From 7bf194e5c4bf3f4e94e57d40d96ae991c015cb8c Mon Sep 17 00:00:00 2001 From: Panu Matilainen Date: Fri, 10 Jan 2025 16:14:59 +0200 Subject: [PATCH] Ignore EPERM for root when setting IMA signature xattr This lets installations succeed even if the ima plugin happens to be installed in a rootless container, where IMA isn't supported. We can't specifically test for rootless container, but I don't know what other situation would result in EPERM for root when setting IMA so it seems like a reasonable heuristic for this. Testing this is a bit tricky: we expect the install to succeed in all cases, but whether IMA actually gets set depends on the container. Fixes: #3234 --- plugins/ima.c | 4 +++- tests/rpmsigdig.at | 31 +++++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 1 deletion(-) diff --git a/plugins/ima.c b/plugins/ima.c index b61b23929a..e0ba4d2ed6 100644 --- a/plugins/ima.c +++ b/plugins/ima.c @@ -71,7 +71,9 @@ static rpmRC ima_fsm_file_prepare(rpmPlugin plugin, rpmfi fi, int fd, else xx = lsetxattr(path, XATTR_NAME_IMA, fsig, len, 0); if (xx < 0) { - int is_err = errno != EOPNOTSUPP; + /* unsupported fs or root inside rootless container? */ + int is_err = !(errno == EOPNOTSUPP || + (errno == EPERM && getuid() == 0)); rpmlog(is_err?RPMLOG_ERR:RPMLOG_DEBUG, "ima: could not apply signature on '%s': %s\n", diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at index 23ade36cf1..aad7007362 100644 --- a/tests/rpmsigdig.at +++ b/tests/rpmsigdig.at @@ -1891,6 +1891,37 @@ hello-1.0.tar.gz:(none) []) RPMTEST_CLEANUP +# Test that installing an ima signed package works. +# The installation should succeed in all cases, but whether setting the +# IMA signature succeeds depends on container privileges - in rootless +# we can't do this. +AT_SETUP([install ima file signatures]) +AT_KEYWORDS([install ima signature]) +AT_SKIP_IF([$IMA_DISABLED]) + +RPMTEST_SETUP + +cat << EOF > expout +# file: /usr/share/example1 +security.ima=0sAwIEpZglVABIMEYCIQDlEXva+nO6rrHx3EbsqkaYGmLUF3RaM1MlcrY9xtldFgIhAMeJEHrFuR4tkV4d88e3hBT2s/UImdRMHeOB0Ok438gr + +EOF + +touch canary +# different expectations in a rootless container +if ! setfattr -n security.ima canary 2> /dev/null; then + rm expout + touch expout +fi + +RPMTEST_CHECK([ +runroot rpm -U /data/RPMS/imatest-1.0-1.fc34.noarch.rpm +runroot_other getfattr --absolute-names -d -m security.ima /usr/share/example1 +], +[0], +[expout], +[]) +RPMTEST_CLEANUP AT_SETUP([--delsign with misplaced ima signature]) AT_KEYWORDS([rpmsign ima signature])