authorDarren Kenny <darren.kenny@oracle.com>2022-02-22 16:57:00 +0000
committerMichal Domonkos <mdomonko@redhat.com>2022-07-01 10:52:14 +0200
commit9c287867531d6ab932d74d891d61fd6f7ac4da44 (patch)
tree393f15e1e0a048fa12ace8b3deca6934db088228
parentcb7f454b48017f5d21818b163a208f3c83daf9d9 (diff)
downloadrpm-9c287867531d6ab932d74d891d61fd6f7ac4da44.tar.gz
ima: Install on filesystems without xattr support without failing
If an RPM contains IMA signed digests and rpm-plugin-ima is installed, then any attempt to install to a filesystem that doesn't support extended attributes will cause the RPM installation to fail. This can be seen, for example, when installing a file to /boot, which is usually a vFAT filesystem. The rpm-plugin for selinux fixed this some time back, and that same logic can be applied to IMA too - where, if a failure to set an extended attribute results in an errno that is set to EOPNOTSUPP, then this should not cause a complete failure, but should instead just be logged at a debug level. Signed-off-by: Darren Kenny <darren.kenny@oracle.com> Backported from commit 7db2efa95d859cebda2b095ffdffac42812bd6d9
-rw-r--r--plugins/ima.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/plugins/ima.c b/plugins/ima.c
index a30ccb4a6..215d3aee5 100644
--- a/plugins/ima.c
+++ b/plugins/ima.c
@@ -69,10 +69,14 @@ static rpmRC ima_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
fsig = rpmfiFSignature(fi, &len);
if (fsig && (check_zero_hdr(fsig, len) == 0)) {
if (lsetxattr(path, XATTR_NAME_IMA, fsig, len, 0) < 0) {
- rpmlog(RPMLOG_ERR,
+ int is_err = errno != EOPNOTSUPP;
+
+ rpmlog(is_err?RPMLOG_ERR:RPMLOG_DEBUG,
"ima: could not apply signature on '%s': %s\n",
path, strerror(errno));
- rc = RPMRC_FAIL;
+ if (is_err) {
+ rc = RPMRC_FAIL;
+ }
}
}
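Review bot: The new EOPNOTSUPP branch leaves the file installed without its `XATTR_NAME_IMA` signature and records that only at `RPMLOG_DEBUG`, with no comment saying why this one errno is tolerated. Wherever an IMA appraisal policy covers the destination path, the missing signature would presumably surface later as an access failure rather than at install time, so the trade-off deserves a line above `is_err`, e.g. `/* Filesystem has no xattr support (e.g. vFAT): the signature cannot be stored, so do not fail the install */`. It is also worth deciding whether the skip should be logged at `RPMLOG_WARNING` instead, so unsigned files are visible without debug logging. As a style nit, `is_err?RPMLOG_ERR:RPMLOG_DEBUG` reads better with spaces around `?` and `:`. The body of `ima_fsm_file_prepare` starts and ends outside this hunk.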