sync IMA digest lists bugfix patches from openEuler-21.03

2021-10-12 19:37:08 +08:00 · 2021-10-12 19:37:08 +08:00 · ab317e6bc0
commit ab317e6bc0
parent 62250a3c24
2 changed files with 74 additions and 1 deletions
--- a/fix-lsetxattr-error-in-container.patch
+++ b/fix-lsetxattr-error-in-container.patch
@ -0,0 +1,65 @@
+From e71114d3b9ccaac80ad8bd198af5acb362f2f28e Mon Sep 17 00:00:00 2001
+From: Zhang Tianxing <zhangtianxing3@huawei.com>
+Date: Sat, 18 Oct 2021 20:48:02 +0800
+Subject: [PATCH] fix lsetxattr error in container
+
+The digest list plugin in rpm will set security.ima xattr to IMA digest lists
+when installing or updating an rpm package. However, in a container without
+CAP_SYS_ADMIN, we'll get error messages when calling lsetxattr.
+
+This patch is to skip lsetxattr when CAP_SYS_ADMIN is missing.
+
+Signed-off-by: Zhang Tianxing <zhangtianxing3@huawei.com>
+---
+ plugins/digest_list.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/plugins/digest_list.c b/plugins/digest_list.c
+index 992a7e8..4283d5e 100644
+--- a/plugins/digest_list.c
+++ b/plugins/digest_list.c
+@@ -26,6 +26,7 @@
+ #include <sys/stat.h>
+ #include <openssl/sha.h>
+ #include <sys/xattr.h>
+#include <sys/capability.h>
+ #include <linux/xattr.h>
+ #include <asm/byteorder.h>
+ #include <sys/wait.h>
+@@ -388,6 +389,11 @@ static int process_digest_list(rpmte te, int parser, int pre)
+ 	struct stat st;
+ 	ssize_t size;
+ 	int type = rpmteType(te);
+
+	struct __user_cap_header_struct cap_header_data;
+	cap_user_header_t cap_header = &cap_header_data;
+	struct __user_cap_data_struct cap_data_data;
+	cap_user_data_t cap_data = &cap_data_data;
+ 	rpmRC ret = RPMRC_OK;
+ 
+ 	path = malloc(PATH_MAX);
+@@ -445,7 +451,21 @@ static int process_digest_list(rpmte te, int parser, int pre)
+ 				ret = RPMRC_FAIL;
+ 				goto out;
+ 			}
+		}
+
+		/* don't call lsetxattr without CAP_SYS_ADMIN */
+		cap_header->pid = getpid();
+		cap_header->version = _LINUX_CAPABILITY_VERSION_1;
+		if (capget(cap_header, cap_data) < 0) {
+			ret = -ENOENT;
+			goto out;
+		}
+		if (!(cap_data->effective & CAP_TO_MASK(CAP_SYS_ADMIN))) {
+			ret = -EPERM;
+			goto out;
+		}
+ 
+		if (!digest_list_signed) {
+ 			/* Write RPM header sig to security.ima */
+ 			ret = write_rpm_digest_list_ima_xattr(te, path);
+ 		} else {
+-- 
+2.27.0
+
--- a/rpm.spec
+++ b/rpm.spec
@ -1,6 +1,6 @@
 Name:          rpm
 Version:       4.15.1
-Release:       28
+Release:       29
 Summary:       RPM Package Manager
 License:       GPLv2+
 URL:           http://www.rpm.org/
@ -84,6 +84,8 @@ Patch71: CVE-2021-20266.patch
 Patch72: backport-build-prioritize-large-packages.patch
 Patch73: backport-Fix-data-race-in-packageBinaries-function.patch

+Patch74: fix-lsetxattr-error-in-container.patch
+
 BuildRequires: gcc autoconf automake libtool make gawk popt-devel openssl-devel readline-devel 
 BuildRequires: zlib-devel libzstd-devel xz-devel bzip2-devel libarchive-devel ima-evm-utils-devel
 BuildRequires: dbus-devel fakechroot elfutils-devel elfutils-libelf-devel ima-evm-utils
@ -365,6 +367,12 @@ make check || (cat tests/rpmtests.log; exit 0)
 %{_mandir}/man1/gendiff.1*

 %changelog
+* Tue Oct 12 2021 Anakin Zhang <benjamin93@163.com> - 4.15.1-29
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix lsetxattr error in container
+
 * Thu Jul 08 2021 shixuantong <shixuantong@huawei.com> - 4.15.1-28
 - Type:bugfix
 - ID:NA