Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RPMFI_FLAGS_ONLY_FILENAMES doesn't prevent file signatures #2425

Closed
pmatilai opened this issue Mar 10, 2023 · 0 comments · Fixed by #2497
Closed

RPMFI_FLAGS_ONLY_FILENAMES doesn't prevent file signatures #2425

pmatilai opened this issue Mar 10, 2023 · 0 comments · Fixed by #2497
Assignees
@pmatilai
Labels
bug
Milestone
4.19.0-beta

Comments

@pmatilai
Copy link
Member

RPMFI_NOFILESIGNATURES and RPMFI_NOVERITYSIGNATURES should be included in the RPMFI_FLAGS_ONLY_FILENAMES mask but are not, so eg rpmfiNew (ts, h, RPMTAG_BASENAMES, RPMFI_FLAGS_ONLY_FILENAMES) ends up loading both IMA and FSVERITY signatures into the file iterator when it should not.

The signatures aren't relevant for bunch of other operations too, so review the other masks too, at least RPMFI_FLAGS_FILETRIGGER should include both signature disablers and RPMFI_FLAGS_ONLY_FILENAMES would inherit it from there.
@pmatilai pmatilai added the bug label Mar 10, 2023
@pmatilai pmatilai added this to the 4.19.0-beta milestone Apr 27, 2023
pmatilai added a commit to pmatilai/rpm that referenced this issue Apr 27, 2023
@pmatilai
Fix file signatures getting loaded when not asked for
c6db62b 
Our compound masks for disabling file info bits per operation never got
updated to include the two separate file signature types. This was
discovered by rpm-ostree on older rpm version crashing on an IMA signature
despite passing in RPMFI_FLAGS_ONLY_FILENAMES.

Add the file signatures to the most obvious masks, and add a simple test
as well.

Fixes: rpm-software-management#2425
@pmatilai pmatilai mentioned this issue Apr 27, 2023
Merged
@pmatilai pmatilai self-assigned this Apr 27, 2023
pmatilai added a commit that referenced this issue Apr 28, 2023
@pmatilai
Fix file signatures getting loaded when not asked for
14aac7d 
Our compound masks for disabling file info bits per operation never got
updated to include the two separate file signature types. This was
discovered by rpm-ostree on older rpm version crashing on an IMA signature
despite passing in RPMFI_FLAGS_ONLY_FILENAMES.

Add the file signatures to the most obvious masks, and add a simple test
as well.

Fixes: #2425
dmnks pushed a commit to dmnks/rpm that referenced this issue Aug 1, 2023
@pmatilai @dmnks
Fix file signatures getting loaded when not asked for
cd023fa 
Our compound masks for disabling file info bits per operation never got
updated to include the two separate file signature types. This was
discovered by rpm-ostree on older rpm version crashing on an IMA signature
despite passing in RPMFI_FLAGS_ONLY_FILENAMES.

Add the file signatures to the most obvious masks, and add a simple test
as well.

Fixes: rpm-software-management#2425
(cherry picked from commit 14aac7d)
dmnks pushed a commit that referenced this issue Aug 1, 2023
@pmatilai @dmnks
Fix file signatures getting loaded when not asked for
d127096 
Our compound masks for disabling file info bits per operation never got
updated to include the two separate file signature types. This was
discovered by rpm-ostree on older rpm version crashing on an IMA signature
despite passing in RPMFI_FLAGS_ONLY_FILENAMES.

Add the file signatures to the most obvious masks, and add a simple test
as well.

Fixes: #2425
(cherry picked from commit 14aac7d)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@pmatilai pmatilai

Labels
bug
Projects
RPM
Status: Done
Milestone
4.19.0-beta
Development

Successfully merging a pull request may close this issue.

Fix file signatures getting loaded when not asked for pmatilai/rpm
1 participant
@pmatilai