From 7617171d4ee420ba4867dd7bc71751e18bd6e369 Mon Sep 17 00:00:00 2001
From: Panu Matilainen
Date: Fri, 10 Jan 2025 16:14:59 +0200
Subject: [PATCH] Ignore EPERM for root when setting IMA signature xattr

This lets installations succeed even if the ima plugin happens to be installed in a rootless container, where IMA isn't supported.

We can't specifically test for rootless container, but I don't know what other situation would result in EPERM for root when setting IMA so it seems like a reasonable heuristic for this.

Testing this is a bit tricky: we expect the install to succeed in all cases, but whether IMA actually gets set depends on the container.

Fixes: #3234
---
 plugins/ima.c | 4 +++-
 tests/rpmsigdig.at | 25 +++++++++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/plugins/ima.c b/plugins/ima.c
index b61b23929a..e0ba4d2ed6 100644
--- a/plugins/ima.c
+++ b/plugins/ima.c
@@ -71,7 +71,9 @@ static rpmRC ima_fsm_file_prepare(rpmPlugin plugin, rpmfi fi, int fd,
 else
 xx = lsetxattr(path, XATTR_NAME_IMA, fsig, len, 0);
 if (xx < 0) {
- int is_err = errno != EOPNOTSUPP;
+ /* unsupported fs or root inside rootless container? */
+ int is_err = !(errno == EOPNOTSUPP ||
+ (errno == EPERM && getuid() == 0));
 rpmlog(is_err?RPMLOG_ERR:RPMLOG_DEBUG,
 "ima: could not apply signature on '%s': %s\n",
diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
index 23ade36cf1..afbe5fd343 100644
--- a/tests/rpmsigdig.at
+++ b/tests/rpmsigdig.at
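Review bot: The new `is_err` expression demotes every EPERM seen by uid 0 to RPMLOG_DEBUG, so on a host that does support IMA, a signature that could not be applied for some reason other than a rootless container (if such cases exist for root — the commit message itself calls this a heuristic) now leaves the file unsigned with no visible message, and the problem only surfaces later as an appraisal failure. I would keep the install succeeding but make the skipped case visible to the operator: `int lvl = is_err ? RPMLOG_ERR : (errno == EPERM ? RPMLOG_WARNING : RPMLOG_DEBUG);` and pass `lvl` to rpmlog instead of the ternary. Using `getuid()` rather than `geteuid()` is presumably deliberate (the real uid is what is mapped to 0 inside the container), but a comment such as `/* real uid: rootless containers map the caller to 0 */` would save the next reader the question. The body of ima_fsm_file_prepare continues outside the hunk, and in this rendering the hunk's final context line appears to have been cut off.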
@@ -1889,6 +1889,31 @@ rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" /tmp/hello-1.0-1.src.rpm
 hello-1.0.tar.gz:(none)
 ],
 [])
+
+# Test that installing an ima signed package works.
+# The installation should succeed in all cases, but whether setting the
+# IMA signature succeeds depends on container privileges - in rootless
+# we can't do this.
+RPMTEST_CHECK([
+runroot rpm -U /data/RPMS/imatest-1.0-1.fc34.noarch.rpm
+
+cat << EOF > imaout
+# file: /usr/share/example1
+security.ima=0sAwIEpZglVABIMEYCIQDlEXva+nO6rrHx3EbsqkaYGmLUF3RaM1MlcrY9xtldFgIhAMeJEHrFuR4tkV4d88e3hBT2s/UImdRMHeOB0Ok438gr
+EOF
+
+touch canary
+if setfattr -n security.ima canary 2> /dev/null; then
+ cp imaout expout
+else
+ touch expout
+fi
+runroot_other getfattr --absolute-names -m security.ima /usr/share/example1
+],
+[0],
+[expout],
+[])
+
 RPMTEST_CLEANUP
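Review bot: The probe `setfattr -n security.ima canary 2> /dev/null` runs on the test's working directory rather than under runroot, so it checks whether the host-side tree accepts the xattr, not the filesystem the package is installed into; if the two differ, expout will be wrong in one direction or the other and the test will fail for a reason unrelated to the plugin. If the harness allows it, probing inside the install root (via `runroot_other setfattr ...`, the same way getfattr is run) would exercise the condition the plugin actually hits. The probe also sets an empty value whereas the plugin writes a signature blob, which is presumably equivalent for a permission check; a one-line comment saying so, e.g. `# empty value on purpose: we only test whether security.ima is writable here`, would make the intent clear.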