Hello community,

here is the log from the commit of package rust-keylime for openSUSE:Factory 
checked in at 2022-07-18 18:33:11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rust-keylime (Old)
 and      /work/SRC/openSUSE:Factory/.rust-keylime.new.1523 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rust-keylime"

Mon Jul 18 18:33:11 2022 rev:2 rq:989451 version:0.1.0+git.1657303637.5b9072a

Changes:
--------
--- /work/SRC/openSUSE:Factory/rust-keylime/rust-keylime.changes        
2022-07-01 13:44:53.598892586 +0200
+++ /work/SRC/openSUSE:Factory/.rust-keylime.new.1523/rust-keylime.changes      
2022-07-18 18:33:18.577703912 +0200
@@ -1,0 +2,26 @@
+Tue Jul 12 09:20:39 UTC 2022 - apla...@suse.com
+
+- Update to version 0.1.0+git.1657303637.5b9072a:
+  * keys_handler: Use scopes to drop mutexes before await
+  * Enable usage of Rust IMA emulator in E2E tests.
+  * ima_emulator: Support PCR hash algorithms other than SHA-1
+  * ima_entry: add IMA entry parser ported from Python Keylime
+  * algorithms: Add conversion between our hash algorithms and OpenSSL's
+  * Remove unused functions revocation_ip_get and revocation_port_get. Change 
String to &str.
+  * Adjust function usage comments to account for new parameters.
+  * Load config file less at startup in src/common.rs
+  * GNUmakefile: Make target dependencies explicit
+  * permissions: Set supplementary groups when dropping privileges
+  * main: Use more descriptive message for missing files error
+  * Show path when fail to load the certificate
+  * tpm: Add serialization functions for structures in quotes
+- Requires tpm2.0-abrmd dependency, as the kernel resource manager
+  could be not enough
+- Downgrade /var/run/keylime permissions
+- Set "run_as" parameter to "keylime:tss"
+- Create the keylime user via systemd
+- Fix keylime service home directory
+- Add 0001-main-die-when-cannot-drop-privileges.patch to avoid the
+  execution as root when the run_as user is missing in the system
+
+-------------------------------------------------------------------
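
Review bot: The changelog entry added in this hunk does not record several packaging changes visible elsewhere in the submission: the removal of the bundled keylime_agent.service and logrotate.keylime sources, the switch to the unit shipped in ./dist/systemd/system/, and the new var-lib-keylime-secure.mount unit. "Downgrade /var/run/keylime permissions" would also be easier to audit if it named the resulting mode and owner (tmpfiles.keylime sets 0700 keylime tss on /run/keylime). Suggest one changelog line for each of these.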

Old:
----
  keylime_agent.service
  logrotate.keylime
  rust-keylime-0.1.0+git.1655384301.b834667.tar.xz

New:
----
  0001-main-die-when-cannot-drop-privileges.patch
  keylime-user.conf
  rust-keylime-0.1.0+git.1657303637.5b9072a.tar.xz
  tmpfiles.keylime

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rust-keylime.spec ++++++
--- /var/tmp/diff_new_pack.Y9VTqD/_old  2022-07-18 18:33:19.873705756 +0200
+++ /var/tmp/diff_new_pack.Y9VTqD/_new  2022-07-18 18:33:19.877705761 +0200
@@ -17,8 +17,15 @@
 
 
 %global rustflags '-Clink-arg=-Wl,-z,relro,-z,now'
+# Consolidate _distconfdir and _sysconfdir
+%if 0%{?_distconfdir:1}
+  %define _config_norepl %{nil}
+%else
+  %define _distconfdir   %{_sysconfdir}
+  %define _config_norepl %config(noreplace)
+%endif
 Name:           rust-keylime
-Version:        0.1.0+git.1655384301.b834667
+Version:        0.1.0+git.1657303637.5b9072a
 Release:        0
 Summary:        Rust implementation of the keylime agent
 License:        Apache-2.0 AND MIT
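
Review bot: `_config_norepl` is defined in both branches of the new %if block at the top of this hunk, but nothing in the visible spec uses it; the %files entry for keylime.conf still spells out %config(noreplace) directly. Either use %{_config_norepl} once the file moves to _distconfdir (the TODO in %install) or drop the define until then, so the macro does not suggest behaviour the package does not have yet.
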
@@ -26,19 +33,23 @@
 Source:         rust-keylime-%{version}.tar.xz
 Source1:        vendor.tar.xz
 Source2:        cargo_config
-Source3:        keylime_agent.service
-Source4:        keylime.xml
-Source5:        logrotate.keylime
+Source3:        keylime.xml
+Source4:        keylime-user.conf
+Source5:        tmpfiles.keylime
 # PATCH-FIX-OPENSUSE keylime.conf.diff
 Patch1:         keylime.conf.diff
+# PATCH-FIX-UPSTREAM 0001-main-die-when-cannot-drop-privileges.patch -- based 
on PR 423
+Patch2:         0001-main-die-when-cannot-drop-privileges.patch
 BuildRequires:  cargo
 BuildRequires:  firewall-macros
 BuildRequires:  libarchive-devel
 BuildRequires:  rust
+BuildRequires:  sysuser-tools
 BuildRequires:  tpm2-0-tss-devel
 BuildRequires:  zeromq-devel
 Requires:       libtss2-tcti-device0
 Requires:       logrotate
+Requires:       tpm2.0-abrmd
 ExcludeArch:    %{ix86} s390x ppc64 ppc64le armhfp armv7hl
 
 %description
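
Review bot: `Requires: logrotate` is kept as context near the end of this hunk although Source5 no longer points at logrotate.keylime and the later hunk removes the logrotate.d/keylime install and %files entry. If no logrotate snippet is shipped the dependency can be dropped; if rotation of /var/log/keylime is still wanted, the snippet needs to come back.
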
@@ -52,47 +63,61 @@
 
 %build
 RUSTFLAGS=%{rustflags} cargo build --release --no-default-features --features 
"with-zmq"
+%sysusers_generate_pre %{SOURCE4} keylime keylime-user.conf
 
 %install
 RUSTFLAGS=%{rustflags} cargo install --frozen --no-default-features --features 
"with-zmq" --root=%{buildroot}%{_prefix} --path .
 
-install -Dpm 644 keylime.conf %{buildroot}%{_sysconfdir}/keylime.conf
-install -Dpm 644 %{SOURCE3} %{buildroot}%{_unitdir}/keylime_agent.service
-install -Dpm 644 %{SOURCE4} 
%{buildroot}%{_prefix}/lib/firewalld/services/keylime.xml
-install -Dpm 644 %{SOURCE5} %{buildroot}%{_distconfdir}/logrotate.d/keylime
+# TODO: move the configuration file into _distconfdir
+install -Dpm 0600 keylime.conf %{buildroot}%{_sysconfdir}/keylime.conf
+install -Dpm 0644 ./dist/systemd/system/keylime_agent.service 
%{buildroot}%{_unitdir}/keylime_agent.service
+install -Dpm 0644 ./dist/systemd/system/var-lib-keylime-secure.mount 
%{buildroot}%{_unitdir}/var-lib-keylime-secure.mount
+
+install -Dpm 0644 %{SOURCE3} 
%{buildroot}%{_prefix}/lib/firewalld/services/keylime.xml
+install -Dpm 0644 %{SOURCE4} %{buildroot}%{_sysusersdir}/keylime-user.conf
+install -Dpm 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/keylime.conf
 install -d %{buildroot}%{_localstatedir}/log/keylime
+install -d %{buildroot}%{_libexecdir}/keylime
 
 # Create work directory
-mkdir -p %{buildroot}%{_localstatedir}/keylime
+mkdir -p %{buildroot}%{_sharedstatedir}/keylime
 
 rm %{buildroot}%{_prefix}/.crates.toml
 rm %{buildroot}%{_prefix}/.crates2.json
 
 %pre
 %service_add_pre keylime_agent.service
+%service_add_pre var-lib-keylime-secure.mount
 
 %post
 %firewalld_reload
+%tmpfiles_create keylime.conf
 %service_add_post keylime_agent.service
+%service_add_post var-lib-keylime-secure.mount
 
 %preun
 %service_del_preun keylime_agent.service
+%service_del_preun var-lib-keylime-secure.mount
 
 %postun
 %service_del_postun keylime_agent.service
+%service_del_postun var-lib-keylime-secure.mount
 
 %files
 %doc README.md
 %license LICENSE
 %{_bindir}/keylime_agent
 %{_bindir}/keylime_ima_emulator
-%config(noreplace) %{_sysconfdir}/keylime.conf
-%dir %attr(0700,root,root) %{_localstatedir}/keylime
+%config(noreplace) %attr (0600,keylime,tss) %{_sysconfdir}/keylime.conf
+%{_unitdir}/keylime_agent.service
+%{_unitdir}/var-lib-keylime-secure.mount
 %dir %{_prefix}/lib/firewalld
 %dir %{_prefix}/lib/firewalld/services
 %{_prefix}/lib/firewalld/services/keylime.xml
-%{_unitdir}/keylime_agent.service
-%{_distconfdir}/logrotate.d/keylime
-%dir %attr(750,keylime,tss) %{_localstatedir}/log/keylime
+%{_sysusersdir}/keylime-user.conf
+%{_tmpfilesdir}/keylime.conf
+%dir %attr(0750,keylime,tss) %{_localstatedir}/log/keylime
+%dir %attr(0750,keylime,tss) %{_libexecdir}/keylime
+%dir %attr(0700,keylime,tss) %{_sharedstatedir}/keylime
 
 %changelog
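
Review bot: %sysusers_generate_pre in %build writes the user-creation scriptlet to keylime.pre, but the %pre section in this hunk is still a plain `%pre` with no `-f keylime.pre`, so as shown the generated script is not pulled into the package. %files assigns keylime.conf and three directories to keylime:tss, so the account has to exist before the payload is unpacked; suggest `%pre -f keylime.pre`. Separately, `%attr (0600,keylime,tss)` on keylime.conf has a space that the other %attr lines lack, and making the configuration file owned by the run_as user lets the unprivileged agent rewrite its own configuration, run_as included; a root-owned file readable by the service group would avoid that.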

++++++ 0001-main-die-when-cannot-drop-privileges.patch ++++++
From e34692c33914f7c9598c1bc9030bf94ef525d5eb Mon Sep 17 00:00:00 2001
From: Alberto Planas <apla...@suse.com>
Date: Tue, 12 Jul 2022 14:09:24 +0200
Subject: [PATCH 2/2] main: die when cannot drop privileges

If `run_as` parameter is set but the user is missing in the system,
keylime will log an ERROR when trying to drop privileges, but continue
the execution as the current user (usually `root`).  This can be a
security issue, as the agent is running "silently" as a privileged user.

This commit stops the execution if an error is found when dropping
privileges for the agent service, and presents an `info!` message with
the current user and group.

Signed-off-by: Alberto Planas <apla...@suse.com>
---
 src/main.rs | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/main.rs b/src/main.rs
index ef29eb2..d646d09 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -407,8 +407,10 @@ async fn main() -> Result<()> {
 
     // Drop privileges
     if let Some(user_group) = &config.run_as {
-        permissions::chown(user_group, &mount);
-        permissions::run_as(user_group);
+        permissions::chown(user_group, &mount)
+            .expect("Error when changing directory ownership");
+        permissions::run_as(user_group).expect("Error dropping privileges");
+        info!("Running the service as {}...", user_group);
     }
 
     info!("Starting server with API version {}...", API_VERSION);
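
Review bot: The two `.expect(...)` calls on permissions::chown and permissions::run_as stop the agent by panicking, although main() returns Result<()> according to the hunk header; propagating the error with `?` (with the same context text attached) would end the process through the normal error return instead of a panic. Also, the new info! line prints the configured `user_group` string, while the commit message promises the current user and group; logging the effective user and group after run_as succeeds would confirm that the drop actually took effect.
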
-- 
2.37.0


++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.Y9VTqD/_old  2022-07-18 18:33:19.925705830 +0200
+++ /var/tmp/diff_new_pack.Y9VTqD/_new  2022-07-18 18:33:19.929705835 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://github.com/keylime/rust-keylime.git</param>
-              <param 
name="changesrevision">b834667b4d775065be3d7677e8cb6ad209c43668</param></service></servicedata>
+              <param 
name="changesrevision">5b9072abae219bda0e9a95498b5aef4af5db1bda</param></service></servicedata>
 (No newline at EOF)
 

++++++ keylime-user.conf ++++++
# Type Name ID GECOS [HOME]
u keylime - "Keylime agent" /var/lib/keylime

++++++ keylime.conf.diff ++++++
--- /var/tmp/diff_new_pack.Y9VTqD/_old  2022-07-18 18:33:19.965705886 +0200
+++ /var/tmp/diff_new_pack.Y9VTqD/_new  2022-07-18 18:33:19.965705886 +0200
@@ -1,7 +1,7 @@
-Index: rust-keylime-0.1.0+git.1655143451.7c4121e/keylime.conf
+Index: rust-keylime-0.1.0+git.1657303637.5b9072a/keylime.conf
 ===================================================================
---- rust-keylime-0.1.0+git.1655143451.7c4121e.orig/keylime.conf
-+++ rust-keylime-0.1.0+git.1655143451.7c4121e/keylime.conf
+--- rust-keylime-0.1.0+git.1657303637.5b9072a.orig/keylime.conf
++++ rust-keylime-0.1.0+git.1657303637.5b9072a/keylime.conf
 @@ -4,7 +4,8 @@
  
  # Revocation IP & Port used by either the cloud_agent or keylime_ca to receive
@@ -32,4 +32,26 @@
  registrar_port = 8890
  
  # The keylime working directory.  Can be overriden by setting the KEYLIME_DIR
+@@ -127,3 +130,21 @@ tpm_signing_alg = rsassa
+ # handle (e.g. "0x81000000"). The Keylime agent will then not attempt to
+ # create a new EK upon startup, and neither will it flush the EK upon exit.
+ ek_handle = generate
++
++# The user account to switch to to drop privileges when started as root
++# If left empty, the agent will keep running with high privileges.
++# The user and group specified here must allow the user to access the
++# WORK_DIR (typically /var/lib/keylime) and /dev/tpmrm0. Therefore,
++# suggested value for the run_as parameter is keylime:tss.
++# The following commands should be used to set ownership before running the
++# agent:
++# chown keylime /var/lib/keylime
++#
++# If agent_data.json already exists:
++# chown keylime /var/lib/keylime/agent_data.json
++#
++# If cv_ca directory exists:
++# chown keylime /var/lib/keylime/cv_ca
++# chown keylime /var/lib/keylime/cv_ca/cacert.crt
++#
++run_as = keylime:tss
 
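
Review bot: The added run_as comment block has a doubled word ("switch to to drop") and tells the administrator to chown /var/lib/keylime by hand, while the spec in this same submission already packages that directory as %attr(0700,keylime,tss). For the packaged configuration the manual chown steps should be trimmed or reworded so they cover only a pre-existing agent_data.json and cv_ca content left over from a run as root.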

++++++ rust-keylime-0.1.0+git.1655384301.b834667.tar.xz -> 
rust-keylime-0.1.0+git.1657303637.5b9072a.tar.xz ++++++
++++ 1782 lines of diff (skipped)

++++++ tmpfiles.keylime ++++++
d /run/keylime 0700 keylime tss

++++++ vendor.tar.xz ++++++
/work/SRC/openSUSE:Factory/rust-keylime/vendor.tar.xz 
/work/SRC/openSUSE:Factory/.rust-keylime.new.1523/vendor.tar.xz differ: char 
27, line 1
