richardphibel / rpms / rpm

Forked from rpms/rpm 2 years ago
Clone
043c42
From 820dcc1db9f2130a21fdaf721217034376eb8e38 Mon Sep 17 00:00:00 2001
043c42
Message-Id: <820dcc1db9f2130a21fdaf721217034376eb8e38.1544785848.git.pmatilai@redhat.com>
043c42
From: Panu Matilainen <pmatilai@redhat.com>
043c42
Date: Fri, 30 Nov 2018 13:10:44 +0200
043c42
Subject: [PATCH] Add support for logging audit events for package installs as
043c42
 per OSPP v4.2
043c42
043c42
If enabled at build-time, log audit events for package install, update
043c42
and remove. The log includes the operation, package nevra, signature
043c42
check result, whether signatures are being enforced enforced and overall
043c42
success result. Package install/update/remove are logged as such,
043c42
obsoletion is logged as install + remove (whereas the erasure element
043c42
on updates is silent)
043c42
043c42
Loosely based on initial RHEL 7-8 implementations by Pavlina Moravcova
043c42
Varekova and Florian Festi (RhBug:1555326, RhBug:1607612)
043c42
043c42
(cherry picked from commit cfc9dde70fe65e91c83e03e9a9441e627b741489)
043c42
---
043c42
 configure.ac         |  21 +++++++++
043c42
 lib/Makefile.am      |   1 +
043c42
 lib/rpmte.c          |  11 +++++
043c42
 lib/rpmte_internal.h |   6 +++
043c42
 lib/transaction.c    | 104 +++++++++++++++++++++++++++++++++++++++++++
043c42
 5 files changed, 143 insertions(+)
043c42
043c42
diff --git a/configure.ac b/configure.ac
043c42
index 34ea85f9f..ab8a368d3 100644
043c42
--- a/configure.ac
043c42
+++ b/configure.ac
043c42
@@ -312,6 +312,27 @@ fi
043c42
 AC_SUBST(WITH_BEECRYPT_LIB)
043c42
 AC_SUBST(WITH_BEECRYPT_INCLUDE)
043c42
 
043c42
+
043c42
+#=================
043c42
+# Check for audit library.
043c42
+AC_ARG_WITH(audit,
043c42
+AS_HELP_STRING([--with-audit],[log results using Linux Audit]),
043c42
+with_audit=$withval,
043c42
+with_audit=auto)
043c42
+
043c42
+WITH_AUDIT_LIB=
043c42
+AS_IF([test "x$with_audit" != xno],[
043c42
+    AC_SEARCH_LIBS([audit_open],[audit],[
043c42
+    WITH_AUDIT_LIB="$ac_res"
043c42
+    AC_DEFINE(WITH_AUDIT, 1, [libaudit support])
043c42
+    ],
043c42
+       [if test "x$with_audit" != xauto; then
043c42
+		AC_MSG_ERROR([missing audit library])
043c42
+	fi
043c42
+    ])
043c42
+])
043c42
+AC_SUBST(WITH_AUDIT_LIB)
043c42
+
043c42
 #=================
043c42
 # Check for OpenSSL library.
043c42
 # We need evp.h from OpenSSL.
043c42
diff --git a/lib/Makefile.am b/lib/Makefile.am
043c42
index baf3238ee..c055962a3 100644
043c42
--- a/lib/Makefile.am
043c42
+++ b/lib/Makefile.am
043c42
@@ -51,6 +51,7 @@ librpm_la_LIBADD = \
043c42
 	@WITH_POPT_LIB@ \
043c42
 	@WITH_CAP_LIB@ \
043c42
 	@WITH_ACL_LIB@ \
043c42
+	@WITH_AUDIT_LIB@ \
043c42
 	@LIBINTL@
043c42
 
043c42
 if WITH_LUA
043c42
diff --git a/lib/rpmte.c b/lib/rpmte.c
043c42
index d980a37a4..bd5d53edc 100644
043c42
--- a/lib/rpmte.c
043c42
+++ b/lib/rpmte.c
043c42
@@ -69,6 +69,7 @@ struct rpmte_s {
043c42
     int nrelocs;		/*!< (TR_ADDED) No. of relocations. */
043c42
     uint8_t *badrelocs;		/*!< (TR_ADDED) Bad relocations (or NULL) */
043c42
     FD_t fd;			/*!< (TR_ADDED) Payload file descriptor. */
043c42
+    int verified;		/*!< (TR_ADDED) Verification status */
043c42
 
043c42
 #define RPMTE_HAVE_PRETRANS	(1 << 0)
043c42
 #define RPMTE_HAVE_POSTTRANS	(1 << 1)
043c42
@@ -753,6 +754,16 @@ rpmfs rpmteGetFileStates(rpmte te)
043c42
     return te->fs;
043c42
 }
043c42
 
043c42
+void rpmteSetVerified(rpmte te, int verified)
043c42
+{
043c42
+    te->verified = verified;
043c42
+}
043c42
+
043c42
+int rpmteGetVerified(rpmte te)
043c42
+{
043c42
+    return te->verified;
043c42
+}
043c42
+
043c42
 int rpmteProcess(rpmte te, pkgGoal goal, int num)
043c42
 {
043c42
     /* Only install/erase resets pkg file info */
043c42
diff --git a/lib/rpmte_internal.h b/lib/rpmte_internal.h
043c42
index a5a991ec5..2895925ce 100644
043c42
--- a/lib/rpmte_internal.h
043c42
+++ b/lib/rpmte_internal.h
043c42
@@ -86,6 +86,12 @@ int rpmteHaveTransScript(rpmte te, rpmTagVal tag);
043c42
 /* XXX should be internal too but build code needs for now... */
043c42
 rpmfs rpmteGetFileStates(rpmte te);
043c42
 
043c42
+RPM_GNUC_INTERNAL
043c42
+void rpmteSetVerified(rpmte te, int verified);
043c42
+
043c42
+RPM_GNUC_INTERNAL
043c42
+int rpmteGetVerified(rpmte te);
043c42
+
043c42
 /** \ingroup rpmte
043c42
  * Retrieve size in bytes of package header.
043c42
  * @param te		transaction element
043c42
diff --git a/lib/transaction.c b/lib/transaction.c
043c42
index 67b9db579..866e87fc2 100644
043c42
--- a/lib/transaction.c
043c42
+++ b/lib/transaction.c
043c42
@@ -7,6 +7,10 @@
043c42
 #include <inttypes.h>
043c42
 #include <libgen.h>
043c42
 
043c42
+#if WITH_AUDIT
043c42
+#include <libaudit.h>
043c42
+#endif
043c42
+
043c42
 #include <rpm/rpmlib.h>		/* rpmMachineScore, rpmReadPackageFile */
043c42
 #include <rpm/rpmmacro.h>	/* XXX for rpmExpand */
043c42
 #include <rpm/rpmlog.h>
043c42
@@ -1195,12 +1199,17 @@ static rpm_loff_t countPkgs(rpmts ts, rpmElementTypes types)
043c42
 
043c42
 struct vfydata_s {
043c42
     char *msg;
043c42
+    int signature;
043c42
     int vfylevel;
043c42
 };
043c42
 
043c42
 static int vfyCb(struct rpmsinfo_s *sinfo, void *cbdata)
043c42
 {
043c42
     struct vfydata_s *vd = cbdata;
043c42
+
043c42
+    if (sinfo->type == RPMSIG_SIGNATURE_TYPE && sinfo->rc == RPMRC_OK)
043c42
+	vd->signature = RPMRC_OK;
043c42
+
043c42
     switch (sinfo->rc) {
043c42
     case RPMRC_OK:
043c42
 	break;
043c42
@@ -1241,6 +1250,7 @@ static int verifyPackageFiles(rpmts ts, rpm_loff_t total)
043c42
 	struct rpmvs_s *vs = rpmvsCreate(vfylevel, vsflags, keyring);
043c42
 	struct vfydata_s vd = {
043c42
 	    .msg = NULL,
043c42
+	    .signature = RPMRC_NOTFOUND,
043c42
 	    .vfylevel = vfylevel,
043c42
 	};
043c42
 	rpmRC prc = RPMRC_FAIL;
043c42
@@ -1255,6 +1265,9 @@ static int verifyPackageFiles(rpmts ts, rpm_loff_t total)
043c42
 	if (prc == RPMRC_OK)
043c42
 	    prc = rpmvsVerify(vs, RPMSIG_VERIFIABLE_TYPE, vfyCb, &vd);
043c42
 
043c42
+	/* Record verify result, signatures only for now */
043c42
+	rpmteSetVerified(p, vd.signature == RPMRC_OK);
043c42
+
043c42
 	if (prc)
043c42
 	    rpmteAddProblem(p, RPMPROB_VERIFY, NULL, vd.msg, 0);
043c42
 
043c42
@@ -1619,6 +1632,95 @@ rpmRC runScript(rpmts ts, rpmte te, Header h, ARGV_const_t prefixes,
043c42
     return rc;
043c42
 }
043c42
 
043c42
+#if WITH_AUDIT
043c42
+struct teop {
043c42
+    rpmte te;
043c42
+    const char *op;
043c42
+};
043c42
+
043c42
+/*
043c42
+ * Figure out the actual operations:
043c42
+ * Install and remove are straightforward. Updates need to discovered 
043c42
+ * via their erasure element: locate the updating element, adjust it's
043c42
+ * op to update and silence the erasure part. Obsoletion is handled as
043c42
+ * as install + remove, which it technically is.
043c42
+ */
043c42
+static void getAuditOps(rpmts ts, struct teop *ops, int nelem)
043c42
+{
043c42
+    rpmtsi pi = rpmtsiInit(ts);
043c42
+    rpmte p;
043c42
+    int i = 0;
043c42
+    while ((p = rpmtsiNext(pi, 0)) != NULL) {
043c42
+	const char *op = NULL;
043c42
+	if (rpmteType(p) == TR_ADDED) {
043c42
+	    op = "install";
043c42
+	} else {
043c42
+	    op = "remove";
043c42
+	    rpmte d = rpmteDependsOn(p);
043c42
+	    /* Fixup op on updating elements, silence the cleanup stage */
043c42
+	    if (d != NULL && rstreq(rpmteN(d), rpmteN(p))) {
043c42
+		/* Linear lookup, but we're only dealing with a few thousand */
043c42
+		for (int x = 0; x < i; x++) {
043c42
+		    if (ops[x].te == d) {
043c42
+			ops[x].op = "update";
043c42
+			op = NULL;
043c42
+			break;
043c42
+		    }
043c42
+		}
043c42
+	    }
043c42
+	}
043c42
+	ops[i].te = p;
043c42
+	ops[i].op = op;
043c42
+	i++;
043c42
+    }
043c42
+    rpmtsiFree(pi);
043c42
+}
043c42
+
043c42
+/*
043c42
+ * If enabled, log audit events for the operations in this transaction.
043c42
+ * In the event values, 1 means true/success and 0 false/failure. Shockingly.
043c42
+ */
043c42
+static void rpmtsAudit(rpmts ts)
043c42
+{
043c42
+    int auditFd = audit_open();
043c42
+    if (auditFd < 0)
043c42
+	return;
043c42
+
043c42
+    int nelem = rpmtsNElements(ts);
043c42
+    struct teop *ops = xcalloc(nelem, sizeof(*ops));
043c42
+    char *dir = audit_encode_nv_string("root_dir", rpmtsRootDir(ts), 0);
043c42
+    int enforce = (rpmtsVfyLevel(ts) & RPMSIG_SIGNATURE_TYPE) != 0;
043c42
+
043c42
+    getAuditOps(ts, ops, nelem);
043c42
+
043c42
+    for (int i = 0; i < nelem; i++) {
043c42
+	const char *op = ops[i].op;
043c42
+	if (op) {
043c42
+	    rpmte p = ops[i].te;
043c42
+	    char *nevra = audit_encode_nv_string("sw", rpmteNEVRA(p), 0);
043c42
+	    char eventTxt[256];
043c42
+	    int verified = rpmteGetVerified(p);
043c42
+	    int result = (rpmteFailed(p) == 0);
043c42
+
043c42
+	    snprintf(eventTxt, sizeof(eventTxt),
043c42
+		    "op=%s %s sw_type=rpm key_enforce=%u gpg_res=%u %s",
043c42
+		    op, nevra, enforce, verified, dir);
043c42
+	    audit_log_user_comm_message(auditFd, AUDIT_SOFTWARE_UPDATE,
043c42
+				    eventTxt, NULL, NULL, NULL, NULL, result);
043c42
+	    free(nevra);
043c42
+	}
043c42
+    }
043c42
+
043c42
+    free(dir);
043c42
+    free(ops);
043c42
+    audit_close(auditFd);
043c42
+}
043c42
+#else
043c42
+static void rpmtsAudit(rpmts ts)
043c42
+{
043c42
+}
043c42
+#endif
043c42
+
043c42
 int rpmtsRun(rpmts ts, rpmps okProbs, rpmprobFilterFlags ignoreSet)
043c42
 {
043c42
     int rc = -1; /* assume failure */
043c42
@@ -1732,6 +1834,8 @@ exit:
043c42
 	rpmpluginsCallTsmPost(rpmtsPlugins(ts), ts, rc);
043c42
 
043c42
     /* Finish up... */
043c42
+    if (!(rpmtsFlags(ts) & (RPMTRANS_FLAG_TEST|RPMTRANS_FLAG_BUILD_PROBS)))
043c42
+	rpmtsAudit(ts);
043c42
     (void) umask(oldmask);
043c42
     (void) rpmtsFinish(ts);
043c42
     rpmpsFree(tsprobs);
043c42
-- 
043c42
2.19.2
043c42