From ff4acbb93973198bc9b82c6607bcbcc34cbccef3 Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki
Date: Tue, 17 Oct 2023 13:47:05 +0200
Subject: [PATCH] Set generator and timestamp in create_policy.py
Related: RHEL-11866
Signed-off-by: Anderson Toshiyuki Sasaki
---
 ...rator-and-timestamp-in-create-policy.patch | 44 +++++++++++++++++++
 keylime.spec | 7 ++-
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 0013-Set-generator-and-timestamp-in-create-policy.patch
diff --git a/0013-Set-generator-and-timestamp-in-create-policy.patch b/0013-Set-generator-and-timestamp-in-create-policy.patch
new file mode 100644
index 0000000..2c40991
--- /dev/null
+++ b/0013-Set-generator-and-timestamp-in-create-policy.patch
@@ -0,0 +1,44 @@
+diff --git a/keylime/cloud_verifier_common.py b/keylime/cloud_verifier_common.py
+index a7399d2..c0f416d 100644
+--- a/keylime/cloud_verifier_common.py
++++ b/keylime/cloud_verifier_common.py
+@@ -8,7 +8,7 @@ from keylime.agentstates import AgentAttestState, AgentAttestStates, TPMClockInf
+ from keylime.common import algorithms
+ from keylime.db.verifier_db import VerfierMain
+ from keylime.failure import Component, Event, Failure
+-from keylime.ima import file_signatures
++from keylime.ima import file_signatures, ima
+ from keylime.ima.types import RuntimePolicyType
+ from keylime.tpm import tpm_util
+ from keylime.tpm.tpm_main import Tpm
+@@ -271,7 +271,7 @@ def process_get_status(agent: VerfierMain) -> Dict[str, Any]:
+ logger.debug('The contents of the agent %s attribute "mb_refstate" are %s', agent.agent_id, agent.mb_refstate)
+
+ has_runtime_policy = 0
+- if agent.ima_policy.generator and agent.ima_policy.generator > 1:
++ if agent.ima_policy.generator and agent.ima_policy.generator > ima.RUNTIME_POLICY_GENERATOR.EmptyAllowList:
+ has_runtime_policy = 1
+
+ response = {
+diff --git a/keylime/cmd/create_policy.py b/keylime/cmd/create_policy.py
+index 0841d64..086b92a 100755
+--- a/keylime/cmd/create_policy.py
++++ b/keylime/cmd/create_policy.py
+@@ -6,6 +6,7 @@ import argparse
+ import binascii
+ import collections
+ import copy
++import datetime
+ import gzip
+ import json
+ import multiprocessing
+@@ -580,6 +581,9 @@ def main() -> None:
+ policy["excludes"] = sorted(list(set(policy["excludes"])))
+ policy["ima"]["ignored_keyrings"] = sorted(list(set(policy["ima"]["ignored_keyrings"])))
+
++ policy["meta"]["generator"] = ima.RUNTIME_POLICY_GENERATOR.LegacyAllowList
++ policy["meta"]["timestamp"] = str(datetime.datetime.now())
++
+ try:
+ ima.validate_runtime_policy(policy)
+ except ima.ImaValidationError as ex:
diff --git a/keylime.spec b/keylime.spec
index 8e97153..38481f7 100644
--- a/keylime.spec
+++ b/keylime.spec
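Review bot: The new `policy["meta"]["timestamp"] = str(datetime.datetime.now())` in the create_policy.py hunk stores a naive local time in `str()`'s default `YYYY-MM-DD HH:MM:SS.ffffff` form, so the stamp carries no timezone and is not ISO 8601; for a policy artifact that verifiers and auditors correlate with other records, `policy["meta"]["timestamp"] = datetime.datetime.now(datetime.timezone.utc).isoformat()` gives an unambiguous, machine-parseable value. If `ima.validate_runtime_policy` constrains the format of `meta.timestamp`, the chosen form must match that schema, which is not visible here. The generator is stored as the enum member `ima.RUNTIME_POLICY_GENERATOR.LegacyAllowList`; the verifier hunk compares it with `>`, which suggests an int-based enum, but if it is a plain `Enum` the later JSON dump of the policy would fail, so it is worth confirming how the policy is serialized. Stamping the policy also makes two runs over identical input produce different files, which complicates byte-for-byte comparison or reproducible signing of generated policies. The enclosing `main()` and `process_get_status()` bodies begin and end outside this hunk.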
@@ -9,7 +9,7 @@ Name: keylime
 Version: 7.3.0
-Release: 11%{?dist}
+Release: 12%{?dist}
 Summary: Open source TPM software for Bootstrapping and Maintaining Trust
 URL: https://github.com/keylime/keylime
@@ -29,6 +29,7 @@ Patch: 0009-CVE-2023-38201.patch
 Patch: 0010-CVE-2023-38200.patch
 Patch: 0011-Automatically-update-agent-API-version.patch
 Patch: 0012-Restore-create-allowlist.patch
+Patch: 0013-Set-generator-and-timestamp-in-create-policy.patch
 License: ASL 2.0 and MIT
@@ -369,6 +370,10 @@ fi
 %license LICENSE
 %changelog
+* Tue Oct 17 2023 Anderson Toshiyuki Sasaki - 7.3.0-12
+- Set the generator and timestamp in create_policy.py
+ Related: RHEL-11866
+
 * Mon Oct 09 2023 Anderson Toshiyuki Sasaki - 7.3.0-11
 - Suppress unnecessary error message
 Related: RHEL-11866