From 50f2248579aadb7f2d6be064c20f2f331149e2fe Mon Sep 17 00:00:00 2001
From: Elena Reshetova
Date: Thu, 6 Sep 2012 10:52:12 +0300
Subject: Moving to use libmagic directly for file content check
---
packaging/rpm.changes | 4 +++
packaging/rpm.spec | 1 -
packaging/security_4.9.1.patch | 73 +++++++++++++++++++++---------------------
3 files changed, 40 insertions(+), 38 deletions(-)
diff --git a/packaging/rpm.changes b/packaging/rpm.changes
index 1563836..c5fac79 100644
--- a/packaging/rpm.changes
+++ b/packaging/rpm.changes
@@ -1,3 +1,7 @@
+* Thu Sep 6 2012 Elena Reshetova - 4.9.0
+- Changes to the security plugin
+ - Using libmagic instead of file utility to check file's content
+
 * Wed Sep 5 2012 Elena Reshetova - 4.9.0
 - Changes to the security plugin
 - Removing the fopen check before setting xattr
diff --git a/packaging/rpm.spec b/packaging/rpm.spec
index cebe019..b83d13b 100644
--- a/packaging/rpm.spec
+++ b/packaging/rpm.spec
@@ -139,7 +139,6 @@ that are used to build packages using the RPM Package Manager.
 Summary: MSM security plugin for rpm
 Group: Development/Libraries
 Requires: rpm = %{version}-%{release}
-Requires: file
 %description security-plugin
 This package contains the MSM security plugin for rpm that performs
diff --git a/packaging/security_4.9.1.patch b/packaging/security_4.9.1.patch
index 53c0471..e943951 100644
--- a/packaging/security_4.9.1.patch
+++ b/packaging/security_4.9.1.patch
@@ -121,7 +121,7 @@ diff -Nuarp rpm/configure.ac rpm-security/configure.ac
 +
 +AS_IF([test "$with_msm" = yes],[
 + AC_DEFINE(WITH_MSM, 1, [Build with msm support?])
-+ WITH_MSM_LIB="`xml2-config --libs` -lcap -lattr -lsmack"
++ WITH_MSM_LIB="`xml2-config --libs` -lcap -lattr -lsmack -lmagic"
 + WITH_MSM_INCLUDE="`xml2-config --cflags`"
 +])
 +AC_SUBST(WITH_MSM_LIB)
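Review bot: The rpm.spec hunk drops the runtime `Requires: file` but adds no build-time dependency, although the configure.ac hunk in the same commit now links `-lmagic` and the msm.h/msmxattr.c hunks include the libmagic header. Unless a `BuildRequires:` for the libmagic development package (the name is distribution-specific: `file-devel` on some, `libmagic-devel` on others) already exists elsewhere in the spec, the plugin build fails in a clean chroot; that part of the spec is outside this hunk, so please confirm. The runtime dependency on the shared library is presumably picked up by rpm's automatic provides/requires once the plugin is linked against it, which is why dropping the explicit `file` requirement is fine.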
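Review bot: `-lmagic` is appended to `WITH_MSM_LIB` with no probe, so a missing libmagic is only discovered as a compile or link error deep inside the build instead of as a clear configure-time message. Add a header and library check inside the same `AS_IF` block, e.g. `AC_CHECK_HEADER([magic.h], [:], [AC_MSG_ERROR([magic.h is required for msm support])])` and `AC_CHECK_LIB([magic], [magic_open], [:], [AC_MSG_ERROR([libmagic is required for msm support])])`. The `[:]` keeps the default action from also pushing `-lmagic` onto `LIBS`, since the flag is already carried in `WITH_MSM_LIB`.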
@@ -964,7 +964,7 @@ diff -Nuarp rpm/security/Makefile.msm rpm-security/security/Makefile.msm
 diff -Nuarp rpm/security/msm.c rpm-security/security/msm.c
 --- rpm/security/msm.c 1970-01-01 02:00:00.000000000 +0200
 +++ rpm-security/security/msm.c 2012-08-06 13:32:38.137823835 +0300
-@@ -0,0 +1,903 @@
+@@ -0,0 +1,915 @@
 +/*
 + * This file is part of MSM security plugin
 + * Greatly based on the code of MSSF security plugin
@@ -1041,6 +1041,7 @@ diff -Nuarp rpm/security/msm.c rpm-security/security/msm.c
 +static fileconflict *allfileconflicts = NULL;
 +static char* ownSmackLabel = NULL;
 +static int SmackEnabled = 0;
++static magic_t cookie;
 +
 +rpmRC SECURITYHOOK_INIT_FUNC(rpmts _ts, const char *_opts)
 +{
@@ -1095,6 +1096,16 @@ diff -Nuarp rpm/security/msm.c rpm-security/security/msm.c
 + }
 +
 + rpmlog(RPMLOG_DEBUG, "rpm security context: %s\n", ownSmackLabel);
++
++ cookie = magic_open(0);
++ if (!cookie)
++ return RPMRC_FAIL;
++
++ if (magic_load(cookie, NULL) != 0) {
++ rpmlog(RPMLOG_ERR, "cannot load magic database - %s\n", magic_error(cookie));
++ magic_close(cookie);
++ return RPMRC_FAIL;
++ }
 +
 + return RPMRC_OK;
 +}
@@ -1698,7 +1709,7 @@ diff -Nuarp rpm/security/msm.c rpm-security/security/msm.c
 + ctx->path = NULL;
 + ctx->ino = 0;
 + if (rpmteType(ctx->te) == TR_ADDED) {
-+ if (msmSetFileXAttributes(ctx->mfx, file->path) < 0) {
++ if (msmSetFileXAttributes(ctx->mfx, file->path, cookie) < 0) {
 + rpmlog(RPMLOG_ERR, "Setting of extended attributes failed for file %s from package %s\n",
 + file->path, rpmteN(ctx->te));
 + return RPMRC_FAIL;
@@ -1819,6 +1830,7 @@ diff -Nuarp rpm/security/msm.c rpm-security/security/msm.c
 + }
 +
 + msmFreePointer((void**)&ownSmackLabel);
++ magic_close(cookie);
 +
 + return RPMRC_OK;
 +}
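Review bot: In the @@ -1095 hunk the magic_load() failure path closes the handle but leaves the stale pointer in the static `cookie`, and the magic_open() failure path returns RPMRC_FAIL without any log line; the cleanup hook in the @@ -1819 hunk then calls `magic_close(cookie)` unconditionally, which becomes a close on an already freed handle if rpm still runs the cleanup hook after a failed init, so the hook sequencing is worth confirming. Reset the static after closing, `magic_close(cookie); cookie = NULL;`, make the cleanup tolerant, `if (cookie) { magic_close(cookie); cookie = NULL; }`, and add an `rpmlog(RPMLOG_ERR, ...)` on the magic_open() failure so a silent RPMRC_FAIL is diagnosable. Whether `ownSmackLabel`, which the preceding rpmlog() line has already printed, is released on these two early-return paths is not visible here, since SECURITYHOOK_INIT_FUNC starts outside the hunk. An `rpmlog(RPMLOG_DEBUG, ...)` noting that the magic database loaded would also help when debugging classification results later.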
@@ -2139,7 +2151,7 @@ diff -Nuarp rpm/security/msmconfig.c rpm-security/security/msmconfig.c
 diff -Nuarp rpm/security/msm.h rpm-security/security/msm.h
 --- rpm/security/msm.h 1970-01-01 02:00:00.000000000 +0200
 +++ rpm-security/security/msm.h 2012-08-06 12:49:34.377011655 +0300
-@@ -0,0 +1,467 @@
+@@ -0,0 +1,469 @@
 +/*
 + * This file is part of MSM security plugin
 + * Greatly based on the code of MSSF security plugin
@@ -2199,6 +2211,7 @@ diff -Nuarp rpm/security/msm.h rpm-security/security/msm.h
 +#include
 +#include
 +#include
++#include
 +
 +/** \ingroup msm
 + * List definitions.
@@ -2533,9 +2546,10 @@ diff -Nuarp rpm/security/msm.h rpm-security/security/msm.h
 + * Set extended attributes of the file based on manifest.
 + * @param mfx package manifest
 + * @param filepath path of the file
++ * @param cookie magic cookie
 + * @return 0 on success, else -1
 + */
-+int msmSetFileXAttributes(manifest_x *mfx, const char* filepath);
++int msmSetFileXAttributes(manifest_x *mfx, const char* filepath, magic_t cookie);
 +
 +/** \ingroup msm
 + * Set setup the request section of manifest.
@@ -4173,7 +4187,7 @@ diff -Nuarp rpm/security/msmmatch.c rpm-security/security/msmmatch.c
 diff -Nuarp rpm/security/msmxattr.c rpm-security/security/msmxattr.c
 --- rpm/security/msmxattr.c 1970-01-01 02:00:00.000000000 +0200
 +++ rpm-security/security/msmxattr.c 2012-08-06 13:37:44.891344948 +0300
-@@ -0,0 +1,1331 @@
+@@ -0,0 +1,1316 @@
 +/*
 + * This file is part of MSM security plugin
 + * Greatly based on the code of MSSF security plugin
@@ -4215,6 +4229,7 @@ diff -Nuarp rpm/security/msmxattr.c rpm-security/security/msmxattr.c
 +#include
 +#include
 +#include
++#include
 +
 +#include "msm.h"
 +
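Review bot: The new `@param cookie magic cookie` line in the @@ -2533 hunk only restates the parameter's type; the doxygen block should state the contract the caller has to meet. Something like `@param cookie libmagic handle already opened with magic_open() and loaded with magic_load(); the caller retains ownership and must close it` would match how the plugin's init and cleanup hooks use it. It is also worth noting in the same block that a NULL handle makes the executable check return -1, so the SMACK64EXEC branch of msmSetFileXAttributes is skipped rather than the whole call failing, since a reader of the header cannot infer that from the `-1 on failure` return description.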
@@ -5292,46 +5307,30 @@ diff -Nuarp rpm/security/msmxattr.c rpm-security/security/msmxattr.c
 + }
 +}
 +
-+static int is_executable(const char* path)
++static int is_executable(const char* path, magic_t cookie)
 +{
-+ char buffer[1024];
-+ int result;
-+ char string[] = "file \"";
-+ char* ptr = NULL, *ptr1 = NULL;
-+ FILE* pipe;
++ const char* buffer = NULL;
++ int result = -1;
++ char* ptr = NULL;
 +
-+ if (!path)
-+ return -1;
++ if ((!path) || (!cookie))
++ return result;
 +
-+ char* str = calloc(strlen(path) + 8, sizeof (char*));
-+ strncpy(str, string, 6);
-+ strncpy(str + 6, path, strlen(path));
-+ strncpy(str + 6 + strlen(path), "\"", 1);
++ buffer = magic_file(cookie, path);
 +
-+ pipe = popen(str, "r");
-+ if (!pipe) {
-+ msmFreePointer((void**)&str);
-+ return -1;
-+ }
-+
-+ result = -1;
++ rpmlog(RPMLOG_DEBUG, "buffer: %s\n", buffer);
 +
-+ if(fgets(buffer, 1023, pipe) != NULL) {
-+ ptr = strchr(buffer,':');
-+ if (ptr!= NULL) {
-+ ptr1 = strstr(ptr,"executable");
-+ if (ptr1) result = 0;
-+ ptr1 = strstr(ptr,"ELF");
-+ if (ptr1) result = 0;
-+ }
++ if (buffer != NULL) {
++ ptr = strstr(buffer,"executable");
++ if (ptr) result = 0;
++ ptr = strstr(buffer,"ELF");
++ if (ptr) result = 0;
 + }
 +
-+ msmFreePointer((void**)&str);
-+ pclose(pipe);
 + return result;
 +}
 +
-+int msmSetFileXAttributes(manifest_x *mfx, const char* filepath)
++int msmSetFileXAttributes(manifest_x *mfx, const char* filepath, magic_t cookie)
 +{
 + provide_x *provide = NULL;
 + filesystem_x *filesystem = NULL;
@@ -5420,7 +5419,7 @@ diff -Nuarp rpm/security/msmxattr.c rpm-security/security/msmxattr.c
 + label, filepath, strerror(errno));
 + }
 +
-+ if ((is_executable(filepath)) == 0) {
++ if ((is_executable(filepath, cookie)) == 0) {
 + if ((exec_label) && (strcmp(exec_label, "none") == 0)) {
 + // do not set SMACK64EXEC
 + rpmlog(RPMLOG_INFO, "not setting SMACK64EXEC for %s as requested in manifest\n", filepath);
-- 
cgit v1.2.3
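Review bot: `rpmlog(RPMLOG_DEBUG, "buffer: %s\n", buffer);` runs before the `buffer != NULL` check, so a magic_file() failure hands NULL to `%s` (undefined behaviour, `(null)` at best on glibc) and the real reason available from `magic_error(cookie)` is never reported; the rewrite below moves the debug line under the check and logs the libmagic error on the failure branch. Opening the handle with `MAGIC_ERROR` in the init hook should additionally make a file that cannot be read surface here as a NULL result instead of as a descriptive string that is then substring-matched. Matching `"ELF"` anywhere in the description also accepts every ELF object, shared libraries included, so SMACK64EXEC can be set on files that are never executed; that predates this change, but since the description no longer carries the `path:` prefix it is now simpler to narrow the match to the description words libmagic uses for executables.
```c
    buffer = magic_file(cookie, path);
    if (buffer == NULL) {
        rpmlog(RPMLOG_WARNING, "libmagic could not classify %s: %s\n", path, magic_error(cookie));
        return result;
    }
    rpmlog(RPMLOG_DEBUG, "buffer: %s\n", buffer);

    ptr = strstr(buffer,"executable");
    if (ptr) result = 0;
    ptr = strstr(buffer,"ELF");
    if (ptr) result = 0;
    /* … unchanged: return result … */
```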