Compare commits
2 Commits
imports/c9
...
c9-beta
Author | SHA1 | Date | |
---|---|---|---|
064a1edc0b | |||
|
25f2287717 |
3
.gitignore
vendored
3
.gitignore
vendored
@ -1 +1,2 @@
|
|||||||
SOURCES/v6.4.3.tar.gz
|
SOURCES/keylime-selinux-1.2.0.tar.gz
|
||||||
|
SOURCES/v7.3.0.tar.gz
|
||||||
|
@ -1 +1,2 @@
|
|||||||
097e4062bdb09385bf9679f6411a42825e4f6bec SOURCES/v6.4.3.tar.gz
|
9130beade415b8e3b02aac8d06678f2c45b939fe SOURCES/keylime-selinux-1.2.0.tar.gz
|
||||||
|
400e2b019060b8a6cc255dbfc14c582121acbee1 SOURCES/v7.3.0.tar.gz
|
||||||
|
@ -0,0 +1,104 @@
|
|||||||
|
Subject: [PATCH] Remove usage of Required/NotRequired typing_ext
|
||||||
|
|
||||||
|
Since we do not yet have typing_extensions packaged, let us not
|
||||||
|
use its functionality yet.
|
||||||
|
---
|
||||||
|
keylime/ima/types.py | 33 ++++++++++++++-------------------
|
||||||
|
keylime/registrar_client.py | 8 +-------
|
||||||
|
2 files changed, 15 insertions(+), 26 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/keylime/ima/types.py b/keylime/ima/types.py
|
||||||
|
index 99f0aa7..a0fffdf 100644
|
||||||
|
--- a/keylime/ima/types.py
|
||||||
|
+++ b/keylime/ima/types.py
|
||||||
|
@@ -6,11 +6,6 @@ if sys.version_info >= (3, 8):
|
||||||
|
else:
|
||||||
|
from typing_extensions import Literal, TypedDict
|
||||||
|
|
||||||
|
-if sys.version_info >= (3, 11):
|
||||||
|
- from typing import NotRequired, Required
|
||||||
|
-else:
|
||||||
|
- from typing_extensions import NotRequired, Required
|
||||||
|
-
|
||||||
|
### Types for tpm_dm.py
|
||||||
|
|
||||||
|
RuleAttributeType = Optional[Union[int, str, bool]]
|
||||||
|
@@ -51,7 +46,7 @@ class Rule(TypedDict):
|
||||||
|
|
||||||
|
|
||||||
|
class Policies(TypedDict):
|
||||||
|
- version: Required[int]
|
||||||
|
+ version: int
|
||||||
|
match_on: MatchKeyType
|
||||||
|
rules: Dict[str, Rule]
|
||||||
|
|
||||||
|
@@ -60,27 +55,27 @@ class Policies(TypedDict):
|
||||||
|
|
||||||
|
|
||||||
|
class RPMetaType(TypedDict):
|
||||||
|
- version: Required[int]
|
||||||
|
- generator: NotRequired[int]
|
||||||
|
- timestamp: NotRequired[str]
|
||||||
|
+ version: int
|
||||||
|
+ generator: int
|
||||||
|
+ timestamp: str
|
||||||
|
|
||||||
|
|
||||||
|
class RPImaType(TypedDict):
|
||||||
|
- ignored_keyrings: Required[List[str]]
|
||||||
|
- log_hash_alg: Required[Literal["sha1", "sha256", "sha384", "sha512"]]
|
||||||
|
+ ignored_keyrings: List[str]
|
||||||
|
+ log_hash_alg: Literal["sha1", "sha256", "sha384", "sha512"]
|
||||||
|
dm_policy: Optional[Policies]
|
||||||
|
|
||||||
|
|
||||||
|
RuntimePolicyType = TypedDict(
|
||||||
|
"RuntimePolicyType",
|
||||||
|
{
|
||||||
|
- "meta": Required[RPMetaType],
|
||||||
|
- "release": NotRequired[int],
|
||||||
|
- "digests": Required[Dict[str, List[str]]],
|
||||||
|
- "excludes": Required[List[str]],
|
||||||
|
- "keyrings": Required[Dict[str, List[str]]],
|
||||||
|
- "ima": Required[RPImaType],
|
||||||
|
- "ima-buf": Required[Dict[str, List[str]]],
|
||||||
|
- "verification-keys": Required[str],
|
||||||
|
+ "meta": RPMetaType,
|
||||||
|
+ "release": int,
|
||||||
|
+ "digests": Dict[str, List[str]],
|
||||||
|
+ "excludes": List[str],
|
||||||
|
+ "keyrings": Dict[str, List[str]],
|
||||||
|
+ "ima": RPImaType,
|
||||||
|
+ "ima-buf": Dict[str, List[str]],
|
||||||
|
+ "verification-keys": str,
|
||||||
|
},
|
||||||
|
)
|
||||||
|
diff --git a/keylime/registrar_client.py b/keylime/registrar_client.py
|
||||||
|
index ab28977..ea5341b 100644
|
||||||
|
--- a/keylime/registrar_client.py
|
||||||
|
+++ b/keylime/registrar_client.py
|
||||||
|
@@ -13,12 +13,6 @@ if sys.version_info >= (3, 8):
|
||||||
|
else:
|
||||||
|
from typing_extensions import TypedDict
|
||||||
|
|
||||||
|
-if sys.version_info >= (3, 11):
|
||||||
|
- from typing import NotRequired
|
||||||
|
-else:
|
||||||
|
- from typing_extensions import NotRequired
|
||||||
|
-
|
||||||
|
-
|
||||||
|
class RegistrarData(TypedDict):
|
||||||
|
ip: Optional[str]
|
||||||
|
port: Optional[str]
|
||||||
|
@@ -27,7 +21,7 @@ class RegistrarData(TypedDict):
|
||||||
|
aik_tpm: str
|
||||||
|
ek_tpm: str
|
||||||
|
ekcert: Optional[str]
|
||||||
|
- provider_keys: NotRequired[Dict[str, str]]
|
||||||
|
+ provider_keys: Dict[str, str]
|
||||||
|
|
||||||
|
|
||||||
|
logger = keylime_logging.init_logging("registrar_client")
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -0,0 +1,27 @@
|
|||||||
|
From e8a1fa55ff0892ee2380e832ac94abc629b401d6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Patrik Koncity <pkoncity@redhat.com>
|
||||||
|
Date: Thu, 10 Aug 2023 07:47:04 -0400
|
||||||
|
Subject: [PATCH 2/2] Allow keylime_server_t tcp connect to several domains
|
||||||
|
|
||||||
|
---
|
||||||
|
keylime-selinux-1.2.0/keylime.te | 4 ++++
|
||||||
|
1 file changed, 4 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/keylime-selinux-1.2.0/keylime.te b/keylime-selinux-1.2.0/keylime.te
|
||||||
|
index 8d47d26..8e6487b 100644
|
||||||
|
--- a/keylime-selinux-1.2.0/keylime.te
|
||||||
|
+++ b/keylime-selinux-1.2.0/keylime.te
|
||||||
|
@@ -83,6 +83,10 @@ allow keylime_server_t self:udp_socket create_stream_socket_perms;
|
||||||
|
manage_dirs_pattern(keylime_server_t, keylime_log_t, keylime_log_t)
|
||||||
|
manage_files_pattern(keylime_server_t, keylime_log_t, keylime_log_t)
|
||||||
|
|
||||||
|
+corenet_tcp_connect_http_cache_port(keylime_server_t)
|
||||||
|
+corenet_tcp_connect_mysqld_port(keylime_server_t)
|
||||||
|
+corenet_tcp_connect_postgresql_port(keylime_server_t)
|
||||||
|
+
|
||||||
|
fs_getattr_all_fs(keylime_server_t)
|
||||||
|
fs_rw_inherited_tmpfs_files(keylime_server_t)
|
||||||
|
|
||||||
|
--
|
||||||
|
2.39.3
|
||||||
|
|
@ -0,0 +1,51 @@
|
|||||||
|
From b8e26ca5e98e1b842db2fc21411962d40f27c557 Mon Sep 17 00:00:00 2001
|
||||||
|
From: rpm-build <rpm-build>
|
||||||
|
Date: Tue, 15 Aug 2023 07:19:28 -0400
|
||||||
|
Subject: [PATCH 3/4] Use version 2.0 as the minimum for the configuration
|
||||||
|
|
||||||
|
---
|
||||||
|
keylime/cmd/convert_config.py | 16 +++++++++++-----
|
||||||
|
1 file changed, 11 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/keylime/cmd/convert_config.py b/keylime/cmd/convert_config.py
|
||||||
|
index ac28151..1d71b99 100755
|
||||||
|
--- a/keylime/cmd/convert_config.py
|
||||||
|
+++ b/keylime/cmd/convert_config.py
|
||||||
|
@@ -191,7 +191,13 @@ def output(components: List[str], config: RawConfigParser, templates: str, outdi
|
||||||
|
|
||||||
|
# Check that there are templates for all components
|
||||||
|
for component in components:
|
||||||
|
- version = config[component]["version"].strip('" ')
|
||||||
|
+ # Minimum version.
|
||||||
|
+ version = '2.0'
|
||||||
|
+ if "version" in config[component]:
|
||||||
|
+ version = config[component]["version"].strip('" ')
|
||||||
|
+ else:
|
||||||
|
+ config[component]["version"] = version
|
||||||
|
+
|
||||||
|
version_dir = os.path.join(templates, version)
|
||||||
|
if not os.path.isdir(version_dir):
|
||||||
|
raise Exception(f"Could not find directory {version_dir}")
|
||||||
|
@@ -292,15 +298,15 @@ def process_mapping(
|
||||||
|
raise Exception("Invalid version number found in old configuration")
|
||||||
|
|
||||||
|
except (configparser.NoOptionError, configparser.NoSectionError):
|
||||||
|
- print(f"No version found in old configuration for {component}, using '1.0'")
|
||||||
|
- old_version = (1, 0)
|
||||||
|
+ print(f"No version found in old configuration for {component}, using '2.0'")
|
||||||
|
+ old_version = (2, 0)
|
||||||
|
else:
|
||||||
|
# If the old_version does not contain the component from the
|
||||||
|
# mapping, use the minimum version to use defaults
|
||||||
|
- old_version = (1, 0)
|
||||||
|
+ old_version = (2, 0)
|
||||||
|
|
||||||
|
# Skip versions lower than the current version
|
||||||
|
- if old_version >= new_version:
|
||||||
|
+ if old_version >= new_version and component in old_config:
|
||||||
|
new[component] = old_config[component]
|
||||||
|
continue
|
||||||
|
|
||||||
|
--
|
||||||
|
2.39.3
|
||||||
|
|
@ -0,0 +1,88 @@
|
|||||||
|
From dbd521e8e8f0ffd9ace79c7b9b888f4cb89488f9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: rpm-build <rpm-build>
|
||||||
|
Date: Tue, 15 Aug 2023 06:09:37 -0400
|
||||||
|
Subject: [PATCH 4/4] Duplicate str_to_version for the upgrade tool
|
||||||
|
|
||||||
|
So it does not depend on python-keylime
|
||||||
|
---
|
||||||
|
keylime/cmd/convert_config.py | 24 ++++++++++++++++++++++--
|
||||||
|
templates/2.0/adjust.py | 22 ++++++++++++++++++++--
|
||||||
|
2 files changed, 42 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/keylime/cmd/convert_config.py b/keylime/cmd/convert_config.py
|
||||||
|
index c1c6180..cad5e31 100755
|
||||||
|
--- a/keylime/cmd/convert_config.py
|
||||||
|
+++ b/keylime/cmd/convert_config.py
|
||||||
|
@@ -84,13 +84,33 @@ import importlib.util
|
||||||
|
import itertools
|
||||||
|
import json
|
||||||
|
import os
|
||||||
|
+import re
|
||||||
|
import shutil
|
||||||
|
from configparser import RawConfigParser
|
||||||
|
-from typing import List, Optional, Tuple
|
||||||
|
+from typing import List, Optional, Tuple, Union
|
||||||
|
|
||||||
|
from jinja2 import Template
|
||||||
|
|
||||||
|
-from keylime.common.version import str_to_version
|
||||||
|
+
|
||||||
|
+def str_to_version(v_str: str) -> Union[Tuple[int, int], None]:
|
||||||
|
+ """
|
||||||
|
+ Validates the string format and converts the provided string to a tuple of
|
||||||
|
+ ints which can be sorted and compared.
|
||||||
|
+
|
||||||
|
+ :returns: Tuple with version number parts converted to int. In case of
|
||||||
|
+ invalid version string, returns None
|
||||||
|
+ """
|
||||||
|
+
|
||||||
|
+ # Strip to remove eventual quotes and spaces
|
||||||
|
+ v_str = v_str.strip('" ')
|
||||||
|
+
|
||||||
|
+ m = re.match(r"^(\d+)\.(\d+)$", v_str)
|
||||||
|
+
|
||||||
|
+ if not m:
|
||||||
|
+ return None
|
||||||
|
+
|
||||||
|
+ return (int(m.group(1)), int(m.group(2)))
|
||||||
|
+
|
||||||
|
|
||||||
|
COMPONENTS = ["agent", "verifier", "tenant", "registrar", "ca", "logging"]
|
||||||
|
|
||||||
|
diff --git a/templates/2.0/adjust.py b/templates/2.0/adjust.py
|
||||||
|
index 312b790..c1e582a 100644
|
||||||
|
--- a/templates/2.0/adjust.py
|
||||||
|
+++ b/templates/2.0/adjust.py
|
||||||
|
@@ -2,9 +2,27 @@ import ast
|
||||||
|
import configparser
|
||||||
|
import re
|
||||||
|
from configparser import RawConfigParser
|
||||||
|
-from typing import Dict, List, Optional, Tuple
|
||||||
|
+from typing import Dict, List, Optional, Tuple, Union
|
||||||
|
|
||||||
|
-from keylime.common.version import str_to_version
|
||||||
|
+
|
||||||
|
+def str_to_version(v_str: str) -> Union[Tuple[int, int], None]:
|
||||||
|
+ """
|
||||||
|
+ Validates the string format and converts the provided string to a tuple of
|
||||||
|
+ ints which can be sorted and compared.
|
||||||
|
+
|
||||||
|
+ :returns: Tuple with version number parts converted to int. In case of
|
||||||
|
+ invalid version string, returns None
|
||||||
|
+ """
|
||||||
|
+
|
||||||
|
+ # Strip to remove eventual quotes and spaces
|
||||||
|
+ v_str = v_str.strip('" ')
|
||||||
|
+
|
||||||
|
+ m = re.match(r"^(\d+)\.(\d+)$", v_str)
|
||||||
|
+
|
||||||
|
+ if not m:
|
||||||
|
+ return None
|
||||||
|
+
|
||||||
|
+ return (int(m.group(1)), int(m.group(2)))
|
||||||
|
|
||||||
|
|
||||||
|
def adjust(config: RawConfigParser, mapping: Dict) -> None: # pylint: disable=unused-argument
|
||||||
|
--
|
||||||
|
2.39.3
|
||||||
|
|
@ -0,0 +1,50 @@
|
|||||||
|
From f2432efbeb7b6305067111bb3a77ef5d7da4eb5b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Thore Sommer <mail@thson.de>
|
||||||
|
Date: Thu, 10 Aug 2023 16:15:57 +0300
|
||||||
|
Subject: [PATCH 5/6] elchecking/example: add ignores for
|
||||||
|
EV_PLATFORM_CONFIG_FLAGS
|
||||||
|
|
||||||
|
These are generated by edk2 when used with QEMU, but we do not have a
|
||||||
|
reference for them.
|
||||||
|
|
||||||
|
Signed-off-by: Thore Sommer <mail@thson.de>
|
||||||
|
---
|
||||||
|
keylime/mba/elchecking/example.py | 15 ++++++++++++++-
|
||||||
|
1 file changed, 14 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/keylime/mba/elchecking/example.py b/keylime/mba/elchecking/example.py
|
||||||
|
index 8885227..921db4e 100644
|
||||||
|
--- a/keylime/mba/elchecking/example.py
|
||||||
|
+++ b/keylime/mba/elchecking/example.py
|
||||||
|
@@ -75,7 +75,6 @@ shim_authcode_sha256_no_secureboot = tests.obj_test(
|
||||||
|
kernel_cmdline=tests.type_test(str),
|
||||||
|
)
|
||||||
|
|
||||||
|
-
|
||||||
|
allowed_kernel_list_test_no_secureboot = tests.list_test(shim_authcode_sha256_no_secureboot)
|
||||||
|
|
||||||
|
|
||||||
|
@@ -303,6 +302,20 @@ class Example(policies.Policy):
|
||||||
|
),
|
||||||
|
),
|
||||||
|
)
|
||||||
|
+ # edk2 measures up to 4 of those events, where we do not have a good way to get a reference
|
||||||
|
+ # See:
|
||||||
|
+ # - https://github.com/keylime/keylime/issues/1393
|
||||||
|
+ # - https://github.com/tianocore/edk2/commit/935343cf1639a28530904a1e8d73d6517a07cbff
|
||||||
|
+ dispatcher.set(
|
||||||
|
+ (1, "EV_PLATFORM_CONFIG_FLAGS"),
|
||||||
|
+ tests.Or(
|
||||||
|
+ tests.OnceTest(tests.AcceptAll()),
|
||||||
|
+ tests.OnceTest(tests.AcceptAll()),
|
||||||
|
+ tests.OnceTest(tests.AcceptAll()),
|
||||||
|
+ tests.OnceTest(tests.AcceptAll()),
|
||||||
|
+ ),
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
dispatcher.set((4, "EV_EFI_ACTION"), tests.EvEfiActionTest(4))
|
||||||
|
for pcr in range(8):
|
||||||
|
dispatcher.set((pcr, "EV_SEPARATOR"), tests.EvSeperatorTest())
|
||||||
|
--
|
||||||
|
2.39.3
|
||||||
|
|
43
SOURCES/0006-Revert-mapping-changes.patch
Normal file
43
SOURCES/0006-Revert-mapping-changes.patch
Normal file
@ -0,0 +1,43 @@
|
|||||||
|
From ed213b9533535ceae5026b2fab274f80bcc58cb8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: rpm-build <rpm-build>
|
||||||
|
Date: Tue, 15 Aug 2023 09:18:32 -0400
|
||||||
|
Subject: [PATCH 6/6] Revert mapping changes
|
||||||
|
|
||||||
|
---
|
||||||
|
templates/2.0/mapping.json | 6 +++---
|
||||||
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/templates/2.0/mapping.json b/templates/2.0/mapping.json
|
||||||
|
index 66addbc..0036b63 100644
|
||||||
|
--- a/templates/2.0/mapping.json
|
||||||
|
+++ b/templates/2.0/mapping.json
|
||||||
|
@@ -207,7 +207,7 @@
|
||||||
|
"registrar_port": {
|
||||||
|
"section": "cloud_verifier",
|
||||||
|
"option": "registrar_port",
|
||||||
|
- "default": "8881"
|
||||||
|
+ "default": "8891"
|
||||||
|
},
|
||||||
|
"tls_dir": {
|
||||||
|
"section": "cloud_verifier",
|
||||||
|
@@ -232,7 +232,7 @@
|
||||||
|
"server_key_password": {
|
||||||
|
"section": "cloud_verifier",
|
||||||
|
"option": "private_key_pw",
|
||||||
|
- "default": ""
|
||||||
|
+ "default": "default"
|
||||||
|
},
|
||||||
|
"enable_agent_mtls": {
|
||||||
|
"section": "cloud_verifier",
|
||||||
|
@@ -558,7 +558,7 @@
|
||||||
|
"server_key_password": {
|
||||||
|
"section": "registrar",
|
||||||
|
"option": "private_key_pw",
|
||||||
|
- "default": ""
|
||||||
|
+ "default": "default"
|
||||||
|
},
|
||||||
|
"server_cert": {
|
||||||
|
"section": "registrar",
|
||||||
|
--
|
||||||
|
2.39.3
|
||||||
|
|
@ -0,0 +1,90 @@
|
|||||||
|
From 3dc40e8b1878d84045ee80cb6d216348713c048a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Karel Srot <ksrot@redhat.com>
|
||||||
|
Date: Tue, 15 Aug 2023 10:00:50 +0200
|
||||||
|
Subject: [PATCH 7/7] Handle session close using a session manager
|
||||||
|
|
||||||
|
Resolves https://github.com/keylime/keylime/issues/1455
|
||||||
|
|
||||||
|
Signed-off-by: Karel Srot <ksrot@redhat.com>
|
||||||
|
---
|
||||||
|
keylime/revocation_notifier.py | 50 +++++++++++++++++-----------------
|
||||||
|
packit-ci.fmf | 1 +
|
||||||
|
2 files changed, 26 insertions(+), 25 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/keylime/revocation_notifier.py b/keylime/revocation_notifier.py
|
||||||
|
index 31a3095..5cc8b1a 100644
|
||||||
|
--- a/keylime/revocation_notifier.py
|
||||||
|
+++ b/keylime/revocation_notifier.py
|
||||||
|
@@ -132,32 +132,32 @@ def notify_webhook(tosend: Dict[str, Any]) -> None:
|
||||||
|
def worker_webhook(tosend: Dict[str, Any], url: str) -> None:
|
||||||
|
interval = config.getfloat("verifier", "retry_interval")
|
||||||
|
exponential_backoff = config.getboolean("verifier", "exponential_backoff")
|
||||||
|
- session = requests.session()
|
||||||
|
- logger.info("Sending revocation event via webhook...")
|
||||||
|
- for i in range(config.getint("verifier", "max_retries")):
|
||||||
|
- next_retry = retry.retry_time(exponential_backoff, interval, i, logger)
|
||||||
|
- try:
|
||||||
|
- response = session.post(url, json=tosend, timeout=5)
|
||||||
|
- if response.status_code in [200, 202]:
|
||||||
|
- break
|
||||||
|
-
|
||||||
|
- logger.debug(
|
||||||
|
- "Unable to publish revocation message %d times via webhook, "
|
||||||
|
- "trying again in %d seconds. "
|
||||||
|
- "Server returned status code: %s",
|
||||||
|
- i,
|
||||||
|
- next_retry,
|
||||||
|
- response.status_code,
|
||||||
|
- )
|
||||||
|
- except requests.exceptions.RequestException as e:
|
||||||
|
- logger.debug(
|
||||||
|
- "Unable to publish revocation message %d times via webhook, trying again in %d seconds: %s",
|
||||||
|
- i,
|
||||||
|
- next_retry,
|
||||||
|
- e,
|
||||||
|
- )
|
||||||
|
+ with requests.Session() as session:
|
||||||
|
+ logger.info("Sending revocation event via webhook...")
|
||||||
|
+ for i in range(config.getint("verifier", "max_retries")):
|
||||||
|
+ next_retry = retry.retry_time(exponential_backoff, interval, i, logger)
|
||||||
|
+ try:
|
||||||
|
+ response = session.post(url, json=tosend, timeout=5)
|
||||||
|
+ if response.status_code in [200, 202]:
|
||||||
|
+ break
|
||||||
|
+
|
||||||
|
+ logger.debug(
|
||||||
|
+ "Unable to publish revocation message %d times via webhook, "
|
||||||
|
+ "trying again in %d seconds. "
|
||||||
|
+ "Server returned status code: %s",
|
||||||
|
+ i,
|
||||||
|
+ next_retry,
|
||||||
|
+ response.status_code,
|
||||||
|
+ )
|
||||||
|
+ except requests.exceptions.RequestException as e:
|
||||||
|
+ logger.debug(
|
||||||
|
+ "Unable to publish revocation message %d times via webhook, trying again in %d seconds: %s",
|
||||||
|
+ i,
|
||||||
|
+ next_retry,
|
||||||
|
+ e,
|
||||||
|
+ )
|
||||||
|
|
||||||
|
- time.sleep(next_retry)
|
||||||
|
+ time.sleep(next_retry)
|
||||||
|
|
||||||
|
w = functools.partial(worker_webhook, tosend, url)
|
||||||
|
t = threading.Thread(target=w, daemon=True)
|
||||||
|
diff --git a/packit-ci.fmf b/packit-ci.fmf
|
||||||
|
index f4d2dae..7abe313 100644
|
||||||
|
--- a/packit-ci.fmf
|
||||||
|
+++ b/packit-ci.fmf
|
||||||
|
@@ -108,6 +108,7 @@ adjust:
|
||||||
|
- /setup/configure_tpm_emulator
|
||||||
|
- /setup/install_upstream_keylime
|
||||||
|
- /setup/install_rust_keylime_from_copr
|
||||||
|
+ - /setup/configure_kernel_ima_module/ima_policy_simple
|
||||||
|
- /functional/basic-attestation-on-localhost
|
||||||
|
- /functional/basic-attestation-with-custom-certificates
|
||||||
|
- /functional/basic-attestation-without-mtls
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -0,0 +1,31 @@
|
|||||||
|
From aa891f456d5cf0fc23e16d87fb28efc79a0d8073 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Marcio Silva <marcio.a.silva@ibm.com>
|
||||||
|
Date: Wed, 23 Aug 2023 11:24:59 -0300
|
||||||
|
Subject: [PATCH 8/8] verifier: should read parameters from verifier.conf only
|
||||||
|
|
||||||
|
Single-line fix for #1446
|
||||||
|
|
||||||
|
The verifier should read "durable attestation" backend imports from
|
||||||
|
verifier.conf (and NOT from registrar.conf)
|
||||||
|
|
||||||
|
Signed-off-by: Marcio Silva <marcio.a.silva@ibm.com>
|
||||||
|
---
|
||||||
|
keylime/cloud_verifier_tornado.py | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/keylime/cloud_verifier_tornado.py b/keylime/cloud_verifier_tornado.py
|
||||||
|
index d65cb63..261022a 100644
|
||||||
|
--- a/keylime/cloud_verifier_tornado.py
|
||||||
|
+++ b/keylime/cloud_verifier_tornado.py
|
||||||
|
@@ -51,7 +51,7 @@ except SQLAlchemyError as err:
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
try:
|
||||||
|
- rmc = record.get_record_mgt_class(config.get("registrar", "durable_attestation_import", fallback=""))
|
||||||
|
+ rmc = record.get_record_mgt_class(config.get("verifier", "durable_attestation_import", fallback=""))
|
||||||
|
if rmc:
|
||||||
|
rmc = rmc("verifier")
|
||||||
|
except record.RecordManagementException as rme:
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
48
SOURCES/0009-CVE-2023-38201.patch
Normal file
48
SOURCES/0009-CVE-2023-38201.patch
Normal file
@ -0,0 +1,48 @@
|
|||||||
|
From 9e5ac9f25cd400b16d5969f531cee28290543f2a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Marcio Silva <marcio.a.silva@ibm.com>
|
||||||
|
Date: Wed, 12 Jul 2023 12:05:47 -0300
|
||||||
|
Subject: [PATCH] Fix for CVE-2023-38201 (Security Advisory
|
||||||
|
GHSA-f4r5-q63f-gcww)
|
||||||
|
|
||||||
|
In addition to remove the offending message, this patch also ensures
|
||||||
|
deletion of an agent's record from the database in case of failure after
|
||||||
|
a single attempt.
|
||||||
|
|
||||||
|
Signed-off-by: Marcio Silva <marcio.a.silva@ibm.com>
|
||||||
|
---
|
||||||
|
keylime/registrar_common.py | 15 +++++++++++++--
|
||||||
|
1 file changed, 13 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/keylime/registrar_common.py b/keylime/registrar_common.py
|
||||||
|
index 1fd97cd0c..7f15ae430 100644
|
||||||
|
--- a/keylime/registrar_common.py
|
||||||
|
+++ b/keylime/registrar_common.py
|
||||||
|
@@ -250,7 +250,9 @@ def get_network_params(
|
||||||
|
try:
|
||||||
|
port = int(port)
|
||||||
|
if port < 1 or port > 65535:
|
||||||
|
- logger.warning("Contact port for agent %s is not a number between 1 and got: %s.", agent_id, port)
|
||||||
|
+ logger.warning(
|
||||||
|
+ "Contact port for agent %s is not a number between 1 and 65535 got: %s.", agent_id, port
|
||||||
|
+ )
|
||||||
|
port = None
|
||||||
|
except ValueError:
|
||||||
|
logger.warning("Contact port for agent %s is not a valid number got: %s.", agent_id, port)
|
||||||
|
@@ -447,7 +449,16 @@ def do_PUT(self) -> None:
|
||||||
|
logger.error("SQLAlchemy Error: %s", e)
|
||||||
|
raise
|
||||||
|
else:
|
||||||
|
- raise Exception(f"Auth tag {auth_tag} does not match expected value {ex_mac}")
|
||||||
|
+ if agent_id and session.query(RegistrarMain).filter_by(agent_id=agent_id).delete():
|
||||||
|
+ try:
|
||||||
|
+ session.commit()
|
||||||
|
+ except SQLAlchemyError as e:
|
||||||
|
+ logger.error("SQLAlchemy Error: %s", e)
|
||||||
|
+ raise
|
||||||
|
+
|
||||||
|
+ raise Exception(
|
||||||
|
+ f"Auth tag {auth_tag} for agent {agent_id} does not match expected value. The agent has been deleted from database, and a restart of it will be required"
|
||||||
|
+ )
|
||||||
|
|
||||||
|
web_util.echo_json_response(self, 200, "Success")
|
||||||
|
logger.info("PUT activated: %s", agent_id)
|
69
SOURCES/0010-CVE-2023-38200.patch
Normal file
69
SOURCES/0010-CVE-2023-38200.patch
Normal file
@ -0,0 +1,69 @@
|
|||||||
|
From e17d5a6a47c1405a799a06754d3e905856e3035d Mon Sep 17 00:00:00 2001
|
||||||
|
From: florian <264356+flozilla@users.noreply.github.com>
|
||||||
|
Date: Tue, 11 Jul 2023 21:31:27 +0200
|
||||||
|
Subject: [PATCH 10/10] CVE-2023-38200
|
||||||
|
|
||||||
|
Extend Registrar SSL socket to be non-blocking
|
||||||
|
|
||||||
|
Fixes: CVE-2023-38200
|
||||||
|
|
||||||
|
Upstream:
|
||||||
|
- https://github.com/keylime/keylime/commit/c68d8f0b7
|
||||||
|
- https://github.com/keylime/keylime/commit/27d515f4b
|
||||||
|
---
|
||||||
|
keylime/registrar_common.py | 23 ++++++++++++++++++++++-
|
||||||
|
1 file changed, 22 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/keylime/registrar_common.py b/keylime/registrar_common.py
|
||||||
|
index d1d20dd..6441e3b 100644
|
||||||
|
--- a/keylime/registrar_common.py
|
||||||
|
+++ b/keylime/registrar_common.py
|
||||||
|
@@ -2,8 +2,10 @@ import base64
|
||||||
|
import http.server
|
||||||
|
import ipaddress
|
||||||
|
import os
|
||||||
|
+import select
|
||||||
|
import signal
|
||||||
|
import socket
|
||||||
|
+import ssl
|
||||||
|
import sys
|
||||||
|
import threading
|
||||||
|
from http.server import BaseHTTPRequestHandler, HTTPServer
|
||||||
|
@@ -77,6 +79,25 @@ class BaseHandler(BaseHTTPRequestHandler, SessionManager):
|
||||||
|
|
||||||
|
|
||||||
|
class ProtectedHandler(BaseHandler):
|
||||||
|
+ def handle(self) -> None:
|
||||||
|
+ """Need to perform SSL handshake here, as
|
||||||
|
+ do_handshake_on_connect=False for non-blocking SSL socket"""
|
||||||
|
+ while True:
|
||||||
|
+ try:
|
||||||
|
+ self.request.do_handshake()
|
||||||
|
+ break
|
||||||
|
+ except ssl.SSLWantReadError:
|
||||||
|
+ select.select([self.request], [], [])
|
||||||
|
+ except ssl.SSLWantWriteError:
|
||||||
|
+ select.select([], [self.request], [])
|
||||||
|
+ except ssl.SSLError as e:
|
||||||
|
+ logger.error("SSL connection error: %s", e)
|
||||||
|
+ return
|
||||||
|
+ except Exception as e:
|
||||||
|
+ logger.error("General communication failure: %s", e)
|
||||||
|
+ return
|
||||||
|
+ BaseHTTPRequestHandler.handle(self)
|
||||||
|
+
|
||||||
|
def do_HEAD(self) -> None:
|
||||||
|
"""HEAD not supported"""
|
||||||
|
web_util.echo_json_response(self, 405, "HEAD not supported")
|
||||||
|
@@ -494,7 +515,7 @@ def start(host: str, tlsport: int, port: int) -> None:
|
||||||
|
protected_server = RegistrarServer((host, tlsport), ProtectedHandler)
|
||||||
|
context = web_util.init_mtls("registrar", logger=logger)
|
||||||
|
if context is not None:
|
||||||
|
- protected_server.socket = context.wrap_socket(protected_server.socket, server_side=True)
|
||||||
|
+ protected_server.socket = context.wrap_socket(protected_server.socket, server_side=True, do_handshake_on_connect=False)
|
||||||
|
thread_protected_server = threading.Thread(target=protected_server.serve_forever)
|
||||||
|
|
||||||
|
# Set up the unprotected registrar server
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
244
SOURCES/0011-Automatically-update-agent-API-version.patch
Normal file
244
SOURCES/0011-Automatically-update-agent-API-version.patch
Normal file
@ -0,0 +1,244 @@
|
|||||||
|
From b0cf69c9db20eb319ea2e90c22f500e09b704224 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
||||||
|
Date: Wed, 23 Aug 2023 16:24:15 +0200
|
||||||
|
Subject: [PATCH] Implement automatic agent API version bump
|
||||||
|
|
||||||
|
Automatically update the agent supported API version in the database if
|
||||||
|
the agent is updated and its API version is bumped.
|
||||||
|
|
||||||
|
Previously, if an agent was added to a verifier while it used an old API
|
||||||
|
version, and then it is updated with an API version bump, the
|
||||||
|
attestation would fail as the verifier would try to reach the agent
|
||||||
|
using the old API version.
|
||||||
|
|
||||||
|
Fixes #1457
|
||||||
|
|
||||||
|
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
||||||
|
---
|
||||||
|
keylime/cloud_verifier_tornado.py | 185 +++++++++++++++++++++++++++---
|
||||||
|
1 file changed, 167 insertions(+), 18 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/keylime/cloud_verifier_tornado.py b/keylime/cloud_verifier_tornado.py
|
||||||
|
index 261022ac6..31e6f7159 100644
|
||||||
|
--- a/keylime/cloud_verifier_tornado.py
|
||||||
|
+++ b/keylime/cloud_verifier_tornado.py
|
||||||
|
@@ -32,6 +32,7 @@
|
||||||
|
)
|
||||||
|
from keylime.agentstates import AgentAttestState, AgentAttestStates
|
||||||
|
from keylime.common import retry, states, validators
|
||||||
|
+from keylime.common.version import str_to_version
|
||||||
|
from keylime.da import record
|
||||||
|
from keylime.db.keylime_db import DBEngineManager, SessionManager
|
||||||
|
from keylime.db.verifier_db import VerfierMain, VerifierAllowlist
|
||||||
|
@@ -998,6 +999,80 @@ def data_received(self, chunk: Any) -> None:
|
||||||
|
raise NotImplementedError()
|
||||||
|
|
||||||
|
|
||||||
|
+async def update_agent_api_version(agent: Dict[str, Any], timeout: float = 60.0) -> Union[Dict[str, Any], None]:
|
||||||
|
+ agent_id = agent["agent_id"]
|
||||||
|
+
|
||||||
|
+ logger.info("Agent %s API version bump detected, trying to update stored API version", agent_id)
|
||||||
|
+ kwargs = {}
|
||||||
|
+ if agent["ssl_context"]:
|
||||||
|
+ kwargs["context"] = agent["ssl_context"]
|
||||||
|
+
|
||||||
|
+ res = tornado_requests.request(
|
||||||
|
+ "GET",
|
||||||
|
+ f"http://{agent['ip']}:{agent['port']}/version",
|
||||||
|
+ **kwargs,
|
||||||
|
+ timeout=timeout,
|
||||||
|
+ )
|
||||||
|
+ response = await res
|
||||||
|
+
|
||||||
|
+ if response.status_code != 200:
|
||||||
|
+ logger.warning(
|
||||||
|
+ "Could not get agent %s supported API version, Error: %s",
|
||||||
|
+ agent["agent_id"],
|
||||||
|
+ response.status_code,
|
||||||
|
+ )
|
||||||
|
+ return None
|
||||||
|
+
|
||||||
|
+ try:
|
||||||
|
+ json_response = json.loads(response.body)
|
||||||
|
+ new_version = json_response["results"]["supported_version"]
|
||||||
|
+ old_version = agent["supported_version"]
|
||||||
|
+
|
||||||
|
+ # Only update the API version to use if it is supported by the verifier
|
||||||
|
+ if new_version in keylime_api_version.all_versions():
|
||||||
|
+ new_version_tuple = str_to_version(new_version)
|
||||||
|
+ old_version_tuple = str_to_version(old_version)
|
||||||
|
+
|
||||||
|
+ assert new_version_tuple, f"Agent {agent_id} version {new_version} is invalid"
|
||||||
|
+ assert old_version_tuple, f"Agent {agent_id} version {old_version} is invalid"
|
||||||
|
+
|
||||||
|
+ # Check that the new version is greater than current version
|
||||||
|
+ if new_version_tuple <= old_version_tuple:
|
||||||
|
+ logger.warning(
|
||||||
|
+ "Agent %s API version %s is lower or equal to previous version %s",
|
||||||
|
+ agent_id,
|
||||||
|
+ new_version,
|
||||||
|
+ old_version,
|
||||||
|
+ )
|
||||||
|
+ return None
|
||||||
|
+
|
||||||
|
+ logger.info("Agent %s new API version %s is supported", agent_id, new_version)
|
||||||
|
+ session = get_session()
|
||||||
|
+ agent["supported_version"] = new_version
|
||||||
|
+
|
||||||
|
+ # Remove keys that should not go to the DB
|
||||||
|
+ agent_db = dict(agent)
|
||||||
|
+ for key in exclude_db:
|
||||||
|
+ if key in agent_db:
|
||||||
|
+ del agent_db[key]
|
||||||
|
+
|
||||||
|
+ session.query(VerfierMain).filter_by(agent_id=agent_id).update(agent_db) # pyright: ignore
|
||||||
|
+ session.commit()
|
||||||
|
+ else:
|
||||||
|
+ logger.warning("Agent %s new API version %s is not supported", agent_id, new_version)
|
||||||
|
+ return None
|
||||||
|
+
|
||||||
|
+ except SQLAlchemyError as e:
|
||||||
|
+ logger.error("SQLAlchemy Error updating API version for agent %s: %s", agent_id, e)
|
||||||
|
+ return None
|
||||||
|
+ except Exception as e:
|
||||||
|
+ logger.exception(e)
|
||||||
|
+ return None
|
||||||
|
+
|
||||||
|
+ logger.info("Agent %s API version updated to %s", agent["agent_id"], agent["supported_version"])
|
||||||
|
+ return agent
|
||||||
|
+
|
||||||
|
+
|
||||||
|
async def invoke_get_quote(
|
||||||
|
agent: Dict[str, Any], runtime_policy: str, need_pubkey: bool, timeout: float = 60.0
|
||||||
|
) -> None:
|
||||||
|
@@ -1028,15 +1103,43 @@ async def invoke_get_quote(
|
||||||
|
# this is a connection error, retry get quote
|
||||||
|
if response.status_code in [408, 500, 599]:
|
||||||
|
asyncio.ensure_future(process_agent(agent, states.GET_QUOTE_RETRY))
|
||||||
|
- else:
|
||||||
|
- # catastrophic error, do not continue
|
||||||
|
- logger.critical(
|
||||||
|
- "Unexpected Get Quote response error for cloud agent %s, Error: %s",
|
||||||
|
- agent["agent_id"],
|
||||||
|
- response.status_code,
|
||||||
|
- )
|
||||||
|
- failure.add_event("no_quote", "Unexpected Get Quote reponse from agent", False)
|
||||||
|
- asyncio.ensure_future(process_agent(agent, states.FAILED, failure))
|
||||||
|
+ return
|
||||||
|
+
|
||||||
|
+ if response.status_code == 400:
|
||||||
|
+ try:
|
||||||
|
+ json_response = json.loads(response.body)
|
||||||
|
+ if "API version not supported" in json_response["status"]:
|
||||||
|
+ update = update_agent_api_version(agent)
|
||||||
|
+ updated = await update
|
||||||
|
+
|
||||||
|
+ if updated:
|
||||||
|
+ asyncio.ensure_future(process_agent(updated, states.GET_QUOTE_RETRY))
|
||||||
|
+ else:
|
||||||
|
+ logger.warning("Could not update stored agent %s API version", agent["agent_id"])
|
||||||
|
+ failure.add_event(
|
||||||
|
+ "version_not_supported",
|
||||||
|
+ {"context": "Agent API version not supported", "data": json_response},
|
||||||
|
+ False,
|
||||||
|
+ )
|
||||||
|
+ asyncio.ensure_future(process_agent(agent, states.FAILED, failure))
|
||||||
|
+ return
|
||||||
|
+
|
||||||
|
+ except Exception as e:
|
||||||
|
+ logger.exception(e)
|
||||||
|
+ failure.add_event(
|
||||||
|
+ "exception", {"context": "Agent caused the verifier to throw an exception", "data": str(e)}, False
|
||||||
|
+ )
|
||||||
|
+ asyncio.ensure_future(process_agent(agent, states.FAILED, failure))
|
||||||
|
+ return
|
||||||
|
+
|
||||||
|
+ # catastrophic error, do not continue
|
||||||
|
+ logger.critical(
|
||||||
|
+ "Unexpected Get Quote response error for cloud agent %s, Error: %s",
|
||||||
|
+ agent["agent_id"],
|
||||||
|
+ response.status_code,
|
||||||
|
+ )
|
||||||
|
+ failure.add_event("no_quote", "Unexpected Get Quote reponse from agent", False)
|
||||||
|
+ asyncio.ensure_future(process_agent(agent, states.FAILED, failure))
|
||||||
|
else:
|
||||||
|
try:
|
||||||
|
json_response = json.loads(response.body)
|
||||||
|
@@ -1100,15 +1203,43 @@ async def invoke_provide_v(agent: Dict[str, Any], timeout: float = 60.0) -> None
|
||||||
|
if response.status_code != 200:
|
||||||
|
if response.status_code in [408, 500, 599]:
|
||||||
|
asyncio.ensure_future(process_agent(agent, states.PROVIDE_V_RETRY))
|
||||||
|
- else:
|
||||||
|
- # catastrophic error, do not continue
|
||||||
|
- logger.critical(
|
||||||
|
- "Unexpected Provide V response error for cloud agent %s, Error: %s",
|
||||||
|
- agent["agent_id"],
|
||||||
|
- response.status_code,
|
||||||
|
- )
|
||||||
|
- failure.add_event("no_v", {"message": "Unexpected provide V response", "data": response.status_code}, False)
|
||||||
|
- asyncio.ensure_future(process_agent(agent, states.FAILED, failure))
|
||||||
|
+ return
|
||||||
|
+
|
||||||
|
+ if response.status_code == 400:
|
||||||
|
+ try:
|
||||||
|
+ json_response = json.loads(response.body)
|
||||||
|
+ if "API version not supported" in json_response["status"]:
|
||||||
|
+ update = update_agent_api_version(agent)
|
||||||
|
+ updated = await update
|
||||||
|
+
|
||||||
|
+ if updated:
|
||||||
|
+ asyncio.ensure_future(process_agent(updated, states.PROVIDE_V_RETRY))
|
||||||
|
+ else:
|
||||||
|
+ logger.warning("Could not update stored agent %s API version", agent["agent_id"])
|
||||||
|
+ failure.add_event(
|
||||||
|
+ "version_not_supported",
|
||||||
|
+ {"context": "Agent API version not supported", "data": json_response},
|
||||||
|
+ False,
|
||||||
|
+ )
|
||||||
|
+ asyncio.ensure_future(process_agent(agent, states.FAILED, failure))
|
||||||
|
+ return
|
||||||
|
+
|
||||||
|
+ except Exception as e:
|
||||||
|
+ logger.exception(e)
|
||||||
|
+ failure.add_event(
|
||||||
|
+ "exception", {"context": "Agent caused the verifier to throw an exception", "data": str(e)}, False
|
||||||
|
+ )
|
||||||
|
+ asyncio.ensure_future(process_agent(agent, states.FAILED, failure))
|
||||||
|
+ return
|
||||||
|
+
|
||||||
|
+ # catastrophic error, do not continue
|
||||||
|
+ logger.critical(
|
||||||
|
+ "Unexpected Provide V response error for cloud agent %s, Error: %s",
|
||||||
|
+ agent["agent_id"],
|
||||||
|
+ response.status_code,
|
||||||
|
+ )
|
||||||
|
+ failure.add_event("no_v", {"message": "Unexpected provide V response", "data": response.status_code}, False)
|
||||||
|
+ asyncio.ensure_future(process_agent(agent, states.FAILED, failure))
|
||||||
|
else:
|
||||||
|
asyncio.ensure_future(process_agent(agent, states.GET_QUOTE))
|
||||||
|
|
||||||
|
@@ -1134,6 +1265,24 @@ async def invoke_notify_error(agent: Dict[str, Any], tosend: Dict[str, Any], tim
|
||||||
|
agent["agent_id"],
|
||||||
|
)
|
||||||
|
elif response.status_code != 200:
|
||||||
|
+ if response.status_code == 400:
|
||||||
|
+ try:
|
||||||
|
+ json_response = json.loads(response.body)
|
||||||
|
+ if "API version not supported" in json_response["status"]:
|
||||||
|
+ update = update_agent_api_version(agent)
|
||||||
|
+ updated = await update
|
||||||
|
+
|
||||||
|
+ if updated:
|
||||||
|
+ asyncio.ensure_future(invoke_notify_error(updated, tosend))
|
||||||
|
+ else:
|
||||||
|
+ logger.warning("Could not update stored agent %s API version", agent["agent_id"])
|
||||||
|
+
|
||||||
|
+ return
|
||||||
|
+
|
||||||
|
+ except Exception as e:
|
||||||
|
+ logger.exception(e)
|
||||||
|
+ return
|
||||||
|
+
|
||||||
|
logger.warning(
|
||||||
|
"Unexpected Notify Revocation response error for cloud agent %s, Error: %s",
|
||||||
|
agent["agent_id"],
|
@ -1,24 +0,0 @@
|
|||||||
/usr/bin/keylime_agent -- gen_context(system_u:object_r:keylime_agent_exec_t,s0)
|
|
||||||
/usr/bin/keylime_ima_emulator -- gen_context(system_u:object_r:keylime_agent_exec_t,s0)
|
|
||||||
/usr/bin/keylime_userdata_encrypt -- gen_context(system_u:object_r:keylime_agent_exec_t,s0)
|
|
||||||
|
|
||||||
/usr/bin/keylime_ca -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
|
|
||||||
/usr/bin/keylime_migrations_apply -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
|
|
||||||
/usr/bin/keylime_registrar -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
|
|
||||||
/usr/bin/keylime_verifier -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
|
|
||||||
/usr/bin/keylime_tenant -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
|
|
||||||
|
|
||||||
/usr/local/bin/keylime_agent -- gen_context(system_u:object_r:keylime_agent_exec_t,s0)
|
|
||||||
/usr/local/bin/keylime_ima_emulator -- gen_context(system_u:object_r:keylime_agent_exec_t,s0)
|
|
||||||
/usr/local/bin/keylime_userdata_encrypt -- gen_context(system_u:object_r:keylime_agent_exec_t,s0)
|
|
||||||
|
|
||||||
/usr/local/bin/keylime_ca -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
|
|
||||||
/usr/local/bin/keylime_migrations_apply -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
|
|
||||||
/usr/local/bin/keylime_registrar -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
|
|
||||||
/usr/local/bin/keylime_verifier -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
|
|
||||||
/usr/local/bin/keylime_tenant -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
|
|
||||||
|
|
||||||
/var/lib/keylime(/.*)? gen_context(system_u:object_r:keylime_var_lib_t,s0)
|
|
||||||
/var/lib/keylime-agent(/.*)? gen_context(system_u:object_r:keylime_var_lib_t,s0)
|
|
||||||
|
|
||||||
/var/log/keylime(/.*)? gen_context(system_u:object_r:keylime_log_t,s0)
|
|
@ -1,37 +0,0 @@
|
|||||||
## <summary>policy for keylime</summary>
|
|
||||||
|
|
||||||
########################################
|
|
||||||
## <summary>
|
|
||||||
## Add to specified type to keylime_type attribute .
|
|
||||||
## </summary>
|
|
||||||
## <param name="type">
|
|
||||||
## <summary>
|
|
||||||
## Type to be used for keylime domains.
|
|
||||||
## </summary>
|
|
||||||
## </param>
|
|
||||||
#
|
|
||||||
interface(`keylime_use_keylime_domain',`
|
|
||||||
gen_require(`
|
|
||||||
attribute keylime_domain;
|
|
||||||
')
|
|
||||||
|
|
||||||
typeattribute $1 keylime_domain;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
|
||||||
## <summary>
|
|
||||||
## Mounton keylime lib directory.
|
|
||||||
## </summary>
|
|
||||||
## <param name="domain">
|
|
||||||
## <summary>
|
|
||||||
## Domain allowed access.
|
|
||||||
## </summary>
|
|
||||||
## </param>
|
|
||||||
#
|
|
||||||
interface(`keylime_mounton_var_lib',`
|
|
||||||
gen_require(`
|
|
||||||
type keylime_var_lib_t;
|
|
||||||
')
|
|
||||||
|
|
||||||
allow $1 keylime_var_lib_t:dir mounton;
|
|
||||||
')
|
|
@ -1,140 +0,0 @@
|
|||||||
policy_module(keylime, 1.0.0)
|
|
||||||
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# Declarations
|
|
||||||
#
|
|
||||||
|
|
||||||
attribute keylime_domain;
|
|
||||||
|
|
||||||
type keylime_agent_t;
|
|
||||||
keylime_use_keylime_domain(keylime_agent_t)
|
|
||||||
type keylime_agent_exec_t;
|
|
||||||
init_daemon_domain(keylime_agent_t, keylime_agent_exec_t)
|
|
||||||
|
|
||||||
type keylime_server_t;
|
|
||||||
keylime_use_keylime_domain(keylime_server_t)
|
|
||||||
type keylime_server_exec_t;
|
|
||||||
init_daemon_domain(keylime_server_t, keylime_server_exec_t)
|
|
||||||
|
|
||||||
type keylime_log_t;
|
|
||||||
logging_log_file(keylime_log_t)
|
|
||||||
|
|
||||||
type keylime_var_lib_t;
|
|
||||||
files_type(keylime_var_lib_t)
|
|
||||||
|
|
||||||
type keylime_tmp_t;
|
|
||||||
files_tmp_file(keylime_tmp_t)
|
|
||||||
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# keylime domain policy
|
|
||||||
#
|
|
||||||
|
|
||||||
allow keylime_domain self:tcp_socket create_stream_socket_perms;
|
|
||||||
|
|
||||||
manage_dirs_pattern(keylime_domain, keylime_tmp_t, keylime_tmp_t)
|
|
||||||
manage_files_pattern(keylime_domain, keylime_tmp_t, keylime_tmp_t)
|
|
||||||
files_tmp_filetrans(keylime_domain, keylime_tmp_t, { dir file })
|
|
||||||
|
|
||||||
manage_dirs_pattern(keylime_domain, keylime_var_lib_t, keylime_var_lib_t)
|
|
||||||
manage_files_pattern(keylime_domain, keylime_var_lib_t, keylime_var_lib_t)
|
|
||||||
files_var_lib_filetrans(keylime_domain, keylime_var_lib_t, { dir file lnk_file })
|
|
||||||
|
|
||||||
corecmd_exec_bin(keylime_domain)
|
|
||||||
|
|
||||||
corenet_tcp_bind_generic_node(keylime_domain)
|
|
||||||
corenet_tcp_bind_all_ports(keylime_domain)
|
|
||||||
corenet_tcp_connect_all_unreserved_ports(keylime_domain)
|
|
||||||
|
|
||||||
dev_read_sysfs(keylime_domain)
|
|
||||||
|
|
||||||
fs_tmpfs_filetrans(keylime_domain, keylime_var_lib_t, { dir file })
|
|
||||||
|
|
||||||
init_named_socket_activation(keylime_domain, keylime_var_lib_t, "keylime")
|
|
||||||
|
|
||||||
miscfiles_read_generic_certs(keylime_domain)
|
|
||||||
|
|
||||||
sysnet_read_config(keylime_domain)
|
|
||||||
|
|
||||||
userdom_exec_user_tmp_files(keylime_domain)
|
|
||||||
userdom_manage_user_tmp_dirs(keylime_domain)
|
|
||||||
userdom_manage_user_tmp_files(keylime_domain)
|
|
||||||
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# keylime server policy
|
|
||||||
#
|
|
||||||
|
|
||||||
allow keylime_server_t self:netlink_route_socket { create_stream_socket_perms nlmsg_read };
|
|
||||||
allow keylime_server_t self:udp_socket create_stream_socket_perms;
|
|
||||||
|
|
||||||
manage_dirs_pattern(keylime_server_t, keylime_log_t, keylime_log_t)
|
|
||||||
manage_files_pattern(keylime_server_t, keylime_log_t, keylime_log_t)
|
|
||||||
|
|
||||||
fs_rw_inherited_tmpfs_files(keylime_server_t)
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
gpg_exec(keylime_server_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
kerberos_read_config(keylime_server_t)
|
|
||||||
kerberos_read_keytab(keylime_server_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
sssd_run_stream_connect(keylime_server_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# keylime agent policy
|
|
||||||
#
|
|
||||||
#work with /var/lib/keylime/secure
|
|
||||||
allow keylime_agent_t self:capability { chown dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
|
|
||||||
allow keylime_agent_t self:chr_file getattr;
|
|
||||||
|
|
||||||
#FIX ME, add to tabrmd policy interface related with this
|
|
||||||
allow keylime_agent_t domain:unix_stream_socket rw_stream_socket_perms; #selint-disable:W-001
|
|
||||||
|
|
||||||
dev_rw_tpm(keylime_agent_t)
|
|
||||||
|
|
||||||
exec_files_pattern(keylime_agent_t, keylime_var_lib_t, keylime_var_lib_t)
|
|
||||||
files_read_var_lib_files(keylime_agent_t)
|
|
||||||
|
|
||||||
fs_dontaudit_search_cgroup_dirs(keylime_agent_t)
|
|
||||||
fs_getattr_cgroup(keylime_agent_t)
|
|
||||||
fs_mount_tmpfs(keylime_agent_t)
|
|
||||||
fs_setattr_tmpfs_dirs(keylime_agent_t)
|
|
||||||
|
|
||||||
init_dontaudit_stream_connect(keylime_agent_t)
|
|
||||||
|
|
||||||
kernel_read_all_proc(keylime_agent_t)
|
|
||||||
|
|
||||||
userdom_dontaudit_search_user_home_dirs(keylime_agent_t)
|
|
||||||
|
|
||||||
auth_read_passwd(keylime_agent_t)
|
|
||||||
|
|
||||||
keylime_mounton_var_lib(keylime_agent_t)
|
|
||||||
|
|
||||||
mount_domtrans(keylime_agent_t)
|
|
||||||
|
|
||||||
selinux_read_policy(keylime_agent_t)
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
#FIX ME, add to tabrmd policy interface related with this
|
|
||||||
#https://github.com/tpm2-software/tpm2-abrmd/blob/master/selinux
|
|
||||||
dbus_chat_system_bus(keylime_agent_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
dbus_stream_connect_system_dbusd(keylime_agent_t)
|
|
||||||
dbus_system_bus_client(keylime_agent_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
systemd_userdbd_stream_connect(keylime_agent_t)
|
|
||||||
systemd_machined_stream_connect(keylime_agent_t)
|
|
||||||
')
|
|
@ -1,4 +1,5 @@
|
|||||||
%global srcname keylime
|
%global srcname keylime
|
||||||
|
%global policy_version 1.2.0
|
||||||
%global with_selinux 1
|
%global with_selinux 1
|
||||||
%global selinuxtype targeted
|
%global selinuxtype targeted
|
||||||
|
|
||||||
@ -7,18 +8,26 @@
|
|||||||
%global debug_package %{nil}
|
%global debug_package %{nil}
|
||||||
|
|
||||||
Name: keylime
|
Name: keylime
|
||||||
Version: 6.4.3
|
Version: 7.3.0
|
||||||
Release: 1%{?dist}
|
Release: 9%{?dist}
|
||||||
Summary: Open source TPM software for Bootstrapping and Maintaining Trust
|
Summary: Open source TPM software for Bootstrapping and Maintaining Trust
|
||||||
|
|
||||||
URL: https://github.com/keylime/keylime
|
URL: https://github.com/keylime/keylime
|
||||||
Source0: https://github.com/keylime/keylime/archive/refs/tags/v%{version}.tar.gz
|
Source0: https://github.com/keylime/keylime/archive/refs/tags/v%{version}.tar.gz
|
||||||
Source1: %{srcname}.sysusers
|
Source1: %{srcname}.sysusers
|
||||||
%if 0%{?with_selinux}
|
Source2: https://github.com/RedHat-SP-Security/%{name}-selinux/archive/v%{policy_version}/keylime-selinux-%{policy_version}.tar.gz
|
||||||
Source2: %{srcname}.te
|
|
||||||
Source3: %{srcname}.if
|
Patch: 0001-Remove-usage-of-Required-NotRequired-typing_ext.patch
|
||||||
Source4: %{srcname}.fc
|
Patch: 0002-Allow-keylime_server_t-tcp-connect-to-several-domain.patch
|
||||||
%endif
|
Patch: 0003-Use-version-2.0-as-the-minimum-for-the-configuration.patch
|
||||||
|
Patch: 0004-Duplicate-str_to_version-for-the-upgrade-tool.patch
|
||||||
|
Patch: 0005-elchecking-example-add-ignores-for-EV_PLATFORM_CONFI.patch
|
||||||
|
Patch: 0006-Revert-mapping-changes.patch
|
||||||
|
Patch: 0007-Handle-session-close-using-a-session-manager.patch
|
||||||
|
Patch: 0008-verifier-should-read-parameters-from-verifier.conf-o.patch
|
||||||
|
Patch: 0009-CVE-2023-38201.patch
|
||||||
|
Patch: 0010-CVE-2023-38200.patch
|
||||||
|
Patch: 0011-Automatically-update-agent-API-version.patch
|
||||||
|
|
||||||
License: ASL 2.0 and MIT
|
License: ASL 2.0 and MIT
|
||||||
|
|
||||||
@ -27,8 +36,10 @@ BuildRequires: swig
|
|||||||
BuildRequires: openssl-devel
|
BuildRequires: openssl-devel
|
||||||
BuildRequires: python3-devel
|
BuildRequires: python3-devel
|
||||||
BuildRequires: python3-dbus
|
BuildRequires: python3-dbus
|
||||||
|
BuildRequires: python3-jinja2
|
||||||
BuildRequires: python3-setuptools
|
BuildRequires: python3-setuptools
|
||||||
BuildRequires: systemd-rpm-macros
|
BuildRequires: systemd-rpm-macros
|
||||||
|
BuildRequires: tpm2-abrmd-selinux
|
||||||
|
|
||||||
Requires: python3-%{srcname} = %{version}-%{release}
|
Requires: python3-%{srcname} = %{version}-%{release}
|
||||||
Requires: %{srcname}-base = %{version}-%{release}
|
Requires: %{srcname}-base = %{version}-%{release}
|
||||||
@ -50,14 +61,16 @@ Summary: The base package contains the default configuration
|
|||||||
License: MIT
|
License: MIT
|
||||||
|
|
||||||
|
|
||||||
|
Requires(pre): python3-jinja2
|
||||||
Requires(pre): shadow-utils
|
Requires(pre): shadow-utils
|
||||||
|
Requires(pre): util-linux
|
||||||
Requires: procps-ng
|
Requires: procps-ng
|
||||||
Requires: tpm2-tss
|
Requires: tpm2-tss
|
||||||
|
|
||||||
%if 0%{?with_selinux}
|
%if 0%{?with_selinux}
|
||||||
# This ensures that the *-selinux package and all it’s dependencies are not pulled
|
# This ensures that the *-selinux package and all it’s dependencies are not pulled
|
||||||
# into containers and other systems that do not use SELinux
|
# into containers and other systems that do not use SELinux
|
||||||
Requires: (%{srcname}-selinux if selinux-policy-%{selinuxtype})
|
Recommends: (%{srcname}-selinux if selinux-policy-%{selinuxtype})
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%ifarch %efi
|
%ifarch %efi
|
||||||
@ -86,7 +99,9 @@ Requires: python3-gpg
|
|||||||
Requires: python3-lark-parser
|
Requires: python3-lark-parser
|
||||||
Requires: python3-pyasn1
|
Requires: python3-pyasn1
|
||||||
Requires: python3-pyasn1-modules
|
Requires: python3-pyasn1-modules
|
||||||
|
Requires: python3-jsonschema
|
||||||
Requires: tpm2-tools
|
Requires: tpm2-tools
|
||||||
|
Requires: openssl
|
||||||
|
|
||||||
%description -n python3-%{srcname}
|
%description -n python3-%{srcname}
|
||||||
The python3-keylime module implements the functionality used
|
The python3-keylime module implements the functionality used
|
||||||
@ -140,15 +155,12 @@ Requires: python3-%{srcname} = %{version}-%{release}
|
|||||||
The Keylime Tenant can be used to provision a Keylime Agent.
|
The Keylime Tenant can be used to provision a Keylime Agent.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%autosetup -S git -n %{srcname}-%{version}
|
%autosetup -S git -n %{srcname}-%{version} -a2
|
||||||
|
|
||||||
%if 0%{?with_selinux}
|
%if 0%{?with_selinux}
|
||||||
# SELinux policy (originally from selinux-policy-contrib)
|
# SELinux policy (originally from selinux-policy-contrib)
|
||||||
# this policy module will override the production module
|
# this policy module will override the production module
|
||||||
mkdir selinux
|
mkdir selinux
|
||||||
cp -p %{SOURCE2} selinux/
|
|
||||||
cp -p %{SOURCE3} selinux/
|
|
||||||
cp -p %{SOURCE4} selinux/
|
|
||||||
|
|
||||||
make -f %{_datadir}/selinux/devel/Makefile %{srcname}.pp
|
make -f %{_datadir}/selinux/devel/Makefile %{srcname}.pp
|
||||||
bzip2 -9 %{srcname}.pp
|
bzip2 -9 %{srcname}.pp
|
||||||
@ -163,45 +175,40 @@ mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname}
|
|||||||
mkdir -p --mode=0700 %{buildroot}/%{_rundir}/%{srcname}
|
mkdir -p --mode=0700 %{buildroot}/%{_rundir}/%{srcname}
|
||||||
mkdir -p --mode=0700 %{buildroot}/%{_localstatedir}/log/%{srcname}
|
mkdir -p --mode=0700 %{buildroot}/%{_localstatedir}/log/%{srcname}
|
||||||
|
|
||||||
# Remove agent and webapp.
|
mkdir -p --mode=0700 %{buildroot}/%{_sysconfdir}/%{srcname}/
|
||||||
rm -f %{buildroot}/%{_bindir}/%{srcname}_agent
|
for comp in "verifier" "tenant" "registrar" "ca" "logging"; do
|
||||||
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/%{srcname}_agent*
|
mkdir -p --mode=0700 %{buildroot}/%{_sysconfdir}/%{srcname}/${comp}.conf.d
|
||||||
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/__pycache__/agent.*
|
install -Dpm 400 config/${comp}.conf %{buildroot}/%{_sysconfdir}/%{srcname}
|
||||||
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/agent.*
|
done
|
||||||
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/%{srcname}_agent.*
|
|
||||||
|
|
||||||
rm -f %{buildroot}/%{_bindir}/%{srcname}_webapp
|
# Ship some scripts.
|
||||||
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/tenant_webapp.*
|
mkdir -p %{buildroot}/%{_datadir}/%{srcname}/scripts
|
||||||
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/__pycache__/webapp.*
|
for s in create_runtime_policy.sh \
|
||||||
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/webapp.*
|
create_mb_refstate \
|
||||||
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/tenant_webapp.*
|
ek-openssl-verify; do
|
||||||
rm -rf %{buildroot}%{python3_sitelib}/%{srcname}/static/
|
install -Dpm 755 scripts/${s} \
|
||||||
|
%{buildroot}/%{_datadir}/%{srcname}/scripts/${s}
|
||||||
|
done
|
||||||
|
|
||||||
# Remove misc progs.
|
# Ship configuration templates.
|
||||||
rm -f %{buildroot}/%{_bindir}/%{srcname}_ima_emulator
|
cp -r ./templates %{buildroot}%{_datadir}/%{srcname}/templates/
|
||||||
rm -f %{buildroot}/%{_bindir}/%{srcname}_userdata_encrypt
|
|
||||||
|
|
||||||
# Setting up the agent to use keylime:keylime user/group after dropping privileges.
|
mkdir -p --mode=0755 %{buildroot}/%{_bindir}
|
||||||
sed -e 's/^run_as[[:space:]]*=.*/run_as = keylime:keylime/g' -i %{srcname}.conf
|
install -Dpm 755 ./keylime/cmd/convert_config.py %{buildroot}/%{_bindir}/keylime_upgrade_config
|
||||||
|
|
||||||
# Using sha256 for tpm_hash_alg.
|
|
||||||
sed -e 's/^tpm_hash_alg[[:space:]]*=.*/tpm_hash_alg = sha256/g' -i %{srcname}.conf
|
|
||||||
|
|
||||||
%if 0%{?with_selinux}
|
%if 0%{?with_selinux}
|
||||||
install -D -m 0644 %{srcname}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2
|
install -D -m 0644 %{srcname}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2
|
||||||
install -D -p -m 0644 selinux/%{srcname}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
|
install -D -p -m 0644 keylime-selinux-%{policy_version}/%{srcname}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
install -Dpm 600 %{srcname}.conf \
|
|
||||||
%{buildroot}%{_sysconfdir}/%{srcname}.conf
|
|
||||||
|
|
||||||
install -Dpm 644 ./services/%{srcname}_verifier.service \
|
install -Dpm 644 ./services/%{srcname}_verifier.service \
|
||||||
%{buildroot}%{_unitdir}/%{srcname}_verifier.service
|
%{buildroot}%{_unitdir}/%{srcname}_verifier.service
|
||||||
|
|
||||||
install -Dpm 644 ./services/%{srcname}_registrar.service \
|
install -Dpm 644 ./services/%{srcname}_registrar.service \
|
||||||
%{buildroot}%{_unitdir}/%{srcname}_registrar.service
|
%{buildroot}%{_unitdir}/%{srcname}_registrar.service
|
||||||
|
|
||||||
cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/keylime/
|
cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/
|
||||||
|
chmod 400 %{buildroot}%{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem
|
||||||
|
|
||||||
install -p -d %{buildroot}/%{_tmpfilesdir}
|
install -p -d %{buildroot}/%{_tmpfilesdir}
|
||||||
cat > %{buildroot}/%{_tmpfilesdir}/%{srcname}.conf << EOF
|
cat > %{buildroot}/%{_tmpfilesdir}/%{srcname}.conf << EOF
|
||||||
@ -214,21 +221,45 @@ install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/%{srcname}.conf
|
|||||||
%sysusers_create_compat %{SOURCE1}
|
%sysusers_create_compat %{SOURCE1}
|
||||||
exit 0
|
exit 0
|
||||||
|
|
||||||
|
%post base
|
||||||
|
/usr/bin/keylime_upgrade_config --component ca --component logging >/dev/null
|
||||||
|
exit 0
|
||||||
|
|
||||||
%posttrans base
|
%posttrans base
|
||||||
[ -f %{_sysconfdir}/%{srcname}.conf ] && \
|
if [ -d %{_sysconfdir}/%{srcname} ]; then
|
||||||
chmod 600 %{_sysconfdir}/%{srcname}.conf && \
|
chmod 500 %{_sysconfdir}/%{srcname}
|
||||||
chown %{srcname} %{_sysconfdir}/%{srcname}.conf
|
chown -R %{srcname}:%{srcname} %{_sysconfdir}/%{srcname}
|
||||||
|
|
||||||
|
for comp in "verifier" "tenant" "registrar" "ca" "logging"; do
|
||||||
|
[ -d %{_sysconfdir}/%{srcname}/${comp}.conf.d ] && \
|
||||||
|
chmod 500 %{_sysconfdir}/%{srcname}/${comp}.conf.d
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
[ -d %{_sharedstatedir}/%{srcname} ] && \
|
[ -d %{_sharedstatedir}/%{srcname} ] && \
|
||||||
chown -R %{srcname} %{_sharedstatedir}/%{srcname}/
|
chown -R %{srcname} %{_sharedstatedir}/%{srcname}/
|
||||||
|
|
||||||
|
[ -d %{_sharedstatedir}/%{srcname}/tpm_cert_store ] && \
|
||||||
|
chmod 400 %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem && \
|
||||||
|
chmod 500 %{_sharedstatedir}/%{srcname}/tpm_cert_store/
|
||||||
|
|
||||||
[ -d %{_localstatedir}/log/%{srcname} ] && \
|
[ -d %{_localstatedir}/log/%{srcname} ] && \
|
||||||
chown -R %{srcname} %{_localstatedir}/log/%{srcname}/
|
chown -R %{srcname} %{_localstatedir}/log/%{srcname}/
|
||||||
exit 0
|
exit 0
|
||||||
|
|
||||||
%post verifier
|
%post verifier
|
||||||
|
/usr/bin/keylime_upgrade_config --component verifier >/dev/null
|
||||||
%systemd_post %{srcname}_verifier.service
|
%systemd_post %{srcname}_verifier.service
|
||||||
|
exit 0
|
||||||
|
|
||||||
%post registrar
|
%post registrar
|
||||||
|
/usr/bin/keylime_upgrade_config --component registrar >/dev/null
|
||||||
%systemd_post %{srcname}_registrar.service
|
%systemd_post %{srcname}_registrar.service
|
||||||
|
exit 0
|
||||||
|
|
||||||
|
%post tenant
|
||||||
|
/usr/bin/keylime_upgrade_config --component tenant >/dev/null
|
||||||
|
exit 0
|
||||||
|
|
||||||
%preun verifier
|
%preun verifier
|
||||||
%systemd_preun %{srcname}_verifier.service
|
%systemd_preun %{srcname}_verifier.service
|
||||||
@ -272,13 +303,16 @@ fi
|
|||||||
|
|
||||||
%files verifier
|
%files verifier
|
||||||
%license LICENSE
|
%license LICENSE
|
||||||
|
%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/verifier.conf.d
|
||||||
|
%config(noreplace) %verify(not md5 size mode mtime) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/verifier.conf
|
||||||
%{_bindir}/%{srcname}_verifier
|
%{_bindir}/%{srcname}_verifier
|
||||||
%{_bindir}/%{srcname}_ca
|
%{_bindir}/%{srcname}_ca
|
||||||
%{_bindir}/%{srcname}_migrations_apply
|
|
||||||
%{_unitdir}/keylime_verifier.service
|
%{_unitdir}/keylime_verifier.service
|
||||||
|
|
||||||
%files registrar
|
%files registrar
|
||||||
%license LICENSE
|
%license LICENSE
|
||||||
|
%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/registrar.conf.d
|
||||||
|
%config(noreplace) %verify(not md5 size mode mtime) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/registrar.conf
|
||||||
%{_bindir}/%{srcname}_registrar
|
%{_bindir}/%{srcname}_registrar
|
||||||
%{_unitdir}/keylime_registrar.service
|
%{_unitdir}/keylime_registrar.service
|
||||||
|
|
||||||
@ -291,27 +325,111 @@ fi
|
|||||||
|
|
||||||
%files tenant
|
%files tenant
|
||||||
%license LICENSE
|
%license LICENSE
|
||||||
|
%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/tenant.conf.d
|
||||||
|
%config(noreplace) %verify(not md5 size mode mtime) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/tenant.conf
|
||||||
%{_bindir}/%{srcname}_tenant
|
%{_bindir}/%{srcname}_tenant
|
||||||
|
|
||||||
%files -n python3-%{srcname}
|
%files -n python3-%{srcname}
|
||||||
%license LICENSE
|
%license LICENSE
|
||||||
%{python3_sitelib}/%{srcname}-*.egg-info/
|
%{python3_sitelib}/%{srcname}-*.egg-info/
|
||||||
%{python3_sitelib}/%{srcname}
|
%{python3_sitelib}/%{srcname}
|
||||||
|
%{_datadir}/%{srcname}/scripts/create_mb_refstate
|
||||||
|
%{_bindir}/keylime_attest
|
||||||
|
%{_bindir}/keylime_convert_runtime_policy
|
||||||
|
%{_bindir}/keylime_create_policy
|
||||||
|
%{_bindir}/keylime_sign_runtime_policy
|
||||||
|
%{_bindir}/keylime_userdata_encrypt
|
||||||
|
|
||||||
%files base
|
%files base
|
||||||
%license LICENSE
|
%license LICENSE
|
||||||
%doc README.md
|
%doc README.md
|
||||||
%config(noreplace) %attr(600,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}.conf
|
%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/{ca,logging}.conf.d
|
||||||
|
%config(noreplace) %verify(not md5 size mode mtime) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/ca.conf
|
||||||
|
%config(noreplace) %verify(not md5 size mode mtime) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/logging.conf
|
||||||
%attr(700,%{srcname},%{srcname}) %dir %{_rundir}/%{srcname}
|
%attr(700,%{srcname},%{srcname}) %dir %{_rundir}/%{srcname}
|
||||||
%attr(700,%{srcname},%{srcname}) %dir %{_localstatedir}/log/%{srcname}
|
%attr(700,%{srcname},%{srcname}) %dir %{_localstatedir}/log/%{srcname}
|
||||||
%attr(700,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}
|
%attr(700,%{srcname},%{srcname}) %dir %{_sharedstatedir}/%{srcname}
|
||||||
|
%attr(500,%{srcname},%{srcname}) %dir %{_sharedstatedir}/%{srcname}/tpm_cert_store
|
||||||
|
%attr(400,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem
|
||||||
%{_tmpfilesdir}/%{srcname}.conf
|
%{_tmpfilesdir}/%{srcname}.conf
|
||||||
%{_sysusersdir}/%{srcname}.conf
|
%{_sysusersdir}/%{srcname}.conf
|
||||||
|
%{_datadir}/%{srcname}/scripts/create_runtime_policy.sh
|
||||||
|
%{_datadir}/%{srcname}/scripts/ek-openssl-verify
|
||||||
|
%{_datadir}/%{srcname}/templates
|
||||||
|
%{_bindir}/keylime_upgrade_config
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%license LICENSE
|
%license LICENSE
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Sep 06 2023 Sergio Correia <scorreia@redhat.com> - 7.3.0-9
|
||||||
|
- Rebuild for properly tagging the resulting build
|
||||||
|
Resolves: RHEL-1898
|
||||||
|
|
||||||
|
* Fri Sep 01 2023 Sergio Correia <scorreia@redhat.com> - 7.3.0-8
|
||||||
|
- Add missing dependencies python3-jinja2 and util-linux
|
||||||
|
Resolves: RHEL-1898
|
||||||
|
|
||||||
|
* Mon Aug 28 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.3.0-7
|
||||||
|
- Automatically update agent API version
|
||||||
|
Resolves: RHEL-1518
|
||||||
|
|
||||||
|
* Mon Aug 28 2023 Sergio Correia <scorreia@redhat.com> - 7.3.0-6
|
||||||
|
- Fix registrar is subject to a DoS against SSL (CVE-2023-38200)
|
||||||
|
Resolves: rhbz#2222694
|
||||||
|
|
||||||
|
* Fri Aug 25 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.3.0-5
|
||||||
|
- Fix challenge-protocol bypass during agent registration (CVE-2023-38201)
|
||||||
|
Resolves: rhbz#2222695
|
||||||
|
|
||||||
|
* Tue Aug 22 2023 Sergio Correia <scorreia@redhat.com> - 7.3.0-4
|
||||||
|
- Update spec file to use %verify(not md5 size mode mtime) for files updated in %post scriptlets
|
||||||
|
Resolves: RHEL-475
|
||||||
|
|
||||||
|
* Tue Aug 15 2023 Sergio Correia <scorreia@redhat.com> - 7.3.0-3
|
||||||
|
- Fix Keylime configuration upgrades issues introduced in last rebase
|
||||||
|
Resolves: RHEL-475
|
||||||
|
- Handle session close using a session manager
|
||||||
|
Resolves: RHEL-1252
|
||||||
|
- Add ignores for EV_PLATFORM_CONFIG_FLAGS
|
||||||
|
Resolves: RHEL-947
|
||||||
|
|
||||||
|
* Tue Aug 8 2023 Patrik Koncity <pkoncity@redhat.com> - 7.3.0-2
|
||||||
|
- Keylime SELinux policy provides more restricted ports.
|
||||||
|
- New SELinux label for ports used by keylime.
|
||||||
|
- Adding tabrmd interfaces allow unix stream socket communication and dbus communication.
|
||||||
|
- Allow the keylime_server_t domain to get the attributes of all filesystems.
|
||||||
|
Resolves: RHEL-595
|
||||||
|
Resolves: RHEL-390
|
||||||
|
Resolves: RHEL-948
|
||||||
|
|
||||||
|
* Wed Jul 19 2023 Sergio Correia <scorreia@redhat.com> - 7.3.0-1
|
||||||
|
- Update to 7.3.0
|
||||||
|
Resolves: RHEL-475
|
||||||
|
|
||||||
|
* Fri Jan 13 2023 Sergio Correia <scorreia@redhat.com> - 6.5.2-4
|
||||||
|
- Backport upstream PR#1240 - logging: remove option to log into separate file
|
||||||
|
Resolves: rhbz#2154584 - keylime verifier is not logging to /var/log/keylime
|
||||||
|
|
||||||
|
* Thu Dec 1 2022 Sergio Correia <scorreia@redhat.com> - 6.5.2-3
|
||||||
|
- Remove leftover policy file
|
||||||
|
Related: rhbz#2152135
|
||||||
|
|
||||||
|
* Thu Dec 1 2022 Patrik Koncity <pkoncity@redhat.com> - 6.5.2-2
|
||||||
|
- Use keylime selinux policy from upstream.
|
||||||
|
Resolves: rhbz#2152135
|
||||||
|
|
||||||
|
* Mon Nov 14 2022 Sergio Correia <scorreia@redhat.com> - 6.5.2-1
|
||||||
|
- Update to 6.5.2
|
||||||
|
Resolves: CVE-2022-3500
|
||||||
|
Resolves: rhbz#2138167 - agent fails IMA attestation when one scripts is executed quickly after the other
|
||||||
|
Resolves: rhbz#2140670 - Segmentation fault in /usr/share/keylime/create_mb_refstate script
|
||||||
|
Resolves: rhbz#142009 - Registrar may crash during EK validation when require_ek_cert is enabled
|
||||||
|
|
||||||
|
* Tue Sep 13 2022 Sergio Correia <scorreia@redhat.com> - 6.5.0-1
|
||||||
|
- Update to 6.5.0
|
||||||
|
Resolves: rhbz#2120686 - Keylime configuration is too complex
|
||||||
|
|
||||||
* Fri Aug 26 2022 Sergio Correia <scorreia@redhat.com> - 6.4.3-1
|
* Fri Aug 26 2022 Sergio Correia <scorreia@redhat.com> - 6.4.3-1
|
||||||
- Update to 6.4.3
|
- Update to 6.4.3
|
||||||
Resolves: rhbz#2121044 - Error parsing EK ASN.1 certificate of Nuvoton HW TPM
|
Resolves: rhbz#2121044 - Error parsing EK ASN.1 certificate of Nuvoton HW TPM
|
||||||
|
Loading…
Reference in New Issue
Block a user