Commit Graph

7 Commits

Author SHA1 Message Date
Stefan Berger 99887fec10 ima: Also apply signatures to config files
Even though config files may be close to what could be described as
'mutable files', we now want to give the user control over the
installation of signatures on these files as well. We enable this
through a variable in the macro file. For this, we should be aware
that the signatures of these files may become incorrect or missing
once RPM post installation scripts or other programs have modified
these configuration files.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
2018-02-12 10:21:40 +02:00
Gleb Fotengauer-Malinovskiy a0c138592d Include system.h in ima and syslog plugins
Currently, there is no harm if config.h is not included in these files
because they are not sensitive to macros defined in config.h, but any
code added later or any plugin created using these plugins as examples
might be affected by these macros and therefore has to include config.h.

An example of a bug when this header is not included properly can be seen
in the previous commit.

Signed-off-by: Gleb Fotengauer-Malinovskiy <glebfm@altlinux.org>
2017-03-24 12:51:39 +02:00
Stefan Berger 9d8c7b6dbd ima-plugin: Move the IMA plugin to the fsm_file_prepare hook
Since newly installed files may be invoked by post install scriptlets,
we need to have them signed before the scriptlets are executed.
Therefore, we now move the IMA plugin to the fsm_file_prepare hook.
This way we can also correctly handle skipped files without silencing
away any errors from lsetxattr().

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
2016-10-10 15:09:52 +03:00
Stefan Berger 7d89f49c4d ima-plugin: Have executable configuration files signed
Some configuration files are executables and so they require the
signature in the extended attribute. If they are not executable,
they can be skipped.

Examples for configuration files that are also executables are
the grub files in /etc/grub.d.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
2016-10-10 14:54:42 +03:00
Stefan Berger e9e9b66779 Fix handling of zero-length file digests
Do not try to convert a zero-length file digest to a binary representation.
Zero-length file digests may stem from directory entries and symbolic links.
Return an empty signature in this case.

Returning an empty signature results in the ima.so plugin getting a sequence
of zeroes that it would write into security.ima xattr. Check for a signature
header consisting of only zeroes and do not write it into the filesystem.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
2016-04-29 17:23:44 +02:00
Fionnuala Gunter 7bcc79b239 Fix file signatures not installing
Only the first file signature was getting installed. rpmfiNext returns
the next file iterator index and -1 on termination. Now the loop correctly
terminates only when the rpmfiNext return value is negative.
2015-09-01 10:49:11 +02:00
fin@linux.vnet.ibm.com 8c70222a1f IMA plugin labels ima xattr with file signatures
This plugin extracts file signatures from rpmfiles and writes them to
security.ima xattr. Only non-config file signatures are installed.

Changelog:
- use rpmfi instead of rpmfiles
- use rpmfiFN instead of fsmFsPath

Signed-off-by: Lubos Kardos <lkardos@redhat.com>
2015-08-12 14:23:31 +02:00