diff --git a/.gitignore b/.gitignore index fa4c569..333b933 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ -SOURCES/v6.4.3.tar.gz +SOURCES/keylime-selinux-1.0.0.tar.gz +SOURCES/v6.5.2.tar.gz diff --git a/.keylime.metadata b/.keylime.metadata index b62d99d..d577a83 100644 --- a/.keylime.metadata +++ b/.keylime.metadata @@ -1 +1,2 @@ -097e4062bdb09385bf9679f6411a42825e4f6bec SOURCES/v6.4.3.tar.gz +a1154fc19d2ae6f52b6b77a39e62d2420c0f4c5e SOURCES/keylime-selinux-1.0.0.tar.gz +1c311bc1d3ab6c8050fd819410c593392187c2fa SOURCES/v6.5.2.tar.gz diff --git a/SOURCES/0001-Do-not-use-default-values-that-need-reading-the-conf.patch b/SOURCES/0001-Do-not-use-default-values-that-need-reading-the-conf.patch new file mode 100644 index 0000000..2c4ace1 --- /dev/null +++ b/SOURCES/0001-Do-not-use-default-values-that-need-reading-the-conf.patch @@ -0,0 +1,130 @@ +From d6dd71e3a3fe8e822fbcaa0d88f19a0c3332cacd Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Tue, 15 Nov 2022 07:09:13 -0300 +Subject: [PATCH] Do not use default values that need reading the config in + methods + +Following up from the recent refactoring that moved the EK validation +to cert_utils, in a few places were added default method values that +were reading the configuration files directly. + +It was not such a great idea becasue it then made those config files as +required to even import the modules. + +Example "from keylime import cert_utils" now also requires that the +tenant configuration be available for getting the path for the TPM +cert store. + +Let's stop doing that. + +Signed-off-by: Sergio Correia +--- + keylime/cert_utils.py | 5 +++-- + keylime/tenant.py | 2 +- + keylime/tpm/tpm_abstract.py | 2 +- + keylime/tpm/tpm_main.py | 4 ++-- + keylime/tpm_ek_ca.py | 6 +++--- + 5 files changed, 10 insertions(+), 9 deletions(-) + +diff --git a/keylime/cert_utils.py b/keylime/cert_utils.py +index d2fc54d..3576c64 100644 +--- a/keylime/cert_utils.py ++++ b/keylime/cert_utils.py +@@ -12,7 +12,7 @@ from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey + from pyasn1.codec.der import decoder, encoder + from pyasn1_modules import pem, rfc2459 + +-from keylime import config, keylime_logging, tpm_ek_ca ++from keylime import keylime_logging, tpm_ek_ca + + # Issue #944 -- python-cryptography won't parse malformed certs, + # such as some Nuvoton ones we have encountered in the field. +@@ -56,9 +56,10 @@ def x509_pem_cert(pem_cert_data: str): + return x509.load_der_x509_certificate(data=encoder.encode(pyasn1_cert), backend=default_backend()) + + +-def verify_ek(ekcert, tpm_cert_store=config.get("tenant", "tpm_cert_store")): ++def verify_ek(ekcert: bytes, tpm_cert_store: str) -> bool: + """Verify that the provided EK certificate is signed by a trusted root + :param ekcert: The Endorsement Key certificate in DER format ++ :param tpm_cert_store: The path for the TPM certificate store + :returns: True if the certificate can be verified, False otherwise + """ + try: +diff --git a/keylime/tenant.py b/keylime/tenant.py +index b574d04..076b849 100644 +--- a/keylime/tenant.py ++++ b/keylime/tenant.py +@@ -430,7 +430,7 @@ class Tenant: + elif ekcert is None: + logger.warning("No EK cert provided, require_ek_cert option in config set to True") + return False +- elif not self.tpm_instance.verify_ek(base64.b64decode(ekcert)): ++ elif not self.tpm_instance.verify_ek(base64.b64decode(ekcert), config.get("tenant", "tpm_cert_store")): + logger.warning("Invalid EK certificate") + return False + +diff --git a/keylime/tpm/tpm_abstract.py b/keylime/tpm/tpm_abstract.py +index ff41837..df6222c 100644 +--- a/keylime/tpm/tpm_abstract.py ++++ b/keylime/tpm/tpm_abstract.py +@@ -97,7 +97,7 @@ class AbstractTPM(metaclass=ABCMeta): + pass + + @abstractmethod +- def verify_ek(self, ekcert): ++ def verify_ek(self, ekcert, tpm_cert_store): + pass + + @abstractmethod +diff --git a/keylime/tpm/tpm_main.py b/keylime/tpm/tpm_main.py +index e1d1cf8..e244dfa 100644 +--- a/keylime/tpm/tpm_main.py ++++ b/keylime/tpm/tpm_main.py +@@ -776,12 +776,12 @@ class tpm(tpm_abstract.AbstractTPM): + os.remove(sesspath) + return key + +- def verify_ek(self, ekcert): ++ def verify_ek(self, ekcert, tpm_cert_store): + """Verify that the provided EK certificate is signed by a trusted root + :param ekcert: The Endorsement Key certificate in DER format + :returns: True if the certificate can be verified, false otherwise + """ +- return cert_utils.verify_ek(ekcert) ++ return cert_utils.verify_ek(ekcert, tpm_cert_store) + + def get_tpm_manufacturer(self, output=None): + vendorStr = None +diff --git a/keylime/tpm_ek_ca.py b/keylime/tpm_ek_ca.py +index fb66c07..bc84571 100644 +--- a/keylime/tpm_ek_ca.py ++++ b/keylime/tpm_ek_ca.py +@@ -1,13 +1,13 @@ + import glob + import os + +-from keylime import config, keylime_logging ++from keylime import keylime_logging + + logger = keylime_logging.init_logging("tpm_ek_ca") + trusted_certs = {} + + +-def check_tpm_cert_store(tpm_cert_store=config.get("tenant", "tpm_cert_store")): ++def check_tpm_cert_store(tpm_cert_store): + if not os.path.isdir(tpm_cert_store): + logger.error("The directory %s does not exist.", tpm_cert_store) + raise Exception(f"The directory {tpm_cert_store} does not exist.") +@@ -20,7 +20,7 @@ def check_tpm_cert_store(tpm_cert_store=config.get("tenant", "tpm_cert_store")): + raise Exception(f"The directory {tpm_cert_store} does not contain " f"any .pem files") + + +-def cert_loader(tpm_cert_store=config.get("tenant", "tpm_cert_store")): ++def cert_loader(tpm_cert_store): + file_list = glob.glob(os.path.join(tpm_cert_store, "*.pem")) + my_trusted_certs = {} + for file_path in file_list: +-- +2.38.1 + diff --git a/SOURCES/0002-Switch-to-sha256-hashes-for-signatures.patch b/SOURCES/0002-Switch-to-sha256-hashes-for-signatures.patch new file mode 100644 index 0000000..6401048 --- /dev/null +++ b/SOURCES/0002-Switch-to-sha256-hashes-for-signatures.patch @@ -0,0 +1,67 @@ +From 1f9ee7437f5b712a892c6d13ac8d75e128c1a16f Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Tue, 22 Nov 2022 10:56:43 -0500 +Subject: [PATCH] tests: Switch to sha256 hashes for signatures + +Resolves: https://github.com/keylime/keylime/issues/1202 +Signed-off-by: Stefan Berger +--- + test/test_ima_ast.py | 4 ++-- + test/test_ima_verification.py | 12 ++++++------ + 2 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/test/test_ima_ast.py b/test/test_ima_ast.py +index cd54f95f9..e7d3841a7 100644 +--- a/test/test_ima_ast.py ++++ b/test/test_ima_ast.py +@@ -14,11 +14,11 @@ + VALID_ENTRIES = { + "ima-sig-rsa": ( + ast.ImaSig, +- "10 50873c47693cf9458e87eb4a02dd4f594f7a0c0f ima-sig sha1:1350320e5f7f51553bac8aa403489a1b135bc101 /usr/bin/dd 030202f3452d23010084c2a6cf7de1aeefa119220df0da265a7c44d34380f0d97002e7c778d09cfcf88c018e6595df3ee70eda926851f159332f852e7981a8fca1bc5e959958d06d234a0896861f13cc60da825905c8ed234df26c1deecfa816d5aa9bfb11b905e2814084a86b588be60423afada8dd0dd5a143774c6d890b64195ac42fb47ef5a9a00f0d6c80711d8e0c2b843ec38c02f60fd46bc46c7b4c329ad2dbb1b7625293703f9c739dc4c2bf0769126a2f3cb2cd031d1881cd0af64bf20fd474a993b48620f103a5c14999a2f17d60721bcc019a896b4138a688a59f50cb6cd94a4cfe3b8052e82dec025fef4feabb08c7ce412e3de850f903797e293ec27c329f57fd84e0", ++ "10 1e70a3e1af66f42826ad63b761b4cb9c4df195e1 ima-sig sha256:d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef /usr/bin/dd 030204f3452d2301009dd340c852f37e35748363586939d4199b6684be27e7c1236ca1528f708372ed9cd52a0d991f66448790f5616ed5bd7f9bbd22193b1e3e54f6bf29a1497945a34d1b418b24f4cbeaef897bf3cebca27065ebb8761b46bc2662fe76f141245b9186a5ac8493c7f4976cf0d6dfc085c3e503e3f771bc3ccb121230db76fd8aba4f45f060ad64ab3afd99b4e52824b9eba12e93e46f9dcb2fa01d9cef89f298a0da02a82a4fb56924afd3e3c277a1302d99f770d488449df2d43eb5b174a0a528827e6877b965c2f0b7c89cf1aa26a7417a892df4c2294e2872d62748b72ea04ecb0689b5d792e615a9bf9d56f6e0f298560bf9441df0a22729c5f23389f028c25f", + ), + "ima-sig-ec": ( + ast.ImaSig, +- "10 06e804489a77ddab51b9ef27e17053c0e5d503bd ima-sig sha1:1cb84b12db45d7da8de58ba6744187db84082f0e /usr/bin/zmore 030202531f402500483046022100bff9c02dc7b270c83cc94bfec10eecd42831de2cdcb04f024369a14623bc3a91022100cc4d015ae932fb98d6846645ed7d1bb1afd4621ec9089bc087126f191886dd31", ++ "10 5d4d5141ccd5066d50dc3f21d79ba02fedc24256 ima-sig sha256:b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b /usr/bin/zmore 030204531f402500483046022100fe24678d21083ead47660e1a2d553a592d777c478d1b0466de6ed484b54956b3022100cad3adb37f277bbb03544d6107751b4cd4f2289d8353fa36257400a99334d5c3", + ), + "ima-sig-missing": ( + ast.ImaSig, +diff --git a/test/test_ima_verification.py b/test/test_ima_verification.py +index bdb929c9c..d2fc9ef16 100644 +--- a/test/test_ima_verification.py ++++ b/test/test_ima_verification.py +@@ -27,8 +27,8 @@ + "/lib/modules/5.4.48-openpower1/kernel/drivers/gpu/drm/drm_panel_orientation_quirks.ko": [ + "cd026b58efdf66658685430ff526490d54a430a3f0066a35ac26a8acab66c55d" + ], +- "/usr/bin/dd": ["1350320e5f7f51553bac8aa403489a1b135bc101"], +- "/usr/bin/zmore": ["1cb84b12db45d7da8de58ba6744187db84082f0e"], ++ "/usr/bin/dd": ["d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef"], ++ "/usr/bin/zmore": ["b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b"], + "/usr/bin/zless": ["233ad3a8e77c63a7d9a56063ec2cad1eafa58850"], + }, + "keyrings": { +@@ -50,8 +50,8 @@ + "version": 1, + }, + "hashes": { +- "/usr/bin/dd": ["1350320e5f7f51553bac8aa403489a1b135bc102"], +- "/usr/bin/zmore": ["1cb84b12db45d7da8de58ba6744187db84082f01"], ++ "/usr/bin/dd": ["bad05d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef"], ++ "/usr/bin/zmore": ["bad00b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b"], + }, + } + +@@ -73,8 +73,8 @@ + # 1st signature: RSA + # 2nd signature: EC + SIGNATURES = ( +- "10 50873c47693cf9458e87eb4a02dd4f594f7a0c0f ima-sig sha1:1350320e5f7f51553bac8aa403489a1b135bc101 /usr/bin/dd 030202f3452d23010084c2a6cf7de1aeefa119220df0da265a7c44d34380f0d97002e7c778d09cfcf88c018e6595df3ee70eda926851f159332f852e7981a8fca1bc5e959958d06d234a0896861f13cc60da825905c8ed234df26c1deecfa816d5aa9bfb11b905e2814084a86b588be60423afada8dd0dd5a143774c6d890b64195ac42fb47ef5a9a00f0d6c80711d8e0c2b843ec38c02f60fd46bc46c7b4c329ad2dbb1b7625293703f9c739dc4c2bf0769126a2f3cb2cd031d1881cd0af64bf20fd474a993b48620f103a5c14999a2f17d60721bcc019a896b4138a688a59f50cb6cd94a4cfe3b8052e82dec025fef4feabb08c7ce412e3de850f903797e293ec27c329f57fd84e0\n" +- "10 06e804489a77ddab51b9ef27e17053c0e5d503bd ima-sig sha1:1cb84b12db45d7da8de58ba6744187db84082f0e /usr/bin/zmore 030202531f402500483046022100bff9c02dc7b270c83cc94bfec10eecd42831de2cdcb04f024369a14623bc3a91022100cc4d015ae932fb98d6846645ed7d1bb1afd4621ec9089bc087126f191886dd31\n" ++ "10 1e70a3e1af66f42826ad63b761b4cb9c4df195e1 ima-sig sha256:d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef /usr/bin/dd 030204f3452d2301009dd340c852f37e35748363586939d4199b6684be27e7c1236ca1528f708372ed9cd52a0d991f66448790f5616ed5bd7f9bbd22193b1e3e54f6bf29a1497945a34d1b418b24f4cbeaef897bf3cebca27065ebb8761b46bc2662fe76f141245b9186a5ac8493c7f4976cf0d6dfc085c3e503e3f771bc3ccb121230db76fd8aba4f45f060ad64ab3afd99b4e52824b9eba12e93e46f9dcb2fa01d9cef89f298a0da02a82a4fb56924afd3e3c277a1302d99f770d488449df2d43eb5b174a0a528827e6877b965c2f0b7c89cf1aa26a7417a892df4c2294e2872d62748b72ea04ecb0689b5d792e615a9bf9d56f6e0f298560bf9441df0a22729c5f23389f028c25f\n" ++ "10 5d4d5141ccd5066d50dc3f21d79ba02fedc24256 ima-sig sha256:b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b /usr/bin/zmore 030204531f402500483046022100fe24678d21083ead47660e1a2d553a592d777c478d1b0466de6ed484b54956b3022100cad3adb37f277bbb03544d6107751b4cd4f2289d8353fa36257400a99334d5c3\n" + ) + + COMBINED = MEASUREMENTS + SIGNATURES diff --git a/SOURCES/0003-logging-remove-option-to-log-into-separate-file.patch b/SOURCES/0003-logging-remove-option-to-log-into-separate-file.patch new file mode 100644 index 0000000..e7e3672 --- /dev/null +++ b/SOURCES/0003-logging-remove-option-to-log-into-separate-file.patch @@ -0,0 +1,136 @@ +From eb5112dd597336b566378b3a157e76fe3cbbbfee Mon Sep 17 00:00:00 2001 +From: Thore Sommer +Date: Mon, 16 Jan 2023 07:26:08 -0300 +Subject: [PATCH 3/3] logging: remove option to log into separate file + +The implementation had the issue that only the main loggers were added and that +the permissions were not set strict enough. Users should use the logging +provided by systemd instead. + +Signed-off-by: Thore Sommer +--- + keylime.conf | 10 ---------- + keylime/keylime_logging.py | 31 ------------------------------ + scripts/templates/2.0/registrar.j2 | 9 --------- + scripts/templates/2.0/verifier.j2 | 9 --------- + 4 files changed, 59 deletions(-) + +diff --git a/keylime.conf b/keylime.conf +index d896f9f..043b6a8 100644 +--- a/keylime.conf ++++ b/keylime.conf +@@ -342,11 +342,6 @@ tomtou_errors = False + # signature check before storing them in the database. + require_allow_list_signatures = False + +-# Destination for log output, in addition to console. Values can be 'file', +-# with the file being named after the "service" - cloud_verifier - created under +-# /var/log/keylime), 'stream' or it can be left empty (which results in +-# logging to console only, recommended when running inside a container) +-log_destination = file + + #============================================================================= + [tenant] +@@ -595,11 +590,6 @@ auto_migrate_db = True + # The file to use for SQLite persistence of provider hypervisor data. + prov_db_filename = provider_reg_data.sqlite + +-# Destination for log output, in addition to console. Values can be 'file', +-# with the file being named after the "service" - registrar - created under +-# /var/log/keylime), 'stream' or it can be left empty (which results in +-# logging to console only, recommended when running inside a container) +-log_destination = file + + #============================================================================= + [ca] +diff --git a/keylime/keylime_logging.py b/keylime/keylime_logging.py +index bc8a11d..f7c7a8f 100644 +--- a/keylime/keylime_logging.py ++++ b/keylime/keylime_logging.py +@@ -1,17 +1,10 @@ + import logging +-import os + from logging import Logger + from logging import config as logging_config + from typing import Any, Callable, Dict + + from keylime import config + +-LOG_TO_FILE = set() +-LOG_TO_STREAM = set() +-LOGDIR = os.getenv("KEYLIME_LOGDIR", "/var/log/keylime") +-# not clear that this works right. console logging may not work +-LOGSTREAM = os.path.join(LOGDIR, "keylime-stream.log") +- + logging_config.fileConfig(config.get_config("logging")) + + +@@ -50,31 +43,7 @@ def log_http_response(logger: Logger, loglevel: int, response_body: Dict[str, An + + + def init_logging(loggername: str) -> Logger: +- +- if loggername in ("verifier", "registrar"): +- logdest = config.get(loggername, "log_destination", fallback="") +- if logdest == "file": +- LOG_TO_FILE.add(loggername) +- if logdest == "stream": +- LOG_TO_STREAM.add(loggername) +- + logger = logging.getLogger(f"keylime.{loggername}") + logging.getLogger("requests").setLevel(logging.WARNING) +- mainlogger = logging.getLogger("keylime") +- basic_formatter = logging.Formatter("%(asctime)s %(name)s %(levelname)s %(message)s") +- if loggername in LOG_TO_FILE: +- logfilename = os.path.join(LOGDIR, f"{loggername}.log") +- if not os.path.exists(LOGDIR): +- os.makedirs(LOGDIR, 0o750) +- fh = logging.FileHandler(logfilename) +- fh.setLevel(logger.getEffectiveLevel()) +- fh.setFormatter(basic_formatter) +- mainlogger.addHandler(fh) +- +- if loggername in LOG_TO_STREAM: +- fh = logging.FileHandler(filename=LOGSTREAM, mode="w") +- fh.setLevel(logger.getEffectiveLevel()) +- fh.setFormatter(basic_formatter) +- mainlogger.addHandler(fh) + + return logger +diff --git a/scripts/templates/2.0/registrar.j2 b/scripts/templates/2.0/registrar.j2 +index 3d92303..8de7a50 100644 +--- a/scripts/templates/2.0/registrar.j2 ++++ b/scripts/templates/2.0/registrar.j2 +@@ -71,12 +71,3 @@ auto_migrate_db = {{ registrar.auto_migrate_db }} + + # The file to use for SQLite persistence of provider hypervisor data. + prov_db_filename: {{ registrar.prov_db_filename }} +- +-# Destination for log output, in addition to console. If left empty, the log +-# output will only be printed to console (recommended for containers to avoid +-# filling data storage). The accepted values are: +-# 'file': The log output will also be written to a file named after the +-# component in '/var/log/keylime/registrar.log' +-# 'stream': The log output will be written to a common file in +-# 'var/log/keylime/keylime-stream.log' +-log_destination = {{ registrar.log_destination }} +diff --git a/scripts/templates/2.0/verifier.j2 b/scripts/templates/2.0/verifier.j2 +index d1584df..7a66cb1 100644 +--- a/scripts/templates/2.0/verifier.j2 ++++ b/scripts/templates/2.0/verifier.j2 +@@ -196,12 +196,3 @@ zmq_port = {{ verifier.zmq_port }} + + # Webhook url for revocation notifications. + webhook_url = {{ verifier.webhook_url }} +- +-# Destination for log output, in addition to console. If left empty, the log +-# output will only be printed to console (recommended for containers to avoid +-# filling data storage). The accepted values are: +-# 'file': The log output will also be written to a file named after the +-# component in '/var/log/keylime/verifier.log' +-# 'stream': The log output will be written to a common file in +-# 'var/log/keylime/keylime-stream.log' +-log_destination = {{ verifier.log_destination }} +-- +2.38.1 + diff --git a/SOURCES/keylime.fc b/SOURCES/keylime.fc deleted file mode 100644 index 5114c47..0000000 --- a/SOURCES/keylime.fc +++ /dev/null @@ -1,24 +0,0 @@ -/usr/bin/keylime_agent -- gen_context(system_u:object_r:keylime_agent_exec_t,s0) -/usr/bin/keylime_ima_emulator -- gen_context(system_u:object_r:keylime_agent_exec_t,s0) -/usr/bin/keylime_userdata_encrypt -- gen_context(system_u:object_r:keylime_agent_exec_t,s0) - -/usr/bin/keylime_ca -- gen_context(system_u:object_r:keylime_server_exec_t,s0) -/usr/bin/keylime_migrations_apply -- gen_context(system_u:object_r:keylime_server_exec_t,s0) -/usr/bin/keylime_registrar -- gen_context(system_u:object_r:keylime_server_exec_t,s0) -/usr/bin/keylime_verifier -- gen_context(system_u:object_r:keylime_server_exec_t,s0) -/usr/bin/keylime_tenant -- gen_context(system_u:object_r:keylime_server_exec_t,s0) - -/usr/local/bin/keylime_agent -- gen_context(system_u:object_r:keylime_agent_exec_t,s0) -/usr/local/bin/keylime_ima_emulator -- gen_context(system_u:object_r:keylime_agent_exec_t,s0) -/usr/local/bin/keylime_userdata_encrypt -- gen_context(system_u:object_r:keylime_agent_exec_t,s0) - -/usr/local/bin/keylime_ca -- gen_context(system_u:object_r:keylime_server_exec_t,s0) -/usr/local/bin/keylime_migrations_apply -- gen_context(system_u:object_r:keylime_server_exec_t,s0) -/usr/local/bin/keylime_registrar -- gen_context(system_u:object_r:keylime_server_exec_t,s0) -/usr/local/bin/keylime_verifier -- gen_context(system_u:object_r:keylime_server_exec_t,s0) -/usr/local/bin/keylime_tenant -- gen_context(system_u:object_r:keylime_server_exec_t,s0) - -/var/lib/keylime(/.*)? gen_context(system_u:object_r:keylime_var_lib_t,s0) -/var/lib/keylime-agent(/.*)? gen_context(system_u:object_r:keylime_var_lib_t,s0) - -/var/log/keylime(/.*)? gen_context(system_u:object_r:keylime_log_t,s0) diff --git a/SOURCES/keylime.if b/SOURCES/keylime.if deleted file mode 100644 index 1614a33..0000000 --- a/SOURCES/keylime.if +++ /dev/null @@ -1,37 +0,0 @@ -## policy for keylime - -######################################## -## -## Add to specified type to keylime_type attribute . -## -## -## -## Type to be used for keylime domains. -## -## -# -interface(`keylime_use_keylime_domain',` - gen_require(` - attribute keylime_domain; - ') - - typeattribute $1 keylime_domain; -') - -######################################## -## -## Mounton keylime lib directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`keylime_mounton_var_lib',` - gen_require(` - type keylime_var_lib_t; - ') - - allow $1 keylime_var_lib_t:dir mounton; -') diff --git a/SOURCES/keylime.te b/SOURCES/keylime.te deleted file mode 100644 index cd02baf..0000000 --- a/SOURCES/keylime.te +++ /dev/null @@ -1,140 +0,0 @@ -policy_module(keylime, 1.0.0) - -######################################## -# -# Declarations -# - -attribute keylime_domain; - -type keylime_agent_t; -keylime_use_keylime_domain(keylime_agent_t) -type keylime_agent_exec_t; -init_daemon_domain(keylime_agent_t, keylime_agent_exec_t) - -type keylime_server_t; -keylime_use_keylime_domain(keylime_server_t) -type keylime_server_exec_t; -init_daemon_domain(keylime_server_t, keylime_server_exec_t) - -type keylime_log_t; -logging_log_file(keylime_log_t) - -type keylime_var_lib_t; -files_type(keylime_var_lib_t) - -type keylime_tmp_t; -files_tmp_file(keylime_tmp_t) - -######################################## -# -# keylime domain policy -# - -allow keylime_domain self:tcp_socket create_stream_socket_perms; - -manage_dirs_pattern(keylime_domain, keylime_tmp_t, keylime_tmp_t) -manage_files_pattern(keylime_domain, keylime_tmp_t, keylime_tmp_t) -files_tmp_filetrans(keylime_domain, keylime_tmp_t, { dir file }) - -manage_dirs_pattern(keylime_domain, keylime_var_lib_t, keylime_var_lib_t) -manage_files_pattern(keylime_domain, keylime_var_lib_t, keylime_var_lib_t) -files_var_lib_filetrans(keylime_domain, keylime_var_lib_t, { dir file lnk_file }) - -corecmd_exec_bin(keylime_domain) - -corenet_tcp_bind_generic_node(keylime_domain) -corenet_tcp_bind_all_ports(keylime_domain) -corenet_tcp_connect_all_unreserved_ports(keylime_domain) - -dev_read_sysfs(keylime_domain) - -fs_tmpfs_filetrans(keylime_domain, keylime_var_lib_t, { dir file }) - -init_named_socket_activation(keylime_domain, keylime_var_lib_t, "keylime") - -miscfiles_read_generic_certs(keylime_domain) - -sysnet_read_config(keylime_domain) - -userdom_exec_user_tmp_files(keylime_domain) -userdom_manage_user_tmp_dirs(keylime_domain) -userdom_manage_user_tmp_files(keylime_domain) - -######################################## -# -# keylime server policy -# - -allow keylime_server_t self:netlink_route_socket { create_stream_socket_perms nlmsg_read }; -allow keylime_server_t self:udp_socket create_stream_socket_perms; - -manage_dirs_pattern(keylime_server_t, keylime_log_t, keylime_log_t) -manage_files_pattern(keylime_server_t, keylime_log_t, keylime_log_t) - -fs_rw_inherited_tmpfs_files(keylime_server_t) - -optional_policy(` - gpg_exec(keylime_server_t) -') - -optional_policy(` - kerberos_read_config(keylime_server_t) - kerberos_read_keytab(keylime_server_t) -') - -optional_policy(` - sssd_run_stream_connect(keylime_server_t) -') - - -######################################## -# -# keylime agent policy -# -#work with /var/lib/keylime/secure -allow keylime_agent_t self:capability { chown dac_override dac_read_search setgid setuid sys_nice sys_ptrace }; -allow keylime_agent_t self:chr_file getattr; - -#FIX ME, add to tabrmd policy interface related with this -allow keylime_agent_t domain:unix_stream_socket rw_stream_socket_perms; #selint-disable:W-001 - -dev_rw_tpm(keylime_agent_t) - -exec_files_pattern(keylime_agent_t, keylime_var_lib_t, keylime_var_lib_t) -files_read_var_lib_files(keylime_agent_t) - -fs_dontaudit_search_cgroup_dirs(keylime_agent_t) -fs_getattr_cgroup(keylime_agent_t) -fs_mount_tmpfs(keylime_agent_t) -fs_setattr_tmpfs_dirs(keylime_agent_t) - -init_dontaudit_stream_connect(keylime_agent_t) - -kernel_read_all_proc(keylime_agent_t) - -userdom_dontaudit_search_user_home_dirs(keylime_agent_t) - -auth_read_passwd(keylime_agent_t) - -keylime_mounton_var_lib(keylime_agent_t) - -mount_domtrans(keylime_agent_t) - -selinux_read_policy(keylime_agent_t) - -optional_policy(` - #FIX ME, add to tabrmd policy interface related with this - #https://github.com/tpm2-software/tpm2-abrmd/blob/master/selinux - dbus_chat_system_bus(keylime_agent_t) -') - -optional_policy(` - dbus_stream_connect_system_dbusd(keylime_agent_t) - dbus_system_bus_client(keylime_agent_t) -') - -optional_policy(` - systemd_userdbd_stream_connect(keylime_agent_t) - systemd_machined_stream_connect(keylime_agent_t) -') diff --git a/SPECS/keylime.spec b/SPECS/keylime.spec index f8bfffd..8a47a55 100644 --- a/SPECS/keylime.spec +++ b/SPECS/keylime.spec @@ -1,4 +1,5 @@ %global srcname keylime +%global policy_version 1.0.0 %global with_selinux 1 %global selinuxtype targeted @@ -7,18 +8,18 @@ %global debug_package %{nil} Name: keylime -Version: 6.4.3 -Release: 1%{?dist} +Version: 6.5.2 +Release: 4%{?dist} Summary: Open source TPM software for Bootstrapping and Maintaining Trust URL: https://github.com/keylime/keylime Source0: https://github.com/keylime/keylime/archive/refs/tags/v%{version}.tar.gz Source1: %{srcname}.sysusers -%if 0%{?with_selinux} -Source2: %{srcname}.te -Source3: %{srcname}.if -Source4: %{srcname}.fc -%endif +Source2: https://github.com/RedHat-SP-Security/%{name}-selinux/archive/v%{policy_version}/keylime-selinux-%{policy_version}.tar.gz + +Patch: 0001-Do-not-use-default-values-that-need-reading-the-conf.patch +Patch: 0002-Switch-to-sha256-hashes-for-signatures.patch +Patch: 0003-logging-remove-option-to-log-into-separate-file.patch License: ASL 2.0 and MIT @@ -27,6 +28,7 @@ BuildRequires: swig BuildRequires: openssl-devel BuildRequires: python3-devel BuildRequires: python3-dbus +BuildRequires: python3-jinja2 BuildRequires: python3-setuptools BuildRequires: systemd-rpm-macros @@ -57,7 +59,7 @@ Requires: tpm2-tss %if 0%{?with_selinux} # This ensures that the *-selinux package and all it’s dependencies are not pulled # into containers and other systems that do not use SELinux -Requires: (%{srcname}-selinux if selinux-policy-%{selinuxtype}) +Recommends: (%{srcname}-selinux if selinux-policy-%{selinuxtype}) %endif %ifarch %efi @@ -87,6 +89,7 @@ Requires: python3-lark-parser Requires: python3-pyasn1 Requires: python3-pyasn1-modules Requires: tpm2-tools +Requires: openssl %description -n python3-%{srcname} The python3-keylime module implements the functionality used @@ -140,15 +143,12 @@ Requires: python3-%{srcname} = %{version}-%{release} The Keylime Tenant can be used to provision a Keylime Agent. %prep -%autosetup -S git -n %{srcname}-%{version} +%autosetup -S git -n %{srcname}-%{version} -a2 %if 0%{?with_selinux} # SELinux policy (originally from selinux-policy-contrib) # this policy module will override the production module mkdir selinux -cp -p %{SOURCE2} selinux/ -cp -p %{SOURCE3} selinux/ -cp -p %{SOURCE4} selinux/ make -f %{_datadir}/selinux/devel/Makefile %{srcname}.pp bzip2 -9 %{srcname}.pp @@ -163,37 +163,38 @@ mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname} mkdir -p --mode=0700 %{buildroot}/%{_rundir}/%{srcname} mkdir -p --mode=0700 %{buildroot}/%{_localstatedir}/log/%{srcname} -# Remove agent and webapp. +mkdir -p --mode=0700 %{buildroot}/%{_sysconfdir}/%{srcname}/ +for comp in "verifier" "tenant" "registrar" "ca" "logging"; do + mkdir -p --mode=0700 %{buildroot}/%{_sysconfdir}/%{srcname}/${comp}.conf.d + install -Dpm 400 config/${comp}.conf %{buildroot}/%{_sysconfdir}/%{srcname} +done + +# Remove agent. rm -f %{buildroot}/%{_bindir}/%{srcname}_agent rm -f %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/%{srcname}_agent* rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/__pycache__/agent.* rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/agent.* rm -f %{buildroot}%{python3_sitelib}/%{srcname}/%{srcname}_agent.* -rm -f %{buildroot}/%{_bindir}/%{srcname}_webapp -rm -f %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/tenant_webapp.* -rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/__pycache__/webapp.* -rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/webapp.* -rm -f %{buildroot}%{python3_sitelib}/%{srcname}/tenant_webapp.* -rm -rf %{buildroot}%{python3_sitelib}/%{srcname}/static/ - # Remove misc progs. rm -f %{buildroot}/%{_bindir}/%{srcname}_ima_emulator rm -f %{buildroot}/%{_bindir}/%{srcname}_userdata_encrypt -# Setting up the agent to use keylime:keylime user/group after dropping privileges. -sed -e 's/^run_as[[:space:]]*=.*/run_as = keylime:keylime/g' -i %{srcname}.conf - -# Using sha256 for tpm_hash_alg. -sed -e 's/^tpm_hash_alg[[:space:]]*=.*/tpm_hash_alg = sha256/g' -i %{srcname}.conf +# Ship some scripts. +mkdir -p %{buildroot}/%{_datadir}/%{srcname}/scripts +for s in create_allowlist.sh \ + create_mb_refstate \ + create_policy \ + ek-openssl-verify; do + install -Dpm 755 scripts/${s} \ + %{buildroot}/%{_datadir}/%{srcname}/scripts/${s} +done %if 0%{?with_selinux} install -D -m 0644 %{srcname}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2 -install -D -p -m 0644 selinux/%{srcname}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{srcname}.if +install -D -p -m 0644 keylime-selinux-%{policy_version}/%{srcname}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{srcname}.if %endif -install -Dpm 600 %{srcname}.conf \ - %{buildroot}%{_sysconfdir}/%{srcname}.conf install -Dpm 644 ./services/%{srcname}_verifier.service \ %{buildroot}%{_unitdir}/%{srcname}_verifier.service @@ -201,7 +202,8 @@ install -Dpm 644 ./services/%{srcname}_verifier.service \ install -Dpm 644 ./services/%{srcname}_registrar.service \ %{buildroot}%{_unitdir}/%{srcname}_registrar.service -cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/keylime/ +cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/ +chmod 400 %{buildroot}%{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem install -p -d %{buildroot}/%{_tmpfilesdir} cat > %{buildroot}/%{_tmpfilesdir}/%{srcname}.conf << EOF @@ -215,11 +217,24 @@ install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/%{srcname}.conf exit 0 %posttrans base -[ -f %{_sysconfdir}/%{srcname}.conf ] && \ - chmod 600 %{_sysconfdir}/%{srcname}.conf && \ - chown %{srcname} %{_sysconfdir}/%{srcname}.conf +if [ -d %{_sysconfdir}/%{srcname} ]; then + chmod 500 %{_sysconfdir}/%{srcname} + chown -R %{srcname}:%{srcname} %{_sysconfdir}/%{srcname} + + for comp in "verifier" "tenant" "registrar" "ca" "logging"; do + [ -d %{_sysconfdir}/%{srcname}/${comp}.conf.d ] && \ + chmod 500 %{_sysconfdir}/%{srcname}/${comp}.conf.d + done +fi + + [ -d %{_sharedstatedir}/%{srcname} ] && \ chown -R %{srcname} %{_sharedstatedir}/%{srcname}/ + +[ -d %{_sharedstatedir}/%{srcname}/tpm_cert_store ] && \ + chmod 400 %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem && \ + chmod 500 %{_sharedstatedir}/%{srcname}/tpm_cert_store/ + [ -d %{_localstatedir}/log/%{srcname} ] && \ chown -R %{srcname} %{_localstatedir}/log/%{srcname}/ exit 0 @@ -272,6 +287,8 @@ fi %files verifier %license LICENSE +%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/verifier.conf.d +%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/verifier.conf %{_bindir}/%{srcname}_verifier %{_bindir}/%{srcname}_ca %{_bindir}/%{srcname}_migrations_apply @@ -279,6 +296,8 @@ fi %files registrar %license LICENSE +%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/registrar.conf.d +%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/registrar.conf %{_bindir}/%{srcname}_registrar %{_unitdir}/keylime_registrar.service @@ -291,27 +310,61 @@ fi %files tenant %license LICENSE +%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/tenant.conf.d +%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/tenant.conf %{_bindir}/%{srcname}_tenant %files -n python3-%{srcname} %license LICENSE %{python3_sitelib}/%{srcname}-*.egg-info/ %{python3_sitelib}/%{srcname} +%{_datadir}/%{srcname}/scripts/create_mb_refstate +%{_datadir}/%{srcname}/scripts/create_policy +%{_bindir}/keylime_convert_ima_policy %files base %license LICENSE %doc README.md -%config(noreplace) %attr(600,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}.conf +%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/{ca,logging}.conf.d +%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/ca.conf +%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/logging.conf %attr(700,%{srcname},%{srcname}) %dir %{_rundir}/%{srcname} %attr(700,%{srcname},%{srcname}) %dir %{_localstatedir}/log/%{srcname} -%attr(700,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname} +%attr(700,%{srcname},%{srcname}) %dir %{_sharedstatedir}/%{srcname} +%attr(500,%{srcname},%{srcname}) %dir %{_sharedstatedir}/%{srcname}/tpm_cert_store +%attr(400,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem %{_tmpfilesdir}/%{srcname}.conf %{_sysusersdir}/%{srcname}.conf +%{_datadir}/%{srcname}/scripts/create_allowlist.sh +%{_datadir}/%{srcname}/scripts/ek-openssl-verify %files %license LICENSE %changelog +* Fri Jan 13 2023 Sergio Correia - 6.5.2-4 +- Backport upstream PR#1240 - logging: remove option to log into separate file + Resolves: rhbz#2154584 - keylime verifier is not logging to /var/log/keylime + +* Thu Dec 1 2022 Sergio Correia - 6.5.2-3 +- Remove leftover policy file + Related: rhbz#2152135 + +* Thu Dec 1 2022 Patrik Koncity - 6.5.2-2 +- Use keylime selinux policy from upstream. + Resolves: rhbz#2152135 + +* Mon Nov 14 2022 Sergio Correia - 6.5.2-1 +- Update to 6.5.2 + Resolves: CVE-2022-3500 + Resolves: rhbz#2138167 - agent fails IMA attestation when one scripts is executed quickly after the other + Resolves: rhbz#2140670 - Segmentation fault in /usr/share/keylime/create_mb_refstate script + Resolves: rhbz#142009 - Registrar may crash during EK validation when require_ek_cert is enabled + +* Tue Sep 13 2022 Sergio Correia - 6.5.0-1 +- Update to 6.5.0 + Resolves: rhbz#2120686 - Keylime configuration is too complex + * Fri Aug 26 2022 Sergio Correia - 6.4.3-1 - Update to 6.4.3 Resolves: rhbz#2121044 - Error parsing EK ASN.1 certificate of Nuvoton HW TPM