Exempt src.rpm packages from file signature business #3470
Conversation
dmnks
changed the title
|
Should be fixed now, based on the above discussion. Note that I'm not a huge fan of the additional |
|
Argh, what a strange CI failure, looking now... |
|
A silly memory leak in my code! Fixing now... |
|
... aaand fixed. |
Hmm. I thought we wouldn't need any new NULL checks because I thought that's what happens with --noplugins anyway, but apparently --noplugins ends up initializing an empty rpmPlugins struct, and just falling through with that. Adding NULL checks isn't the end of the world, just a little annoying indeed. One observation from a closer look is that we also have various per-te plugin hooks in psm, and those shouldn't be called on an src.rpm either. I don't think they get called currently ... yup, because the src.rpm unpack sneaks its way around it. It's weird that you can add src.rpm's to a transaction but then not do anything with them there. Except okay, check dependencies, that is why it's permitted. So with all that, perhaps the easiest way is probably to temporarily replace ts->plugins with an empty set during rpmInstallSourcePackage(). It's a bit dirty of course, a cleaner way would be passing plugins through psm to fsm, but that requires changing a whole lot of stuff on the way and we prefer a small backportable patch for this. Another possibility might be checking for src.rpm centrally from RPMPLUGINS_SET_HOOK_FUNC, we could pass a te/NULL to it and let it "return" NULL hookFunc for any src.rpm. Hmm 🤔 |
Oh, I didn't realize that. That seems like a good precedent for doing just that, instead of messing around with NULL checks just to accommodate for this very use case.
Yeah, I don't think any non-fsm hooks get called for src.rpms. Only binary packages are added to the transaction set in Running with
Why would that be needed, though, assuming the above is true?
Right, that would indeed be another way, I'll exercise that as an option 😄 |
Hmm? rpmInstallSourcePackage() is the route through which any source rpm is "installed" and ends up calling the fsm hooks. So if you swap the ts->plugins for an empty set during that, it should achieve this thing we're trying to do here 😅 But, it does feel kinda dirty. |
Sure, I was just wondering why you'd suggested that as a solution, instead of what this PR currently does? That said, I agree it would be nicer perhaps 😄 |
|
To clarify a bit: If we were to go without the NULL checks, we could just return the empty plugins struct in |
|
The issue with fsmPlugins() returning an empty set is that you need to free it too someplace. The one from rpmts gets freed along with the ts itself and cannot be freed from the places where fsmPlugins() is called, whereas the other case has to. Possible, but perhaps a bit murky. ...and hence the suggestion wrt rpmInstallSourcePackage(): creating + freeing it is easily contained. Just ugly otherwise 😅 |
|
Oh, now it makes sense, thanks 😄 Indeed, I haven't thought about freeing it but of course... |
|
But yup, handling it in RPMPLUGINS_SET_HOOK_FUNC seems kinda attractive too because it then covers all the plugin hooks, regardless of what gets called just now vs in the future etc. And doesn't have the "hold your nose" factor 😄 |
Funnily enough, we never really checked if the actual unpacking works. Use a per-test topdir since the global default ($RPMTEST/build) is shared among all the tests and thus not exactly tidy.
|
Here's a variant that's a blend of all the above options we've discussed. This one makes use of This way, we don't need to pass around a It's also cleaner than swapping out the plugin list with an empty one temporarily (this would have to be done from within Lastly, as it often happens, one discovers tasty bugs while looking in dusty corners, which is exactly what happened here: It turns out the combination of binary and source packages (e.g. Let me know if you like this approach or not. If not, the other workable alternative is passing around the |
rpmInstallSourcePackage() grabs the transaction element with the index of 0, which only works correctly if the src.rpm package is the only one in the set. That's not the case if some binary packages have been part of the same install command in rpmInstall() so we need to make sure the set is emptied beforehand. Add a test to go with.
lib/rpminstall.cc
Outdated
| @@ -667,15 +668,23 @@ int rpmInstall(rpmts ts, struct rpmInstallArguments_s * ia, ARGV_t fileArgv) | |||
| rpmcliProgressState = 0; | |||
| rpmcliProgressTotal = 0; | |||
| rpmcliProgressCurrent = 0; | |||
|
|
|||
| tsflags = rpmtsFlags(ts); | |||
| otsflags = rpmtsSetFlags(ts, (tsflags | RPMTRANS_FLAG_NOPLUGINS)); | |||
There was a problem hiding this comment.
Using NOPLUGINS seems fine, but it needs to be set inside rpmInstallSourcePackage() as that's the lowest level public API we have for that.
There was a problem hiding this comment.
Ah right, haven't considered that at all. Sigh 😄
|
Let's go with the empty-list variant after all. Since we need to do the disabling as low as in |
dmnks
force-pushed
the
ima-srpm-v2
branch
2 times, most recently
from
1431cba to
d4bf03b
Compare
File signatures make no sense in source packages as they don't ship binaries to be installed on the target system, they're just fancy archives unpacked into %_topdir for packaging purposes. Disable the respective flags when processing a src.rpm and log a debug message as a heads-up, but don't skip the rest, header signatures are still relevant for source rpms, as is the deletion of existing file signatures.
lib/psm.cc
Outdated
| @@ -150,6 +150,7 @@ rpmRC rpmInstallSourcePackage(rpmts ts, FD_t fd, | |||
| Header h = NULL; | |||
| rpmpsm psm = NULL; | |||
| rpmte te = NULL; | |||
| rpmPlugins plugins = NULL; | |||
There was a problem hiding this comment.
I'd call this "origplugins" or something like that to make its purpose clearer.
Source packages aren't really "installed", just unpacked, and plugins operate on real transactions by design, so disable the tsm/psm/fsm and scriptlet hooks for those. This doesn't include the init and cleanup hooks but those should be harmless and only do non-destructive actions anyway. Do this by simply replacing the plugins list with an empty one for the duration of src.rpm unpacking. This also is in line with what we do for --noplugins. This fixes, in particular, src.rpm installations done by a regular user (a fairly common case) on systems equipped with a plugin that needs root privileges (e.g. the ima plugin), which would otherwise cause a spurious warning or even failure (see RhBug:2316785). Reuse the plugin development test, we don't have anything better at the moment and it does the job well.
Don't add file signatures to source packages and if they happen to be present (i.e. built with an older rpm version), ignore them when unpacking (by not running plugins at all for source packages).
AC (taken from original bug):