Updating for Keylime release v6.3.2

.gitignore

@@ -13,3 +13,4 @@
 /6.1.0.tar.gz
 /v6.3.0.tar.gz
 /v6.3.1.tar.gz
+/v6.3.2.tar.gz

keylime.spec

@@ -1,7 +1,7 @@
 %global srcname keylime
 
 Name:    keylime
-Version: 6.3.1
+Version: 6.3.2
 Release: 1%{?dist}
 Summary: Open source TPM software for Bootstrapping and Maintaining Trust
 
@@ -226,12 +226,17 @@ mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname}
 mkdir -p --mode=0700 %{buildroot}/%{_rundir}/%{srcname}
 mkdir -p --mode=0700 %{buildroot}/%{_localstatedir}/log/%{srcname}
 
+# Setting up the agent to use keylime user/group.
+sed -e 's/^run_as.*/run_as = %{srcname}:%{srcname}/g' -i %{srcname}.conf
 install -Dpm 600 %{srcname}.conf \
     %{buildroot}%{_sysconfdir}/%{srcname}.conf
 
 install -Dpm 644 ./services/%{srcname}_agent.service \
     %{buildroot}%{_unitdir}/%{srcname}_agent.service
 
+install -Dpm 644 ./services/%{srcname}_agent_secure.mount \
+    %{buildroot}%{_unitdir}/%{srcname}_agent_secure.mount
+
 install -Dpm 644 ./services/%{srcname}_verifier.service \
     %{buildroot}%{_unitdir}/%{srcname}_verifier.service
 
@@ -249,6 +254,37 @@ getent passwd %{srcname} >/dev/null || \
 if getent group tss >/dev/null && ! groups %{srcname} | grep -q "\btss\b"; then
     usermod -a -G tss %{srcname} &>/dev/null
 fi
+
+# Check if already use run_as (introduced in 6.3.2).
+if ! _ug=$(grep ^run_as %{_sysconfdir}/%{srcname}.conf | awk '{ print $3 }') \
+           || [ -z "${_ug}" ]; then
+
+    [ -d %{_localstatedir}/lib/rpm-state/%{srcname} ] \
+        && rm -rf %{_localstatedir}/lib/rpm-state/%{srcname}
+    mkdir -p %{_localstatedir}/lib/rpm-state/%{srcname}
+    touch %{_localstatedir}/lib/rpm-state/%{srcname}/no-run_as
+fi
+exit 0
+
+%posttrans base
+[ -f %{_sysconfdir}/%{srcname}.conf ] && \
+    chmod 600 %{_sysconfdir}/%{srcname}.conf
+
+# If we just started using run_as, we need to change a few permissions.
+if _ug=$(grep ^run_as %{_sysconfdir}/%{srcname}.conf | awk '{ print $3 }') \
+         && [ -n "${_ug}" ] \
+         && [ -f %{_localstatedir}/lib/rpm-state/%{srcname}/no-run_as ]; then
+
+    [ -f %{_sharedstatedir}/%{srcname}/tpmdata.yml ] && \
+        chown "${_ug}" %{_sharedstatedir}/%{srcname}/tpmdata.yml
+    if [ -d %{_sharedstatedir}/%{srcname}/cv_ca ]; then
+        chown "${_ug}" %{_sharedstatedir}/%{srcname}/cv_ca
+        [ -f %{_sharedstatedir}/%{srcname}/cv_ca/cacert.crt ] && \
+            chown "${_ug}" %{_sharedstatedir}/%{srcname}/cv_ca/cacert.crt
+    fi
+fi
+[ -d %{_localstatedir}/lib/rpm-state/%{srcname} ] \
+    && rm -rf %{_localstatedir}/lib/rpm-state/%{srcname}
 exit 0
 
 %post verifier
@@ -293,7 +329,8 @@ exit 0
 %files -n python3-%{srcname}-agent
 %license LICENSE
 %{_bindir}/%{srcname}_agent
-%{_unitdir}/keylime_agent.service
+%{_unitdir}/%{srcname}_agent.service
+%{_unitdir}/%{srcname}_agent_secure.mount
 %{_bindir}/%{srcname}_ima_emulator
 
 %files tenant
@@ -321,11 +358,13 @@ exit 0
 %attr(700,%{srcname},%{srcname}) %dir %{_localstatedir}/log/%{srcname}
 %attr(700,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}
 
-
 %files
 %license LICENSE
 
 %changelog
+* Wed Apr 06 2022 Sergio Correia <scorreia@redhat.com> - 6.3.2-1
+- Updating for Keylime release v6.3.2
+
 * Mon Feb 14 2022 Sergio Correia <scorreia@redhat.com> - 6.3.1-1
 - Updating for Keylime release v6.3.1
 

sources

@@ -1 +1 @@
-SHA512 (v6.3.1.tar.gz) = 0c0d5f2bbc68eae6608c3e7b8f06149c4f6ad27174fd84a05a7beecf69fba3340f961955da843a5c3bce2849bb79f065c5e2002d477d19c0fe8d6b81c5cb9109
+SHA512 (v6.3.2.tar.gz) = 632c2acccc5e139c2771e6771eca497933b2d76fa1307c97a72aa507a113342b9a6fd2c7fec288a9cdc90a1fce7d7febd453c97f859ea4a248f8171fd39fd4b1