From 9c287867531d6ab932d74d891d61fd6f7ac4da44 Mon Sep 17 00:00:00 2001 From: Darren Kenny Date: Tue, 22 Feb 2022 16:57:00 +0000 Subject: ima: Install on filesystems without xattr support without failing If an RPM contains IMA signed digests and rpm-plugin-ima is installed, then any attempt to install to a filesystem that doesn't support extended attributes will cause the RPM installation to fail. This can be seen, for example, if installing a file /boot, which is usually a vFAT filesystem. The rpm-plugin for selinux fixed this some time back, and that same logic can be applied to IMA too - where, if a failure to set an extended attribute results in an errno that is set to EOPNOTSUPP, then this should not cause a complete failure, but should instead just be logged at a debug level. Signed-off-by: Darren Kenny Backported from commit 7db2efa95d859cebda2b095ffdffac42812bd6d9 --- plugins/ima.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/plugins/ima.c b/plugins/ima.c index a30ccb4a6..215d3aee5 100644 --- a/plugins/ima.c +++ b/plugins/ima.c @@ -69,10 +69,14 @@ static rpmRC ima_fsm_file_prepare(rpmPlugin plugin, rpmfi fi, fsig = rpmfiFSignature(fi, &len); if (fsig && (check_zero_hdr(fsig, len) == 0)) { if (lsetxattr(path, XATTR_NAME_IMA, fsig, len, 0) < 0) { - rpmlog(RPMLOG_ERR, + int is_err = errno != EOPNOTSUPP; + + rpmlog(is_err?RPMLOG_ERR:RPMLOG_DEBUG, "ima: could not apply signature on '%s': %s\n", path, strerror(errno)); - rc = RPMRC_FAIL; + if (is_err) { + rc = RPMRC_FAIL; + } } } -- cgit v1.2.1