import UBI ima-evm-utils-1.5-2.el9

2024-11-12 10:51:06 +00:00 · 2024-11-12 10:51:06 +00:00 · 3b7cb665a1
commit 3b7cb665a1
parent 09ea83a089
11 changed files with 358 additions and 146 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,3 @@
-SOURCES/ima-evm-utils-1.3.2.tar.gz
+SOURCES/centosimarelease-9.der
-SOURCES/ima-evm-utils-1.4.tar.gz
+SOURCES/ima-evm-utils-1.5.tar.gz
 SOURCES/redhatimarelease-9.der
--- a/.ima-evm-utils.metadata
+++ b/.ima-evm-utils.metadata
@ -1,2 +1,3 @@
-034d163533ae5f9c06001b375ec7e5a1b09a3853 SOURCES/ima-evm-utils-1.3.2.tar.gz
+61d5a223ff0c79189505abae77e0087c4b2d2b47 SOURCES/centosimarelease-9.der
-f23d8a406759a469b0223b0bfb302ada4407a1d1 SOURCES/ima-evm-utils-1.4.tar.gz
+87b19af821da481a50e820958f75104878442472 SOURCES/ima-evm-utils-1.5.tar.gz
 99e571f9de4188f3b5fdf1f84ff73f6cc4bb6a0e SOURCES/redhatimarelease-9.der
--- a/SOURCES/0001-evmctl-fix-memory-leak-in-get_password.patch
+++ b/SOURCES/0001-evmctl-fix-memory-leak-in-get_password.patch
@ -1,38 +0,0 @@
 From 2f1740eab432abc8e85172531d97eba33342474c Mon Sep 17 00:00:00 2001
 From: Bruno Meneguele <bmeneg@redhat.com>
 Date: Mon, 16 Aug 2021 12:11:15 -0300
 Subject: [PATCH] evmctl: fix memory leak in get_password
 The variable "password" is not freed nor returned in case get_password()
 succeeds. Return it instead of the intermediary variable "pwd". Issue found
 by Coverity scan tool.
 src/evmctl.c:2565: leaked_storage: Variable "password" going out of scope
    leaks the storage it points to.
 Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
 ---
 src/evmctl.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
 diff --git a/src/evmctl.c b/src/evmctl.c
 index a8065bbe124a..ab7173723095 100644
 --- a/src/evmctl.c
 +++ b/src/evmctl.c
@@ -2625,7 +2625,12 @@ static char *get_password(void)
 		return NULL;
 	}
 -	return pwd;
 +	if (pwd == NULL) {
 +		free(password);
 +		return NULL;
 +	}
 +
 +	return password;
 }
 int main(int argc, char *argv[])
 -- 
 2.31.1
--- a/SOURCES/0001-libimaevm-make-SHA-256-the-default-hash-algorithm.patch
+++ b/SOURCES/0001-libimaevm-make-SHA-256-the-default-hash-algorithm.patch
@ -1,61 +0,0 @@
 From 916a0f97fd244a48fde429a63ddc04ed1ed94f8b Mon Sep 17 00:00:00 2001
 From: Bruno Meneguele <bmeneg@redhat.com>
 Date: Mon, 16 Aug 2021 17:58:35 -0300
 Subject: [PATCH] libimaevm: make SHA-256 the default hash algorithm
 The SHA-1 algorithm is considered a weak hash algorithm and there has been
 some movement within certain distros to drop its support completely or at
 least drop it from the default behavior. ima-evm-utils uses it as the
 default algorithm in case the user doesn't explicitly ask for another
 through the --hashalgo/-a option. With that, make SHA-256 the default hash
 algorithm instead.
 Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
 ---
 README          | 2 +-
 src/evmctl.c    | 2 +-
 src/libimaevm.c | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
 diff --git a/README b/README
 index 87cd3b5cd7da..0dc02f551673 100644
 --- a/README
 +++ b/README
@@ -41,7 +41,7 @@ COMMANDS
 OPTIONS
 -------
 -  -a, --hashalgo     sha1 (default), sha224, sha256, sha384, sha512
 +  -a, --hashalgo     sha1, sha224, sha256 (default), sha384, sha512
   -s, --imasig       make IMA signature
   -d, --imahash      make IMA hash
   -f, --sigfile      store IMA signature in .sig file instead of xattr
 diff --git a/src/evmctl.c b/src/evmctl.c
 index a8065bbe124a..e0e55bc0b122 100644
 --- a/src/evmctl.c
 +++ b/src/evmctl.c
@@ -2496,7 +2496,7 @@ static void usage(void)
 	printf(
 		"\n"
 -		"  -a, --hashalgo     sha1 (default), sha224, sha256, sha384, sha512, streebog256, streebog512\n"
 +		"  -a, --hashalgo     sha1, sha224, sha256 (default), sha384, sha512, streebog256, streebog512\n"
 		"  -s, --imasig       make IMA signature\n"
 		"  -d, --imahash      make IMA hash\n"
 		"  -f, --sigfile      store IMA signature in .sig file instead of xattr\n"
 diff --git a/src/libimaevm.c b/src/libimaevm.c
 index 8e9615796153..f6c72b878d88 100644
 --- a/src/libimaevm.c
 +++ b/src/libimaevm.c
@@ -88,7 +88,7 @@ static const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = {
 struct libimaevm_params imaevm_params = {
 	.verbose = LOG_INFO,
 	.x509 = 1,
 -	.hash_algo = "sha1",
 +	.hash_algo = "sha256",
 };
 static void __attribute__ ((constructor)) libinit(void);
 -- 
 2.31.1
--- a/SOURCES/dracut-98-integrity.conf
+++ b/SOURCES/dracut-98-integrity.conf
@ -0,0 +1 @@
 add_dracutmodules+=" integrity "
--- a/SOURCES/ima-add-sigs.sh
+++ b/SOURCES/ima-add-sigs.sh
@ -0,0 +1,97 @@
 #!/bin/bash
 #
 # This script add IMA signatures to installed RPM package files
 # Usage: add_ima_sigs.sh [--package=PACKAGE_NAME|ALL] [--ima-cert=IMA_CERT_PATH] [--reinstall_threshold=NUM]
 #
 # By default, it will add IMA sigantures to all installed package files. Or you
 # can provide a package name to only add IMA signature for files of specicifed
 # package.  If it detects >=20 packages (or 1 package if you specify a package
 # name) missing signatures in the RPM database, it will reinstall the packages
 # in order to get the IMA signatures.
 #
 # With the signing IMA cert path specified, it will also try to verify
 # the added IMA signature.
 for _opt in "$@"; do
 	case "$_opt" in
 	--reinstall_threshold=*)
 		reinstall_threshold=${_opt#*=}
 		;;
 	--package=*)
 		package=${_opt#*=}
 		;;
 	--ima_cert=*)
 		ima_cert=${_opt#*=}
 		;;
 	*)
 		usage
 		;;
 	esac
 done
 if [[ -z $package ]] || [[ $package == ALL ]]; then
 	package="--all"
 fi
 abort() {
 	echo "$1"
 	exit 1
 }
 # Add IMA signatures from RPM database
 add_from_rpm_db() {
 	if ! command -v setfattr &>/dev/null; then
 			abort "Please install attr"
 	fi
 	# use "|" as deliminator since it won't be used in a filename or signature
 	while IFS="|" read -r path sig; do
 		# [[ -z "$sig" ]] somehow doesn't work for some files that don't have IMA
 		# signatures. This may be a issue of rpm
 		if [[ "$sig" != "0"* ]]; then
 			continue
 		fi
 		# Skip directory, soft links, non-existent files and vfat fs
 		if [[ -d "$path" || -L "$path" || ! -f "$path" || "$path" == "/boot/efi/EFI/"* ]]; then
 			continue
 		fi
 		if ! setfattr -n security.ima "$path" -v "0x$sig"; then
 			echo "Failed to add IMA sig for $path"
 		fi
 		[[ -e "$ima_cert" ]] || continue
 		# TODO
 		# don't verify the modified files like /etc?
 		if ! evmctl ima_verify -k "$ima_cert" "$path" &>/dev/null; then
 			echo "Failed to verify $path"
 		fi
 	done < <(rpm -q --queryformat "[%{FILENAMES}|%{FILESIGNATURES}\n]" "$package")
 }
 # Add IMA signatures by reinstalling all packages
 add_by_reinstall() {
 	[[ $package == "--all" ]] && package='*'
 	dnf reinstall "$package" -yq >/dev/null
 }
 if [[ -z $reinstall_threshold ]]; then
 	if [[ $package == "--all" ]]; then
 		reinstall_threshold=20
 	else
 		if ! rpm -q --quiet $package; then
 			dnf install "$package" -yq >/dev/null
 			exit 0
 		fi
 		reinstall_threshold=1
 	fi
 fi
 unsigned_packages_in_rpm_db=$(rpm -q --queryformat "%{SIGPGP:pgpsig}\n" $package | grep "^(none)$" | wc -l)
 if [[ $unsigned_packages_in_rpm_db -ge $reinstall_threshold ]]; then
 	add_by_reinstall
 else
 	add_from_rpm_db
 fi
--- a/SOURCES/ima-setup.sh
+++ b/SOURCES/ima-setup.sh
@ -0,0 +1,141 @@
 #!/bin/bash
 #
 # This script helps set up IMA.
 #
 IMA_SYSTEMD_POLICY=/etc/ima/ima-policy
 IMA_POLICY_SYSFS=/sys/kernel/security/ima/policy
 usage() {
 	echo "Set up IMA."
 	cat <<EOF
 usage: $0 --policy=IMA_POLICY_PATH [--reinstall_threshold=NUM]
       --policy
       The path of IMA policy to be loaded. Sample polices are inside
       /usr/share/ima/policies or you can use your own IMA policy
       The path of IMA policy to be loaded.  Sample polices are inside
       /usr/share/ima/policies or you can use your own IMA policy
       --reinstall_threshold
       When there are >reinstall_threshold packages in the RPM DB missing IMA signatures, reinstalling the packages to add IMA signatures to the packages.
       By default, IMA sigatures will be obtained from the RPM DB. However the RPM DB may not have the signatures. Dectect this case by checking if there are >reinstall_threshold package missing IMA signatures.
 EOF
 	exit 1
 }
 for _opt in "$@"; do
 	case "$_opt" in
 	--policy=*)
 		ima_policy_path=${_opt#*=}
 		if [[ ! -e $ima_policy_path ]]; then
 			echo "$policy_file doesn't exist"
 			exit 1
 		fi
 		;;
 	--reinstall_threshold=*)
 		reinstall_threshold=${_opt#*=}
 		;;
 	*)
 		usage
 		;;
 	esac
 done
 if [[ $# -eq 0 ]]; then
 	usage
 fi
 echo "Installing prerequisite package rpm-plugin-ima"
 if ! dnf install rpm-plugin-ima -yq; then
 	echo "Failed to install rpm-plugin-ima, abort"
 	exit 1
 fi
 # Add IMA signatures
 if test -f /run/ostree-booted; then
 	echo "You are using OSTree, please enable IMA signatures as part of the OSTree creation process."
 else
 	echo "Adding IMA signatures to installed package files"
 	if ! ima-add-sigs; then
 		echo "Failed to add IMA signatures, abort"
 		exit 1
 	fi
 fi
 load_ima_keys() {
 	local _key_loaded
 	if line=$(keyctl describe %keyring:.ima); then
 		_ima_id=${line%%:*}
 	else
 		echo "Failed to get ID of the .ima  keyring"
 		exit 1
 	fi
 	for i in /etc/keys/ima/*; do
 		if [ ! -f "${i}" ]; then
 			echo "No IMA key exist"
 			exit 1
 		fi
 		if ! evmctl import "${i}" "${_ima_id}" &>/dev/null; then
 			echo "Failed to load IMA key ${i}"
 		else
 			_key_loaded=yes
 		fi
 	done
 	if [[ $_key_loaded != yes ]]; then
 		echo "No IMA key loaded"
 		exit 1
 	fi
 }
 load_ima_policy() {
 	local ima_policy_path
 	ima_policy_path=$1
 	if ! test -f "$ima_policy_path"; then
 		echo "$ima_policy_path doesn't exist"
 		return 1
 	fi
 	if ! echo "$ima_policy_path" >"$IMA_POLICY_SYSFS"; then
 		echo "$ima_policy_path can't be loaded"
 		return 1
 	fi
 	# Let systemd load the IMA policy which will load LSM rules first so IMA
 	# policy containing rules like "appraise obj_type=ifconfig_exec_t" can be
 	# loaded
 	[[ -e /etc/ima ]] || mkdir -p /etc/ima/
 	if ! cp --preserve=xattr "$ima_policy_path" "$IMA_SYSTEMD_POLICY"; then
 		echo "Failed to copy $ima_policy_path to $IMA_SYSTEMD_POLICY"
 		return 1
 	fi
 }
 echo "Loading IMA keys"
 load_ima_keys
 # Include the dracut integrity module to load the IMA keys and policy
 # automatically when there is a system reboot
 if ! lsinitrd --mod | grep -q integrity; then
 	cp --preserve=xattr /usr/share/ima/dracut-98-integrity.conf /etc/dracut.conf.d/98-integrity.conf
 	echo "Rebuilding the initramfs of kernel-$(uname -r) to include the dracut integrity module"
 	dracut -f
 	if command -v grubby >/dev/null; then
 		_default_kernel=$(grubby --default-kernel | sed -En "s/.*vmlinuz-(.*)/\1/p")
 		if [[ $_default_kernel != $(uname -r) ]]; then
 			echo "Current kernel is not the default kernel ($_default_kernel), include dracut integrity for it as well"
 			dracut -f --kver "$_default_kernel"
 		fi
 	fi
 fi
 if ! load_ima_policy "$ima_policy_path"; then
 	echo "Failed to load IMA policy $ima_policy_path!"
 	exit 1
 fi
--- a/SOURCES/policy-01-appraise-exectuables-and-lib-signatures
+++ b/SOURCES/policy-01-appraise-exectuables-and-lib-signatures
@ -0,0 +1,2 @@
 appraise func=MMAP_CHECK mask=MAY_EXEC appraise_type=imasig
 appraise func=BPRM_CHECK appraise_type=imasig
--- a/SOURCES/policy-02-keylime-remote-attestation
+++ b/SOURCES/policy-02-keylime-remote-attestation
@ -0,0 +1,37 @@
 # PROC_SUPER_MAGIC
 dont_measure fsmagic=0x9fa0
 # SYSFS_MAGIC
 dont_measure fsmagic=0x62656572
 # DEBUGFS_MAGIC
 dont_measure fsmagic=0x64626720
 # TMPFS_MAGIC
 dont_measure fsmagic=0x01021994
 # DEVPTS_SUPER_MAGIC
 dont_measure fsmagic=0x1cd1
 # BINFMTFS_MAGIC
 dont_measure fsmagic=0x42494e4d
 # SECURITYFS_MAGIC
 dont_measure fsmagic=0x73636673
 # SELINUX_MAGIC
 dont_measure fsmagic=0xf97cff8c
 # SMACK_MAGIC
 dont_measure fsmagic=0x43415d53
 # CGROUP_SUPER_MAGIC
 dont_measure fsmagic=0x27e0eb
 # CGROUP2_SUPER_MAGIC
 dont_measure fsmagic=0x63677270
 # NSFS_MAGIC
 dont_measure fsmagic=0x6e736673
 # EFIVARFS_MAGIC
 dont_measure fsmagic=0xde5e81e4
 # OVERLAYFS_MAGIC
 # when containers are used we almost always want to ignore them
 dont_measure fsmagic=0x794c7630
 # Measure and log keys loaded onto the .ima keyring
 measure func=KEY_CHECK keyrings=.ima
 # Measure and log executables
 measure func=BPRM_CHECK
 # Measure and log shared libraries
 measure func=FILE_MMAP mask=MAY_EXEC
--- a/SOURCES/policy_list
+++ b/SOURCES/policy_list
@ -0,0 +1,2 @@
 01-appraise-exectuables-and-lib-signatures
 02-keylime-remote-attestation
--- a/SPECS/ima-evm-utils.spec
+++ b/SPECS/ima-evm-utils.spec
@ -1,31 +1,34 @@
-%bcond_with compat
+# If the soname gets bumped we need to ship a compat library to be able
 # to bootstrap and rebuild rpm else we end up with chicken and egg problem.
 %global bootstrap 0
-# For cases where the soname requires a bump we need to define with_compat,
+%if 0%{bootstrap}
-# update the package into the side-tag, update RPM (rpm-sign) into side-tag,
+%global compat_soversion 3
 # _then_ undefine with_compat and rebuild the package into the side-tag. This
 # is required to workaround the chiken-egg situation with the rpm-sign update.
 # The compat pkg must not make the compose, it's only a buildrequirement for
 # rpm-sign in a soname bump.
 %if ! %{with compat}
 %undefine with_compat
 %endif
 %if %{with compat}
 %global compat_soversion 2
 %endif
 Name:    ima-evm-utils
-Version: 1.4
+Version: 1.5
-Release: 4%{?dist}
+Release: 2%{?dist}
 Summary: IMA/EVM support utilities
 License: GPLv2
 Url:     http://linux-ima.sourceforge.net/
-Source:  http://sourceforge.net/projects/linux-ima/files/ima-evm-utils/%{name}-%{version}.tar.gz
+Source0:  https://github.com/mimizohar/ima-evm-utils/releases/download/v%{version}/%{name}-%{version}.tar.gz
 # IMA setup tools
 Source2: dracut-98-integrity.conf
 Source3: ima-add-sigs.sh
 Source4: ima-setup.sh
 Source100: policy-01-appraise-exectuables-and-lib-signatures
 Source101: policy-02-keylime-remote-attestation
 Source200: policy_list
 Source300: redhatimarelease-9.der
 Source301: centosimarelease-9.der
 %if 0%{bootstrap}
 # compat source and patches
-Source10: ima-evm-utils-1.3.2.tar.gz
+Source10: ima-evm-utils-1.4.tar.gz
-Patch10:  0001-evmctl-fix-memory-leak-in-get_password.patch
+%endif
 Patch11:  0001-libimaevm-make-SHA-256-the-default-hash-algorithm.patch
 BuildRequires: asciidoc
 BuildRequires: autoconf
@ -37,6 +40,8 @@ BuildRequires: libxslt
 BuildRequires: make
 BuildRequires: openssl-devel
 BuildRequires: tpm2-tss-devel
 Requires: keyutils
 Requires: attr
 %description
 The Trusted Computing Group(TCG) run-time Integrity Measurement Architecture
@ -53,23 +58,14 @@ Requires: %{name} = %{version}-%{release}
 %description devel
 This package provides the header files for %{name}
 %if %{with compat}
 %package -n %{name}%{compat_soversion}
 Summary: Compatibility package of %{name}
 %description -n %{name}%{compat_soversion}
 This package provides the libimaevm.so.%{compat_soversion} relative to %{name}-1.3
 %endif
 %prep
 %setup -q
-%if %{with compat}
+%if 0%{bootstrap}
 mkdir compat/
-tar -zxf %{SOURCE10} --strip-components=1 -C compat/
+pushd compat/
-cd compat/
+tar -zxf %{SOURCE10} --strip-components=1
-%patch10 -p1
+popd
 %patch11 -p1
 %endif
 %build
@ -77,10 +73,10 @@ autoreconf -vif
 %configure --disable-static
 %make_build
-%if %{with compat}
+%if 0%{bootstrap}
 pushd compat/
 autoreconf -vif
-%configure --disable-static
+%configure --disable-static --disable-engine
 %make_build
 popd
 %endif
@ -89,7 +85,7 @@ popd
 %make_install
 find %{buildroot} -type f -name "*.la" -print -delete
-%if %{with compat}
+%if 0%{bootstrap}
 pushd compat/src/.libs/
 install -p libimaevm.so.%{compat_soversion}.0.0 %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}.0.0
 ln -s -f %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}.0.0 %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}
@ -98,26 +94,59 @@ popd
 %ldconfig_scriptlets
 # IMA setup tools
 install -D -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_datadir}/ima/dracut-98-integrity.conf
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/ima/policies
 while IFS= read -r policy_file
 do
  install -m 644 %{_sourcedir}/policy-"$policy_file" $RPM_BUILD_ROOT%{_datadir}/ima/policies/"$policy_file"
 done < %{SOURCE200}
 install -D %{SOURCE3} $RPM_BUILD_ROOT%{_bindir}/ima-add-sigs
 install -D %{SOURCE4} $RPM_BUILD_ROOT%{_bindir}/ima-setup
 # IMA code-signing certs
 install -d -m 755 $RPM_BUILD_ROOT/etc/keys/ima
 install -m 644 %{SOURCE300} %{SOURCE301} $RPM_BUILD_ROOT/etc/keys/ima/
 %files
 %license COPYING
 %doc NEWS README AUTHORS
 %{_bindir}/evmctl
 # if you need to bump the soname version, coordinate with dependent packages
 %{_libdir}/libimaevm.so.3*
 %{_mandir}/man1/evmctl*
 # IMA setup tools
 %{_datadir}/ima/policies
 %{_datadir}/ima/dracut-98-integrity.conf
 %{_bindir}/ima-add-sigs
 %{_bindir}/ima-setup
 # if you need to bump the soname version, coordinate with dependent packages
 %{_libdir}/libimaevm.so.4*
 %if 0%{bootstrap}
 %{_libdir}/libimaevm.so.%{compat_soversion}
 %{_libdir}/libimaevm.so.%{compat_soversion}.0.0
 %endif
 # IMA code-signing certs
 /etc/keys/ima/*.der
 %files devel
 %{_pkgdocdir}/*.sh
 %{_includedir}/imaevm.h
 %{_libdir}/libimaevm.so
 %if %{with compat}
 %files -n %{name}%{compat_soversion}
 %{_libdir}/libimaevm.so.%{compat_soversion}
 %{_libdir}/libimaevm.so.%{compat_soversion}.0.0
 %endif
 %changelog
 * Fri Jun 07 2024 Coiby Xu <coxu@redhat.com> - 1.5-2
 - add some IMA setup tools (RHEL-33751)
 * Tue Jun 04 2024 Coiby Xu <coxu@redhat.com> - 1.5-1
 - Disable compat build (RHEL-2969)
 * Fri Apr 12 2024 Coiby Xu <coxu@redhat.com> - 1.5-0.1
 - Update to upstream 1.5 (RHEL-2969)
 * Mon Dec 13 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.4-4
 - Fix compat bcond_with value check.
		`@ -0,0 +1,2 @@`
							`appraise func=MMAP_CHECK mask=MAY_EXEC appraise_type=imasig`
							`appraise func=BPRM_CHECK appraise_type=imasig`
		`@ -0,0 +1,2 @@`
							`01-appraise-exectuables-and-lib-signatures`
							`02-keylime-remote-attestation`