rpms
/
keylime
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import keylime-6.5.2-4.el9

This commit is contained in:
CentOS Sources 2023-03-28 10:45:40 +00:00 committed by Stepan Oksanichenko
parent 85e3bc95f3
commit 25f2287717
9 changed files with 424 additions and 237 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@ -1 +1,2 @@
SOURCES/v6.4.3.tar.gz
SOURCES/keylime-selinux-1.0.0.tar.gz
SOURCES/v6.5.2.tar.gz

3
.keylime.metadata
View File

@ -1 +1,2 @@
097e4062bdb09385bf9679f6411a42825e4f6bec SOURCES/v6.4.3.tar.gz
a1154fc19d2ae6f52b6b77a39e62d2420c0f4c5e SOURCES/keylime-selinux-1.0.0.tar.gz
1c311bc1d3ab6c8050fd819410c593392187c2fa SOURCES/v6.5.2.tar.gz

130
SOURCES/0001-Do-not-use-default-values-that-need-reading-the-conf.patch Normal file
View File

@ -0,0 +1,130 @@
From d6dd71e3a3fe8e822fbcaa0d88f19a0c3332cacd Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Tue, 15 Nov 2022 07:09:13 -0300
Subject: [PATCH] Do not use default values that need reading the config in
methods
Following up from the recent refactoring that moved the EK validation
to cert_utils, in a few places were added default method values that
were reading the configuration files directly.
It was not such a great idea becasue it then made those config files as
required to even import the modules.
Example "from keylime import cert_utils" now also requires that the
tenant configuration be available for getting the path for the TPM
cert store.
Let's stop doing that.
Signed-off-by: Sergio Correia <scorreia@redhat.com>
---
keylime/cert_utils.py | 5 +++--
keylime/tenant.py | 2 +-
keylime/tpm/tpm_abstract.py | 2 +-
keylime/tpm/tpm_main.py | 4 ++--
keylime/tpm_ek_ca.py | 6 +++---
5 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/keylime/cert_utils.py b/keylime/cert_utils.py
index d2fc54d..3576c64 100644
--- a/keylime/cert_utils.py
+++ b/keylime/cert_utils.py
@@ -12,7 +12,7 @@ from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
from pyasn1.codec.der import decoder, encoder
from pyasn1_modules import pem, rfc2459
-from keylime import config, keylime_logging, tpm_ek_ca
+from keylime import keylime_logging, tpm_ek_ca
# Issue #944 -- python-cryptography won't parse malformed certs,
# such as some Nuvoton ones we have encountered in the field.
@@ -56,9 +56,10 @@ def x509_pem_cert(pem_cert_data: str):
return x509.load_der_x509_certificate(data=encoder.encode(pyasn1_cert), backend=default_backend())
-def verify_ek(ekcert, tpm_cert_store=config.get("tenant", "tpm_cert_store")):
+def verify_ek(ekcert: bytes, tpm_cert_store: str) -> bool:
"""Verify that the provided EK certificate is signed by a trusted root
:param ekcert: The Endorsement Key certificate in DER format
+ :param tpm_cert_store: The path for the TPM certificate store
:returns: True if the certificate can be verified, False otherwise
"""
try:
diff --git a/keylime/tenant.py b/keylime/tenant.py
index b574d04..076b849 100644
--- a/keylime/tenant.py
+++ b/keylime/tenant.py
@@ -430,7 +430,7 @@ class Tenant:
elif ekcert is None:
logger.warning("No EK cert provided, require_ek_cert option in config set to True")
return False
- elif not self.tpm_instance.verify_ek(base64.b64decode(ekcert)):
+ elif not self.tpm_instance.verify_ek(base64.b64decode(ekcert), config.get("tenant", "tpm_cert_store")):
logger.warning("Invalid EK certificate")
return False
diff --git a/keylime/tpm/tpm_abstract.py b/keylime/tpm/tpm_abstract.py
index ff41837..df6222c 100644
--- a/keylime/tpm/tpm_abstract.py
+++ b/keylime/tpm/tpm_abstract.py
@@ -97,7 +97,7 @@ class AbstractTPM(metaclass=ABCMeta):
pass
@abstractmethod
- def verify_ek(self, ekcert):
+ def verify_ek(self, ekcert, tpm_cert_store):
pass
@abstractmethod
diff --git a/keylime/tpm/tpm_main.py b/keylime/tpm/tpm_main.py
index e1d1cf8..e244dfa 100644
--- a/keylime/tpm/tpm_main.py
+++ b/keylime/tpm/tpm_main.py
@@ -776,12 +776,12 @@ class tpm(tpm_abstract.AbstractTPM):
os.remove(sesspath)
return key
- def verify_ek(self, ekcert):
+ def verify_ek(self, ekcert, tpm_cert_store):
"""Verify that the provided EK certificate is signed by a trusted root
:param ekcert: The Endorsement Key certificate in DER format
:returns: True if the certificate can be verified, false otherwise
"""
- return cert_utils.verify_ek(ekcert)
+ return cert_utils.verify_ek(ekcert, tpm_cert_store)
def get_tpm_manufacturer(self, output=None):
vendorStr = None
diff --git a/keylime/tpm_ek_ca.py b/keylime/tpm_ek_ca.py
index fb66c07..bc84571 100644
--- a/keylime/tpm_ek_ca.py
+++ b/keylime/tpm_ek_ca.py
@@ -1,13 +1,13 @@
import glob
import os
-from keylime import config, keylime_logging
+from keylime import keylime_logging
logger = keylime_logging.init_logging("tpm_ek_ca")
trusted_certs = {}
-def check_tpm_cert_store(tpm_cert_store=config.get("tenant", "tpm_cert_store")):
+def check_tpm_cert_store(tpm_cert_store):
if not os.path.isdir(tpm_cert_store):
logger.error("The directory %s does not exist.", tpm_cert_store)
raise Exception(f"The directory {tpm_cert_store} does not exist.")
@@ -20,7 +20,7 @@ def check_tpm_cert_store(tpm_cert_store=config.get("tenant", "tpm_cert_store")):
raise Exception(f"The directory {tpm_cert_store} does not contain " f"any .pem files")
-def cert_loader(tpm_cert_store=config.get("tenant", "tpm_cert_store")):
+def cert_loader(tpm_cert_store):
file_list = glob.glob(os.path.join(tpm_cert_store, "*.pem"))
my_trusted_certs = {}
for file_path in file_list:
--
2.38.1

67
SOURCES/0002-Switch-to-sha256-hashes-for-signatures.patch Normal file
View File

@ -0,0 +1,67 @@
From 1f9ee7437f5b712a892c6d13ac8d75e128c1a16f Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Tue, 22 Nov 2022 10:56:43 -0500
Subject: [PATCH] tests: Switch to sha256 hashes for signatures
Resolves: https://github.com/keylime/keylime/issues/1202
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
test/test_ima_ast.py | 4 ++--
test/test_ima_verification.py | 12 ++++++------
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/test/test_ima_ast.py b/test/test_ima_ast.py
index cd54f95f9..e7d3841a7 100644
--- a/test/test_ima_ast.py
+++ b/test/test_ima_ast.py
@@ -14,11 +14,11 @@
VALID_ENTRIES = {
"ima-sig-rsa": (
ast.ImaSig,
- "10 50873c47693cf9458e87eb4a02dd4f594f7a0c0f ima-sig sha1:1350320e5f7f51553bac8aa403489a1b135bc101 /usr/bin/dd 030202f3452d23010084c2a6cf7de1aeefa119220df0da265a7c44d34380f0d97002e7c778d09cfcf88c018e6595df3ee70eda926851f159332f852e7981a8fca1bc5e959958d06d234a0896861f13cc60da825905c8ed234df26c1deecfa816d5aa9bfb11b905e2814084a86b588be60423afada8dd0dd5a143774c6d890b64195ac42fb47ef5a9a00f0d6c80711d8e0c2b843ec38c02f60fd46bc46c7b4c329ad2dbb1b7625293703f9c739dc4c2bf0769126a2f3cb2cd031d1881cd0af64bf20fd474a993b48620f103a5c14999a2f17d60721bcc019a896b4138a688a59f50cb6cd94a4cfe3b8052e82dec025fef4feabb08c7ce412e3de850f903797e293ec27c329f57fd84e0",
+ "10 1e70a3e1af66f42826ad63b761b4cb9c4df195e1 ima-sig sha256:d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef /usr/bin/dd 030204f3452d2301009dd340c852f37e35748363586939d4199b6684be27e7c1236ca1528f708372ed9cd52a0d991f66448790f5616ed5bd7f9bbd22193b1e3e54f6bf29a1497945a34d1b418b24f4cbeaef897bf3cebca27065ebb8761b46bc2662fe76f141245b9186a5ac8493c7f4976cf0d6dfc085c3e503e3f771bc3ccb121230db76fd8aba4f45f060ad64ab3afd99b4e52824b9eba12e93e46f9dcb2fa01d9cef89f298a0da02a82a4fb56924afd3e3c277a1302d99f770d488449df2d43eb5b174a0a528827e6877b965c2f0b7c89cf1aa26a7417a892df4c2294e2872d62748b72ea04ecb0689b5d792e615a9bf9d56f6e0f298560bf9441df0a22729c5f23389f028c25f",
),
"ima-sig-ec": (
ast.ImaSig,
- "10 06e804489a77ddab51b9ef27e17053c0e5d503bd ima-sig sha1:1cb84b12db45d7da8de58ba6744187db84082f0e /usr/bin/zmore 030202531f402500483046022100bff9c02dc7b270c83cc94bfec10eecd42831de2cdcb04f024369a14623bc3a91022100cc4d015ae932fb98d6846645ed7d1bb1afd4621ec9089bc087126f191886dd31",
+ "10 5d4d5141ccd5066d50dc3f21d79ba02fedc24256 ima-sig sha256:b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b /usr/bin/zmore 030204531f402500483046022100fe24678d21083ead47660e1a2d553a592d777c478d1b0466de6ed484b54956b3022100cad3adb37f277bbb03544d6107751b4cd4f2289d8353fa36257400a99334d5c3",
),
"ima-sig-missing": (
ast.ImaSig,
diff --git a/test/test_ima_verification.py b/test/test_ima_verification.py
index bdb929c9c..d2fc9ef16 100644
--- a/test/test_ima_verification.py
+++ b/test/test_ima_verification.py
@@ -27,8 +27,8 @@
"/lib/modules/5.4.48-openpower1/kernel/drivers/gpu/drm/drm_panel_orientation_quirks.ko": [
"cd026b58efdf66658685430ff526490d54a430a3f0066a35ac26a8acab66c55d"
],
- "/usr/bin/dd": ["1350320e5f7f51553bac8aa403489a1b135bc101"],
- "/usr/bin/zmore": ["1cb84b12db45d7da8de58ba6744187db84082f0e"],
+ "/usr/bin/dd": ["d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef"],
+ "/usr/bin/zmore": ["b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b"],
"/usr/bin/zless": ["233ad3a8e77c63a7d9a56063ec2cad1eafa58850"],
},
"keyrings": {
@@ -50,8 +50,8 @@
"version": 1,
},
"hashes": {
- "/usr/bin/dd": ["1350320e5f7f51553bac8aa403489a1b135bc102"],
- "/usr/bin/zmore": ["1cb84b12db45d7da8de58ba6744187db84082f01"],
+ "/usr/bin/dd": ["bad05d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef"],
+ "/usr/bin/zmore": ["bad00b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b"],
},
}
@@ -73,8 +73,8 @@
# 1st signature: RSA
# 2nd signature: EC
SIGNATURES = (
- "10 50873c47693cf9458e87eb4a02dd4f594f7a0c0f ima-sig sha1:1350320e5f7f51553bac8aa403489a1b135bc101 /usr/bin/dd 030202f3452d23010084c2a6cf7de1aeefa119220df0da265a7c44d34380f0d97002e7c778d09cfcf88c018e6595df3ee70eda926851f159332f852e7981a8fca1bc5e959958d06d234a0896861f13cc60da825905c8ed234df26c1deecfa816d5aa9bfb11b905e2814084a86b588be60423afada8dd0dd5a143774c6d890b64195ac42fb47ef5a9a00f0d6c80711d8e0c2b843ec38c02f60fd46bc46c7b4c329ad2dbb1b7625293703f9c739dc4c2bf0769126a2f3cb2cd031d1881cd0af64bf20fd474a993b48620f103a5c14999a2f17d60721bcc019a896b4138a688a59f50cb6cd94a4cfe3b8052e82dec025fef4feabb08c7ce412e3de850f903797e293ec27c329f57fd84e0\n"
- "10 06e804489a77ddab51b9ef27e17053c0e5d503bd ima-sig sha1:1cb84b12db45d7da8de58ba6744187db84082f0e /usr/bin/zmore 030202531f402500483046022100bff9c02dc7b270c83cc94bfec10eecd42831de2cdcb04f024369a14623bc3a91022100cc4d015ae932fb98d6846645ed7d1bb1afd4621ec9089bc087126f191886dd31\n"
+ "10 1e70a3e1af66f42826ad63b761b4cb9c4df195e1 ima-sig sha256:d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef /usr/bin/dd 030204f3452d2301009dd340c852f37e35748363586939d4199b6684be27e7c1236ca1528f708372ed9cd52a0d991f66448790f5616ed5bd7f9bbd22193b1e3e54f6bf29a1497945a34d1b418b24f4cbeaef897bf3cebca27065ebb8761b46bc2662fe76f141245b9186a5ac8493c7f4976cf0d6dfc085c3e503e3f771bc3ccb121230db76fd8aba4f45f060ad64ab3afd99b4e52824b9eba12e93e46f9dcb2fa01d9cef89f298a0da02a82a4fb56924afd3e3c277a1302d99f770d488449df2d43eb5b174a0a528827e6877b965c2f0b7c89cf1aa26a7417a892df4c2294e2872d62748b72ea04ecb0689b5d792e615a9bf9d56f6e0f298560bf9441df0a22729c5f23389f028c25f\n"
+ "10 5d4d5141ccd5066d50dc3f21d79ba02fedc24256 ima-sig sha256:b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b /usr/bin/zmore 030204531f402500483046022100fe24678d21083ead47660e1a2d553a592d777c478d1b0466de6ed484b54956b3022100cad3adb37f277bbb03544d6107751b4cd4f2289d8353fa36257400a99334d5c3\n"
)
COMBINED = MEASUREMENTS + SIGNATURES

136
SOURCES/0003-logging-remove-option-to-log-into-separate-file.patch Normal file
View File

@ -0,0 +1,136 @@
From eb5112dd597336b566378b3a157e76fe3cbbbfee Mon Sep 17 00:00:00 2001
From: Thore Sommer <mail@thson.de>
Date: Mon, 16 Jan 2023 07:26:08 -0300
Subject: [PATCH 3/3] logging: remove option to log into separate file
The implementation had the issue that only the main loggers were added and that
the permissions were not set strict enough. Users should use the logging
provided by systemd instead.
Signed-off-by: Thore Sommer <mail@thson.de>
---
keylime.conf | 10 ----------
keylime/keylime_logging.py | 31 ------------------------------
scripts/templates/2.0/registrar.j2 | 9 ---------
scripts/templates/2.0/verifier.j2 | 9 ---------
4 files changed, 59 deletions(-)
diff --git a/keylime.conf b/keylime.conf
index d896f9f..043b6a8 100644
--- a/keylime.conf
+++ b/keylime.conf
@@ -342,11 +342,6 @@ tomtou_errors = False
# signature check before storing them in the database.
require_allow_list_signatures = False
-# Destination for log output, in addition to console. Values can be 'file',
-# with the file being named after the "service" - cloud_verifier - created under
-# /var/log/keylime), 'stream' or it can be left empty (which results in
-# logging to console only, recommended when running inside a container)
-log_destination = file
#=============================================================================
[tenant]
@@ -595,11 +590,6 @@ auto_migrate_db = True
# The file to use for SQLite persistence of provider hypervisor data.
prov_db_filename = provider_reg_data.sqlite
-# Destination for log output, in addition to console. Values can be 'file',
-# with the file being named after the "service" - registrar - created under
-# /var/log/keylime), 'stream' or it can be left empty (which results in
-# logging to console only, recommended when running inside a container)
-log_destination = file
#=============================================================================
[ca]
diff --git a/keylime/keylime_logging.py b/keylime/keylime_logging.py
index bc8a11d..f7c7a8f 100644
--- a/keylime/keylime_logging.py
+++ b/keylime/keylime_logging.py
@@ -1,17 +1,10 @@
import logging
-import os
from logging import Logger
from logging import config as logging_config
from typing import Any, Callable, Dict
from keylime import config
-LOG_TO_FILE = set()
-LOG_TO_STREAM = set()
-LOGDIR = os.getenv("KEYLIME_LOGDIR", "/var/log/keylime")
-# not clear that this works right. console logging may not work
-LOGSTREAM = os.path.join(LOGDIR, "keylime-stream.log")
-
logging_config.fileConfig(config.get_config("logging"))
@@ -50,31 +43,7 @@ def log_http_response(logger: Logger, loglevel: int, response_body: Dict[str, An
def init_logging(loggername: str) -> Logger:
-
- if loggername in ("verifier", "registrar"):
- logdest = config.get(loggername, "log_destination", fallback="")
- if logdest == "file":
- LOG_TO_FILE.add(loggername)
- if logdest == "stream":
- LOG_TO_STREAM.add(loggername)
-
logger = logging.getLogger(f"keylime.{loggername}")
logging.getLogger("requests").setLevel(logging.WARNING)
- mainlogger = logging.getLogger("keylime")
- basic_formatter = logging.Formatter("%(asctime)s %(name)s %(levelname)s %(message)s")
- if loggername in LOG_TO_FILE:
- logfilename = os.path.join(LOGDIR, f"{loggername}.log")
- if not os.path.exists(LOGDIR):
- os.makedirs(LOGDIR, 0o750)
- fh = logging.FileHandler(logfilename)
- fh.setLevel(logger.getEffectiveLevel())
- fh.setFormatter(basic_formatter)
- mainlogger.addHandler(fh)
-
- if loggername in LOG_TO_STREAM:
- fh = logging.FileHandler(filename=LOGSTREAM, mode="w")
- fh.setLevel(logger.getEffectiveLevel())
- fh.setFormatter(basic_formatter)
- mainlogger.addHandler(fh)
return logger
diff --git a/scripts/templates/2.0/registrar.j2 b/scripts/templates/2.0/registrar.j2
index 3d92303..8de7a50 100644
--- a/scripts/templates/2.0/registrar.j2
+++ b/scripts/templates/2.0/registrar.j2
@@ -71,12 +71,3 @@ auto_migrate_db = {{ registrar.auto_migrate_db }}
# The file to use for SQLite persistence of provider hypervisor data.
prov_db_filename: {{ registrar.prov_db_filename }}
-
-# Destination for log output, in addition to console. If left empty, the log
-# output will only be printed to console (recommended for containers to avoid
-# filling data storage). The accepted values are:
-# 'file': The log output will also be written to a file named after the
-# component in '/var/log/keylime/registrar.log'
-# 'stream': The log output will be written to a common file in
-# 'var/log/keylime/keylime-stream.log'
-log_destination = {{ registrar.log_destination }}
diff --git a/scripts/templates/2.0/verifier.j2 b/scripts/templates/2.0/verifier.j2
index d1584df..7a66cb1 100644
--- a/scripts/templates/2.0/verifier.j2
+++ b/scripts/templates/2.0/verifier.j2
@@ -196,12 +196,3 @@ zmq_port = {{ verifier.zmq_port }}
# Webhook url for revocation notifications.
webhook_url = {{ verifier.webhook_url }}
-
-# Destination for log output, in addition to console. If left empty, the log
-# output will only be printed to console (recommended for containers to avoid
-# filling data storage). The accepted values are:
-# 'file': The log output will also be written to a file named after the
-# component in '/var/log/keylime/verifier.log'
-# 'stream': The log output will be written to a common file in
-# 'var/log/keylime/keylime-stream.log'
-log_destination = {{ verifier.log_destination }}
--
2.38.1

24
SOURCES/keylime.fc
View File

@ -1,24 +0,0 @@
/usr/bin/keylime_agent -- gen_context(system_u:object_r:keylime_agent_exec_t,s0)
/usr/bin/keylime_ima_emulator -- gen_context(system_u:object_r:keylime_agent_exec_t,s0)
/usr/bin/keylime_userdata_encrypt -- gen_context(system_u:object_r:keylime_agent_exec_t,s0)
/usr/bin/keylime_ca -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
/usr/bin/keylime_migrations_apply -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
/usr/bin/keylime_registrar -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
/usr/bin/keylime_verifier -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
/usr/bin/keylime_tenant -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
/usr/local/bin/keylime_agent -- gen_context(system_u:object_r:keylime_agent_exec_t,s0)
/usr/local/bin/keylime_ima_emulator -- gen_context(system_u:object_r:keylime_agent_exec_t,s0)
/usr/local/bin/keylime_userdata_encrypt -- gen_context(system_u:object_r:keylime_agent_exec_t,s0)
/usr/local/bin/keylime_ca -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
/usr/local/bin/keylime_migrations_apply -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
/usr/local/bin/keylime_registrar -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
/usr/local/bin/keylime_verifier -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
/usr/local/bin/keylime_tenant -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
/var/lib/keylime(/.*)? gen_context(system_u:object_r:keylime_var_lib_t,s0)
/var/lib/keylime-agent(/.*)? gen_context(system_u:object_r:keylime_var_lib_t,s0)
/var/log/keylime(/.*)? gen_context(system_u:object_r:keylime_log_t,s0)

37
SOURCES/keylime.if
View File

@ -1,37 +0,0 @@
## <summary>policy for keylime</summary>
########################################
## <summary>
## Add to specified type to keylime_type attribute .
## </summary>
## <param name="type">
## <summary>
## Type to be used for keylime domains.
## </summary>
## </param>
#
interface(`keylime_use_keylime_domain',`
gen_require(`
attribute keylime_domain;
')
typeattribute $1 keylime_domain;
')
########################################
## <summary>
## Mounton keylime lib directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`keylime_mounton_var_lib',`
gen_require(`
type keylime_var_lib_t;
')
allow $1 keylime_var_lib_t:dir mounton;
')

140
SOURCES/keylime.te
View File

@ -1,140 +0,0 @@
policy_module(keylime, 1.0.0)
########################################
#
# Declarations
#
attribute keylime_domain;
type keylime_agent_t;
keylime_use_keylime_domain(keylime_agent_t)
type keylime_agent_exec_t;
init_daemon_domain(keylime_agent_t, keylime_agent_exec_t)
type keylime_server_t;
keylime_use_keylime_domain(keylime_server_t)
type keylime_server_exec_t;
init_daemon_domain(keylime_server_t, keylime_server_exec_t)
type keylime_log_t;
logging_log_file(keylime_log_t)
type keylime_var_lib_t;
files_type(keylime_var_lib_t)
type keylime_tmp_t;
files_tmp_file(keylime_tmp_t)
########################################
#
# keylime domain policy
#
allow keylime_domain self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(keylime_domain, keylime_tmp_t, keylime_tmp_t)
manage_files_pattern(keylime_domain, keylime_tmp_t, keylime_tmp_t)
files_tmp_filetrans(keylime_domain, keylime_tmp_t, { dir file })
manage_dirs_pattern(keylime_domain, keylime_var_lib_t, keylime_var_lib_t)
manage_files_pattern(keylime_domain, keylime_var_lib_t, keylime_var_lib_t)
files_var_lib_filetrans(keylime_domain, keylime_var_lib_t, { dir file lnk_file })
corecmd_exec_bin(keylime_domain)
corenet_tcp_bind_generic_node(keylime_domain)
corenet_tcp_bind_all_ports(keylime_domain)
corenet_tcp_connect_all_unreserved_ports(keylime_domain)
dev_read_sysfs(keylime_domain)
fs_tmpfs_filetrans(keylime_domain, keylime_var_lib_t, { dir file })
init_named_socket_activation(keylime_domain, keylime_var_lib_t, "keylime")
miscfiles_read_generic_certs(keylime_domain)
sysnet_read_config(keylime_domain)
userdom_exec_user_tmp_files(keylime_domain)
userdom_manage_user_tmp_dirs(keylime_domain)
userdom_manage_user_tmp_files(keylime_domain)
########################################
#
# keylime server policy
#
allow keylime_server_t self:netlink_route_socket { create_stream_socket_perms nlmsg_read };
allow keylime_server_t self:udp_socket create_stream_socket_perms;
manage_dirs_pattern(keylime_server_t, keylime_log_t, keylime_log_t)
manage_files_pattern(keylime_server_t, keylime_log_t, keylime_log_t)
fs_rw_inherited_tmpfs_files(keylime_server_t)
optional_policy(`
gpg_exec(keylime_server_t)
')
optional_policy(`
kerberos_read_config(keylime_server_t)
kerberos_read_keytab(keylime_server_t)
')
optional_policy(`
sssd_run_stream_connect(keylime_server_t)
')
########################################
#
# keylime agent policy
#
#work with /var/lib/keylime/secure
allow keylime_agent_t self:capability { chown dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
allow keylime_agent_t self:chr_file getattr;
#FIX ME, add to tabrmd policy interface related with this
allow keylime_agent_t domain:unix_stream_socket rw_stream_socket_perms; #selint-disable:W-001
dev_rw_tpm(keylime_agent_t)
exec_files_pattern(keylime_agent_t, keylime_var_lib_t, keylime_var_lib_t)
files_read_var_lib_files(keylime_agent_t)
fs_dontaudit_search_cgroup_dirs(keylime_agent_t)
fs_getattr_cgroup(keylime_agent_t)
fs_mount_tmpfs(keylime_agent_t)
fs_setattr_tmpfs_dirs(keylime_agent_t)
init_dontaudit_stream_connect(keylime_agent_t)
kernel_read_all_proc(keylime_agent_t)
userdom_dontaudit_search_user_home_dirs(keylime_agent_t)
auth_read_passwd(keylime_agent_t)
keylime_mounton_var_lib(keylime_agent_t)
mount_domtrans(keylime_agent_t)
selinux_read_policy(keylime_agent_t)
optional_policy(`
#FIX ME, add to tabrmd policy interface related with this
#https://github.com/tpm2-software/tpm2-abrmd/blob/master/selinux
dbus_chat_system_bus(keylime_agent_t)
')
optional_policy(`
dbus_stream_connect_system_dbusd(keylime_agent_t)
dbus_system_bus_client(keylime_agent_t)
')
optional_policy(`
systemd_userdbd_stream_connect(keylime_agent_t)
systemd_machined_stream_connect(keylime_agent_t)
')

121
SPECS/keylime.spec
View File

@ -1,4 +1,5 @@
%global srcname keylime
%global policy_version 1.0.0
%global with_selinux 1
%global selinuxtype targeted
@ -7,18 +8,18 @@
%global debug_package %{nil}
Name: keylime
Version: 6.4.3
Release: 1%{?dist}
Version: 6.5.2
Release: 4%{?dist}
Summary: Open source TPM software for Bootstrapping and Maintaining Trust
URL: https://github.com/keylime/keylime
Source0: https://github.com/keylime/keylime/archive/refs/tags/v%{version}.tar.gz
Source1: %{srcname}.sysusers
%if 0%{?with_selinux}
Source2: %{srcname}.te
Source3: %{srcname}.if
Source4: %{srcname}.fc
%endif
Source2: https://github.com/RedHat-SP-Security/%{name}-selinux/archive/v%{policy_version}/keylime-selinux-%{policy_version}.tar.gz
Patch: 0001-Do-not-use-default-values-that-need-reading-the-conf.patch
Patch: 0002-Switch-to-sha256-hashes-for-signatures.patch
Patch: 0003-logging-remove-option-to-log-into-separate-file.patch
License: ASL 2.0 and MIT
@ -27,6 +28,7 @@ BuildRequires: swig
BuildRequires: openssl-devel
BuildRequires: python3-devel
BuildRequires: python3-dbus
BuildRequires: python3-jinja2
BuildRequires: python3-setuptools
BuildRequires: systemd-rpm-macros
@ -57,7 +59,7 @@ Requires: tpm2-tss
%if 0%{?with_selinux}
# This ensures that the *-selinux package and all its dependencies are not pulled
# into containers and other systems that do not use SELinux
Requires: (%{srcname}-selinux if selinux-policy-%{selinuxtype})
Recommends: (%{srcname}-selinux if selinux-policy-%{selinuxtype})
%endif
%ifarch %efi
@ -87,6 +89,7 @@ Requires: python3-lark-parser
Requires: python3-pyasn1
Requires: python3-pyasn1-modules
Requires: tpm2-tools
Requires: openssl
%description -n python3-%{srcname}
The python3-keylime module implements the functionality used
@ -140,15 +143,12 @@ Requires: python3-%{srcname} = %{version}-%{release}
The Keylime Tenant can be used to provision a Keylime Agent.
%prep
%autosetup -S git -n %{srcname}-%{version}
%autosetup -S git -n %{srcname}-%{version} -a2
%if 0%{?with_selinux}
# SELinux policy (originally from selinux-policy-contrib)
# this policy module will override the production module
mkdir selinux
cp -p %{SOURCE2} selinux/
cp -p %{SOURCE3} selinux/
cp -p %{SOURCE4} selinux/
make -f %{_datadir}/selinux/devel/Makefile %{srcname}.pp
bzip2 -9 %{srcname}.pp
@ -163,37 +163,38 @@ mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname}
mkdir -p --mode=0700 %{buildroot}/%{_rundir}/%{srcname}
mkdir -p --mode=0700 %{buildroot}/%{_localstatedir}/log/%{srcname}
# Remove agent and webapp.
mkdir -p --mode=0700 %{buildroot}/%{_sysconfdir}/%{srcname}/
for comp in "verifier" "tenant" "registrar" "ca" "logging"; do
mkdir -p --mode=0700 %{buildroot}/%{_sysconfdir}/%{srcname}/${comp}.conf.d
install -Dpm 400 config/${comp}.conf %{buildroot}/%{_sysconfdir}/%{srcname}
done
# Remove agent.
rm -f %{buildroot}/%{_bindir}/%{srcname}_agent
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/%{srcname}_agent*
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/__pycache__/agent.*
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/agent.*
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/%{srcname}_agent.*
rm -f %{buildroot}/%{_bindir}/%{srcname}_webapp
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/tenant_webapp.*
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/__pycache__/webapp.*
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/webapp.*
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/tenant_webapp.*
rm -rf %{buildroot}%{python3_sitelib}/%{srcname}/static/
# Remove misc progs.
rm -f %{buildroot}/%{_bindir}/%{srcname}_ima_emulator
rm -f %{buildroot}/%{_bindir}/%{srcname}_userdata_encrypt
# Setting up the agent to use keylime:keylime user/group after dropping privileges.
sed -e 's/^run_as[[:space:]]*=.*/run_as = keylime:keylime/g' -i %{srcname}.conf
# Using sha256 for tpm_hash_alg.
sed -e 's/^tpm_hash_alg[[:space:]]*=.*/tpm_hash_alg = sha256/g' -i %{srcname}.conf
# Ship some scripts.
mkdir -p %{buildroot}/%{_datadir}/%{srcname}/scripts
for s in create_allowlist.sh \
create_mb_refstate \
create_policy \
ek-openssl-verify; do
install -Dpm 755 scripts/${s} \
%{buildroot}/%{_datadir}/%{srcname}/scripts/${s}
done
%if 0%{?with_selinux}
install -D -m 0644 %{srcname}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2
install -D -p -m 0644 selinux/%{srcname}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
install -D -p -m 0644 keylime-selinux-%{policy_version}/%{srcname}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
%endif
install -Dpm 600 %{srcname}.conf \
%{buildroot}%{_sysconfdir}/%{srcname}.conf
install -Dpm 644 ./services/%{srcname}_verifier.service \
%{buildroot}%{_unitdir}/%{srcname}_verifier.service
@ -201,7 +202,8 @@ install -Dpm 644 ./services/%{srcname}_verifier.service \
install -Dpm 644 ./services/%{srcname}_registrar.service \
%{buildroot}%{_unitdir}/%{srcname}_registrar.service
cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/keylime/
cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/
chmod 400 %{buildroot}%{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem
install -p -d %{buildroot}/%{_tmpfilesdir}
cat > %{buildroot}/%{_tmpfilesdir}/%{srcname}.conf << EOF
@ -215,11 +217,24 @@ install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/%{srcname}.conf
exit 0
%posttrans base
[ -f %{_sysconfdir}/%{srcname}.conf ] && \
chmod 600 %{_sysconfdir}/%{srcname}.conf && \
chown %{srcname} %{_sysconfdir}/%{srcname}.conf
if [ -d %{_sysconfdir}/%{srcname} ]; then
chmod 500 %{_sysconfdir}/%{srcname}
chown -R %{srcname}:%{srcname} %{_sysconfdir}/%{srcname}
for comp in "verifier" "tenant" "registrar" "ca" "logging"; do
[ -d %{_sysconfdir}/%{srcname}/${comp}.conf.d ] && \
chmod 500 %{_sysconfdir}/%{srcname}/${comp}.conf.d
done
fi
[ -d %{_sharedstatedir}/%{srcname} ] && \
chown -R %{srcname} %{_sharedstatedir}/%{srcname}/
[ -d %{_sharedstatedir}/%{srcname}/tpm_cert_store ] && \
chmod 400 %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem && \
chmod 500 %{_sharedstatedir}/%{srcname}/tpm_cert_store/
[ -d %{_localstatedir}/log/%{srcname} ] && \
chown -R %{srcname} %{_localstatedir}/log/%{srcname}/
exit 0
@ -272,6 +287,8 @@ fi
%files verifier
%license LICENSE
%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/verifier.conf.d
%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/verifier.conf
%{_bindir}/%{srcname}_verifier
%{_bindir}/%{srcname}_ca
%{_bindir}/%{srcname}_migrations_apply
@ -279,6 +296,8 @@ fi
%files registrar
%license LICENSE
%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/registrar.conf.d
%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/registrar.conf
%{_bindir}/%{srcname}_registrar
%{_unitdir}/keylime_registrar.service
@ -291,27 +310,61 @@ fi
%files tenant
%license LICENSE
%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/tenant.conf.d
%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/tenant.conf
%{_bindir}/%{srcname}_tenant
%files -n python3-%{srcname}
%license LICENSE
%{python3_sitelib}/%{srcname}-*.egg-info/
%{python3_sitelib}/%{srcname}
%{_datadir}/%{srcname}/scripts/create_mb_refstate
%{_datadir}/%{srcname}/scripts/create_policy
%{_bindir}/keylime_convert_ima_policy
%files base
%license LICENSE
%doc README.md
%config(noreplace) %attr(600,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}.conf
%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/{ca,logging}.conf.d
%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/ca.conf
%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/logging.conf
%attr(700,%{srcname},%{srcname}) %dir %{_rundir}/%{srcname}
%attr(700,%{srcname},%{srcname}) %dir %{_localstatedir}/log/%{srcname}
%attr(700,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}
%attr(700,%{srcname},%{srcname}) %dir %{_sharedstatedir}/%{srcname}
%attr(500,%{srcname},%{srcname}) %dir %{_sharedstatedir}/%{srcname}/tpm_cert_store
%attr(400,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem
%{_tmpfilesdir}/%{srcname}.conf
%{_sysusersdir}/%{srcname}.conf
%{_datadir}/%{srcname}/scripts/create_allowlist.sh
%{_datadir}/%{srcname}/scripts/ek-openssl-verify
%files
%license LICENSE
%changelog
* Fri Jan 13 2023 Sergio Correia <scorreia@redhat.com> - 6.5.2-4
- Backport upstream PR#1240 - logging: remove option to log into separate file
Resolves: rhbz#2154584 - keylime verifier is not logging to /var/log/keylime
* Thu Dec 1 2022 Sergio Correia <scorreia@redhat.com> - 6.5.2-3
- Remove leftover policy file
Related: rhbz#2152135
* Thu Dec 1 2022 Patrik Koncity <pkoncity@redhat.com> - 6.5.2-2
- Use keylime selinux policy from upstream.
Resolves: rhbz#2152135
* Mon Nov 14 2022 Sergio Correia <scorreia@redhat.com> - 6.5.2-1
- Update to 6.5.2
Resolves: CVE-2022-3500
Resolves: rhbz#2138167 - agent fails IMA attestation when one scripts is executed quickly after the other
Resolves: rhbz#2140670 - Segmentation fault in /usr/share/keylime/create_mb_refstate script
Resolves: rhbz#142009 - Registrar may crash during EK validation when require_ek_cert is enabled
* Tue Sep 13 2022 Sergio Correia <scorreia@redhat.com> - 6.5.0-1
- Update to 6.5.0
Resolves: rhbz#2120686 - Keylime configuration is too complex
* Fri Aug 26 2022 Sergio Correia <scorreia@redhat.com> - 6.4.3-1
- Update to 6.4.3
Resolves: rhbz#2121044 - Error parsing EK ASN.1 certificate of Nuvoton HW TPM