On 09/23/2016 02:20 PM, Stefan Berger wrote:
Panu Matilainen <[email protected]> wrote on 09/23/2016 04:15:22 AM:

From: Panu Matilainen <[email protected]>
To: Stefan Berger <[email protected]>, [email protected]
Cc: Stefan Berger/Watson/IBM@IBMUS, [email protected]
Date: 09/23/2016 04:15 AM
Subject: Re: [Rpm-maint] [PATCH v2 0/4] Fixes for file signatures

On 09/22/2016 08:30 PM, Stefan Berger wrote:
The following series of patches addresses some issues with signatures
on
files. In particular:

- some files marked as config files are also executables and therefore
  need to have a signature applied
- the IMA plugin may only run on package install cycle rather than the
  remove cycle, which would apply the previous versions' signatures on
  the files
- some RPM packages require that the files be signed when the post
  install scriptlets are run since they may invoke executables that
  were just installed; so we introduce two new hooks, fsm_pre and
  fsm_post. We move the IMA plugin from the psm_post hook to the
  fsm_post hook.

   Regards,
      Stefan

Stefan Berger (4):
  ima-plugin: Have executable configuration files signed
  ima-plugin: Only run the IMA plugin on package installation
  rpmplugins: Introduce new fsm_pre and fsm_post hooks
  IMA: Move the IMA plugin to the fsm_post hook

 lib/psm.c        |  6 +++++-
 lib/rpmplugin.h  |  6 ++++++
 lib/rpmplugins.c | 35 +++++++++++++++++++++++++++++++++++
 lib/rpmplugins.h | 19 +++++++++++++++++++
 plugins/ima.c    | 32 ++++++++++++++++++++++----------
 5 files changed, 87 insertions(+), 11 deletions(-)


So... to achieve all this and actually behave correctly in the face of
skipped files - whether due to color, netshared path or other file
policies - the IMA plugin should really just do what the selinux plugin
does and use the fsm_file_prepare hook for its task, which after all is
highly similar anyway.

Has the file been written when fsm_file_prepare is called? Otherwise it
seems better to do it in fsm_file_post.

Yes, the entire file has been created but not yet moved to its final destination. That's why it gets two path parameters: "path" for the actual current filename which has a temporary suffix, and "dest" which is the actual destination filename. So this is really the best place to do any metadata work because then the file is actually ready when it gets renamed to its final destination (i.e. without the suffix).


Btw, what do fsm, tsm, and psm stand for ?

Ah, that explains :)

FSM is File State Machine
PSM is Package State Machine
TSM is Transaction State Machine

These are historical artifacts and don't mean much these days; unfortunately they ended up in the plugin interface for the lack of better ideas, or something. Names are hard :-/

        - Panu -
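To make the sequence Panu describes concrete, here is an added example that is not rpm's code: a miniature stand-in for the file state machine writes the file under a temporary name, calls a prepare-style hook with both the temporary "path" and the final "dest", and only then renames. The hook type, the suffix, and the chmod stand-in for the IMA plugin's metadata work are assumptions of this example.

```c
/* Constructed simulation of "write to temp name -> prepare hook -> rename".
 * Not rpm's plugin API; the hook type below is a hypothetical stand-in. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define TMP_SUFFIX ";rpm-tmp"   /* constructed suffix for the temp name */

/* Hypothetical hook: path = temporary name, dest = final name. */
typedef int (*prepare_hook)(const char *path, const char *dest, mode_t mode);

/* Stand-in for the IMA plugin's job: apply metadata while the complete file
 * still sits under its temporary name, so it is ready when renamed. */
static int demo_prepare(const char *path, const char *dest, mode_t mode)
{
    if (strcmp(path, dest) == 0)   /* hook must see the temp name, not dest */
        return -1;
    return chmod(path, mode);      /* metadata goes on the temp file */
}

/* Write content to dest via a temp name, run the hook, then rename.
 * Returns 0 on success, -1 on failure (temp file removed). */
int install_file(const char *dest, const char *content, mode_t mode, prepare_hook hook)
{
    char tmp[512];
    snprintf(tmp, sizeof tmp, "%s%s", dest, TMP_SUFFIX);
    FILE *f = fopen(tmp, "w");
    if (!f) return -1;
    fputs(content, f);
    if (fclose(f) != 0) { unlink(tmp); return -1; }   /* file is complete */
    if (hook && hook(tmp, dest, mode) != 0) { unlink(tmp); return -1; }
    return rename(tmp, dest);                          /* move into place */
}

/* Run the whole sequence in a fresh temp dir; returns 1 if dest exists with
 * the requested mode and the temp name is gone, 0 otherwise. */
int demo_run(void)
{
    char dir[] = "/tmp/fsmdemo-XXXXXX", dest[256], tmp[512];
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(dest, sizeof dest, "%s/hello.sh", dir);
    snprintf(tmp, sizeof tmp, "%s%s", dest, TMP_SUFFIX);
    if (install_file(dest, "#!/bin/sh\necho hi\n", 0755, demo_prepare) != 0) return 0;
    if (stat(dest, &st) != 0 || (st.st_mode & 07777) != 0755) return 0;
    return access(tmp, F_OK) != 0;
}

int main(void) { printf("prepare-before-rename ok=%d\n", demo_run()); return 0; }
```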


_______________________________________________
Rpm-maint mailing list
[email protected]
http://lists.rpm.org/mailman/listinfo/rpm-maint
