Updating for Keylime release v6.5.3

.gitignore

@@ -19,3 +19,4 @@
 /v6.4.2.tar.gz
 /v6.4.3.tar.gz
 /keylime-selinux-1.0.0.tar.gz
+/v6.5.3.tar.gz

0001-Proper-exception-handling-in-tornado_requests.patch

@@ -1,37 +0,0 @@
-From 6c015819dffaafd6450916ac3028b446e9e36313 Mon Sep 17 00:00:00 2001
-From: George Almasi <gheorghe@us.ibm.com>
-Date: Sat, 8 Oct 2022 14:10:00 +0000
-Subject: [PATCH] Proper exception handling in tornado_requests
-
-Signed-off-by: George Almasi <gheorghe@us.ibm.com>
----
- keylime/tornado_requests.py | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/keylime/tornado_requests.py b/keylime/tornado_requests.py
-index 67c03ab..9485c33 100644
---- a/keylime/tornado_requests.py
-+++ b/keylime/tornado_requests.py
-@@ -32,7 +32,6 @@ async def request(method, url, params=None, data=None, context=None, headers=Non
-     except httpclient.HTTPError as e:
-         if e.response is None:
-             return TornadoResponse(500, str(e))
--
-         return TornadoResponse(e.response.code, e.response.body)
-     except ConnectionError as e:
-         return TornadoResponse(599, f"Connection error: {str(e)}")
-@@ -40,8 +39,10 @@ async def request(method, url, params=None, data=None, context=None, headers=Non
-         return TornadoResponse(599, f"SSL connection error: {str(e)}")
-     except OSError as e:
-         return TornadoResponse(599, f"TCP/IP Connection error: {str(e)}")
-+    except Exception as e:
-+        return TornadoResponse(599, f"General communication failure: {str(e)}")
-     if response is None:
--        return None
-+        return TornadoResponse(599, "Unspecified failure in tornado (empty http response)")
-     return TornadoResponse(response.code, response.body)
- 
- 
--- 
-2.38.1
-

01-duplicate-str-to-version.patch

@@ -0,0 +1,74 @@
+diff --git a/keylime/cmd/convert_config.py b/keylime/cmd/convert_config.py
+index ab51332..3db8092 100755
+--- a/keylime/cmd/convert_config.py
++++ b/keylime/cmd/convert_config.py
+@@ -84,13 +84,33 @@ import importlib.util
+ import itertools
+ import json
+ import os
++import re
+ import shutil
+ from configparser import RawConfigParser
+-from typing import List, Optional, Tuple
++from typing import List, Optional, Tuple, Union
+ 
+ from jinja2 import Template
+ 
+-from keylime.common.version import str_to_version
++
++def str_to_version(v_str: str) -> Union[Tuple[int, int], None]:
++    """
++    Validates the string format and converts the provided string to a tuple of
++    ints which can be sorted and compared.
++
++    :returns: Tuple with version number parts converted to int. In case of
++    invalid version string, returns None
++    """
++
++    # Strip to remove eventual quotes and spaces
++    v_str = v_str.strip('" ')
++
++    m = re.match(r"^(\d+)\.(\d+)$", v_str)
++
++    if not m:
++        return None
++
++    return (int(m.group(1)), int(m.group(2)))
++
+ 
+ COMPONENTS = ["agent", "verifier", "tenant", "registrar", "ca", "logging"]
+ 
+diff --git a/templates/2.0/adjust.py b/templates/2.0/adjust.py
+index 312b790..c1e582a 100644
+--- a/templates/2.0/adjust.py
++++ b/templates/2.0/adjust.py
+@@ -2,9 +2,27 @@ import ast
+ import configparser
+ import re
+ from configparser import RawConfigParser
+-from typing import Dict, List, Optional, Tuple
++from typing import Dict, List, Optional, Tuple, Union
+ 
+-from keylime.common.version import str_to_version
++
++def str_to_version(v_str: str) -> Union[Tuple[int, int], None]:
++    """
++    Validates the string format and converts the provided string to a tuple of
++    ints which can be sorted and compared.
++
++    :returns: Tuple with version number parts converted to int. In case of
++    invalid version string, returns None
++    """
++
++    # Strip to remove eventual quotes and spaces
++    v_str = v_str.strip('" ')
++
++    m = re.match(r"^(\d+)\.(\d+)$", v_str)
++
++    if not m:
++        return None
++
++    return (int(m.group(1)), int(m.group(2)))
+ 
+ 
+ def adjust(config: RawConfigParser, mapping: Dict) -> None:  # pylint: disable=unused-argument

keylime.spec

@@ -8,7 +8,7 @@
 %global selinuxtype targeted
 
 Name:    keylime
-Version: 6.4.3
+Version: 6.5.3
 Release: %autorelease
 Summary: Open source TPM software for Bootstrapping and Maintaining Trust
 
@@ -18,7 +18,7 @@ Source1:        %{srcname}.sysusers
 # The selinux policy for keylime is distributed via this repo: https://github.com/RedHat-SP-Security/keylime-selinux
 Source2:        https://github.com/RedHat-SP-Security/%{name}-selinux/archive/v%{policy_version}/keylime-selinux-%{policy_version}.tar.gz
 
-Patch: 0001-Proper-exception-handling-in-tornado_requests.patch
+Patch: 01-duplicate-str-to-version.patch
 
 # Main program: BSD
 # Icons: MIT
@@ -29,6 +29,7 @@ BuildRequires: swig
 BuildRequires: openssl-devel
 BuildRequires: python3-devel
 BuildRequires: python3-dbus
+BuildRequires: python3-jinja2
 BuildRequires: python3-setuptools
 BuildRequires: systemd-rpm-macros
 
@@ -64,6 +65,7 @@ Conflicts: keylime < 6.3.0-3
 Requires(pre): shadow-utils
 Requires: procps-ng
 Requires: tpm2-tss
+Requires: python3-jinja2
 
 %if 0%{?with_selinux}
 # This ensures that the *-selinux package and all it’s dependencies are not pulled
@@ -215,22 +217,41 @@ bzip2 -9 %{srcname}.pp
 %py3_install
 mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname}
 mkdir -p --mode=0700 %{buildroot}/%{_rundir}/%{srcname}
-mkdir -p --mode=0700 %{buildroot}/%{_localstatedir}/log/%{srcname}
+
+mkdir -p --mode=0700 %{buildroot}/%{_sysconfdir}/%{srcname}/
+for comp in "agent" "verifier" "tenant" "registrar" "ca" "logging"; do
+    mkdir -p --mode=0700  %{buildroot}/%{_sysconfdir}/%{srcname}/${comp}.conf.d
+done
+
+# Ship some scripts.
+mkdir -p %{buildroot}/%{_datadir}/%{srcname}/scripts
+for s in create_allowlist.sh \
+         create_mb_refstate \
+         create_policy \
+         ek-openssl-verify; do
+    install -Dpm 755 scripts/${s} \
+        %{buildroot}/%{_datadir}/%{srcname}/scripts/${s}
+done
+
+# Ship configuration templates.
+cp -r ./templates %{buildroot}%{_datadir}/%{srcname}/templates/
 
 # Setting up the agent to use keylime user/group.
-sed -e 's/^run_as.*/run_as = %{srcname}:%{srcname}/g' -i %{srcname}.conf
+printf '[agent]\nrun_as = %s:%s\n' "%{srcname}" "%{srcname}" \
+    > %{buildroot}/%{_sysconfdir}/%{srcname}/agent.conf.d/run_as.conf
 
 # rhbz#2114485 - using sha256 for tpm_hash_alg.
-sed -e 's/^tpm_hash_alg[[:space:]]*=.*/tpm_hash_alg = sha256/g' -i %{srcname}.conf
+printf '[agent]\ntpm_hash_alg = sha256\n' \
+    > %{buildroot}/%{_sysconfdir}/%{srcname}/agent.conf.d/bz2114485.conf
+
+mkdir -p --mode=0755 %{buildroot}/%{_bindir}
+cp -a ./keylime/cmd/convert_config.py %{buildroot}/%{_bindir}/keylime_upgrade_config
 
 %if 0%{?with_selinux}
 install -D -m 0644 %{srcname}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2
 install -D -p -m 0644 keylime-selinux-%{policy_version}/%{srcname}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
 %endif
 
-install -Dpm 600 %{srcname}.conf \
-    %{buildroot}%{_sysconfdir}/%{srcname}.conf
-
 install -Dpm 644 ./services/%{srcname}_agent.service \
     %{buildroot}%{_unitdir}/%{srcname}_agent.service
 
@@ -243,7 +264,7 @@ install -Dpm 644 ./services/%{srcname}_verifier.service \
 install -Dpm 644 ./services/%{srcname}_registrar.service \
     %{buildroot}%{_unitdir}/%{srcname}_registrar.service
 
-cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/keylime/
+cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/
 
 install -p -d %{buildroot}/%{_tmpfilesdir}
 cat > %{buildroot}/%{_tmpfilesdir}/%{srcname}.conf << EOF
@@ -256,12 +277,44 @@ install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/%{srcname}.conf
 %sysusers_create_compat %{SOURCE1}
 exit 0
 
+%post base
+/usr/bin/keylime_upgrade_config
+exit 0
+
+%pre verifier
+/usr/bin/keylime_upgrade_config
+exit 0
+
+%pre registrar
+/usr/bin/keylime_upgrade_config
+exit 0
+
+%pre -n python3-%{srcname}-agent
+/usr/bin/keylime_upgrade_config
+exit 0
+
+%pre tenant
+/usr/bin/keylime_upgrade_config
+exit 0
+
 %posttrans base
-[ -f %{_sysconfdir}/%{srcname}.conf ] && \
-    chmod 600 %{_sysconfdir}/%{srcname}.conf && \
-    chown %{srcname} %{_sysconfdir}/%{srcname}.conf
+if [ -d %{_sysconfdir}/%{srcname} ]; then
+    chmod 500 %{_sysconfdir}/%{srcname}
+    chown -R %{srcname}:%{srcname} %{_sysconfdir}/%{srcname}
+
+    for comp in "agent" "verifier" "tenant" "registrar" "ca" "logging"; do
+        [ -d %{_sysconfdir}/%{srcname}/${comp}.conf.d ] && \
+            chmod 500 %{_sysconfdir}/%{srcname}/${comp}.conf.d
+    done
+fi
+
 [ -d %{_sharedstatedir}/%{srcname} ] && \
     chown -R %{srcname} %{_sharedstatedir}/%{srcname}/
+
+[ -d %{_sharedstatedir}/%{srcname}/tpm_cert_store ] && \
+    chmod 400 %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem && \
+    chmod 500 %{_sharedstatedir}/%{srcname}/tpm_cert_store/
+
 [ -d %{_localstatedir}/log/%{srcname} ] && \
     chown -R %{srcname} %{_localstatedir}/log/%{srcname}/
 exit 0
@@ -312,6 +365,9 @@ fi
 %preun -n python3-%{srcname}-agent
 %systemd_preun %{srcname}_agent.service
 
+%preun tenant
+%systemd_preun %{srcname}_registrar.service
+
 %postun verifier
 %systemd_postun_with_restart %{srcname}_verifier.service
 
@@ -323,22 +379,26 @@ fi
 
 %files verifier
 %license LICENSE
+%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/verifier.conf.d
 %{_bindir}/%{srcname}_verifier
 %{_bindir}/%{srcname}_ca
-%{_bindir}/%{srcname}_migrations_apply
 %{_unitdir}/keylime_verifier.service
 
 %files registrar
 %license LICENSE
+%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/registrar.conf.d
 %{_bindir}/%{srcname}_registrar
 %{_unitdir}/keylime_registrar.service
 
 %files -n python3-%{srcname}-agent
 %license LICENSE
-%{_bindir}/%{srcname}_agent
+%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/agent.conf.d
 %{_unitdir}/%{srcname}_agent.service
 %{_unitdir}/%{srcname}_agent_secure.mount
+%{_bindir}/%{srcname}_agent
 %{_bindir}/%{srcname}_ima_emulator
+%{_sysconfdir}/%{srcname}/agent.conf.d/bz2114485.conf
+%{_sysconfdir}/%{srcname}/agent.conf.d/run_as.conf
 
 %if 0%{?with_selinux}
 %files selinux
@@ -349,12 +409,17 @@ fi
 
 %files tenant
 %license LICENSE
+%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/tenant.conf.d
 %{_bindir}/%{srcname}_tenant
 
 %files -n python3-%{srcname}
 %license LICENSE
 %{python3_sitelib}/%{srcname}-*.egg-info/
 %{python3_sitelib}/%{srcname}
+%{_datadir}/%{srcname}/scripts/create_mb_refstate
+%{_datadir}/%{srcname}/scripts/create_policy
+%{_bindir}/keylime_convert_ima_policy
+%{_bindir}/keylime_attest
 
 %files tools
 %license LICENSE
@@ -363,12 +428,17 @@ fi
 %files base
 %license LICENSE
 %doc README.md
-%config(noreplace) %attr(600,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}.conf
+%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/{ca,logging}.conf.d
 %attr(700,%{srcname},%{srcname}) %dir %{_rundir}/%{srcname}
-%attr(700,%{srcname},%{srcname}) %dir %{_localstatedir}/log/%{srcname}
-%attr(700,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}
+%attr(700,%{srcname},%{srcname}) %dir %{_sharedstatedir}/%{srcname}
+%attr(500,%{srcname},%{srcname}) %dir %{_sharedstatedir}/%{srcname}/tpm_cert_store
+%attr(400,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem
 %{_tmpfilesdir}/%{srcname}.conf
 %{_sysusersdir}/%{srcname}.conf
+%{_datadir}/%{srcname}/scripts/create_allowlist.sh
+%{_datadir}/%{srcname}/scripts/ek-openssl-verify
+%{_datadir}/%{srcname}/templates
+%{_bindir}/keylime_upgrade_config
 
 %files
 %license LICENSE

sources

@@ -1,2 +1,2 @@
-SHA512 (v6.4.3.tar.gz) = fbc66d1b8677606bf382f03056b05edd6117dd5d845506365d96fd3ee8b5b291870ee672fe3cb17e9cc89b1acd29c99661a45826425e3bba45204f03f538c37f
+SHA512 (v6.5.3.tar.gz) = 770eb12b38e90d2055f1487e5d523553d1de74ff2f85deb9348a1681234aaa9e329f74cf64429116fd2cd30a64f30ade0fe6429afc1f74f797de7245d16c17ff
 SHA512 (keylime-selinux-1.0.0.tar.gz) = d0b4fea7407ad493b08e6f087e8f32b1a65acbee59bf6e20a0e26aaa139f56c1206c7e707898fd8a2e11468cd918f76cb6985f68b8a2faa8a2a4b7a9ba4c3674