diff --git a/0012-Restore-create-allowlist.patch b/0012-Restore-create-allowlist.patch
new file mode 100644
index 0000000..f1ac3a6
--- /dev/null
+++ b/0012-Restore-create-allowlist.patch
@@ -0,0 +1,50 @@
+--- a/scripts/create_runtime_policy.sh 2023-10-06 10:51:36.857497863 +0200
++++ b/scripts/create_runtime_policy.sh 2023-10-06 17:05:45.579367576 +0200
+@@ -42,7 +42,7 @@
+ exit $NOARGS;
+ fi
+ 
+-ALGO=sha1sum
++ALGO=sha256sum
+ 
+ ALGO_LIST=("sha1sum" "sha256sum" "sha512sum")
+ 
+@@ -78,7 +78,7 @@
+ 
+ 
+ # Where to look for initramfs image
+-INITRAMFS_LOC="/boot/"
++INITRAMFS_LOC="/boot"
+ if [ -d "/ostree" ]; then
+ # If we are on an ostree system change where we look for initramfs image
+ loc=$(grep -E "/ostree/[^/]([^/]*)" -o /proc/cmdline | head -n 1 | cut -d / -f 3)
+@@ -130,9 +130,26 @@
+ find -type f -exec $ALGO "./{}" \; | sed "s| \./\./| /|" >> $OUTPUT
+ done
+ 
+-# Convert to runtime policy
+-echo "Converting created allowlist to Keylime runtime policy"
+-python3 $WORKING_DIR/../keylime/cmd/convert_runtime_policy.py -a $OUTPUT -o $OUTPUT
++# when ROOTFS_LOC = '/', the path starts on allowlist ends up with double '//'
++#
++# Example:
++#
++# b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c //bar
++#
++# Replace the unwanted '//' with a single '/'
++sed -i 's| /\+| /|g' $ALLOWLIST_DIR/${OUTPUT}
++
++# When the file name contains newlines or backslashes, the output of sha256sum
++# adds a backslash at the beginning of the line.
++#
++# Example:
++#
++# $ echo foo > ba\\r
++# $ sha256sum ba\\r
++# \b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c ba\\r
++#
++# Remove the unwanted backslash prefix
++sed -i 's/^\\//g' $ALLOWLIST_DIR/${OUTPUT}
+ 
+ # Clean up
+ rm -rf /tmp/ima
diff --git a/keylime.spec b/keylime.spec
index f106cb3..7ebd4c9 100644
--- a/keylime.spec
+++ b/keylime.spec
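Review bot: The second new `sed -i 's/^\\//g' $ALLOWLIST_DIR/${OUTPUT}` strips only the leading backslash that sha256sum emits for names containing backslashes or newlines, but in that mode the name itself stays escaped, as the hunk's own example shows (`ba\\r` remains `ba\\r` while the file created by `echo foo > ba\\r` is named `ba\r`), so the resulting allowlist entry does not match the on-disk path. Unless the consumer of this list is known to unescape names, undo the doubled backslashes on those lines as well, e.g. `sed -i '/^\\/{s/^\\//;s/\\\\/\\/g}' "$ALLOWLIST_DIR/${OUTPUT}"`; names containing a real newline still arrive as `\n` and cannot be represented on one line of a line-based list, so they are better logged and dropped than left in a form that matches nothing. Both new `sed` lines also pass `$ALLOWLIST_DIR/${OUTPUT}` unquoted, so an allowlist directory containing whitespace splits into several arguments; quote it as `"$ALLOWLIST_DIR/${OUTPUT}"`. The script's argument handling and the loop that writes `$OUTPUT` lie outside this hunk.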
@@ -9,7 +9,7 @@ Name: keylime Version: 7.3.0 -Release: 9%{?dist} +Release: 10%{?dist} Summary: Open source TPM software for Bootstrapping and Maintaining Trust URL: https://github.com/keylime/keylime @@ -28,6 +28,7 @@ Patch: 0008-verifier-should-read-parameters-from-verifier.conf-o.patch Patch: 0009-CVE-2023-38201.patch Patch: 0010-CVE-2023-38200.patch Patch: 0011-Automatically-update-agent-API-version.patch +Patch: 0012-Restore-create-allowlist.patch License: ASL 2.0 and MIT @@ -183,13 +184,19 @@ done # Ship some scripts. mkdir -p %{buildroot}/%{_datadir}/%{srcname}/scripts -for s in create_runtime_policy.sh \ - create_mb_refstate \ +for s in create_mb_refstate \ ek-openssl-verify; do install -Dpm 755 scripts/${s} \ %{buildroot}/%{_datadir}/%{srcname}/scripts/${s} done +# On RHEL 9.3, install create_runtime_policy.sh as create_allowlist.sh +# The convert_runtime_policy.py script to convert allowlist and excludelist into +# runtime policy is not called anymore. +# See: https://issues.redhat.com/browse/RHEL-11866 +install -Dpm 755 scripts/create_runtime_policy.sh \ + %{buildroot}/%{_datadir}/%{srcname}/scripts/create_allowlist.sh + # Ship configuration templates. cp -r ./templates %{buildroot}%{_datadir}/%{srcname}/templates/ @@ -353,7 +360,7 @@ fi %attr(400,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem %{_tmpfilesdir}/%{srcname}.conf %{_sysusersdir}/%{srcname}.conf -%{_datadir}/%{srcname}/scripts/create_runtime_policy.sh +%{_datadir}/%{srcname}/scripts/create_allowlist.sh %{_datadir}/%{srcname}/scripts/ek-openssl-verify %{_datadir}/%{srcname}/templates %{_bindir}/keylime_upgrade_config @@ -362,6 +369,11 @@ fi %license LICENSE %changelog +* Fri Oct 06 2023 Anderson Toshiyuki Sasaki - 7.3.0-10 +- Restore allowlist generation script + Resolves: RHEL-11866 + Resolves: RHEL-11867 + * Wed Sep 06 2023 Sergio Correia - 7.3.0-9 - Rebuild for properly tagging the resulting build Resolves: RHEL-1898