No commits in common. "imports/c9/keylime-7.3.0-12.el9_3" and "c9-beta" have entirely different histories.
@ -1,59 +0,0 @@
|
||||||
--- a/scripts/create_runtime_policy.sh 2023-10-09 17:04:26.121194607 +0200
|
|
||||||
+++ b/scripts/create_runtime_policy.sh 2023-10-09 17:06:02.089855614 +0200
|
|
||||||
@@ -42,7 +42,7 @@
|
|
||||||
exit $NOARGS;
|
|
||||||
fi
|
|
||||||
|
|
||||||
-ALGO=sha1sum
|
|
||||||
+ALGO=sha256sum
|
|
||||||
|
|
||||||
ALGO_LIST=("sha1sum" "sha256sum" "sha512sum")
|
|
||||||
|
|
||||||
@@ -78,7 +78,7 @@
|
|
||||||
|
|
||||||
|
|
||||||
# Where to look for initramfs image
|
|
||||||
-INITRAMFS_LOC="/boot/"
|
|
||||||
+INITRAMFS_LOC="/boot"
|
|
||||||
if [ -d "/ostree" ]; then
|
|
||||||
# If we are on an ostree system change where we look for initramfs image
|
|
||||||
loc=$(grep -E "/ostree/[^/]([^/]*)" -o /proc/cmdline | head -n 1 | cut -d / -f 3)
|
|
||||||
@@ -121,7 +121,7 @@
|
|
||||||
cp -r /tmp/ima/$i-extracted-unmk/. /tmp/ima/$i-extracted
|
|
||||||
fi
|
|
||||||
elif [[ -x "/usr/lib/dracut/skipcpio" ]] ; then
|
|
||||||
- /usr/lib/dracut/skipcpio $i | gunzip -c | cpio -i -d 2> /dev/null
|
|
||||||
+ /usr/lib/dracut/skipcpio $i | gunzip -c 2> /dev/null | cpio -i -d 2> /dev/null
|
|
||||||
else
|
|
||||||
echo "ERROR: No tools for initramfs image processing found!"
|
|
||||||
break
|
|
||||||
@@ -130,9 +130,26 @@
|
|
||||||
find -type f -exec $ALGO "./{}" \; | sed "s| \./\./| /|" >> $OUTPUT
|
|
||||||
done
|
|
||||||
|
|
||||||
-# Convert to runtime policy
|
|
||||||
-echo "Converting created allowlist to Keylime runtime policy"
|
|
||||||
-python3 $WORKING_DIR/../keylime/cmd/convert_runtime_policy.py -a $OUTPUT -o $OUTPUT
|
|
||||||
+# when ROOTFS_LOC = '/', the path starts on allowlist ends up with double '//'
|
|
||||||
+#
|
|
||||||
+# Example:
|
|
||||||
+#
|
|
||||||
+# b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c //bar
|
|
||||||
+#
|
|
||||||
+# Replace the unwanted '//' with a single '/'
|
|
||||||
+sed -i 's| /\+| /|g' $ALLOWLIST_DIR/${OUTPUT}
|
|
||||||
+
|
|
||||||
+# When the file name contains newlines or backslashes, the output of sha256sum
|
|
||||||
+# adds a backslash at the beginning of the line.
|
|
||||||
+#
|
|
||||||
+# Example:
|
|
||||||
+#
|
|
||||||
+# $ echo foo > ba\\r
|
|
||||||
+# $ sha256sum ba\\r
|
|
||||||
+# \b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c ba\\r
|
|
||||||
+#
|
|
||||||
+# Remove the unwanted backslash prefix
|
|
||||||
+sed -i 's/^\\//g' $ALLOWLIST_DIR/${OUTPUT}
|
|
||||||
|
|
||||||
# Clean up
|
|
||||||
rm -rf /tmp/ima
|
|
|
@ -1,44 +0,0 @@
|
||||||
diff --git a/keylime/cloud_verifier_common.py b/keylime/cloud_verifier_common.py
|
|
||||||
index a7399d2..c0f416d 100644
|
|
||||||
--- a/keylime/cloud_verifier_common.py
|
|
||||||
+++ b/keylime/cloud_verifier_common.py
|
|
||||||
@@ -8,7 +8,7 @@ from keylime.agentstates import AgentAttestState, AgentAttestStates, TPMClockInf
|
|
||||||
from keylime.common import algorithms
|
|
||||||
from keylime.db.verifier_db import VerfierMain
|
|
||||||
from keylime.failure import Component, Event, Failure
|
|
||||||
-from keylime.ima import file_signatures
|
|
||||||
+from keylime.ima import file_signatures, ima
|
|
||||||
from keylime.ima.types import RuntimePolicyType
|
|
||||||
from keylime.tpm import tpm_util
|
|
||||||
from keylime.tpm.tpm_main import Tpm
|
|
||||||
@@ -271,7 +271,7 @@ def process_get_status(agent: VerfierMain) -> Dict[str, Any]:
|
|
||||||
logger.debug('The contents of the agent %s attribute "mb_refstate" are %s', agent.agent_id, agent.mb_refstate)
|
|
||||||
|
|
||||||
has_runtime_policy = 0
|
|
||||||
- if agent.ima_policy.generator and agent.ima_policy.generator > 1:
|
|
||||||
+ if agent.ima_policy.generator and agent.ima_policy.generator > ima.RUNTIME_POLICY_GENERATOR.EmptyAllowList:
|
|
||||||
has_runtime_policy = 1
|
|
||||||
|
|
||||||
response = {
|
|
||||||
diff --git a/keylime/cmd/create_policy.py b/keylime/cmd/create_policy.py
|
|
||||||
index 0841d64..086b92a 100755
|
|
||||||
--- a/keylime/cmd/create_policy.py
|
|
||||||
+++ b/keylime/cmd/create_policy.py
|
|
||||||
@@ -6,6 +6,7 @@ import argparse
|
|
||||||
import binascii
|
|
||||||
import collections
|
|
||||||
import copy
|
|
||||||
+import datetime
|
|
||||||
import gzip
|
|
||||||
import json
|
|
||||||
import multiprocessing
|
|
||||||
@@ -580,6 +581,9 @@ def main() -> None:
|
|
||||||
policy["excludes"] = sorted(list(set(policy["excludes"])))
|
|
||||||
policy["ima"]["ignored_keyrings"] = sorted(list(set(policy["ima"]["ignored_keyrings"])))
|
|
||||||
|
|
||||||
+ policy["meta"]["generator"] = ima.RUNTIME_POLICY_GENERATOR.LegacyAllowList
|
|
||||||
+ policy["meta"]["timestamp"] = str(datetime.datetime.now())
|
|
||||||
+
|
|
||||||
try:
|
|
||||||
ima.validate_runtime_policy(policy)
|
|
||||||
except ima.ImaValidationError as ex:
|
|
|
@ -9,7 +9,7 @@
|
||||||
|
|
||||||
Name: keylime
|
Name: keylime
|
||||||
Version: 7.3.0
|
Version: 7.3.0
|
||||||
Release: 12%{?dist}
|
Release: 9%{?dist}
|
||||||
Summary: Open source TPM software for Bootstrapping and Maintaining Trust
|
Summary: Open source TPM software for Bootstrapping and Maintaining Trust
|
||||||
|
|
||||||
URL: https://github.com/keylime/keylime
|
URL: https://github.com/keylime/keylime
|
||||||
|
@ -28,8 +28,6 @@ Patch: 0008-verifier-should-read-parameters-from-verifier.conf-o.patch
|
||||||
Patch: 0009-CVE-2023-38201.patch
|
Patch: 0009-CVE-2023-38201.patch
|
||||||
Patch: 0010-CVE-2023-38200.patch
|
Patch: 0010-CVE-2023-38200.patch
|
||||||
Patch: 0011-Automatically-update-agent-API-version.patch
|
Patch: 0011-Automatically-update-agent-API-version.patch
|
||||||
Patch: 0012-Restore-create-allowlist.patch
|
|
||||||
Patch: 0013-Set-generator-and-timestamp-in-create-policy.patch
|
|
||||||
|
|
||||||
License: ASL 2.0 and MIT
|
License: ASL 2.0 and MIT
|
||||||
|
|
||||||
|
@ -185,19 +183,13 @@ done
|
||||||
|
|
||||||
# Ship some scripts.
|
# Ship some scripts.
|
||||||
mkdir -p %{buildroot}/%{_datadir}/%{srcname}/scripts
|
mkdir -p %{buildroot}/%{_datadir}/%{srcname}/scripts
|
||||||
for s in create_mb_refstate \
|
for s in create_runtime_policy.sh \
|
||||||
|
create_mb_refstate \
|
||||||
ek-openssl-verify; do
|
ek-openssl-verify; do
|
||||||
install -Dpm 755 scripts/${s} \
|
install -Dpm 755 scripts/${s} \
|
||||||
%{buildroot}/%{_datadir}/%{srcname}/scripts/${s}
|
%{buildroot}/%{_datadir}/%{srcname}/scripts/${s}
|
||||||
done
|
done
|
||||||
|
|
||||||
# On RHEL 9.3, install create_runtime_policy.sh as create_allowlist.sh
|
|
||||||
# The convert_runtime_policy.py script to convert allowlist and excludelist into
|
|
||||||
# runtime policy is not called anymore.
|
|
||||||
# See: https://issues.redhat.com/browse/RHEL-11866
|
|
||||||
install -Dpm 755 scripts/create_runtime_policy.sh \
|
|
||||||
%{buildroot}/%{_datadir}/%{srcname}/scripts/create_allowlist.sh
|
|
||||||
|
|
||||||
# Ship configuration templates.
|
# Ship configuration templates.
|
||||||
cp -r ./templates %{buildroot}%{_datadir}/%{srcname}/templates/
|
cp -r ./templates %{buildroot}%{_datadir}/%{srcname}/templates/
|
||||||
|
|
||||||
|
@ -361,7 +353,7 @@ fi
|
||||||
%attr(400,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem
|
%attr(400,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem
|
||||||
%{_tmpfilesdir}/%{srcname}.conf
|
%{_tmpfilesdir}/%{srcname}.conf
|
||||||
%{_sysusersdir}/%{srcname}.conf
|
%{_sysusersdir}/%{srcname}.conf
|
||||||
%{_datadir}/%{srcname}/scripts/create_allowlist.sh
|
%{_datadir}/%{srcname}/scripts/create_runtime_policy.sh
|
||||||
%{_datadir}/%{srcname}/scripts/ek-openssl-verify
|
%{_datadir}/%{srcname}/scripts/ek-openssl-verify
|
||||||
%{_datadir}/%{srcname}/templates
|
%{_datadir}/%{srcname}/templates
|
||||||
%{_bindir}/keylime_upgrade_config
|
%{_bindir}/keylime_upgrade_config
|
||||||
|
@ -370,19 +362,6 @@ fi
|
||||||
%license LICENSE
|
%license LICENSE
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Oct 17 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.3.0-12
|
|
||||||
- Set the generator and timestamp in create_policy.py
|
|
||||||
Related: RHEL-11866
|
|
||||||
|
|
||||||
* Mon Oct 09 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.3.0-11
|
|
||||||
- Suppress unnecessary error message
|
|
||||||
Related: RHEL-11866
|
|
||||||
|
|
||||||
* Fri Oct 06 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.3.0-10
|
|
||||||
- Restore allowlist generation script
|
|
||||||
Resolves: RHEL-11866
|
|
||||||
Resolves: RHEL-11867
|
|
||||||
|
|
||||||
* Wed Sep 06 2023 Sergio Correia <scorreia@redhat.com> - 7.3.0-9
|
* Wed Sep 06 2023 Sergio Correia <scorreia@redhat.com> - 7.3.0-9
|
||||||
- Rebuild for properly tagging the resulting build
|
- Rebuild for properly tagging the resulting build
|
||||||
Resolves: RHEL-1898
|
Resolves: RHEL-1898
|
||||||
|
|