For a pre hook function display an error message and for a post hook
function display just a warning message. This corresponds with
the way how error/warning messages are displayed for scriptlets.
Also add a debug message into selinux plugin.
We really should not suspend or hibernate during rpm operations. Chances are
too high to not wake up properly and damage the system (see rhbz#1297984).
Only the first file signature was getting installed. rpmfiNext returns
the next file iterator index and -1 on termination. Now the loop correctly
terminates only when rpmfiNext return value is negative.
This plugin extracts file signatures from rpmfiles and writes them to
security.ima xattr. Only non-config file signatures are installed.
Changelog:
- use rpmfi instead of rpmfiles
- use rpmfiFN instead of fsmFsPath
Signed-off-by: Lubos Kardos <lkardos@redhat.com>
This function was factored out from rpm_execcon() upstream to make it
easier to use by its users, by making it not call execve() directly. It
is now also used by dpkg since 1.17.11.
Preserve the ad-hoc code for now so that it can be compiled against old
libselinux versions.
- The basic concept is not without merit but what was implemented here
has been stuck in experimental state in middle of two sorta conflicting
goals for four years now, and world has moved onward in the meanwhile.
The sepolicy part is better handled in the new selinux plugin, and other
action business belongs to packages (in the form of some trigger-like
scripts or such) rather than rpm plugins.
- Deleted here, but the sepolicy plugin functionality still needs
merging into the new selinux plugin...
- RPMTAG_COLLECTIONS left in place but tagged unimplemented as per policy
to never actually remove tags
- Unowned directories obviously do not exist in rpmfi, so plugins
still need to be passed path and mode separately, but for all
the rest rpmfi is there and contains valuable additional information
that's been unavailable to plugins until now
- This is what rpm_execcon() in libselinux always did, and trying to
be more strict causes things to blow up on install to an empty
chroot where /proc and /sys/fs/selinux are not mounted.
- Now that the hook functions in plugins no longer need to be uniformly
named, rename them to more "natural" pluginname_hookname style so
__func__ (and gdb etc) give meaningful, distinct values for them.
No functional changes unless I typoed something.
- Some previously required things probably no longer make no sense
now, and OTOH this isn't all that important for the logging
plugin but just to test the stuff with something...
- Change all plugin hooks to take plugin itself as the first argument,
adjust our existing plugins
- Further steps towards making plugins "instances" instead of
just semi-global blobs
- rpmplugins.[ch] implements the rpm internal plugin management
infrastructure, which is no business of anybody else. Mark the
symbols internal while at it.
- rpmplugin.h describes the API for the actual plugins, this is
to be made public once the API is considered stable enough (which
it certainly is not yet ;)
- Adjust our plugins to include the right header
- Having the cleanup hook return an error code is almost like free()
returned an error code you're supposed to check and if it fails
then ... what? :) Make it "return" void instead, fixup plugins.
- The in-rpm selinux code always ignored errors from selabel_lookup_raw(),
but the plugin version does. Apparently it can occasionally return
ENOENT as in "no context for this thingie here" for something which
causes the plugin version to return an error (I'm seeing this on
/var/lib/nfs/rpc_pipefs from nfs-utils)
- It's not rpm's business to say everything needs to have a label,
although this does seem a bit peculiar: for an arbitrary unknown
directory selabel_lookup() seems to normally return a "default"
context. Why that is not happening here I haven't got the slightest
idea, but then restorecon isn't complaining on this, why should we?
- Make the hook functions static now that its possible
- Directly include what the plugins need, dont include plugin.h
- Eliminate now unnecessary plugin.h
- Add a struct containing all hook function pointers to plugins,
let plugins populate it by themselves and call the hooks by the
hook struct, avoiding repeated dlsym() discovery on each call etc.
- Eliminate now unnecessary PLUGINHOOK_FOO typedefs, defines and the
"supported hooks" bitfield: supported hooks are whatever a plugin
declares in the struct. This also means the number of possible
plugin hooks is not limited by number of bits in an integer.
- This means the only symbol plugins need to export is <name>_hooks,
the actual functions can be static. This is not the case yet but
to avoid changing everything at once... this is already a fairly
big commit.
- This also fixes the nasty issue where in presence of multiple
(non-collection) plugins, supported hooks would not get called if
another plugin didn't support that hook because of
RPMPLUGINS_SET_HOOK_FUNC() using "return" on several cases,
which doesn't go very well with loops.
- Log transaction start + finish, package install/erase and scriptlet
failures. In case of failures, log a failure summary at transaction
end.
- Plenty of room for improvement here, such making the logging and
package identifiers configurable + emitting different messages
for install/upgrade/erase/cleanup. Its a starting point, nothing
more...
- We hereby unceremoniously declare that from now on, SELinux and
other similar mechanisms are to live in plugins, rpm doesn't need
to know about every possible security etc mechanism there might be.
Its a big commit but as its really just removals...
- We need to disable sepolicy collection plugin for now as it relies on
built-in support for selinux, this not only makes no sense but
wont work now that there is no built-in support. The sepolicy
plugin needs to be merged into the selinux base plugin now.
- Another "breakage" is that --rebuilddb no longer relabels the database,
this needs plugins to called in a place where they currently cannot
be called. This needs to be resolved before next actual release.
- This gets called after a file or directory has been unpacked and
its permissions etc set, but before it gets moved to final location.
Because of that we need to pass two paths: current path and final
destination (which can be different or the same). Final path
can be needed for looking up labels from system policy etc.
- Currently this is only called for installations, but eventually
should be done for erasures too in case plugins want to strip
permissions similar to removeSBITS() etc.
Two hooks are currently added:
FSM_FILE_OPEN
called after fsmInit() has been called for the file during installation or erase.
FSM_FILE_CLOSE
called after fsmCommit() for the file during installation or after file has been removed on uninstallation
In addition FSM_FILE_CLOSE is called for each directory that isn't included in the package and was created by rpm
Signed-off-by: Panu Matilainen <pmatilai@redhat.com>
- This is highly systemd-specific functionality so it makes sense to
name the plugin in a way that makes it (more) obvious. No other
changes besides renaming.
- We wouldn't want anybody to shutdown (or reboot) the system while a
transaction is in progress, it's just that there hasn't been a whole lot
that could've been done about it. Recent systemd versions provide an API to
prevent shutdowns however:
http://www.freedesktop.org/wiki/Software/systemd/inhibit
- Add a simple plugin which, if enabled, tries to acquire a shutdown
inhibitor lock from systemd for the duration of transactionsd. This
could use better error handling and all... but its a start at least.
- Note that D-BUS is required, but only for the plugin, not (lib)rpm.
-All post hooks take an additional rc argument that indicates general return code from operation.
-All post hooks are always called if correspoding pre hook has been called.
-The return value from post hooks is curently ignored
Signed-off-by: Panu Matilainen <pmatilai@redhat.com>
Three new hooks added:
PLUGINHOOK_SCRIPTLET_PRE_FUNC
Called before scriptlet execution
PLUGINHOOK_SCRIPTLET_FORK_POST_FUNC
Called after fork() but before scriptlet execution
PLUGINHOOK_SCRIPTLET_POST_FUNC
Called after scriptlet execution
Currently pre and post hooks are called for externals and internal lua scripts.
post hook is called even if scriptlet execution has failed and
the return code is given as an argument.
fork_post hook is only called for external scriptlets,
because for internal scriptlets no fork() is currently performed.
Signed-off-by: Panu Matilainen <pmatilai@redhat.com>
Two new hooks added:
PLUGINHOOK_SCRIPT_PRE_FUNC
Called before script execution
PLUGINHOOK_SCRIPT_POST_FUNC
Called after script execution
Both hooks are called for externals and internal lua scripts.
POST hook is called even if script execution has failed and
the return code is given as an argument.
Signed-off-by: Panu Matilainen <pmatilai@redhat.com>
This change adds a new type of the rpm plugin, called transaction plugin
and a set of initial hooks for this plugin. The hooks are:
PLUGINHOOK_TSM_PRE
Pre-transaction hook that is called before an rpm transaction begins
PLUGINHOOK_TSM_POST
Post-transaction hook that is called after an rpm transaction ends
PLUGINHOOK_PSM_PRE
Pre-transaction-element hook that is called before an rpm
transaction-element is processed
PLUGINHOOK_PSM_POST
Post-transaction-element hook that is called after an rpm
transaction-element is processed
PLUGINHOOK_SCRIPT_SETUP
Per-script hook that is called once for each rpm mainainers script
that is present in the package
Each hook is called for every plugin that have this hook registered.
The avaliable transaction plugins can be specified in macros.in via
transaction_plugins element.
Signed-off-by: Panu Matilainen <pmatilai@redhat.com>
- Base64 is present in headers and all, it's only reasonable that
our API users have access to this functionality without having
to link to other libraries. Even if we didn't want to carry the
implementation forever in our codebase, we should provide a wrapping
for this (much like the other crypto stuff) for the reason stated above.
- A bigger issue is that our dirty little (badly hidden) secret was using
non-namespaced function names, clashing with at least beecrypt. And we
couldn't have made these internal-only symbols even on platforms that
support it, because they are used all over the place outside rpmio.
So... rename the b64 functions to rpmLikeNamingStyle and make 'em public.
No functional changes, just trivial renaming despite touching numerous
places.
- Having an err label which we fall through on success too seems
a bit funny, rename the label to exit
- Initialize the sepoltrans at declaration already
- Remove redundant RPMRC_FAIL assignment on sepoltransNew() fail
case, this already assumes failure
- Remove redundant jump to exit from sepoltransCommit() error
- Eliminate trailing dead NULL assignment of the local pt variable
- The sepolicy plugin needs them so the symbols can't be hidden, but
these are not something external API-users should be messing with.
- Ultimately we'll want to push the actual labeling from FSM to
the plugin, insulating rpm from all SELinux specifics, this is
just a band-aid temporary "solution" to keep this out of the API.
- Plugins are by their very nature arch specific, while /usr/lib/rpm
is a hodgepodge of all sorts of ... stuff, most of which is
arch-independent and all. Use %{_libdir}/rpm-plugins to cleanly
differentiate 32 vs 64bit plugin paths
This adds a new plugin specifically for a collection to load SELinux
policy. This implements the post_add and pre_remove plugin hooks. The
only time anything happens during the pre_remove hook is if post_add was
not called (i.e. if the transaction only removes policies).
This plugin extracts all the policy information from packages in the
sepolicy collection during the open te hook. It then determines which
policies should be installed/removed based on if the package is being
installed/removed and the type of the policy and the system policy. It
then executes semodule (or uses libsemanage if semodule cannot be
executed or installing in a chroot) to remove and install the necessary
policies. It then reloads the selinux state, reloads the file contexts,
and if necessary, relabels the file system.
Lubos Kardos