc0d Mon Sep 17 00:00:00 2001 -From: Roberto Sassu -Date: Mon, 26 Oct 2020 12:10:31 +0800 -Subject: [PATCH 05/13] call process_digest_list after files are added - -Signed-off-by: Anakin Zhang ---- - plugins/digest_list.c | 78 ++++++++++++++++++++++++++++++++++++++----- - 1 file changed, 69 insertions(+), 9 deletions(-) - -diff --git a/plugins/digest_list.c b/plugins/digest_list.c -index 293593f..1f50394 100644 ---- a/plugins/digest_list.c -+++ b/plugins/digest_list.c -@@ -472,28 +472,88 @@ out: - return ret; - } - -+rpmte cur_te; -+int digest_list_counter; -+ - static rpmRC digest_list_psm_pre(rpmPlugin plugin, rpmte te) - { -- process_digest_list(te, 0); -- if (!strcmp(rpmteN(te), "digest-list-tools")) -- process_digest_list(te, 1); -+ Header rpm = rpmteHeader(te); -+ rpmtd dirnames; -+ int i; -+ -+ digest_list_counter = 0; -+ -+ dirnames = rpmtdNew(); -+ headerGet(rpm, RPMTAG_DIRNAMES, dirnames, 0); -+ -+ while ((i = rpmtdNext(dirnames)) >= 0) { -+ char *dirname = (char *) rpmtdGetString(dirnames); -+ if (!strncmp(dirname, DIGEST_LIST_DEFAULT_PATH, -+ sizeof(DIGEST_LIST_DEFAULT_PATH) - 1)) -+ digest_list_counter++; -+ } - -+ rpmtdFree(dirnames); -+ -+ cur_te = te; - return RPMRC_OK; - } - --static rpmRC digest_list_psm_post(rpmPlugin plugin, rpmte te, int res) -+static rpmRC digest_list_file_common(rpmPlugin plugin, rpmfi fi, -+ const char* path, mode_t file_mode, -+ rpmFsmOp op, int pre, int res) - { -- if (res != RPMRC_OK) -+ rpmFileAction action = XFO_ACTION(op); -+ -+ if (!digest_list_counter) -+ return RPMRC_OK; -+ -+ if (!cur_te) -+ return RPMRC_OK; -+ -+ if (!pre && res != RPMRC_OK) -+ return res; -+ -+ if ((pre && action != FA_ERASE) || -+ (!pre && action != FA_CREATE)) - return RPMRC_OK; - -- process_digest_list(te, 0); -- if (!strcmp(rpmteN(te), "digest-list-tools")) -- process_digest_list(te, 1); -+ if (digest_list_counter) { -+ if (!pre) { -+ if (!strncmp(path, DIGEST_LIST_DEFAULT_PATH, -+ sizeof(DIGEST_LIST_DEFAULT_PATH) - 1)) -+ digest_list_counter--; -+ } else { -+ digest_list_counter = 0; -+ } -+ -+ if (digest_list_counter) -+ return RPMRC_OK; -+ } -+ -+ process_digest_list(cur_te, 0); -+ if (!strcmp(rpmteN(cur_te), "digest-list-tools")) -+ process_digest_list(cur_te, 1); - - return RPMRC_OK; - } - -+static rpmRC digest_list_file_pre(rpmPlugin plugin, rpmfi fi, -+ const char* path, mode_t file_mode, -+ rpmFsmOp op) -+{ -+ return digest_list_file_common(plugin, fi, path, file_mode, op, 1, 0); -+} -+ -+static rpmRC digest_list_file_post(rpmPlugin plugin, rpmfi fi, -+ const char* path, mode_t file_mode, -+ rpmFsmOp op, int res) -+{ -+ return digest_list_file_common(plugin, fi, path, file_mode, op, 0, res); -+} -+ - struct rpmPluginHooks_s digest_list_hooks = { - .psm_pre = digest_list_psm_pre, -- .psm_post = digest_list_psm_post, -+ .fsm_file_pre = digest_list_file_pre, -+ .fsm_file_post = digest_list_file_post, - }; --- -2.33.0 - diff --git a/0006-fix-lsetxattr-error-in-container.patch b/0006-fix-lsetxattr-error-in-container.patch deleted file mode 100644 index d3f1152..0000000 --- a/0006-fix-lsetxattr-error-in-container.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 28f6a9c80b721344fa9682bb0236ae02e0f4f2e5 Mon Sep 17 00:00:00 2001 -From: Zhang Tianxing -Date: Mon, 13 Sep 2021 17:32:11 +0800 -Subject: [PATCH 06/13] fix lsetxattr error in container - -The digest list plugin in rpm will set security.ima xattr to IMA digest lists -when installing or updating an rpm package. However, in a container without -CAP_SYS_ADMIN, we'll get error messages when calling lsetxattr. - -This patch is to skip lsetxattr when CAP_SYS_ADMIN is missing. - -Signed-off-by: Zhang Tianxing ---- - plugins/digest_list.c | 19 +++++++++++++++++++ - 1 file changed, 19 insertions(+) - -diff --git a/plugins/digest_list.c b/plugins/digest_list.c -index 1f50394..23f911a 100644 ---- a/plugins/digest_list.c -+++ b/plugins/digest_list.c -@@ -13,6 +13,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -371,6 +372,10 @@ static int process_digest_list(rpmte te, int parser) - int digest_list_signed = 0; - struct stat st; - ssize_t size; -+ struct __user_cap_header_struct cap_header_data; -+ cap_user_header_t cap_header = &cap_header_data; -+ struct __user_cap_data_struct cap_data_data; -+ cap_user_data_t cap_data = &cap_data_data; - rpmRC ret = RPMRC_OK; - - path = malloc(PATH_MAX); -@@ -436,7 +441,21 @@ static int process_digest_list(rpmte te, int parser) - ret = RPMRC_FAIL; - goto out; - } -+ } - -+ /* don't call lsetxattr without CAP_SYS_ADMIN */ -+ cap_header->pid = getpid(); -+ cap_header->version = _LINUX_CAPABILITY_VERSION_1; -+ if (capget(cap_header, cap_data) < 0) { -+ ret = -ENOENT; -+ goto out; -+ } -+ if (!(cap_data->effective & CAP_TO_MASK(CAP_SYS_ADMIN))) { -+ ret = -EPERM; -+ goto out; -+ } -+ -+ if (!digest_list_signed) { - /* Write RPM header sig to security.ima */ - ret = write_rpm_digest_list_ima_xattr(te, path); - } else { --- -2.33.0 - diff --git a/0007-rpm-selinux-plugin-check-context-file-exist.patch b/0007-rpm-selinux-plugin-check-context-file-exist.patch deleted file mode 100644 index 7cc7c55..0000000 --- a/0007-rpm-selinux-plugin-check-context-file-exist.patch +++ /dev/null @@ -1,26 +0,0 @@ -From cc9c53b97b56238320319ed8a0780ba327e4cef2 Mon Sep 17 00:00:00 2001 -From: luhuaxin <1539327763@qq.com> -Date: Tue, 26 Oct 2021 18:39:46 +0800 -Subject: [PATCH 07/13] rpm selinux plugin check context file exist - ---- - plugins/selinux.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/plugins/selinux.c b/plugins/selinux.c -index 316ff88..ac1e354 100644 ---- a/plugins/selinux.c -+++ b/plugins/selinux.c -@@ -64,7 +64,8 @@ static rpmRC selinux_tsm_pre(rpmPlugin plugin, rpmts ts) - rpmRC rc = RPMRC_OK; - - /* If SELinux isn't enabled on the system, dont mess with it */ -- if (!is_selinux_enabled()) { -+ if (!is_selinux_enabled() || selinux_file_context_path() == NULL || -+ access(selinux_file_context_path(), F_OK)) { - rpmtsSetFlags(ts, (rpmtsFlags(ts) | RPMTRANS_FLAG_NOCONTEXTS)); - } - --- -2.33.0 - diff --git a/0008-Fix-digest_list_counter.patch b/0008-Fix-digest_list_counter.patch deleted file mode 100644 index feed1ee..0000000 --- a/0008-Fix-digest_list_counter.patch +++ /dev/null @@ -1,81 +0,0 @@ -From 943c1848f6aeadbe913f88466a9fdddc42ec51c5 Mon Sep 17 00:00:00 2001 -From: Roberto Sassu -Date: Wed, 10 Mar 2021 12:22:39 +0100 -Subject: [PATCH 08/13] Fix digest_list_counter - ---- - plugins/digest_list.c | 38 +++++++++++++++++++++++--------------- - 1 file changed, 23 insertions(+), 15 deletions(-) - -diff --git a/plugins/digest_list.c b/plugins/digest_list.c -index 23f911a..4142caf 100644 ---- a/plugins/digest_list.c -+++ b/plugins/digest_list.c -@@ -497,8 +497,8 @@ int digest_list_counter; - static rpmRC digest_list_psm_pre(rpmPlugin plugin, rpmte te) - { - Header rpm = rpmteHeader(te); -- rpmtd dirnames; -- int i; -+ rpmtd dirnames, dirindexes; -+ int i = -1; - - digest_list_counter = 0; - -@@ -507,13 +507,26 @@ static rpmRC digest_list_psm_pre(rpmPlugin plugin, rpmte te) - - while ((i = rpmtdNext(dirnames)) >= 0) { - char *dirname = (char *) rpmtdGetString(dirnames); -+ - if (!strncmp(dirname, DIGEST_LIST_DEFAULT_PATH, -- sizeof(DIGEST_LIST_DEFAULT_PATH) - 1)) -- digest_list_counter++; -+ sizeof(DIGEST_LIST_DEFAULT_PATH) - 1) && -+ dirname[sizeof(DIGEST_LIST_DEFAULT_PATH) - 1] == '/') -+ break; - } - - rpmtdFree(dirnames); - -+ if (i == -1) -+ return RPMRC_OK; -+ -+ dirindexes = rpmtdNew(); -+ headerGet(rpm, RPMTAG_DIRINDEXES, dirindexes, 0); -+ while (rpmtdNext(dirindexes) >= 0) -+ if (rpmtdGetNumber(dirindexes) == i) -+ digest_list_counter++; -+ -+ rpmtdFree(dirindexes); -+ - cur_te = te; - return RPMRC_OK; - } -@@ -537,18 +550,13 @@ static rpmRC digest_list_file_common(rpmPlugin plugin, rpmfi fi, - (!pre && action != FA_CREATE)) - return RPMRC_OK; - -- if (digest_list_counter) { -- if (!pre) { -- if (!strncmp(path, DIGEST_LIST_DEFAULT_PATH, -- sizeof(DIGEST_LIST_DEFAULT_PATH) - 1)) -- digest_list_counter--; -- } else { -- digest_list_counter = 0; -- } -+ if (strncmp(path, DIGEST_LIST_DEFAULT_PATH, -+ sizeof(DIGEST_LIST_DEFAULT_PATH) - 1) || -+ path[sizeof(DIGEST_LIST_DEFAULT_PATH) - 1] != '/') -+ return RPMRC_OK; - -- if (digest_list_counter) -- return RPMRC_OK; -- } -+ if (!pre && --digest_list_counter) -+ return RPMRC_OK; - - process_digest_list(cur_te, 0); - if (!strcmp(rpmteN(cur_te), "digest-list-tools")) --- -2.33.0 - diff --git a/0009-Check-rpm-parser.patch b/0009-Check-rpm-parser.patch deleted file mode 100644 index 127964f..0000000 --- a/0009-Check-rpm-parser.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 218a3e2bca1c48b4338939cf01941e5231513300 Mon Sep 17 00:00:00 2001 -From: Roberto Sassu -Date: Wed, 10 Mar 2021 12:23:32 +0100 -Subject: [PATCH 09/13] Check rpm parser - ---- - plugins/digest_list.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/plugins/digest_list.c b/plugins/digest_list.c -index 4142caf..ca77282 100644 ---- a/plugins/digest_list.c -+++ b/plugins/digest_list.c -@@ -133,6 +133,12 @@ static int upload_digest_list(char *path, int type, int digest_list_signed) - - /* If the digest list is not signed, execute the RPM parser */ - if (!digest_list_signed) { -+ if (stat(RPM_PARSER, &st) == -1) { -+ rpmlog(RPMLOG_DEBUG, "digest_list: %s not found, " -+ "not uploading digest list\n", RPM_PARSER); -+ return 0; -+ } -+ - if ((pid = fork()) == 0) { - execlp(RPM_PARSER, RPM_PARSER, (type == TR_ADDED) ? - "add" : "del", path, NULL); --- -2.33.0 - diff --git a/0010-Remove-digest-list-from-the-kernel-during-package-re.patch b/0010-Remove-digest-list-from-the-kernel-during-package-re.patch deleted file mode 100644 index de4486f..0000000 --- a/0010-Remove-digest-list-from-the-kernel-during-package-re.patch +++ /dev/null @@ -1,106 +0,0 @@ -From 3c3e44171146c5c78287635e71c7adaea26fab3e Mon Sep 17 00:00:00 2001 -From: Roberto Sassu -Date: Thu, 11 Mar 2021 11:59:45 +0100 -Subject: [PATCH 10/13] Remove digest list from the kernel during package - reinstallation - -Signed-off-by: luhuaxin ---- - plugins/digest_list.c | 36 +++++++++++++++++------------------- - 1 file changed, 17 insertions(+), 19 deletions(-) - -diff --git a/plugins/digest_list.c b/plugins/digest_list.c -index ca77282..63f8f1c 100644 ---- a/plugins/digest_list.c -+++ b/plugins/digest_list.c -@@ -27,9 +27,6 @@ - #define DIGEST_LIST_DEFAULT_PATH "/etc/ima/digest_lists" - #define RPM_PARSER "/usr/libexec/rpm_parser" - --#define DIGEST_LIST_OP_ADD 0 --#define DIGEST_LIST_OP_DEL 1 -- - enum hash_algo { - HASH_ALGO_MD4, - HASH_ALGO_MD5, -@@ -372,12 +369,13 @@ out: - return ret; - } - --static int process_digest_list(rpmte te, int parser) -+static int process_digest_list(rpmte te, int parser, int pre) - { - char *path = NULL, *path_sig = NULL; - int digest_list_signed = 0; - struct stat st; - ssize_t size; -+ int type = rpmteType(te); - struct __user_cap_header_struct cap_header_data; - cap_user_header_t cap_header = &cap_header_data; - struct __user_cap_data_struct cap_data_data; -@@ -431,15 +429,7 @@ static int process_digest_list(rpmte te, int parser) - - size = lgetxattr(path, XATTR_NAME_IMA, NULL, 0); - -- /* Don't upload again if digest list was already processed */ -- if ((rpmteType(te) == TR_ADDED && size > 0) || -- (rpmteType(te) == TR_REMOVED && size < 0)) { -- rpmlog(RPMLOG_DEBUG, "digest_list: '%s' already processed, " -- "nothing to do\n", path); -- goto out; -- } -- -- if (rpmteType(te) == TR_ADDED) { -+ if (type == TR_ADDED && !pre && size < 0) { - if (!digest_list_signed) { - /* Write RPM header to the disk */ - ret = write_rpm_digest_list(te, path); -@@ -472,12 +462,18 @@ static int process_digest_list(rpmte te, int parser) - ret = RPMRC_FAIL; - goto out; - } -+ } else if (type == TR_ADDED && pre) { -+ if (size < 0) -+ goto out; -+ -+ /* rpm is overwriting the digest list, remove from the kernel */ -+ type = TR_REMOVED; - } - - /* Upload digest list to securityfs */ -- upload_digest_list(path, rpmteType(te), digest_list_signed); -+ upload_digest_list(path, type, digest_list_signed); - -- if (rpmteType(te) == TR_REMOVED) { -+ if (type == TR_REMOVED) { - if (!digest_list_signed) { - unlink(path); - goto out; -@@ -552,8 +548,10 @@ static rpmRC digest_list_file_common(rpmPlugin plugin, rpmfi fi, - if (!pre && res != RPMRC_OK) - return res; - -- if ((pre && action != FA_ERASE) || -- (!pre && action != FA_CREATE)) -+ if (!pre && rpmteType(cur_te) != TR_ADDED) -+ return RPMRC_OK; -+ -+ if (pre && action == FA_SKIP) - return RPMRC_OK; - - if (strncmp(path, DIGEST_LIST_DEFAULT_PATH, -@@ -564,9 +562,9 @@ static rpmRC digest_list_file_common(rpmPlugin plugin, rpmfi fi, - if (!pre && --digest_list_counter) - return RPMRC_OK; - -- process_digest_list(cur_te, 0); -+ process_digest_list(cur_te, 0, pre); - if (!strcmp(rpmteN(cur_te), "digest-list-tools")) -- process_digest_list(cur_te, 1); -+ process_digest_list(cur_te, 1, pre); - - return RPMRC_OK; - } --- -2.33.0 - diff --git a/0011-Add-license-to-digest_list.c.patch b/0011-Add-license-to-digest_list.c.patch deleted file mode 100644 index 6346fd1..0000000 --- a/0011-Add-license-to-digest_list.c.patch +++ /dev/null @@ -1,34 +0,0 @@ -From e33dee894957fabb5d229d9f02b9e308bf79eb70 Mon Sep 17 00:00:00 2001 -From: Roberto Sassu -Date: Fri, 12 Mar 2021 10:57:24 +0100 -Subject: [PATCH 11/13] Add license to digest_list.c - ---- - plugins/digest_list.c | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - -diff --git a/plugins/digest_list.c b/plugins/digest_list.c -index 63f8f1c..0692b5b 100644 ---- a/plugins/digest_list.c -+++ b/plugins/digest_list.c -@@ -1,3 +1,17 @@ -+/* -+ * Copyright (C) 2020-2021 Huawei Technologies Duesseldorf GmbH -+ * -+ * Author: Roberto Sassu -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public License as -+ * published by the Free Software Foundation, version 2 of the -+ * License. -+ * -+ * File: digest_list.c -+ * Plugin to load digest lists in the Linux kernel. -+ */ -+ - #include "system.h" - #include "errno.h" - --- -2.33.0 - diff --git a/0012-Avoid-generating-digest-lists-if-they-are-already-pa.patch b/0012-Avoid-generating-digest-lists-if-they-are-already-pa.patch deleted file mode 100644 index 6fe9fa3..0000000 --- a/0012-Avoid-generating-digest-lists-if-they-are-already-pa.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 1cd90e4828c52919e103bebd3c4e37fba2749d11 Mon Sep 17 00:00:00 2001 -From: Roberto Sassu -Date: Wed, 17 Mar 2021 17:25:46 +0100 -Subject: [PATCH 12/13] Avoid generating digest lists if they are already - packaged - ---- - build/files.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/build/files.c b/build/files.c -index 84858b6..7312029 100644 ---- a/build/files.c -+++ b/build/files.c -@@ -51,6 +51,7 @@ - #define DEBUG_ID_DIR "/usr/lib/debug/.build-id" - #define DEBUG_DWZ_DIR "/usr/lib/debug/.dwz" - #define DIGEST_LIST_DIR "/.digest_lists" -+#define DEST_DIGEST_LIST_DIR "/etc/ima/digest_lists" - - #undef HASHTYPE - #undef HTKEYTYPE -@@ -1005,7 +1006,7 @@ static void genDigestListInput(FileList fl, Package pkg, int isSrc) - char buf[BUFSIZ]; - char file_info[BUFSIZ]; - char file_digest[128 * 2 + 1]; -- int i; -+ int i, gen_digest_lists = 1; - uint32_t defaultalgo = PGPHASHALGO_MD5, digestalgo; - Header h = pkg->header; /* just a shortcut */ - -@@ -1112,9 +1113,15 @@ static void genDigestListInput(FileList fl, Package pkg, int isSrc) - strlen(flp->caps) ? flp->caps : ""); - appendStringBuf(check_fileList_bin_pkg, file_info); - } -+ -+ if (S_ISREG(flp->fl_mode) && -+ !strncmp(flp->cpioPath, DEST_DIGEST_LIST_DIR, -+ sizeof(DEST_DIGEST_LIST_DIR) - 1)) -+ gen_digest_lists = 0; - } - -- if (genDigestList(pkg->header, fl, check_fileList_bin_pkg) > 0) -+ if (gen_digest_lists && -+ genDigestList(pkg->header, fl, check_fileList_bin_pkg) > 0) - fl->processingFailed = 1; - } - --- -2.33.0 - diff --git a/0013-dont-remove-ima-xattr-of-parser-when-upgrading.patch b/0013-dont-remove-ima-xattr-of-parser-when-upgrading.patch deleted file mode 100644 index 491c023..0000000 --- a/0013-dont-remove-ima-xattr-of-parser-when-upgrading.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 44af19d23061b73e35a5d65a743f23333da1f22c Mon Sep 17 00:00:00 2001 -From: luhuaxin -Date: Tue, 15 Mar 2022 20:54:06 +0800 -Subject: [PATCH 13/13] dont remove ima xattr of parser when upgrading - -Signed-off-by: luhuaxin ---- - plugins/digest_list.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/plugins/digest_list.c b/plugins/digest_list.c -index 0692b5b..1d7ef92 100644 ---- a/plugins/digest_list.c -+++ b/plugins/digest_list.c -@@ -576,9 +576,16 @@ static rpmRC digest_list_file_common(rpmPlugin plugin, rpmfi fi, - if (!pre && --digest_list_counter) - return RPMRC_OK; - -+ rpmlog(RPMLOG_DEBUG, "process ima digest, pre: %d, action: %d, teType: %d\n", -+ pre, action, rpmteType(cur_te)); - process_digest_list(cur_te, 0, pre); -- if (!strcmp(rpmteN(cur_te), "digest-list-tools")) -+ if (!strcmp(rpmteN(cur_te), "digest-list-tools")) { -+ if (pre && rpmteType(cur_te) == TR_REMOVED) -+ return RPMRC_OK; -+ -+ rpmlog(RPMLOG_DEBUG, "process parser digest\n"); - process_digest_list(cur_te, 1, pre); -+ } - - return RPMRC_OK; - } --- -2.33.0 - diff --git a/rpm.spec b/rpm.spec index 6556f25..17df5be 100644 --- a/rpm.spec +++ b/rpm.spec @@ -1,6 +1,6 @@ Name: rpm Version: 4.18.0 -Release: 5 +Release: 6 Summary: RPM Package Manager License: GPLv2+ URL: http://www.rpm.org/ @@ -34,19 +34,6 @@ Patch6012: backport-Fix-fileleak-and-memleak-in-rpmInstall.patch Patch6013: backport-Fix-fileleak-when-urlGetFile-fails-in-rpmInstall.patch Patch9000: rpm-fix-rpm-is-blocked-when-open-fifo-file.patch -Patch9001: 0001-Generate-digest-lists.patch -Patch9002: 0002-Add-digest-list-plugin.patch -Patch9003: 0003-Don-t-add-dist-to-release-if-it-is-already-there.patch -Patch9004: 0004-Generate-digest-lists-before-calling-genCpioListAndH.patch -Patch9005: 0005-call-process_digest_list-after-files-are-added.patch -Patch9006: 0006-fix-lsetxattr-error-in-container.patch -Patch9007: 0007-rpm-selinux-plugin-check-context-file-exist.patch -Patch9008: 0008-Fix-digest_list_counter.patch -Patch9009: 0009-Check-rpm-parser.patch -Patch9010: 0010-Remove-digest-list-from-the-kernel-during-package-re.patch -Patch9011: 0011-Add-license-to-digest_list.c.patch -Patch9012: 0012-Avoid-generating-digest-lists-if-they-are-already-pa.patch -Patch9013: 0013-dont-remove-ima-xattr-of-parser-when-upgrading.patch BuildRequires: gcc autoconf automake libtool make gawk popt-devel openssl-devel readline-devel BuildRequires: zlib-devel zstd-devel >= 1.3.8 xz-devel bzip2-devel libarchive-devel ima-evm-utils-devel @@ -333,6 +320,9 @@ make clean %exclude %{_mandir}/man8/rpmspec.8.gz %changelog +* Wed Feb 08 2023 gaoyusong - 4.18.0-6 +- Revert digest list patches + * Wed Feb 08 2023 gaoyusong - 4.18.0-5 - Sync IMA related patches