Accepting request 989451 from security

OBS-URL: https://build.opensuse.org/request/show/989451
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rust-keylime?expand=0&rev=2

0001-main-die-when-cannot-drop-privileges.patch

@@ -0,0 +1,39 @@
+From e34692c33914f7c9598c1bc9030bf94ef525d5eb Mon Sep 17 00:00:00 2001
+From: Alberto Planas <aplanas@suse.com>
+Date: Tue, 12 Jul 2022 14:09:24 +0200
+Subject: [PATCH 2/2] main: die when cannot drop privileges
+
+If `run_as` parameter is set but the user is missing in the system,
+keylime will log an ERROR when trying to drop privileges, but continue
+the execution as the current user (usually `root`).  This can be a
+security issue, as the agent is running "silently" as a privileged user.
+
+This commit stop the execution if an error is found when dropping
+privileges for the agent service, and present an `info!` message with
+the current user and group.
+
+Signed-off-by: Alberto Planas <aplanas@suse.com>
+---
+ src/main.rs | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/main.rs b/src/main.rs
+index ef29eb2..d646d09 100644
+--- a/src/main.rs
++++ b/src/main.rs
+@@ -407,8 +407,10 @@ async fn main() -> Result<()> {
+ 
+     // Drop privileges
+     if let Some(user_group) = &config.run_as {
+-        permissions::chown(user_group, &mount);
+-        permissions::run_as(user_group);
++        permissions::chown(user_group, &mount)
++            .expect("Error when changing directory ownership");
++        permissions::run_as(user_group).expect("Error dropping privileges");
++        info!("Running the service as {}...", user_group);
+     }
+ 
+     info!("Starting server with API version {}...", API_VERSION);
+-- 
+2.37.0
+

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/keylime/rust-keylime.git</param>
-              <param name="changesrevision">b834667b4d775065be3d7677e8cb6ad209c43668</param></service></servicedata>
+              <param name="changesrevision">5b9072abae219bda0e9a95498b5aef4af5db1bda</param></service></servicedata>

keylime-user.conf

@@ -0,0 +1,2 @@
+# Type Name ID GECOS [HOME]
+u keylime - "Keylime agent" /var/lib/keylime

keylime.conf.diff

@@ -1,7 +1,7 @@
-Index: rust-keylime-0.1.0+git.1655143451.7c4121e/keylime.conf
+Index: rust-keylime-0.1.0+git.1657303637.5b9072a/keylime.conf
 ===================================================================
---- rust-keylime-0.1.0+git.1655143451.7c4121e.orig/keylime.conf
+--- rust-keylime-0.1.0+git.1657303637.5b9072a.orig/keylime.conf
-+++ rust-keylime-0.1.0+git.1655143451.7c4121e/keylime.conf
++++ rust-keylime-0.1.0+git.1657303637.5b9072a/keylime.conf
 @@ -4,7 +4,8 @@
  
  # Revocation IP & Port used by either the cloud_agent or keylime_ca to receive
@@ -32,3 +32,25 @@ Index: rust-keylime-0.1.0+git.1655143451.7c4121e/keylime.conf
  registrar_port = 8890
  
  # The keylime working directory.  Can be overriden by setting the KEYLIME_DIR
+@@ -127,3 +130,21 @@ tpm_signing_alg = rsassa
+ # handle (e.g. "0x81000000"). The Keylime agent will then not attempt to
+ # create a new EK upon startup, and neither will it flush the EK upon exit.
+ ek_handle = generate
++
++# The user account to switch to to drop privileges when started as root
++# If left empty, the agent will keep running with high privileges.
++# The user and group specified here must allow the user to access the
++# WORK_DIR (typically /var/lib/keylime) and /dev/tpmrm0. Therefore,
++# suggested value for the run_as parameter is keylime:tss.
++# The following commands should be used to set ownership before running the
++# agent:
++# chown keylime /var/lib/keylime
++#
++# If agent_data.json already exists:
++# chown keylime /var/lib/keylime/agent_data.json
++#
++# If cv_ca directory exists:
++# chown keylime /var/lib/keylime/cv_ca
++# chown keylime /var/lib/keylime/cv_ca/cacert.crt
++#
++run_as = keylime:tss

keylime_agent.service

@@ -1,8 +0,0 @@
-[Unit]
-Description=The Keylime compute agent
-
-[Service]
-ExecStart=/usr/bin/keylime_agent
-
-[Install]
-WantedBy=default.target

logrotate.keylime

@@ -1,8 +0,0 @@
-/var/log/keylime/*.log {
-    su keylime tss
-    weekly
-    missingok
-    rotate 4
-    copytruncate
-    minsize 1M
-}

rust-keylime-0.1.0+git.1655384301.b834667.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:cb272a91f71f4b197a28390da64a56319b45e9bf2878f31c8f700e1b2a6b8924
-size 115404

rust-keylime-0.1.0+git.1657303637.5b9072a.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:41af18ed5086bc5e4726275eb1407b7136073c9b08141fe866125305c41431ad
+size 119140

rust-keylime.changes

@@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Tue Jul 12 09:20:39 UTC 2022 - aplanas@suse.com
+
+- Update to version 0.1.0+git.1657303637.5b9072a:
+  * keys_handler: Use scopes to drop mutexes before await
+  * Enable usage of Rust IMA emulator in E2E tests.
+  * ima_emulator: Support PCR hash algorithms other than SHA-1
+  * ima_entry: add IMA entry parser ported from Python Keylime
+  * algorithms: Add conversion between our hash algorithms and OpenSSL's
+  * Remove unused functions revocation_ip_get and revocation_port_get. Change String to &str.
+  * Adjust function usage comments to account for new parameters.
+  * Load config file less at startup in src/common.rs
+  * GNUmakefile: Make target dependencies explicit
+  * permissions: Set supplementary groups when dropping privileges
+  * main: Use more descriptive message for missing files error
+  * Show path when fail to load the certificate
+  * tpm: Add serialization functions for structures in quotes
+- Requires tpm2.0-abrmd dependency, as the kernel resource manager
+  could be not enough
+- Downgrade /var/run/keylime permissions
+- Set "run_as" parameter to "keylime:tss"
+- Create the keylime user via systemd
+- Fix keylime service home directory
+- Add 0001-main-die-when-cannot-drop-privileges.patch to avoid the
+  execution as root when the run_as user is missing in the system
+
 -------------------------------------------------------------------
 Wed Jun 22 08:45:20 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
 

rust-keylime.spec

@@ -17,8 +17,15 @@
 
 
 %global rustflags '-Clink-arg=-Wl,-z,relro,-z,now'
+# Consolidate _distconfdir and _sysconfdir
+%if 0%{?_distconfdir:1}
+  %define _config_norepl %{nil}
+%else
+  %define _distconfdir   %{_sysconfdir}
+  %define _config_norepl %config(noreplace)
+%endif
 Name:           rust-keylime
-Version:        0.1.0+git.1655384301.b834667
+Version:        0.1.0+git.1657303637.5b9072a
 Release:        0
 Summary:        Rust implementation of the keylime agent
 License:        Apache-2.0 AND MIT
@@ -26,19 +33,23 @@ URL:            https://github.com/keylime/rust-keylime
 Source:         rust-keylime-%{version}.tar.xz
 Source1:        vendor.tar.xz
 Source2:        cargo_config
-Source3:        keylime_agent.service
+Source3:        keylime.xml
-Source4:        keylime.xml
+Source4:        keylime-user.conf
-Source5:        logrotate.keylime
+Source5:        tmpfiles.keylime
 # PATCH-FIX-OPENSUSE keylime.conf.diff
 Patch1:         keylime.conf.diff
+# PATCH-FIX-UPSTREAM 0001-main-die-when-cannot-drop-privileges.patch -- based on PR 423
+Patch2:         0001-main-die-when-cannot-drop-privileges.patch
 BuildRequires:  cargo
 BuildRequires:  firewall-macros
 BuildRequires:  libarchive-devel
 BuildRequires:  rust
+BuildRequires:  sysuser-tools
 BuildRequires:  tpm2-0-tss-devel
 BuildRequires:  zeromq-devel
 Requires:       libtss2-tcti-device0
 Requires:       logrotate
+Requires:       tpm2.0-abrmd
 ExcludeArch:    %{ix86} s390x ppc64 ppc64le armhfp armv7hl
 
 %description
@@ -52,47 +63,61 @@ cp %{SOURCE2} .cargo/config
 
 %build
 RUSTFLAGS=%{rustflags} cargo build --release --no-default-features --features "with-zmq"
+%sysusers_generate_pre %{SOURCE4} keylime keylime-user.conf
 
 %install
 RUSTFLAGS=%{rustflags} cargo install --frozen --no-default-features --features "with-zmq" --root=%{buildroot}%{_prefix} --path .
 
-install -Dpm 644 keylime.conf %{buildroot}%{_sysconfdir}/keylime.conf
+# TODO: move the configuration file into _distconfdir
-install -Dpm 644 %{SOURCE3} %{buildroot}%{_unitdir}/keylime_agent.service
+install -Dpm 0600 keylime.conf %{buildroot}%{_sysconfdir}/keylime.conf
-install -Dpm 644 %{SOURCE4} %{buildroot}%{_prefix}/lib/firewalld/services/keylime.xml
+install -Dpm 0644 ./dist/systemd/system/keylime_agent.service %{buildroot}%{_unitdir}/keylime_agent.service
-install -Dpm 644 %{SOURCE5} %{buildroot}%{_distconfdir}/logrotate.d/keylime
+install -Dpm 0644 ./dist/systemd/system/var-lib-keylime-secure.mount %{buildroot}%{_unitdir}/var-lib-keylime-secure.mount
+
+install -Dpm 0644 %{SOURCE3} %{buildroot}%{_prefix}/lib/firewalld/services/keylime.xml
+install -Dpm 0644 %{SOURCE4} %{buildroot}%{_sysusersdir}/keylime-user.conf
+install -Dpm 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/keylime.conf
 install -d %{buildroot}%{_localstatedir}/log/keylime
+install -d %{buildroot}%{_libexecdir}/keylime
 
 # Create work directory
-mkdir -p %{buildroot}%{_localstatedir}/keylime
+mkdir -p %{buildroot}%{_sharedstatedir}/keylime
 
 rm %{buildroot}%{_prefix}/.crates.toml
 rm %{buildroot}%{_prefix}/.crates2.json
 
 %pre
 %service_add_pre keylime_agent.service
+%service_add_pre var-lib-keylime-secure.mount
 
 %post
 %firewalld_reload
+%tmpfiles_create keylime.conf
 %service_add_post keylime_agent.service
+%service_add_post var-lib-keylime-secure.mount
 
 %preun
 %service_del_preun keylime_agent.service
+%service_del_preun var-lib-keylime-secure.mount
 
 %postun
 %service_del_postun keylime_agent.service
+%service_del_postun var-lib-keylime-secure.mount
 
 %files
 %doc README.md
 %license LICENSE
 %{_bindir}/keylime_agent
 %{_bindir}/keylime_ima_emulator
-%config(noreplace) %{_sysconfdir}/keylime.conf
+%config(noreplace) %attr (0600,keylime,tss) %{_sysconfdir}/keylime.conf
-%dir %attr(0700,root,root) %{_localstatedir}/keylime
+%{_unitdir}/keylime_agent.service
+%{_unitdir}/var-lib-keylime-secure.mount
 %dir %{_prefix}/lib/firewalld
 %dir %{_prefix}/lib/firewalld/services
 %{_prefix}/lib/firewalld/services/keylime.xml
-%{_unitdir}/keylime_agent.service
+%{_sysusersdir}/keylime-user.conf
-%{_distconfdir}/logrotate.d/keylime
+%{_tmpfilesdir}/keylime.conf
-%dir %attr(750,keylime,tss) %{_localstatedir}/log/keylime
+%dir %attr(0750,keylime,tss) %{_localstatedir}/log/keylime
+%dir %attr(0750,keylime,tss) %{_libexecdir}/keylime
+%dir %attr(0700,keylime,tss) %{_sharedstatedir}/keylime
 
 %changelog

tmpfiles.keylime

@@ -0,0 +1 @@
+d /run/keylime 0700 keylime tss

vendor.tar.xz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:0e4b91a6bff3824b1f58ff875102020400e200b4d4baa68c0b175bc0ee96f77d
+oid sha256:f3f8afa64ddb32cfa4f3749616f57cd47826f0bb8dfa3b99ed83e1c5ebf471d9
-size 20113908
+size 20105088