Don't error out on IMA signatures
on files not supporting them Resolves: #2157835 Resolves: #2157836
This commit is contained in:
Florian Festi
parent
31b00a05e3
commit
288f177357
41
rpm-4.16.1.3-IMA-without-xattr.patch
Normal file
41
rpm-4.16.1.3-IMA-without-xattr.patch
Normal file
@ -0,0 +1,41 @@
|
|||||||
|
Based on
|
||||||
|
|
||||||
|
From 7db2efa95d859cebda2b095ffdffac42812bd6d9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Darren Kenny <darren.kenny@oracle.com>
|
||||||
|
Date: Tue, 22 Feb 2022 16:57:00 +0000
|
||||||
|
Subject: [PATCH] ima: Install on filesystems without xattr support without
|
||||||
|
failing
|
||||||
|
|
||||||
|
If an RPM contains IMA signed digests and rpm-plugin-ima is installed,
|
||||||
|
then any attempt to install to a filesystem that doesn't support
|
||||||
|
extended attributes will cause the RPM installation to fail.
|
||||||
|
|
||||||
|
This can be seen, for example, if installing a file /boot, which is
|
||||||
|
usually a vFAT filesystem.
|
||||||
|
|
||||||
|
The rpm-plugin for selinux fixed this some time back, and that same
|
||||||
|
logic can be applied to IMA too - where, if a failure to set an extended
|
||||||
|
attribute results in an errno that is set to EOPNOTSUPP, then this
|
||||||
|
should not cause a complete failure, but should instead just be logged
|
||||||
|
at a debug level.
|
||||||
|
|
||||||
|
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
|
||||||
|
|
||||||
|
--- rpm-4.16.1.3/plugins/ima.c.orig 2023-05-02 18:19:25.095992859 +0200
|
||||||
|
+++ rpm-4.16.1.3/plugins/ima.c 2023-05-02 18:21:46.032941008 +0200
|
||||||
|
@@ -69,10 +69,13 @@
|
||||||
|
fsig = rpmfiFSignature(fi, &len);
|
||||||
|
if (fsig && (check_zero_hdr(fsig, len) == 0)) {
|
||||||
|
if (lsetxattr(path, XATTR_NAME_IMA, fsig, len, 0) < 0) {
|
||||||
|
- rpmlog(RPMLOG_ERR,
|
||||||
|
+ int is_err = errno != EOPNOTSUPP;
|
||||||
|
+ rpmlog(is_err?RPMLOG_ERR:RPMLOG_DEBUG,
|
||||||
|
"ima: could not apply signature on '%s': %s\n",
|
||||||
|
path, strerror(errno));
|
||||||
|
- rc = RPMRC_FAIL;
|
||||||
|
+ if (is_err) {
|
||||||
|
+ rc = RPMRC_FAIL;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
7
rpm.spec
7
rpm.spec
@ -32,7 +32,7 @@
|
|||||||
|
|
||||||
%global rpmver 4.16.1.3
|
%global rpmver 4.16.1.3
|
||||||
#global snapver rc1
|
#global snapver rc1
|
||||||
%global rel 22
|
%global rel 23
|
||||||
%global sover 9
|
%global sover 9
|
||||||
|
|
||||||
%global srcver %{rpmver}%{?snapver:-%{snapver}}
|
%global srcver %{rpmver}%{?snapver:-%{snapver}}
|
||||||
@ -93,6 +93,7 @@ Patch121: rpm-4.16.1.3-rpm2archive-nocompression.patch
|
|||||||
Patch122: rpm-4.16.1.3-Support-long-languages-names-for-QT.patch
|
Patch122: rpm-4.16.1.3-Support-long-languages-names-for-QT.patch
|
||||||
Patch123: rpm-4.14.3-rpm2archive-parse-popt-options.patch
|
Patch123: rpm-4.14.3-rpm2archive-parse-popt-options.patch
|
||||||
Patch124: rpm-4.14.3-rpm2archive-Don-t-print-usage.patch
|
Patch124: rpm-4.14.3-rpm2archive-Don-t-print-usage.patch
|
||||||
|
Patch125: rpm-4.16.1.3-IMA-without-xattr.patch
|
||||||
|
|
||||||
# These are not yet upstream
|
# These are not yet upstream
|
||||||
Patch906: rpm-4.7.1-geode-i686.patch
|
Patch906: rpm-4.7.1-geode-i686.patch
|
||||||
@ -627,6 +628,10 @@ fi
|
|||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
|
||||||
|
* Wed May 03 2023 Florian Festi <ffesti@redhat.com> - 4.16.1.3-23
|
||||||
|
- Don't error out on IMA signatures on files not supporting them
|
||||||
|
(#2157835, #2157836)
|
||||||
|
|
||||||
* Mon Dec 19 2022 Florian Festi <ffesti@redhat.com> - 4.16.1.3-22
|
* Mon Dec 19 2022 Florian Festi <ffesti@redhat.com> - 4.16.1.3-22
|
||||||
- Fix option handling in rpm2archive for #2150804
|
- Fix option handling in rpm2archive for #2150804
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user