Accepting request 994443 from security

OBS-URL: https://build.opensuse.org/request/show/994443
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rust-keylime?expand=0&rev=3

0001-main-die-when-cannot-drop-privileges.patch

@@ -1,39 +0,0 @@
-From e34692c33914f7c9598c1bc9030bf94ef525d5eb Mon Sep 17 00:00:00 2001
-From: Alberto Planas <aplanas@suse.com>
-Date: Tue, 12 Jul 2022 14:09:24 +0200
-Subject: [PATCH 2/2] main: die when cannot drop privileges
-
-If `run_as` parameter is set but the user is missing in the system,
-keylime will log an ERROR when trying to drop privileges, but continue
-the execution as the current user (usually `root`).  This can be a
-security issue, as the agent is running "silently" as a privileged user.
-
-This commit stop the execution if an error is found when dropping
-privileges for the agent service, and present an `info!` message with
-the current user and group.
-
-Signed-off-by: Alberto Planas <aplanas@suse.com>
----
- src/main.rs | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/src/main.rs b/src/main.rs
-index ef29eb2..d646d09 100644
---- a/src/main.rs
-+++ b/src/main.rs
-@@ -407,8 +407,10 @@ async fn main() -> Result<()> {
- 
-     // Drop privileges
-     if let Some(user_group) = &config.run_as {
--        permissions::chown(user_group, &mount);
--        permissions::run_as(user_group);
-+        permissions::chown(user_group, &mount)
-+            .expect("Error when changing directory ownership");
-+        permissions::run_as(user_group).expect("Error dropping privileges");
-+        info!("Running the service as {}...", user_group);
-     }
- 
-     info!("Starting server with API version {}...", API_VERSION);
--- 
-2.37.0
-

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/keylime/rust-keylime.git</param>
-              <param name="changesrevision">5b9072abae219bda0e9a95498b5aef4af5db1bda</param></service></servicedata>
+              <param name="changesrevision">01860934f7308bc5ea1e68c8d858aea056620ce8</param></service></servicedata>

keylime-agent.conf.diff

@@ -0,0 +1,34 @@
+Index: rust-keylime-0.1.0+git.1659977521.0186093/keylime-agent.conf
+===================================================================
+--- rust-keylime-0.1.0+git.1659977521.0186093.orig/keylime-agent.conf
++++ rust-keylime-0.1.0+git.1659977521.0186093/keylime-agent.conf
+@@ -4,7 +4,8 @@
+ 
+ # Revocation IP & Port used by either the cloud_agent or keylime_ca to receive
+ # revocation events from the verifier.
+-receive_revocation_ip = 127.0.0.1
++# receive_revocation_ip = 127.0.0.1
++receive_revocation_ip = <REMOTE_IP>
+ receive_revocation_port = 8992
+ 
+ 
+@@ -13,7 +14,8 @@ receive_revocation_port = 8992
+ #=============================================================================
+ 
+ # The binding address and port for the agent server
+-cloudagent_ip = 127.0.0.1
++# cloudagent_ip = 127.0.0.1
++cloudagent_ip = 0.0.0.0
+ cloudagent_port = 9002
+ 
+ # Address and port where the verifier and tenant can connect to reach the agent.
+@@ -22,7 +24,8 @@ agent_contact_ip = 127.0.0.1
+ agent_contact_port = 9002
+ 
+ # The address and port of registrar server which agent communicate with
+-registrar_ip = 127.0.0.1
++# registrar_ip = 127.0.0.1
++registrar_ip = <REMOTE_IP>
+ registrar_port = 8890
+ 
+ # The keylime working directory.  Can be overriden by setting the KEYLIME_DIR

keylime.conf.diff

@@ -1,56 +0,0 @@
-Index: rust-keylime-0.1.0+git.1657303637.5b9072a/keylime.conf
-===================================================================
---- rust-keylime-0.1.0+git.1657303637.5b9072a.orig/keylime.conf
-+++ rust-keylime-0.1.0+git.1657303637.5b9072a/keylime.conf
-@@ -4,7 +4,8 @@
- 
- # Revocation IP & Port used by either the cloud_agent or keylime_ca to receive
- # revocation events from the verifier.
--receive_revocation_ip = 127.0.0.1
-+# receive_revocation_ip = 127.0.0.1
-+receive_revocation_ip = <REMOTE_IP>
- receive_revocation_port = 8992
- 
- 
-@@ -13,7 +14,8 @@ receive_revocation_port = 8992
- #=============================================================================
- 
- # The binding address and port for the agent server
--cloudagent_ip = 127.0.0.1
-+# cloudagent_ip = 127.0.0.1
-+cloudagent_ip = 0.0.0.0
- cloudagent_port = 9002
- 
- # Address and port where the verifier and tenant can connect to reach the agent.
-@@ -22,7 +24,8 @@ agent_contact_ip = 127.0.0.1
- agent_contact_port = 9002
- 
- # The address and port of registrar server which agent communicate with
--registrar_ip = 127.0.0.1
-+# registrar_ip = 127.0.0.1
-+registrar_ip = <REMOTE_IP>
- registrar_port = 8890
- 
- # The keylime working directory.  Can be overriden by setting the KEYLIME_DIR
-@@ -127,3 +130,21 @@ tpm_signing_alg = rsassa
- # handle (e.g. "0x81000000"). The Keylime agent will then not attempt to
- # create a new EK upon startup, and neither will it flush the EK upon exit.
- ek_handle = generate
-+
-+# The user account to switch to to drop privileges when started as root
-+# If left empty, the agent will keep running with high privileges.
-+# The user and group specified here must allow the user to access the
-+# WORK_DIR (typically /var/lib/keylime) and /dev/tpmrm0. Therefore,
-+# suggested value for the run_as parameter is keylime:tss.
-+# The following commands should be used to set ownership before running the
-+# agent:
-+# chown keylime /var/lib/keylime
-+#
-+# If agent_data.json already exists:
-+# chown keylime /var/lib/keylime/agent_data.json
-+#
-+# If cv_ca directory exists:
-+# chown keylime /var/lib/keylime/cv_ca
-+# chown keylime /var/lib/keylime/cv_ca/cacert.crt
-+#
-+run_as = keylime:tss

rust-keylime-0.1.0+git.1657303637.5b9072a.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:41af18ed5086bc5e4726275eb1407b7136073c9b08141fe866125305c41431ad
-size 119140

rust-keylime-0.1.0+git.1659977521.0186093.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c6e878e1b8ba3106f7ce152fd227fc2f6a3b17c6ffc98fc9a3093a41e6327336
+size 119944

rust-keylime.changes

@@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Wed Aug 10 13:39:08 UTC 2022 - aplanas@suse.com
+
+- Update to version 0.1.0+git.1659977521.0186093:
+  * Fix display of mb measurement file path
+  * Add more helpful error when config file is not found
+  * Fix small comment about implementing TPM ownership
+  * main: die when cannot drop privileges
+  * keylime.conf: add run_as section
+  * Use Rust agent-specific config in Makefile
+  * Fix typo in listen_notifications option in keylime.conf
+  * tpm: Support pre-existing EK
+  * Set swtpm context which is later used for test filtering
+  * Add GitLeaks configuration to ignore RSA key used for testing
+  * Handle whitespace in keylime.conf
+- Rename keylime.conf.diff to keylime-agent.conf.diff
+- Drop 0001-main-die-when-cannot-drop-privileges.patch, as is already
+  merged upstream
+- Add bindgen.patch to add more architectures
+
 -------------------------------------------------------------------
 Tue Jul 12 09:20:39 UTC 2022 - aplanas@suse.com
 

rust-keylime.spec

@@ -25,7 +25,7 @@
   %define _config_norepl %config(noreplace)
 %endif
 Name:           rust-keylime
-Version:        0.1.0+git.1657303637.5b9072a
+Version:        0.1.0+git.1659977521.0186093
 Release:        0
 Summary:        Rust implementation of the keylime agent
 License:        Apache-2.0 AND MIT
@@ -36,11 +36,12 @@ Source2:        cargo_config
 Source3:        keylime.xml
 Source4:        keylime-user.conf
 Source5:        tmpfiles.keylime
-# PATCH-FIX-OPENSUSE keylime.conf.diff
-Patch1:         keylime.conf.diff
-# PATCH-FIX-UPSTREAM 0001-main-die-when-cannot-drop-privileges.patch -- based on PR 423
-Patch2:         0001-main-die-when-cannot-drop-privileges.patch
+# PATCH-FIX-OPENSUSE keylime-agent.conf.diff
+Patch1:         keylime-agent.conf.diff
+# PATCH-FIX-OPENSUSE bindgen.patch
+Patch2:         bindgen.patch
 BuildRequires:  cargo
+BuildRequires:  clang
 BuildRequires:  firewall-macros
 BuildRequires:  libarchive-devel
 BuildRequires:  rust
@@ -50,7 +51,6 @@ BuildRequires:  zeromq-devel
 Requires:       libtss2-tcti-device0
 Requires:       logrotate
 Requires:       tpm2.0-abrmd
-ExcludeArch:    %{ix86} s390x ppc64 ppc64le armhfp armv7hl
 
 %description
 Rust implementation of keylime agent. Keylime is system integrity
@@ -69,7 +69,7 @@ RUSTFLAGS=%{rustflags} cargo build --release --no-default-features --features "w
 RUSTFLAGS=%{rustflags} cargo install --frozen --no-default-features --features "with-zmq" --root=%{buildroot}%{_prefix} --path .
 
 # TODO: move the configuration file into _distconfdir
-install -Dpm 0600 keylime.conf %{buildroot}%{_sysconfdir}/keylime.conf
+install -Dpm 0600 keylime-agent.conf %{buildroot}%{_sysconfdir}/keylime-agent.conf
 install -Dpm 0644 ./dist/systemd/system/keylime_agent.service %{buildroot}%{_unitdir}/keylime_agent.service
 install -Dpm 0644 ./dist/systemd/system/var-lib-keylime-secure.mount %{buildroot}%{_unitdir}/var-lib-keylime-secure.mount
 
@@ -108,7 +108,7 @@ rm %{buildroot}%{_prefix}/.crates2.json
 %license LICENSE
 %{_bindir}/keylime_agent
 %{_bindir}/keylime_ima_emulator
-%config(noreplace) %attr (0600,keylime,tss) %{_sysconfdir}/keylime.conf
+%config(noreplace) %attr (0600,keylime,tss) %{_sysconfdir}/keylime-agent.conf
 %{_unitdir}/keylime_agent.service
 %{_unitdir}/var-lib-keylime-secure.mount
 %dir %{_prefix}/lib/firewalld

vendor.tar.xz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:f3f8afa64ddb32cfa4f3749616f57cd47826f0bb8dfa3b99ed83e1c5ebf471d9
-size 20105088
+oid sha256:fcc10303f90db5ff1485a76892b1c7eef8904d848e26e67af928eeb96c071aa4
+size 20796756