From f1a92e02faa2715777286acd07b8d0f465c5df37 Mon Sep 17 00:00:00 2001
From: Jes Sorensen <jsorensen@fb.com>
Date: Mon, 20 Apr 2020 11:11:25 -0400
Subject: [PATCH 27/33] plugins/fsverity: Install fsverity signatures
This plugin installs fsverity signatures for regular files, when a signature
is found in the RPM. It tries to enable them unconditionally, but fails
gracefully if fsverity isn't supported or enabled.
Signed-off-by: Jes Sorensen <jsorensen@fb.com>
---
configure.ac | 29 ++++++++
macros.in | 4 +
plugins/Makefile.am | 7 ++
plugins/fsverity.c | 177 ++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 217 insertions(+)
create mode 100644 plugins/fsverity.c
diff --git a/configure.ac b/configure.ac
index cc7144440..7d3c31831 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1049,6 +1049,11 @@ AS_IF([test "$enable_plugins" != no],[
])
AM_CONDITIONAL(IMA, [test "x$ac_cv_func_lsetxattr" = xyes])
+AS_IF([test "$enable_plugins" != no],[
+AC_CHECK_HEADERS([linux/fsverity.h],[FSVERITY_IOCTL="yes"])
+])
+AM_CONDITIONAL(FSVERITY_IOCTL,[test "x$FSVERITY_IOCTL" = xyes])
+
#=================
# Check for fapolicyd support
AC_ARG_WITH(fapolicyd,
diff --git a/macros.in b/macros.in
index fe8862903..3c722146b 100644
--- a/macros.in
+++ b/macros.in
@@ -767,6 +767,9 @@ package or when debugging this package.\
# a wrong or missing signature.
#%_ima_sign_config_files 0
+# Set to 1 to have fsverity signatures written for %config files.
+#%_fsverity_sign_config_files 0
+
#
# Default output format string for rpm -qa
#
@@ -1185,6 +1188,7 @@ package or when debugging this package.\
%__transaction_syslog %{__plugindir}/syslog.so
%__transaction_ima %{__plugindir}/ima.so
%__transaction_fapolicyd %{__plugindir}/fapolicyd.so
+%__transaction_fsverity %{__plugindir}/fsverity.so
%__transaction_prioreset %{__plugindir}/prioreset.so
%__transaction_audit %{__plugindir}/audit.so
diff --git a/plugins/Makefile.am b/plugins/Makefile.am
index cbfb81e19..e51b71f62 100644
--- a/plugins/Makefile.am
+++ b/plugins/Makefile.am
@@ -48,3 +48,10 @@ audit_la_sources = audit.c
audit_la_LIBADD = $(top_builddir)/lib/librpm.la $(top_builddir)/rpmio/librpmio.la @WITH_AUDIT_LIB@
plugins_LTLIBRARIES += audit.la
endif
+
+if FSVERITY_IOCTL
+fsverity_la_sources = fsverity.c
+fsverity_la_LIBADD = $(top_builddir)/lib/librpm.la $(top_builddir)/rpmio/librpmio.la
+plugins_LTLIBRARIES += fsverity.la
+endif
+
diff --git a/plugins/fsverity.c b/plugins/fsverity.c
new file mode 100644
index 000000000..15ddcf33e
--- /dev/null
+++ b/plugins/fsverity.c
@@ -0,0 +1,177 @@
+/**
+ * Copyright (C) 2020 Facebook
+ *
+ * Author: Jes Sorensen <jsorensen@fb.com>
+ */
+
+#include "system.h"
+
+#include <errno.h>
+#include <fcntl.h>
+#include <sys/ioctl.h>
+#include <linux/fsverity.h>
+
+#include <rpm/rpmfi.h>
+#include <rpm/rpmte.h>
+#include <rpm/rpmfiles.h>
+#include <rpm/rpmtypes.h>
+#include <rpm/rpmlog.h>
+#include <rpmio/rpmstring.h>
+#include <rpmio/rpmmacro.h>
+
+#include "lib/rpmfs.h"
+#include "lib/rpmplugin.h"
+#include "lib/rpmte_internal.h"
+
+#include "sign/rpmsignverity.h"
+
+static int sign_config_files = 0;
+
+/*
+ * This unconditionally tries to apply the fsverity signature to a file,
+ * but fails gracefully if the file system doesn't support it or the
+ * verity feature flag isn't enabled in the file system (ext4).
+ */
+static rpmRC fsverity_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
+ const char *path, const char *dest,
+ mode_t file_mode, rpmFsmOp op)
+{
+ struct fsverity_enable_arg arg;
+ const unsigned char * signature = NULL;
+ size_t len;
+ int rc = RPMRC_OK;
+ int fd;
+ rpmFileAction action = XFO_ACTION(op);
+ char *buffer;
+
+ /* Ignore skipped files and unowned directories */
+ if (XFA_SKIPPING(action) || (op & FAF_UNOWNED)) {
+ rpmlog(RPMLOG_DEBUG, "fsverity skipping early: path %s dest %s\n",
+ path, dest);
+ goto exit;
+ }
+
+ /*
+ * Do not install signatures for config files unless the
+ * user explicitly asks for it.
+ */
+ if (rpmfiFFlags(fi) & RPMFILE_CONFIG) {
+ if (!(rpmfiFMode(fi) & (S_IXUSR|S_IXGRP|S_IXOTH)) &&
+ !sign_config_files) {
+ rpmlog(RPMLOG_DEBUG, "fsverity skipping: path %s dest %s\n",
+ path, dest);
+
+ goto exit;
+ }
+ }
+
+ /*
+ * Right now fsverity doesn't deal with symlinks or directories, so do
+ * not try to install signatures for non regular files.
+ */
+ if (!S_ISREG(rpmfiFMode(fi))) {
+ rpmlog(RPMLOG_DEBUG, "fsverity skipping non regular: path %s dest %s\n",
+ path, dest);
+ goto exit;
+ }
+
+ signature = rpmfiVSignature(fi, &len);
+ if (!signature || !len) {
+ rpmlog(RPMLOG_DEBUG, "fsverity no signature for: path %s dest %s\n",
+ path, dest);
+ goto exit;
+ }
+
+ memset(&arg, 0, sizeof(arg));
+ arg.version = 1;
+ arg.hash_algorithm = FS_VERITY_HASH_ALG_SHA256;
+ arg.block_size = RPM_FSVERITY_BLKSZ;
+ arg.sig_ptr = (uintptr_t)signature;
+ arg.sig_size = len;
+
+ buffer = pgpHexStr(signature, arg.sig_size);
+ rpmlog(RPMLOG_DEBUG, "applying signature: %s\n", buffer);
+ free(buffer);
+
+ fd = open(path, O_RDONLY);
+ if (fd < 0) {
+ rpmlog(RPMLOG_ERR, "failed to open path %s\n", path);
+ goto exit;
+ }
+
+ /*
+ * Enable fsverity on the file.
+ * fsverity not supported by file system (ENOTTY) and fsverity not
+ * enabled on file system are expected and not considered
+ * errors. Every other non-zero error code will result in the
+ * installation failing.
+ */
+ if (ioctl(fd, FS_IOC_ENABLE_VERITY, &arg) != 0) {
+ switch(errno) {
+ case EBADMSG:
+ rpmlog(RPMLOG_DEBUG, "invalid or malformed fsverity signature for %s\n", path);
+ rc = RPMRC_FAIL;
+ break;
+ case EEXIST:
+ rpmlog(RPMLOG_DEBUG, "fsverity signature already enabled %s\n",
+ path);
+ rc = RPMRC_FAIL;
+ break;
+ case EINVAL:
+ rpmlog(RPMLOG_DEBUG, "invalid arguments for ioctl %s\n", path);
+ rc = RPMRC_FAIL;
+ break;
+ case EKEYREJECTED:
+ rpmlog(RPMLOG_DEBUG, "signature doesn't match file %s\n", path);
+ rc = RPMRC_FAIL;
+ break;
+ case EMSGSIZE:
+ rpmlog(RPMLOG_DEBUG, "invalid signature size for %s\n", path);
+ rc = RPMRC_FAIL;
+ break;
+ case ENOPKG:
+ rpmlog(RPMLOG_DEBUG, "unsupported signature algoritm (%i) for %s\n",
+ arg.hash_algorithm, path);
+ rc = RPMRC_FAIL;
+ break;
+ case ETXTBSY:
+ rpmlog(RPMLOG_DEBUG, "file is open by other process %s\n",
+ path);
+ rc = RPMRC_FAIL;
+ break;
+ case ENOTTY:
+ rpmlog(RPMLOG_DEBUG, "fsverity not supported by file system for %s\n",
+ path);
+ break;
+ case EOPNOTSUPP:
+ rpmlog(RPMLOG_DEBUG, "fsverity not enabled on file system for %s\n",
+ path);
+ break;
+ default:
+ rpmlog(RPMLOG_DEBUG, "failed to enable verity (errno %i) for %s\n",
+ errno, path);
+ rc = RPMRC_FAIL;
+ break;
+ }
+ }
+
+ rpmlog(RPMLOG_DEBUG, "fsverity enabled signature for: path %s dest %s\n",
+ path, dest);
+ close(fd);
+exit:
+ return rc;
+}
+
+static rpmRC fsverity_init(rpmPlugin plugin, rpmts ts)
+{
+ sign_config_files = rpmExpandNumeric("%{?_fsverity_sign_config_files}");
+
+ rpmlog(RPMLOG_DEBUG, "fsverity_init\n");
+
+ return RPMRC_OK;
+}
+
+struct rpmPluginHooks_s fsverity_hooks = {
+ .init = fsverity_init,
+ .fsm_file_prepare = fsverity_fsm_file_prepare,
+};
--
2.27.0