Split keylime into subpackages

Related: rhbz#2045874 - Keylime subpackaging and agent alternatives
2022-02-07 19:44:19 -03:00 · 2022-02-07 19:44:19 -03:00 · 1295186eae
commit 1295186eae
parent 616454e3f1
2 changed files with 286 additions and 46 deletions
--- a/0001-revocation_notifier-fix-socket-path-permission-check.patch
+++ b/0001-revocation_notifier-fix-socket-path-permission-check.patch
@ -0,0 +1,32 @@
+From 5adb1f336dc88c081eaed13fc454e9601b34bc1e Mon Sep 17 00:00:00 2001
+From: Thore Sommer <mail@thson.de>
+Date: Thu, 27 Jan 2022 18:43:33 +0100
+Subject: [PATCH] revocation_notifier: fix socket path permission check
+
+If the path was already there, we checked if the socket has the right
+permissions not the directory. This fails because the file does not exists
+at that point.
+
+Signed-off-by: Thore Sommer <mail@thson.de>
+---
+ keylime/revocation_notifier.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/keylime/revocation_notifier.py b/keylime/revocation_notifier.py
+index e9e3b3f..1b74001 100644
+--- a/keylime/revocation_notifier.py
+++ b/keylime/revocation_notifier.py
+@@ -32,8 +32,8 @@ def start_broker():
+         if not os.path.exists(dir_name):
+             os.makedirs(dir_name, 0o700)
+         else:
+-            if os.stat(_SOCKET_PATH).st_mode & 0o777 != 0o700:
+-                msg = f"{_SOCKET_PATH} present with wrong permissions"
+            if os.stat(dir_name).st_mode & 0o777 != 0o700:
+                msg = f"{dir_name} present with wrong permissions"
+                 logger.error(msg)
+                 raise Exception(msg)
+ 
+-- 
+2.33.1
+
--- a/keylime.spec
+++ b/keylime.spec
@ -2,59 +2,205 @@

 Name:    keylime
 Version: 6.3.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Open source TPM software for Bootstrapping and Maintaining Trust

 BuildArch:      noarch

 URL:            https://github.com/keylime/keylime
-Source0:        https://github.com/keylime/keylime/archive/v%{version}.tar.gz
+Source0:        https://github.com/keylime/keylime/archive/refs/tags/v%{version}.tar.gz
+
+Patch:  0001-revocation_notifier-fix-socket-path-permission-check.patch
+
 # Main program: BSD
 # Icons: MIT
 License: ASL 2.0 and MIT

+BuildRequires: git-core
 BuildRequires: swig
 BuildRequires: openssl-devel
-BuildRequires: python3-setuptools
 BuildRequires: python3-devel
 BuildRequires: python3-dbus
-BuildRequires: python3-pbr
-BuildRequires: systemd
+BuildRequires: python3-setuptools
 BuildRequires: systemd-rpm-macros

-Requires: efivar-devel
-Requires: procps-ng
-Requires: python3-alembic
-Requires: python3-gnupg
-Requires: python3-pyasn1
-Requires: python3-pyyaml
-Requires: python3-m2crypto
-Requires: python3-cryptography
-Requires: python3-tornado
-Requires: python3-simplejson
-Requires: python3-sqlalchemy
-Requires: python3-requests
-Requires: python3-zmq
-Requires: tpm2-tss
-Requires: tpm2-tools
-Requires: tpm2-abrmd
+Requires: python3-%{srcname} = %{version}-%{release}
+Requires: %{srcname}-base = %{version}-%{release}
+Requires: %{srcname}-verifier = %{version}-%{release}
+Requires: %{srcname}-registrar = %{version}-%{release}
+Requires: %{srcname}-tenant = %{version}-%{release}
+Requires: %{srcname}-webapp = %{version}-%{release}
+Requires: %{srcname}-tools = %{version}-%{release}

+# Agent.
+Requires: keylime-agent
+Suggests: python3-%{srcname}-agent
+
+# Conflicts with the monolithic versions of the package, before the split.
+Conflicts: keylime < 6.3.0-3
+
+%{?python_enable_dependency_generator}
 %description
 Keylime is a TPM based highly scalable remote boot attestation
 and runtime integrity measurement solution.

+%package base
+Summary: The base package contains the default configuration
+License: MIT
+
+Requires(pre): shadow-utils
+Requires: efivar-libs
+Requires: procps-ng
+Requires: tpm2-tss
+Requires: tpm2-tools
+
+
+%description base
+The base package contains the Keylime default configuration
+
+%package -n python3-%{srcname}
+Summary: The Python Keylime module
+License: MIT
+
+Requires: %{srcname}-base = %{version}-%{release}
+%{?python_provide:%python_provide python3-%{srcname}}
+
+
+%description -n python3-%{srcname}
+The python3-keylime module implements the functionality used
+by Keylime components.
+
+%package verifier
+Summary: The Python Keylime Verifier component
+License: MIT
+
+
+Requires: %{srcname}-base = %{version}-%{release}
+Requires: python3-%{srcname} = %{version}-%{release}
+
+Requires: python3-tornado
+Requires: python3-sqlalchemy
+Requires: python3-alembic
+Requires: python3-cryptography
+Requires: python3-pyyaml
+Requires: python3-packaging
+Requires: python3-requests
+Requires: python3-zmq
+Requires: python3-gnupg
+
+
+%description verifier
+The Keylime Verifier continuously verifies the integrity state
+of the machine that the agent is running on.
+
+%package registrar
+Summary: The Keylime Registrar component
+License: MIT
+Requires: %{srcname}-base = %{version}-%{release}
+Requires: python3-%{srcname} = %{version}-%{release}
+
+Requires: python3-tornado
+Requires: python3-sqlalchemy
+Requires: python3-alembic
+Requires: python3-cryptography
+Requires: python3-pyyaml
+Requires: python3-packaging
+Requires: python3-requests
+Requires: python3-zmq
+Requires: python3-gnupg
+
+
+%description registrar
+The Keylime Registrar is a database of all agents registered
+with Keylime and hosts the public keys of the TPM vendors.
+
+%package -n python3-%{srcname}-agent
+Summary: The Python Keylime Agent
+License: MIT
+
+Requires: %{srcname}-base = %{version}-%{release}
+Requires: python3-%{srcname} = %{version}-%{release}
+
+# Virtual Provides to support swapping between Python and Rust implementation.
+Provides:  keylime-agent
+Conflicts: keylime-agent
+
+Requires: python3-psutil
+Requires: python3-tornado
+Requires: python3-cryptography
+Requires: python3-pyyaml
+Requires: python3-packaging
+Requires: python3-requests
+Requires: python3-zmq
+Requires: python3-gnupg
+
+
+%description -n python3-%{srcname}-agent
+The Keylime Agent is deployed to the remote machine that is to be
+measured or provisioned with secrets stored within an encrypted
+payload released once trust is established.
+
+%package tenant
+Summary: The Python Keylime Tenant
+License: MIT
+
+Requires: %{srcname}-base = %{version}-%{release}
+Requires: python3-%{srcname} = %{version}-%{release}
+
+
+%description tenant
+The Keylime Tenant can be used to provision a Keylime Agent.
+
+%package webapp
+Summary: The Python Keylime WebApp GUI
+License: MIT
+
+Requires: %{srcname}-base = %{version}-%{release}
+Requires: python3-%{srcname} = %{version}-%{release}
+
+Requires: python3-tornado
+Requires: python3-cryptography
+Requires: python3-pyyaml
+Requires: python3-packaging
+Requires: python3-requests
+Requires: python3-zmq
+Requires: python3-gnupg
+
+
+%description webapp
+The Keylime WebApp GUI interface can be used to provision a Keylime Agent.
+
+%package tools
+Summary: Keylime tools
+License: MIT
+
+Requires: %{srcname}-base = %{version}-%{release}
+Requires: python3-%{srcname} = %{version}-%{release}
+
+Requires: python3-tornado
+Requires: python3-cryptography
+Requires: python3-pyyaml
+Requires: python3-packaging
+Requires: python3-requests
+Requires: python3-zmq
+Requires: python3-gnupg
+
+
+%description tools
+The keylime tools package includes tools like the IMA emulator.
+
 %prep
-%autosetup -n %{srcname}-%{version}
+%autosetup -S git -n %{srcname}-%{version}

 %build
-export PBR_VERSION=%{version}
 %py3_build

 %install
-export PBR_VERSION=%{version}
 %py3_install
 mkdir -p %{buildroot}%{_unitdir}
-mkdir -p %{buildroot}/%{_sharedstatedir}/keylime
+mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname}
+mkdir -p --mode=0700 %{buildroot}/%{_rundir}/%{srcname}
+mkdir -p --mode=0700 %{buildroot}/%{_localstatedir}/log/%{srcname}

 install -pm 644 %{srcname}.conf \
    %{buildroot}%{_sysconfdir}/%{srcname}.conf
@ -65,42 +211,104 @@ install -pm 644 ./services/%{srcname}_agent.service \
 install -pm 644 ./services/%{srcname}_verifier.service \
    %{buildroot}%{_unitdir}/%{srcname}_verifier.service

-install -pm 644 ./services/%{srcname}_agent.service \
+install -pm 644 ./services/%{srcname}_registrar.service \
    %{buildroot}%{_unitdir}/%{srcname}_registrar.service

 cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/keylime/

-%post
-%systemd_post %{srcname}_agent.service %{srcname}_verifier.service %{srcname}_registrar.service
+%pre base
+getent group %{srcname} >/dev/null || groupadd -r %{srcname} &>/dev/null
+getent passwd %{srcname} >/dev/null || \
+     useradd -r -g %{srcname} -d %{_localstatedir}/lib/%{srcname} -s /usr/sbin/nologin \
+     -c "Keylime agent unprivileged user" %{srcname} &>/dev/null
+# Add keylime user to tss group.
+if getent group tss >/dev/null && ! groups %{srcname} | grep -q "\btss\b"; then
+    usermod -a -G tss %{srcname} &>/dev/null
+fi
+exit 0

-%preun
-%systemd_preun %{srcname}_agent.service %{srcname}_verifier.service %{srcname}_registrar.service
+%post verifier
+%systemd_post %{srcname}_verifier.service

-%postun
-%systemd_postun_with_restart %{srcname}_agent.service %{srcname}_verifier.service %{srcname}_registrar.service
+%post registrar
+%systemd_post %{srcname}_registrar.service

-%files
-%license LICENSE keylime/static/icons/ICON-LICENSE
-%doc README.md
-%{python3_sitelib}/%{srcname}-*.egg-info/
-%{python3_sitelib}/%{srcname}
+%post -n python3-%{srcname}-agent
+%systemd_post %{srcname}_agent.service
+
+%preun verifier
+%systemd_preun %{srcname}_verifier.service
+
+%preun registrar
+%systemd_preun %{srcname}_registrar.service
+
+%preun -n python3-%{srcname}-agent
+%systemd_preun %{srcname}_agent.service
+
+%postun verifier
+%systemd_postun_with_restart %{srcname}_verifier.service
+
+%postun registrar
+%systemd_postun_with_restart %{srcname}_registrar.service
+
+%postun -n python3-%{srcname}-agent
+%systemd_postun_with_restart %{srcname}_agent.service
+
+%files verifier
+%license LICENSE
 %{_bindir}/%{srcname}_verifier
-%{_bindir}/%{srcname}_registrar
-%{_bindir}/%{srcname}_agent
-%{_bindir}/%{srcname}_tenant
 %{_bindir}/%{srcname}_ca
 %{_bindir}/%{srcname}_migrations_apply
-%{_bindir}/%{srcname}_provider_platform_init
+%{_unitdir}/keylime_verifier.service
+
+%files registrar
+%license LICENSE
+%{_bindir}/%{srcname}_registrar
 %{_bindir}/%{srcname}_provider_registrar
+%{_unitdir}/keylime_registrar.service
+
+%files -n python3-%{srcname}-agent
+%license LICENSE
+%{_bindir}/%{srcname}_agent
+%{_unitdir}/keylime_agent.service
+%{_bindir}/%{srcname}_ima_emulator
+
+%files tenant
+%license LICENSE
+%{_bindir}/%{srcname}_tenant
+
+%files webapp
+%license LICENSE
+%{_bindir}/%{srcname}_webapp
+
+%files -n python3-%{srcname}
+%license LICENSE
+%{python3_sitelib}/%{srcname}-*.egg-info/
+%{python3_sitelib}/%{srcname}
+
+%files tools
+%license LICENSE
+%{_bindir}/%{srcname}_provider_platform_init
 %{_bindir}/%{srcname}_provider_vtpm_add
 %{_bindir}/%{srcname}_userdata_encrypt
-%{_bindir}/%{srcname}_ima_emulator
-%{_bindir}/%{srcname}_webapp
-%config(noreplace) %attr(600,root,root) %{_sysconfdir}/%{srcname}.conf
-%{_unitdir}/*
-%{_sharedstatedir}/keylime/tpm_cert_store/*
+
+%files base
+%license LICENSE keylime/static/icons/ICON-LICENSE
+%doc README.md
+%config(noreplace) %attr(600,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}.conf
+%attr(700,%{srcname},%{srcname}) %dir %{_rundir}/%{srcname}
+%attr(700,%{srcname},%{srcname}) %dir %{_localstatedir}/log/%{srcname}
+%attr(700,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}
+
+
+%files
+%license LICENSE

 %changelog
+* Mon Feb 07 2022 Sergio Correia <scorreia@redhat.com> - 6.3.0-3
+- Split keylime into subpackages
+  Related: rhbz#2045874 - Keylime subpackaging and agent alternatives
+
 * Thu Jan 27 2022 Sergio Correia <scorreia@redhat.com> - 6.3.0-2
 - Fix permissions of config file