b86572b8d2
Resolves: RHEL-9561 RHEL-9563 RHEL-9565
154 lines
6.0 KiB
Diff
154 lines
6.0 KiB
Diff
From ac7b0dbd5a18d2c57a942ca14ac856b8047425ff Mon Sep 17 00:00:00 2001
|
|
From: Panu Matilainen <pmatilai@redhat.com>
|
|
Date: Tue, 15 Feb 2022 10:43:13 +0200
|
|
Subject: [PATCH] Pass file descriptor to file prepare plugin hook, use when
|
|
possible
|
|
|
|
Sadly the thing that allegedly makes things better mostly just makes
|
|
things more complicated as symlinks can't be opened, so we'll now have
|
|
to deal with both cases in plugins too. To make matters worse, most
|
|
APIs out there support either an fd or a path, but very few support
|
|
the *at() style dirfd + basename approach so plugins are stuck with
|
|
absolute paths for now.
|
|
|
|
This is of course a plugin API/ABI change too.
|
|
---
|
|
lib/rpmplugin.h | 2 +-
|
|
lib/rpmplugins.c | 4 ++--
|
|
lib/rpmplugins.h | 3 ++-
|
|
plugins/ima.c | 9 +++++++--
|
|
plugins/selinux.c | 13 ++++++++-----
|
|
5 files changed, 20 insertions(+), 11 deletions(-)
|
|
|
|
diff --git a/lib/rpmplugin.h b/lib/rpmplugin.h
|
|
index fd81aec8d..fab4b3e83 100644
|
|
--- a/lib/rpmplugin.h
|
|
+++ b/lib/rpmplugin.h
|
|
@@ -57,7 +57,7 @@ typedef rpmRC (*plugin_fsm_file_post_func)(rpmPlugin plugin, rpmfi fi,
|
|
const char* path, mode_t file_mode,
|
|
rpmFsmOp op, int res);
|
|
typedef rpmRC (*plugin_fsm_file_prepare_func)(rpmPlugin plugin, rpmfi fi,
|
|
- const char* path,
|
|
+ int fd, const char* path,
|
|
const char *dest,
|
|
mode_t file_mode, rpmFsmOp op);
|
|
|
|
diff --git a/lib/rpmplugins.c b/lib/rpmplugins.c
|
|
index 65e684e84..923084b78 100644
|
|
--- a/lib/rpmplugins.c
|
|
+++ b/lib/rpmplugins.c
|
|
@@ -384,7 +384,7 @@ rpmRC rpmpluginsCallFsmFilePost(rpmPlugins plugins, rpmfi fi, const char *path,
|
|
}
|
|
|
|
rpmRC rpmpluginsCallFsmFilePrepare(rpmPlugins plugins, rpmfi fi,
|
|
- const char *path, const char *dest,
|
|
+ int fd, const char *path, const char *dest,
|
|
mode_t file_mode, rpmFsmOp op)
|
|
{
|
|
plugin_fsm_file_prepare_func hookFunc;
|
|
@@ -394,7 +394,7 @@ rpmRC rpmpluginsCallFsmFilePrepare(rpmPlugins plugins, rpmfi fi,
|
|
for (i = 0; i < plugins->count; i++) {
|
|
rpmPlugin plugin = plugins->plugins[i];
|
|
RPMPLUGINS_SET_HOOK_FUNC(fsm_file_prepare);
|
|
- if (hookFunc && hookFunc(plugin, fi, path, dest, file_mode, op) == RPMRC_FAIL) {
|
|
+ if (hookFunc && hookFunc(plugin, fi, fd, path, dest, file_mode, op) == RPMRC_FAIL) {
|
|
rpmlog(RPMLOG_ERR, "Plugin %s: hook fsm_file_prepare failed\n", plugin->name);
|
|
rc = RPMRC_FAIL;
|
|
}
|
|
diff --git a/lib/rpmplugins.h b/lib/rpmplugins.h
|
|
index 39762c376..ddf5d7048 100644
|
|
--- a/lib/rpmplugins.h
|
|
+++ b/lib/rpmplugins.h
|
|
@@ -156,6 +156,7 @@ rpmRC rpmpluginsCallFsmFilePost(rpmPlugins plugins, rpmfi fi, const char* path,
|
|
* permissions etc, but before committing file to destination path.
|
|
* @param plugins plugins structure
|
|
* @param fi file info iterator (or NULL)
|
|
+ * @param fd file descriptor (or -1 if not available)
|
|
* @param path file object current path
|
|
* @param dest file object destination path
|
|
* @param mode file object mode
|
|
@@ -164,7 +165,7 @@ rpmRC rpmpluginsCallFsmFilePost(rpmPlugins plugins, rpmfi fi, const char* path,
|
|
*/
|
|
RPM_GNUC_INTERNAL
|
|
rpmRC rpmpluginsCallFsmFilePrepare(rpmPlugins plugins, rpmfi fi,
|
|
- const char *path, const char *dest,
|
|
+ int fd, const char *path, const char *dest,
|
|
mode_t mode, rpmFsmOp op);
|
|
|
|
#ifdef __cplusplus
|
|
diff --git a/plugins/fapolicyd.c b/plugins/fapolicyd.c
|
|
index 7ac44f0d0..1ff50c30f 100644
|
|
--- a/plugins/fapolicyd.c
|
|
+++ b/plugins/fapolicyd.c
|
|
@@ -145,7 +145,8 @@ static rpmRC fapolicyd_scriptlet_pre(rpmPlugin plugin, const char *s_name,
|
|
}
|
|
|
|
static rpmRC fapolicyd_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
|
|
- const char *path, const char *dest,
|
|
+ int fd, const char *path,
|
|
+ const char *dest,
|
|
mode_t file_mode, rpmFsmOp op)
|
|
{
|
|
/* not ready */
|
|
--- a/plugins/ima.c 2020-04-28 14:50:11.835399269 +0200
|
|
+++ b/plugins/ima.c 2023-12-13 11:19:58.835948660 +0100
|
|
@@ -39,7 +39,7 @@
|
|
return (memcmp(fsig, &zero_hdr, sizeof(zero_hdr)) == 0);
|
|
}
|
|
|
|
-static rpmRC ima_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
|
|
+static rpmRC ima_fsm_file_prepare(rpmPlugin plugin, rpmfi fi, int fd,
|
|
const char *path,
|
|
const char *dest,
|
|
mode_t file_mode, rpmFsmOp op)
|
|
@@ -63,8 +63,14 @@
|
|
|
|
fsig = rpmfiFSignature(fi, &len);
|
|
if (fsig && (check_zero_hdr(fsig, len) == 0)) {
|
|
- if (lsetxattr(path, XATTR_NAME_IMA, fsig, len, 0) < 0) {
|
|
- rpmlog(RPMLOG_ERR,
|
|
+ int xx;
|
|
+ if (fd >= 0)
|
|
+ xx = fsetxattr(fd, XATTR_NAME_IMA, fsig, len, 0);
|
|
+ else
|
|
+ xx = lsetxattr(path, XATTR_NAME_IMA, fsig, len, 0);
|
|
+ if (xx < 0) {
|
|
+ int is_err = errno != EOPNOTSUPP;
|
|
+ rpmlog(is_err?RPMLOG_ERR:RPMLOG_DEBUG,
|
|
"ima: could not apply signature on '%s': %s\n",
|
|
path, strerror(errno));
|
|
rc = RPMRC_FAIL;
|
|
--- a/plugins/selinux.c 2023-12-13 11:21:54.935009141 +0100
|
|
+++ b/plugins/selinux.c 2023-12-13 11:22:23.172510285 +0100
|
|
@@ -149,7 +149,7 @@
|
|
return rc;
|
|
}
|
|
|
|
-static rpmRC selinux_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
|
|
+static rpmRC selinux_fsm_file_prepare(rpmPlugin plugin, rpmfi fi, int fd,
|
|
const char *path, const char *dest,
|
|
mode_t file_mode, rpmFsmOp op)
|
|
{
|
|
@@ -159,14 +159,17 @@
|
|
if (sehandle && !XFA_SKIPPING(action)) {
|
|
security_context_t scon = NULL;
|
|
if (selabel_lookup_raw(sehandle, &scon, dest, file_mode) == 0) {
|
|
- int conrc = lsetfilecon(path, scon);
|
|
+ int conrc;
|
|
+ if (fd >= 0)
|
|
+ conrc = fsetfilecon(fd, scon);
|
|
+ else
|
|
+ conrc = lsetfilecon(path, scon);
|
|
|
|
if (conrc == 0 || (conrc < 0 && errno == EOPNOTSUPP))
|
|
rc = RPMRC_OK;
|
|
|
|
- rpmlog((rc != RPMRC_OK) ? RPMLOG_ERR : RPMLOG_DEBUG,
|
|
- "lsetfilecon: (%s, %s) %s\n",
|
|
- path, scon, (conrc < 0 ? strerror(errno) : ""));
|
|
+ rpmlog((rc != RPMRC_OK) ? RPMLOG_ERR : RPMLOG_DEBUG, "lsetfilecon: (%d %s, %s) %s\n",
|
|
+ fd, path, scon, (conrc < 0 ? strerror(errno) : ""));
|
|
|
|
freecon(scon);
|
|
} else {
|