Skip to content

Commit

Permalink
Ignore EPERM for root when setting IMA signature xattr
Browse files Browse the repository at this point in the history
This lets installations succeed even if the ima plugin happens to be
installed in a rootless container, where IMA isn't supported. We can't
specifically test for rootless container, but I don't know what other
situation would result in EPERM for root when setting IMA so it seems
like a reasonable heuristic for this.

Testing this is a bit tricky: we expect the install to succeed in all cases,
but whether IMA actually gets set depends on the container.

Fixes: #3234
  • Loading branch information
pmatilai committed Jan 13, 2025
1 parent 48da1fc commit 5c97106
Show file tree
Hide file tree
Showing 2 changed files with 34 additions and 1 deletion.
4 changes: 3 additions & 1 deletion plugins/ima.c
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,9 @@ static rpmRC ima_fsm_file_prepare(rpmPlugin plugin, rpmfi fi, int fd,
else
xx = lsetxattr(path, XATTR_NAME_IMA, fsig, len, 0);
if (xx < 0) {
int is_err = errno != EOPNOTSUPP;
/* unsupported fs or root inside rootless container? */
int is_err = !(errno == EOPNOTSUPP ||
(errno == EPERM && getuid() == 0));

rpmlog(is_err?RPMLOG_ERR:RPMLOG_DEBUG,
"ima: could not apply signature on '%s': %s\n",
Expand Down
31 changes: 31 additions & 0 deletions tests/rpmsigdig.at
Original file line number Diff line number Diff line change
Expand Up @@ -1891,6 +1891,37 @@ hello-1.0.tar.gz:(none)
[])
RPMTEST_CLEANUP

# Test that installing an ima signed package works.
# The installation should succeed in all cases, but whether setting the
# IMA signature succeeds depends on container privileges - in rootless
# we can't do this.
AT_SETUP([install ima file signatures])
AT_KEYWORDS([install ima signature])
AT_SKIP_IF([$IMA_DISABLED])

RPMTEST_SETUP

cat << EOF > expout
# file: /usr/share/example1
security.ima=0sAwIEpZglVABIMEYCIQDlEXva+nO6rrHx3EbsqkaYGmLUF3RaM1MlcrY9xtldFgIhAMeJEHrFuR4tkV4d88e3hBT2s/UImdRMHeOB0Ok438gr

EOF

touch canary
# different expectations in a rootless container
if ! setfattr -n security.ima -v 0x0sAwIEpZglVABIMEYCIQDlEXva+nO6rrHx3EbsqkaYGmLUF3RaM1MlcrY9xtldFgIhAMeJEHrFuR4tkV4d88e3hBT2s/UImdRMHeOB0Ok438gr canary 2> /dev/null; then
rm expout
touch expout
fi

RPMTEST_CHECK([
runroot rpm -U /data/RPMS/imatest-1.0-1.fc34.noarch.rpm
runroot_other getfattr --absolute-names -d -m security.ima /usr/share/example1
],
[0],
[expout],
[])
RPMTEST_CLEANUP

AT_SETUP([--delsign with misplaced ima signature])
AT_KEYWORDS([rpmsign ima signature])
Expand Down

0 comments on commit 5c97106

Please sign in to comment.