From: Fionnuala Gunter <fin.gun...@hypori.com> IMA-appraisal, upstreamed in linux-3.7, enforces local file integrity based on a known 'good' value stored as an extended attribute 'security.ima'. Labeling the filesystem is currently done post install using a local private key. Including file signatures in the package provides not only file integrity, but file provenance.
This patch set extends the existing rpm signing tool to include file signatures in packages, and adds a plugin that installs file signatures using the psm_post hook. There are new options to rpmsign - signfiles and fskpath. rpm --addsign [--signfiles [--fskpath <file signing key>]] PACKAGE_FILE ... Signfiles signs all the file digests included in the package with libimaevm and stores the signatures in the package header under the tag RPMTAG_FILESIGNATURES. The file signing key can be provided with the option fskpath, or in a macro file with %_file_signing_key. After including file signatures, the packages are signed normally. When a package with signed files is installed, rpmfilesPopulate extracts file signatures from the package header and stores them (in binary) in rpmfiles struct. Then the ima plugin instantiates the psm_post hook and writes the file signatures to security.ima xattr. f...@linux.vnet.ibm.com (11): Refactor copyFile to not close files Export generateSignature Add rpmtags for file signatures and their length Subroutine for dumping immutable region of header Add support for file signatures to rpmfi and rpmfiles Configure option to build with imaevm support Sign file digests and store signatures in header Add file signature support to rpmsign command Add file signature support to package signing IMA plugin labels ima xattr with file signatures Documentation for file signing build/pack.c | 90 +-------------------- configure.ac | 9 +++ doc/rpmsign.8 | 24 +++++- lib/Makefile.am | 4 + lib/rpmfi.c | 44 ++++++++++- lib/rpmfi.h | 8 ++ lib/rpmfiles.h | 10 +++ lib/rpmsignfiles.c | 126 ++++++++++++++++++++++++++++++ lib/rpmsignfiles.h | 20 +++++ lib/rpmtag.h | 2 + lib/signature.c | 87 +++++++++++++++++++++ lib/signature.h | 11 +++ macros.in | 1 + plugins/Makefile.am | 4 + plugins/ima.c | 51 ++++++++++++ rpmpopt.in | 1 + rpmsign.c | 28 ++++++- sign/rpmgensig.c | 221 +++++++++++++++++++++++++++++++++++++++++++++------- sign/rpmsign.h | 1 + tests/rpmgeneral.at | 2 + 20 files changed, 624 insertions(+), 120 deletions(-) create mode 100644 lib/rpmsignfiles.c create mode 100644 lib/rpmsignfiles.h create mode 100644 plugins/ima.c -- 2.4.3 _______________________________________________ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint