diff --git a/plugins/ima.c b/plugins/ima.c
index b61b23929a..e0ba4d2ed6 100644
--- a/plugins/ima.c
+++ b/plugins/ima.c
@@ -71,7 +71,9 @@ static rpmRC ima_fsm_file_prepare(rpmPlugin plugin, rpmfi fi, int fd,
 else
 xx = lsetxattr(path, XATTR_NAME_IMA, fsig, len, 0);
 if (xx < 0) {
- int is_err = errno != EOPNOTSUPP;
+ /* unsupported fs or root inside rootless container? */
+ int is_err = !(errno == EOPNOTSUPP ||
+ (errno == EPERM && getuid() == 0));
 rpmlog(is_err?RPMLOG_ERR:RPMLOG_DEBUG,
 "ima: could not apply signature on '%s': %s\n",
diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
index 23ade36cf1..03c004ce21 100644
--- a/tests/rpmsigdig.at
+++ b/tests/rpmsigdig.at
@@ -1891,6 +1891,37 @@ hello-1.0.tar.gz:(none)
 [])
 RPMTEST_CLEANUP
+# Test that installing an ima signed package works.
+# The installation should succeed in all cases, but whether setting the
+# IMA signature succeeds depends on container privileges - in rootless
+# we can't do this.
+AT_SETUP([install ima file signatures])
+AT_KEYWORDS([install ima signature])
+AT_SKIP_IF([$IMA_DISABLED])
+
+RPMTEST_SETUP
+RPMTEST_CHECK([
+runroot rpm -U /data/RPMS/imatest-1.0-1.fc34.noarch.rpm
+
+cat << EOF > imaout
+# file: /usr/share/example1
+security.ima=0sAwIEpZglVABIMEYCIQDlEXva+nO6rrHx3EbsqkaYGmLUF3RaM1MlcrY9xtldFgIhAMeJEHrFuR4tkV4d88e3hBT2s/UImdRMHeOB0Ok438gr
+EOF
+
+touch canary
+if setfattr -n security.ima canary 2> /dev/null; then
+cp imaout expout
+else
+touch expout
+fi
+runroot_other getfattr --absolute-names -d -m security.ima /usr/share/example1
+],
+[0],
+[expout],
+[])
+
+RPMTEST_CLEANUP
+
 AT_SETUP([--delsign with misplaced ima signature])
 AT_KEYWORDS([rpmsign ima signature])
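Review bot: The new `errno == EPERM && getuid() == 0` clause demotes every EPERM seen by uid 0 to RPMLOG_DEBUG, not only the rootless-container case the comment names; a real root process that is denied the write for another reason (an LSM policy, an immutable file, a kernel rejecting the value) now installs the file without its IMA signature and leaves only a debug-level trace, which is the failure an IMA appraisal policy exists to catch. Since uid 0 is a proxy for "no CAP_SYS_ADMIN in the initial user namespace" rather than a test of it, the comment should state the trade-off so a later reader does not read the condition as a capability check, e.g. `/* EPERM as uid 0 is taken to mean a rootless container (no CAP_SYS_ADMIN); the file is then installed without its IMA signature and only a debug message records it */`. Consider logging this case at RPMLOG_WARNING rather than RPMLOG_DEBUG so the silently missing signature is visible in normal output; the message text is the same at both levels, so the level is the only signal. getuid() needs <unistd.h>, which the hunk does not show being included; the rest of ima_fsm_file_prepare, including the end of the rpmlog call, lies outside the hunk.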
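Review bot: The privilege probe `setfattr -n security.ima canary 2> /dev/null` does not exercise the same operation as the install it is meant to predict, so expout can disagree with the actual result. It sets an empty value, which a kernel with IMA appraisal built in may reject for security.ima even when the caller is privileged (in which case expout would be empty while the package install did apply the signature), and it probes the test's working directory rather than a file under the root the package is installed into, so filesystem xattr support can differ as well. Probing with the real value and, if the harness allows it, a file inside the test root would make the expectation track the install: `if setfattr -n security.ima -v 0sAwIEpZglVABIMEYCIQDlEXva+nO6rrHx3EbsqkaYGmLUF3RaM1MlcrY9xtldFgIhAMeJEHrFuR4tkV4d88e3hBT2s/UImdRMHeOB0Ok438gr canary 2> /dev/null; then`. The header comment could also say which of the two outcomes is the one actually verified on a given host, since a run that takes the `touch expout` branch checks only that installation succeeds.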