ima: Also apply signatures to config files
Even though config files may be close to what could be described as 'mutable files', we now want to give the user control over the installation of signatures on these files as well. We enable this through a variable in the macro file. For this, we should be aware that the signatures of these files may become incorrect or missing once RPM post installation scripts or other programs have modified these configuration files. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com
This commit is contained in:
parent
70b56c5022
commit
99887fec10
@ -744,6 +744,11 @@ package or when debugging this package.\
# performance for rotational disks)
#%_flush_io 0
# Set to 1 to have IMA signatures written also on %config files.
# Note that %config files may be changed and therefore end up with
# a wrong or missing signature.
#%_ima_sign_config_files 0
#
# Default output format string for rpm -qa
#
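Review bot: The new comment says %config files "may be changed" without saying by whom, which is the detail a packager deciding whether to set `%_ima_sign_config_files` needs; the commit message is more specific. I would write the two middle lines as `# Note that %config files may be modified after installation (e.g. by %post` / `# scriptlets or the administrator) and then carry a wrong or missing signature.` The IMA plugin only tests the expanded value for non-zero, so "Set to 1" is the documented convention rather than the only value that enables the behaviour.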
@ -9,6 +9,7 @@
#include <rpm/rpmtypes.h>
#include <rpm/rpmlog.h>
#include <rpmio/rpmstring.h>
#include <rpmio/rpmmacro.h>
#include "lib/rpmfs.h"
#include "lib/rpmplugin.h"
@ -16,6 +17,8 @@
#define XATTR_NAME_IMA "security.ima"
static int write_signatures_on_config_files = 0;
/*
* check_zero_hdr: Check the signature for a zero header
*
@ -54,11 +57,13 @@ static rpmRC ima_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
goto exit;
/* Don't install signatures for (mutable) files marked
* as config files unless they are also executable.
* as config files unless they are also executable or
* user specifically asks for it.
*/
if (rpmfiFFlags(fi) & RPMFILE_CONFIG) {
if (!(rpmfiFMode(fi) & (S_IXUSR|S_IXGRP|S_IXOTH)))
goto exit;
if (!(rpmfiFMode(fi) & (S_IXUSR|S_IXGRP|S_IXOTH)) &&
!write_signatures_on_config_files)
goto exit;
}
fsig = rpmfiFSignature(fi, &len);
@ -75,6 +80,15 @@ exit:
return rc;
}
static rpmRC ima_init(rpmPlugin plugin, rpmts ts)
{
write_signatures_on_config_files =
rpmExpandNumeric("%{?_ima_sign_config_files}");
return RPMRC_OK;
}
struct rpmPluginHooks_s ima_hooks = {
.init = ima_init,
.fsm_file_prepare = ima_fsm_file_prepare,
};
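Review bot: The new file-scope flag `write_signatures_on_config_files` (hunk at -16,6 +17,8) and the new `ima_init` hook carry no comment, and the caveat the commit message spells out — that a signature written on a %config file stops matching as soon as a post-install scriptlet or anything else rewrites the file — lives only in the macros comment, not next to the code that takes the decision. I would put above the static: `/* Set in ima_init() from %_ima_sign_config_files: non-zero also writes security.ima on %config files, whose signature becomes stale once the file is modified after installation. */`. Because `ima_fsm_file_prepare` only tests the variable for zero (hunk at -54,11 +57,13), any non-zero value opts in, not just the 1 the macros comment documents. `ima_init` reads the macro through `rpmExpandNumeric`, which presumably expands `%{?_ima_sign_config_files}` to the empty string and so yields 0 when the macro is undefined; a one-line comment on that line stating the default-off behaviour would help, once confirmed against rpmExpandNumeric.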