From ac7b0dbd5a18d2c57a942ca14ac856b8047425ff Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Tue, 15 Feb 2022 10:43:13 +0200
Subject: [PATCH] Pass file descriptor to file prepare plugin hook, use when
possible
Sadly the thing that allegedly makes things better mostly just makes
things more complicated as symlinks can't be opened, so we'll now have
to deal with both cases in plugins too. To make matters worse, most
APIs out there support either an fd or a path, but very few support
the *at() style dirfd + basename approach so plugins are stuck with
absolute paths for now.
This is of course a plugin API/ABI change too.
---
lib/rpmplugin.h | 2 +-
lib/rpmplugins.c | 4 ++--
lib/rpmplugins.h | 3 ++-
plugins/ima.c | 9 +++++++--
plugins/selinux.c | 13 ++++++++-----
5 files changed, 20 insertions(+), 11 deletions(-)
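diff --git a/lib/rpmplugin.h b/lib/rpmplugin.h
index fd81aec8d..fab4b3e83 100644
--- a/lib/rpmplugin.h
+++ b/lib/rpmplugin.h
@@ -57,7 +57,7 @@ typedef rpmRC (*plugin_fsm_file_post_func)(rpmPlugin plugin, rpmfi fi,
 const char* path, mode_t file_mode,
 rpmFsmOp op, int res);
 typedef rpmRC (*plugin_fsm_file_prepare_func)(rpmPlugin plugin, rpmfi fi,
- const char* path,
+ int fd, const char* path,
 const char *dest,
 mode_t file_mode, rpmFsmOp op);
 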
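diff --git a/lib/rpmplugins.c b/lib/rpmplugins.c
index 65e684e84..923084b78 100644
--- a/lib/rpmplugins.c
+++ b/lib/rpmplugins.c
@@ -384,7 +384,7 @@ rpmRC rpmpluginsCallFsmFilePost(rpmPlugins plugins, rpmfi fi, const char *path,
 }
 
 rpmRC rpmpluginsCallFsmFilePrepare(rpmPlugins plugins, rpmfi fi,
- const char *path, const char *dest,
+ int fd, const char *path, const char *dest,
 mode_t file_mode, rpmFsmOp op)
 {
 plugin_fsm_file_prepare_func hookFunc;
@@ -394,7 +394,7 @@ rpmRC rpmpluginsCallFsmFilePrepare(rpmPlugins plugins, rpmfi fi,
 for (i = 0; i < plugins->count; i++) {
 rpmPlugin plugin = plugins->plugins[i];
 RPMPLUGINS_SET_HOOK_FUNC(fsm_file_prepare);
- if (hookFunc && hookFunc(plugin, fi, path, dest, file_mode, op) == RPMRC_FAIL) {
+ if (hookFunc && hookFunc(plugin, fi, fd, path, dest, file_mode, op) == RPMRC_FAIL) {
 rpmlog(RPMLOG_ERR, "Plugin %s: hook fsm_file_prepare failed\n", plugin->name);
 rc = RPMRC_FAIL;
 }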
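diff --git a/lib/rpmplugins.h b/lib/rpmplugins.h
index 39762c376..ddf5d7048 100644
--- a/lib/rpmplugins.h
+++ b/lib/rpmplugins.h
@@ -156,6 +156,7 @@ rpmRC rpmpluginsCallFsmFilePost(rpmPlugins plugins, rpmfi fi, const char* path,
 * permissions etc, but before committing file to destination path.
 * @param plugins plugins structure
 * @param fi file info iterator (or NULL)
+ * @param fd file descriptor (or -1 if not available)
 * @param path file object current path
 * @param dest file object destination path
 * @param mode file object mode
@@ -164,7 +165,7 @@ rpmRC rpmpluginsCallFsmFilePost(rpmPlugins plugins, rpmfi fi, const char* path,
 */
 RPM_GNUC_INTERNAL
 rpmRC rpmpluginsCallFsmFilePrepare(rpmPlugins plugins, rpmfi fi,
- const char *path, const char *dest,
+ int fd, const char *path, const char *dest,
 mode_t mode, rpmFsmOp op);
 
 #ifdef __cplusplus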
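Review bot: The added `@param fd` line does not say which object the descriptor is open on or who owns it, although the prototype carries both `path` and `dest` right after it. A hook author needs to know that -1 is a normal value that requires falling back to `path`, and whether the hook may close the descriptor. Something like `* @param fd file descriptor open on path, not to be closed by the hook (or -1 if not available, e.g. symlinks)` would record that; the symlink case comes from the commit message, the ownership rule is an assumption to confirm against the caller. The comment block and the prototype begin outside the hunks shown.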
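diff --git a/plugins/ima.c b/plugins/ima.c
index fe6d3ad7f..9c28a41a3 100644
--- a/plugins/ima.c
+++ b/plugins/ima.c
@@ -39,7 +39,7 @@ static int check_zero_hdr(const unsigned char *fsig, size_t siglen)
 return (memcmp(fsig, &zero_hdr, sizeof(zero_hdr)) == 0);
 }
 
-static rpmRC ima_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
+static rpmRC ima_fsm_file_prepare(rpmPlugin plugin, rpmfi fi, int fd,
 const char *path,
 const char *dest,
 mode_t file_mode, rpmFsmOp op)
@@ -63,7 +63,12 @@ static rpmRC ima_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
 
 fsig = rpmfiFSignature(fi, &len;;
 if (fsig && (check_zero_hdr(fsig, len) == 0)) {
- if (lsetxattr(path, XATTR_NAME_IMA, fsig, len, 0) < 0) {
+ int xx;
+ if (fd >= 0)
+ xx = fsetxattr(fd, XATTR_NAME_IMA, fsig, len, 0);
+ else
+ xx = lsetxattr(path, XATTR_NAME_IMA, fsig, len, 0);
+ if (xx < 0) {
 rpmlog(RPMLOG_ERR,
 "ima: could not apply signature on '%s': %s\n",
 path, strerror(errno));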
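Review bot: The `else` branch in the second hunk keeps `lsetxattr(path, ...)` as a silent fallback whenever `fd` is negative, and nothing in the code says when a negative descriptor is expected. Going by the commit message the fallback exists because symlinks cannot be opened; for any other object a missing descriptor would quietly move the signature write back to name-based lookup, where the directories of the absolute path are resolved again at call time. A comment above `if (fd >= 0)` such as `/* fd is -1 only for objects that cannot be opened (symlinks); fall back to the path then */` would pin that expectation down, and bracing the `if`/`else` would keep a later edit from detaching the `else`. The same undocumented fallback is added to selinux_fsm_file_prepare in plugins/selinux.c. ima_fsm_file_prepare continues outside the hunk.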
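diff --git a/plugins/fapolicyd.c b/plugins/fapolicyd.c
index 7ac44f0d0..1ff50c30f 100644
--- a/plugins/fapolicyd.c
+++ b/plugins/fapolicyd.c
@@ -145,7 +145,8 @@ static rpmRC fapolicyd_scriptlet_pre(rpmPlugin plugin, const char *s_name,
 }
 
 static rpmRC fapolicyd_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
- const char *path, const char *dest,
+ int fd, const char *path,
+ const char *dest,
 mode_t file_mode, rpmFsmOp op)
 {
 /* not ready */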
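diff --git a/plugins/selinux.c b/plugins/selinux.c
index 32c3b7529..a7f20aeca 100644
--- a/plugins/selinux.c
+++ b/plugins/selinux.c
@@ -149,7 +149,7 @@ static rpmRC selinux_scriptlet_fork_post(rpmPlugin plugin,
 return rc;
 }
 
-static rpmRC selinux_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
+static rpmRC selinux_fsm_file_prepare(rpmPlugin plugin, rpmfi fi, int fd,
 const char *path, const char *dest,
 mode_t file_mode, rpmFsmOp op)
 {
@@ -159,14 +159,17 @@ static rpmRC selinux_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
 if (sehandle && !XFA_SKIPPING(action)) {
 security_context_t scon = NULL;
 if (selabel_lookup_raw(sehandle, &scon, dest, file_mode) == 0) {
- int conrc = lsetfilecon(path, scon);
+ int conrc;
+ if (fd >= 0)
+ conrc = fsetfilecon(fd, scon);
+ else
+ conrc = lsetfilecon(path, scon);
 
 if (conrc == 0 || (conrc < 0 && errno == EOPNOTSUPP))
 rc = RPMRC_OK;
 
- rpmlog((rc != RPMRC_OK) ? RPMLOG_ERR : RPMLOG_DEBUG,
- "lsetfilecon: (%s, %s) %s\n",
- path, scon, (conrc < 0 ? strerror(errno) : ""));
+ rpmlog((rc != RPMRC_OK) ? RPMLOG_ERR : RPMLOG_DEBUG, "lsetfilecon: (%d %s, %s) %s\n",
+ fd, path, scon, (conrc < 0 ? strerror(errno) : ""));
 
 freecon(scon);
 } else {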
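Review bot: The rewritten `rpmlog()` call in the second hunk still prints the prefix `lsetfilecon:` when the label was applied through `fsetfilecon(fd, scon)`, so a failed relabel is reported under the name of a call that did not run. Anyone triaging labeling errors from the rpm log has to infer the code path from the added `%d` value instead of reading it. Passing the name as an argument fixes that: `"%s: (%d %s, %s) %s\n", (fd >= 0) ? "fsetfilecon" : "lsetfilecon", fd, path, scon, (conrc < 0 ? strerror(errno) : "")`. selinux_fsm_file_prepare starts and ends outside the hunk.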
--
2.41.0