import keylime-7.3.0-12.el9_3

1 year ago · 97ff2a2e64
parent 8b3980342b
commit 97ff2a2e64
3 changed files with 128 additions and 4 deletions
--- a/SOURCES/0012-Restore-create-allowlist.patch
+++ b/SOURCES/0012-Restore-create-allowlist.patch
@ -0,0 +1,59 @@
+--- a/scripts/create_runtime_policy.sh	2023-10-09 17:04:26.121194607 +0200
+++ b/scripts/create_runtime_policy.sh	2023-10-09 17:06:02.089855614 +0200
+@@ -42,7 +42,7 @@
+     exit $NOARGS;
+ fi
+ 
+-ALGO=sha1sum
+ALGO=sha256sum
+ 
+ ALGO_LIST=("sha1sum" "sha256sum" "sha512sum")
+ 
+@@ -78,7 +78,7 @@
+ 
+ 
+ # Where to look for initramfs image
+-INITRAMFS_LOC="/boot/"
+INITRAMFS_LOC="/boot"
+ if [ -d "/ostree" ]; then
+     # If we are on an ostree system change where we look for initramfs image
+     loc=$(grep -E "/ostree/[^/]([^/]*)" -o /proc/cmdline | head -n 1 | cut -d / -f 3)
+@@ -121,7 +121,7 @@
+             cp -r /tmp/ima/$i-extracted-unmk/. /tmp/ima/$i-extracted
+         fi
+     elif [[ -x "/usr/lib/dracut/skipcpio" ]] ; then
+-        /usr/lib/dracut/skipcpio $i | gunzip -c | cpio -i -d 2> /dev/null
+        /usr/lib/dracut/skipcpio $i | gunzip -c 2> /dev/null | cpio -i -d 2> /dev/null
+     else
+         echo "ERROR: No tools for initramfs image processing found!"
+         break
+@@ -130,9 +130,26 @@
+     find -type f -exec $ALGO "./{}" \; | sed "s| \./\./| /|" >> $OUTPUT
+ done
+ 
+-# Convert to runtime policy
+-echo "Converting created allowlist to Keylime runtime policy"
+-python3 $WORKING_DIR/../keylime/cmd/convert_runtime_policy.py -a $OUTPUT -o $OUTPUT
+# when ROOTFS_LOC = '/', the path starts on allowlist ends up with double '//'
+#
+# Example:
+#
+# b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c  //bar
+#
+# Replace the unwanted '//' with a single '/'
+sed -i 's| /\+| /|g'  $ALLOWLIST_DIR/${OUTPUT}
+
+# When the file name contains newlines or backslashes, the output of sha256sum
+# adds a backslash at the beginning of the line.
+#
+# Example:
+#
+# $ echo foo > ba\\r
+# $ sha256sum ba\\r
+# \b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c  ba\\r
+#
+# Remove the unwanted backslash prefix
+sed -i 's/^\\//g' $ALLOWLIST_DIR/${OUTPUT}
+ 
+ # Clean up
+ rm -rf /tmp/ima
--- a/SOURCES/0013-Set-generator-and-timestamp-in-create-policy.patch
+++ b/SOURCES/0013-Set-generator-and-timestamp-in-create-policy.patch
@ -0,0 +1,44 @@
+diff --git a/keylime/cloud_verifier_common.py b/keylime/cloud_verifier_common.py
+index a7399d2..c0f416d 100644
+--- a/keylime/cloud_verifier_common.py
+++ b/keylime/cloud_verifier_common.py
+@@ -8,7 +8,7 @@ from keylime.agentstates import AgentAttestState, AgentAttestStates, TPMClockInf
+ from keylime.common import algorithms
+ from keylime.db.verifier_db import VerfierMain
+ from keylime.failure import Component, Event, Failure
+-from keylime.ima import file_signatures
+from keylime.ima import file_signatures, ima
+ from keylime.ima.types import RuntimePolicyType
+ from keylime.tpm import tpm_util
+ from keylime.tpm.tpm_main import Tpm
+@@ -271,7 +271,7 @@ def process_get_status(agent: VerfierMain) -> Dict[str, Any]:
+         logger.debug('The contents of the agent %s attribute "mb_refstate" are %s', agent.agent_id, agent.mb_refstate)
+ 
+     has_runtime_policy = 0
+-    if agent.ima_policy.generator and agent.ima_policy.generator > 1:
+    if agent.ima_policy.generator and agent.ima_policy.generator > ima.RUNTIME_POLICY_GENERATOR.EmptyAllowList:
+         has_runtime_policy = 1
+ 
+     response = {
+diff --git a/keylime/cmd/create_policy.py b/keylime/cmd/create_policy.py
+index 0841d64..086b92a 100755
+--- a/keylime/cmd/create_policy.py
+++ b/keylime/cmd/create_policy.py
+@@ -6,6 +6,7 @@ import argparse
+ import binascii
+ import collections
+ import copy
+import datetime
+ import gzip
+ import json
+ import multiprocessing
+@@ -580,6 +581,9 @@ def main() -> None:
+     policy["excludes"] = sorted(list(set(policy["excludes"])))
+     policy["ima"]["ignored_keyrings"] = sorted(list(set(policy["ima"]["ignored_keyrings"])))
+ 
+    policy["meta"]["generator"] = ima.RUNTIME_POLICY_GENERATOR.LegacyAllowList
+    policy["meta"]["timestamp"] = str(datetime.datetime.now())
+
+     try:
+         ima.validate_runtime_policy(policy)
+     except ima.ImaValidationError as ex:
--- a/SPECS/keylime.spec
+++ b/SPECS/keylime.spec
@ -9,7 +9,7 @@

 Name:    keylime
 Version: 7.3.0
-Release: 9%{?dist}
+Release: 12%{?dist}
 Summary: Open source TPM software for Bootstrapping and Maintaining Trust

 URL:            https://github.com/keylime/keylime
@ -28,6 +28,8 @@ Patch: 0008-verifier-should-read-parameters-from-verifier.conf-o.patch
 Patch: 0009-CVE-2023-38201.patch
 Patch: 0010-CVE-2023-38200.patch
 Patch: 0011-Automatically-update-agent-API-version.patch
+Patch: 0012-Restore-create-allowlist.patch
+Patch: 0013-Set-generator-and-timestamp-in-create-policy.patch

 License: ASL 2.0 and MIT

@ -183,13 +185,19 @@ done

 # Ship some scripts.
 mkdir -p %{buildroot}/%{_datadir}/%{srcname}/scripts
-for s in create_runtime_policy.sh \
-         create_mb_refstate \
+for s in create_mb_refstate \
         ek-openssl-verify; do
    install -Dpm 755 scripts/${s} \
        %{buildroot}/%{_datadir}/%{srcname}/scripts/${s}
 done

+# On RHEL 9.3, install create_runtime_policy.sh as create_allowlist.sh
+# The convert_runtime_policy.py script to convert allowlist and excludelist into
+# runtime policy is not called anymore.
+# See: https://issues.redhat.com/browse/RHEL-11866
+install -Dpm 755 scripts/create_runtime_policy.sh \
+        %{buildroot}/%{_datadir}/%{srcname}/scripts/create_allowlist.sh
+
 # Ship configuration templates.
 cp -r ./templates %{buildroot}%{_datadir}/%{srcname}/templates/

@ -353,7 +361,7 @@ fi
 %attr(400,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem
 %{_tmpfilesdir}/%{srcname}.conf
 %{_sysusersdir}/%{srcname}.conf
-%{_datadir}/%{srcname}/scripts/create_runtime_policy.sh
+%{_datadir}/%{srcname}/scripts/create_allowlist.sh
 %{_datadir}/%{srcname}/scripts/ek-openssl-verify
 %{_datadir}/%{srcname}/templates
 %{_bindir}/keylime_upgrade_config
@ -362,6 +370,19 @@ fi
 %license LICENSE

 %changelog
+* Tue Oct 17 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.3.0-12
+- Set the generator and timestamp in create_policy.py
+  Related: RHEL-11866
+
+* Mon Oct 09 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.3.0-11
+- Suppress unnecessary error message
+  Related: RHEL-11866
+
+* Fri Oct 06 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.3.0-10
+- Restore allowlist generation script
+  Resolves: RHEL-11866
+  Resolves: RHEL-11867
+
 * Wed Sep 06 2023 Sergio Correia <scorreia@redhat.com> - 7.3.0-9
 - Rebuild for properly tagging the resulting build
  Resolves: RHEL-1898