Introduce write_rpm_pgp_sig

fe575a00 · Roberto Sassu · 610bda78 · fe575a00 · fe575a00 · fe575a00
6 changed file
--- a/dist/rpm/digest-list-tools.spec
+++ b/dist/rpm/digest-list-tools.spec
@@ -56,6 +56,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_bindir}/setup_ima_digest_lists_demo
 %{_bindir}/upload_digest_lists
 %{_bindir}/verify_digest_lists
+%{_bindir}/write_rpm_pgp_sig
 %{_libdir}/libdigestlist-base.so
 %dir %{_libdir}/digestlist
 %{_libdir}/digestlist/libgenerator-compact.so
@@ -84,11 +85,13 @@ rm -rf $RPM_BUILD_ROOT
 %{_datarootdir}/digest-list-tools/setup_ima_digest_lists_demo.txt
 %{_datarootdir}/digest-list-tools/upload_digest_lists.txt
 %{_datarootdir}/digest-list-tools/verify_digest_lists.txt
+%{_datarootdir}/digest-list-tools/write_rpm_pgp_sig.txt
 %{_mandir}/man1/gen_digest_lists.1.gz
 %{_mandir}/man1/setup_ima_digest_lists.1.gz
 %{_mandir}/man1/setup_ima_digest_lists_demo.1.gz
 %{_mandir}/man1/verify_digest_lists.1.gz
 %{_mandir}/man1/upload_digest_lists.1.gz
+%{_mandir}/man1/write_rpm_pgp_sig.1.gz
 %{_mandir}/man1/%{name}.1.gz

 %changelog

--- a/docs/Makefile.am
+++ b/docs/Makefile.am
@@ -2,10 +2,12 @@ dist_pkgdata_DATA = gen_digest_lists.txt \
 		    setup_ima_digest_lists.txt \
 		    setup_ima_digest_lists_demo.txt \
 		    upload_digest_lists.txt \
-		    verify_digest_lists.txt
+		    verify_digest_lists.txt \
+		    write_rpm_pgp_sig.txt

 man1_MANS = gen_digest_lists.1 \
 	    setup_ima_digest_lists.1 \
 	    setup_ima_digest_lists_demo.1 \
 	    upload_digest_lists.1 \
-	    verify_digest_lists.1
+	    verify_digest_lists.1 \
+	    write_rpm_pgp_sig.1
--- a/docs/write_rpm_pgp_sig.1
+++ b/docs/write_rpm_pgp_sig.1
+.\" Text automatically generated by txt2man
+.TH untitled  "14 July 2020" "" ""
+.SH NAME
+\fBwrite_rpm_pgp_sig \fP- Add security.ima to a file with the RPM header
+\fB
+.RE
+\fB
+.SH SYNOPSIS
+.nf
+.fam C
+\fBwrite_rpm_pgp_sig\fP <RPM header> <PGP signature>
+
+
+.fam T
+.fi
+.fam T
+.fi
+.SH DESCRIPTION
+\fBwrite_rpm_pgp_sig\fP can be used to add security.ima to a file with the RPM
+header.
+.SH OPTIONS
+\fB-h\fP: display help
+.RE
+.PP
+
+.SH EXAMPLES
+Add security.ima:
+.PP
+# \fBwrite_rpm_pgp_sig\fP rpm-header rpm-header.sig
+.RE
+.PP
+
+.SH AUTHOR
+Written by Roberto Sassu, <roberto.sassu at huawei.com>.
+.RE
+.PP
+
+.SH COPYING
+Copyright (C) 2020 Huawei Technologies Duesseldorf GmbH. Free use of
+this software is granted under the terms of the GNU Public License 2.0
+(GPLv2).
--- a/docs/write_rpm_pgp_sig.txt
+++ b/docs/write_rpm_pgp_sig.txt
+NAME
+write_rpm_pgp_sig - Add security.ima to a file with the RPM header
+
+
+SYNOPSIS
+write_rpm_pgp_sig <RPM header> <PGP signature>
+
+
+DESCRIPTION
+write_rpm_pgp_sig can be used to add security.ima to a file with the RPM
+header.
+
+OPTIONS
+-h: display help
+
+
+EXAMPLES
+Add security.ima:
+
+# write_rpm_pgp_sig rpm-header rpm-header.sig
+
+
+AUTHOR
+Written by Roberto Sassu, <roberto.sassu at huawei.com>.
+
+
+COPYING
+Copyright (C) 2020 Huawei Technologies Duesseldorf GmbH. Free use of
+this software is granted under the terms of the GNU Public License 2.0
+(GPLv2).
--- a/src/Makefile.am
+++ b/src/Makefile.am
-bin_PROGRAMS=upload_digest_lists gen_digest_lists verify_digest_lists
+bin_PROGRAMS=upload_digest_lists gen_digest_lists verify_digest_lists \
+	     write_rpm_pgp_sig

 upload_digest_lists_CFLAGS=-I$(top_srcdir)/include
 upload_digest_lists_LDFLAGS=$(top_srcdir)/lib/libdigestlist-base.la
@@ -11,3 +12,7 @@ gen_digest_lists_SOURCES=gen_digest_lists.c
 verify_digest_lists_CFLAGS=-I$(top_srcdir)/include
 verify_digest_lists_LDFLAGS=$(top_srcdir)/lib/libdigestlist-base.la
 verify_digest_lists_SOURCES=verify_digest_lists.c
+
+write_rpm_pgp_sig_CFLAGS=-I$(top_srcdir)/include
+write_rpm_pgp_sig_LDFLAGS=$(top_srcdir)/lib/libdigestlist-base.la
+write_rpm_pgp_sig_SOURCES=write_rpm_pgp_sig.c
--- a/src/write_rpm_pgp_sig.c
+++ b/src/write_rpm_pgp_sig.c
+/*
+ * Copyright (C) 2020 Huawei Technologies Duesseldorf GmbH
+ *
+ * Author: Roberto Sassu <roberto.sassu@huawei.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * File: write_rpm_pgp_sig.c
+ *      Add security.ima to a file with the RPM header.
+ */
+
+#include <sys/mman.h>
+#include <unistd.h>
+
+#include "pgp.h"
+#include "xattr.h"
+
+int main(int argc, char *argv[])
+{
+	void *pgp_sig;
+	loff_t pgp_sig_len;
+	u8 *sig = NULL, *data = NULL, *issuer = NULL;
+	size_t sig_len, data_len;
+	u16 algo;
+	int ret, fd;
+
+	if (argc != 3) {
+		printf("Missing argument\n");
+		return -EINVAL;
+	}
+
+	ret = read_file_from_path(-1, argv[2], &pgp_sig, &pgp_sig_len);
+	if (ret < 0)
+		return ret;
+
+	ret = pgp_get_signature_data(pgp_sig, pgp_sig_len, &data, &data_len,
+				     &sig, &sig_len, &issuer, &algo);
+	if (ret < 0)
+		goto out;
+
+	write_ima_xattr(-1, argv[1], issuer, sizeof(uint32_t), sig, sig_len,
+			pgp_algo_mapping[algo]);
+
+	fd = openat(-1, argv[1], O_WRONLY | O_APPEND, 0644);
+	if (fd < 0) {
+		ret = -EACCES;
+		goto out;
+	}
+
+	ret = write_check(fd, data, data_len);
+	close(fd);
+out:
+	munmap(pgp_sig, pgp_sig_len);
+	free(data);
+	free(sig);
+	return ret;
+}