Restore create allowlist script

Resolves: RHEL-11866
Resolves: RHEL-11867

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>

0012-Restore-create-allowlist.patch

@@ -0,0 +1,50 @@
+--- a/scripts/create_runtime_policy.sh	2023-10-06 10:51:36.857497863 +0200
++++ b/scripts/create_runtime_policy.sh	2023-10-06 17:05:45.579367576 +0200
+@@ -42,7 +42,7 @@
+     exit $NOARGS;
+ fi
+ 
+-ALGO=sha1sum
++ALGO=sha256sum
+ 
+ ALGO_LIST=("sha1sum" "sha256sum" "sha512sum")
+ 
+@@ -78,7 +78,7 @@
+ 
+ 
+ # Where to look for initramfs image
+-INITRAMFS_LOC="/boot/"
++INITRAMFS_LOC="/boot"
+ if [ -d "/ostree" ]; then
+     # If we are on an ostree system change where we look for initramfs image
+     loc=$(grep -E "/ostree/[^/]([^/]*)" -o /proc/cmdline | head -n 1 | cut -d / -f 3)
+@@ -130,9 +130,26 @@
+     find -type f -exec $ALGO "./{}" \; | sed "s| \./\./| /|" >> $OUTPUT
+ done
+ 
+-# Convert to runtime policy
+-echo "Converting created allowlist to Keylime runtime policy"
+-python3 $WORKING_DIR/../keylime/cmd/convert_runtime_policy.py -a $OUTPUT -o $OUTPUT
++# when ROOTFS_LOC = '/', the path starts on allowlist ends up with double '//'
++#
++# Example:
++#
++# b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c  //bar
++#
++# Replace the unwanted '//' with a single '/'
++sed -i 's| /\+| /|g'  $ALLOWLIST_DIR/${OUTPUT}
++
++# When the file name contains newlines or backslashes, the output of sha256sum
++# adds a backslash at the beginning of the line.
++#
++# Example:
++#
++# $ echo foo > ba\\r
++# $ sha256sum ba\\r
++# \b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c  ba\\r
++#
++# Remove the unwanted backslash prefix
++sed -i 's/^\\//g' $ALLOWLIST_DIR/${OUTPUT}
+ 
+ # Clean up
+ rm -rf /tmp/ima

keylime.spec

@@ -9,7 +9,7 @@
 
 Name:    keylime
 Version: 7.3.0
-Release: 9%{?dist}
+Release: 10%{?dist}
 Summary: Open source TPM software for Bootstrapping and Maintaining Trust
 
 URL:            https://github.com/keylime/keylime
@@ -28,6 +28,7 @@ Patch: 0008-verifier-should-read-parameters-from-verifier.conf-o.patch
 Patch: 0009-CVE-2023-38201.patch
 Patch: 0010-CVE-2023-38200.patch
 Patch: 0011-Automatically-update-agent-API-version.patch
+Patch: 0012-Restore-create-allowlist.patch
 
 License: ASL 2.0 and MIT
 
@@ -183,13 +184,19 @@ done
 
 # Ship some scripts.
 mkdir -p %{buildroot}/%{_datadir}/%{srcname}/scripts
-for s in create_runtime_policy.sh \
-         create_mb_refstate \
+for s in create_mb_refstate \
          ek-openssl-verify; do
     install -Dpm 755 scripts/${s} \
         %{buildroot}/%{_datadir}/%{srcname}/scripts/${s}
 done
 
+# On RHEL 9.3, install create_runtime_policy.sh as create_allowlist.sh
+# The convert_runtime_policy.py script to convert allowlist and excludelist into
+# runtime policy is not called anymore.
+# See: https://issues.redhat.com/browse/RHEL-11866
+install -Dpm 755 scripts/create_runtime_policy.sh \
+        %{buildroot}/%{_datadir}/%{srcname}/scripts/create_allowlist.sh
+
 # Ship configuration templates.
 cp -r ./templates %{buildroot}%{_datadir}/%{srcname}/templates/
 
@@ -353,7 +360,7 @@ fi
 %attr(400,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem
 %{_tmpfilesdir}/%{srcname}.conf
 %{_sysusersdir}/%{srcname}.conf
-%{_datadir}/%{srcname}/scripts/create_runtime_policy.sh
+%{_datadir}/%{srcname}/scripts/create_allowlist.sh
 %{_datadir}/%{srcname}/scripts/ek-openssl-verify
 %{_datadir}/%{srcname}/templates
 %{_bindir}/keylime_upgrade_config
@@ -362,6 +369,11 @@ fi
 %license LICENSE
 
 %changelog
+* Fri Oct 06 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.3.0-10
+- Restore allowlist generation script
+  Resolves: RHEL-11866
+  Resolves: RHEL-11867
+
 * Wed Sep 06 2023 Sergio Correia <scorreia@redhat.com> - 7.3.0-9
 - Rebuild for properly tagging the resulting build
   Resolves: RHEL-1898