From cc7fc9144bf8d729d04591aac138f7d1b3a85f9b673e91d5ad761ba37295e221 Mon Sep 17 00:00:00 2001 
From: Alberto Planas Dominguez Date: Fri, 15 Jul 2022 13:19:45 +0000 Subject: [PATCH] Accepting request 989445 from home:aplanas:branches:security - Update to version 0.1.0+git.1657303637.5b9072a: * keys_handler: Use scopes to drop mutexes before await * Enable usage of Rust IMA emulator in E2E tests. * ima_emulator: Support PCR hash algorithms other than SHA-1 * ima_entry: add IMA entry parser ported from Python Keylime * algorithms: Add conversion between our hash algorithms and OpenSSL's * Remove unused functions revocation_ip_get and revocation_port_get. Change String to &str. * Adjust function usage comments to account for new parameters. * Load config file less at startup in src/common.rs * GNUmakefile: Make target dependencies explicit * permissions: Set supplementary groups when dropping privileges * main: Use more descriptive message for missing files error * Show path when fail to load the certificate * tpm: Add serialization functions for structures in quotes - Requires tpm2.0-abrmd dependency, as the kernel resource manager could be not enough - Downgrade /var/run/keylime permissions - Set "run_as" parameter to "keylime:tss" - Create the keylime user via systemd - Fix keylime service home directory OBS-URL: https://build.opensuse.org/request/show/989445 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=20 --- ...main-die-when-cannot-drop-privileges.patch | 39 ++++++++++++++ _servicedata | 2 +- keylime-user.conf | 2 + keylime.conf.diff | 28 ++++++++-- keylime_agent.service | 8 --- logrotate.keylime | 8 --- ...eylime-0.1.0+git.1655384301.b834667.tar.xz | 3 -- ...eylime-0.1.0+git.1657303637.5b9072a.tar.xz | 3 ++ rust-keylime.changes | 24 +++++++++ rust-keylime.spec | 53 ++++++++++++++----- tmpfiles.keylime | 1 + vendor.tar.xz | 4 +- 12 files changed, 136 insertions(+), 39 deletions(-) create mode 100644 0001-main-die-when-cannot-drop-privileges.patch create mode 100644 keylime-user.conf delete mode 100644 
keylime_agent.service
delete mode 100644 logrotate.keylime
delete mode 100644 rust-keylime-0.1.0+git.1655384301.b834667.tar.xz
create mode 100644 rust-keylime-0.1.0+git.1657303637.5b9072a.tar.xz
create mode 100644 tmpfiles.keylime
diff --git a/0001-main-die-when-cannot-drop-privileges.patch b/0001-main-die-when-cannot-drop-privileges.patch
new file mode 100644
index 0000000..0a1688f
--- /dev/null
+++ b/0001-main-die-when-cannot-drop-privileges.patch
@@ -0,0 +1,39 @@
+From e34692c33914f7c9598c1bc9030bf94ef525d5eb Mon Sep 17 00:00:00 2001
+From: Alberto Planas
+Date: Tue, 12 Jul 2022 14:09:24 +0200
+Subject: [PATCH 2/2] main: die when cannot drop privileges
+
+If `run_as` parameter is set but the user is missing in the system,
+keylime will log an ERROR when trying to drop privileges, but continue
+the execution as the current user (usually `root`). This can be a
+security issue, as the agent is running "silently" as a privileged user.
+
+This commit stop the execution if an error is found when dropping
+privileges for the agent service, and present an `info!` message with
+the current user and group.
+
+Signed-off-by: Alberto Planas
+---
+ src/main.rs | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/main.rs b/src/main.rs
+index ef29eb2..d646d09 100644
+--- a/src/main.rs
++++ b/src/main.rs
+@@ -407,8 +407,10 @@ async fn main() -> Result<()> {
+
+ // Drop privileges
+ if let Some(user_group) = &config.run_as {
+- permissions::chown(user_group, &mount);
+- permissions::run_as(user_group);
++ permissions::chown(user_group, &mount)
++ .expect("Error when changing directory ownership");
++ permissions::run_as(user_group).expect("Error dropping privileges");
++ info!("Running the service as {}...", user_group);
+ }
+
+ info!("Starting server with API version {}...", API_VERSION);
+--
+2.37.0
+
diff --git a/_servicedata b/_servicedata
index 65e651c..273470a 100644
--- a/_servicedata
+++ b/_servicedata
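Review bot: The two `.expect()` calls added in the `// Drop privileges` block turn a failed `chown`/`run_as` into a panic, although the enclosing `async fn main() -> Result<()>` (which starts and ends outside the hunk) already has an error channel; assuming the `permissions` errors convert into main's error type, `permissions::chown(user_group, &mount)?;` and `permissions::run_as(user_group)?;` give the same hard stop and non-zero exit without a panic backtrace and keep the failure on the service's normal error-logging path. Refusing to continue as root when the switch fails is the right outcome, and the ordering — chown the mount first, then switch user — is correct as written. Note that the new `info!` reports the configured `user_group` string rather than the effective ids after the switch, so it confirms intent, not the post-condition.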
@@ -1,4 +1,4 @@ https://github.com/keylime/rust-keylime.git - b834667b4d775065be3d7677e8cb6ad209c43668 \ No newline at end of file + 5b9072abae219bda0e9a95498b5aef4af5db1bda \ No newline at end of file diff --git a/keylime-user.conf b/keylime-user.conf new file mode 100644 index 0000000..48ee0dc --- /dev/null +++ b/keylime-user.conf @@ -0,0 +1,2 @@ +# Type Name ID GECOS [HOME] +u keylime - "Keylime agent" /var/lib/keylime diff --git a/keylime.conf.diff b/keylime.conf.diff index 95c852e..82b6736 100644 --- a/keylime.conf.diff +++ b/keylime.conf.diff @@ -1,7 +1,7 @@ -Index: rust-keylime-0.1.0+git.1655143451.7c4121e/keylime.conf +Index: rust-keylime-0.1.0+git.1657303637.5b9072a/keylime.conf =================================================================== ---- rust-keylime-0.1.0+git.1655143451.7c4121e.orig/keylime.conf -+++ rust-keylime-0.1.0+git.1655143451.7c4121e/keylime.conf +--- rust-keylime-0.1.0+git.1657303637.5b9072a.orig/keylime.conf ++++ rust-keylime-0.1.0+git.1657303637.5b9072a/keylime.conf @@ -4,7 +4,8 @@ # Revocation IP & Port used by either the cloud_agent or keylime_ca to receive 
@@ -32,3 +32,25 @@ Index: rust-keylime-0.1.0+git.1655143451.7c4121e/keylime.conf registrar_port = 8890 # The keylime working directory. Can be overriden by setting the KEYLIME_DIR +@@ -127,3 +130,21 @@ tpm_signing_alg = rsassa + # handle (e.g. "0x81000000"). The Keylime agent will then not attempt to + # create a new EK upon startup, and neither will it flush the EK upon exit. + ek_handle = generate ++ ++# The user account to switch to to drop privileges when started as root ++# If left empty, the agent will keep running with high privileges. ++# The user and group specified here must allow the user to access the ++# WORK_DIR (typically /var/lib/keylime) and /dev/tpmrm0. Therefore, ++# suggested value for the run_as parameter is keylime:tss. ++# The following commands should be used to set ownership before running the ++# agent: ++# chown keylime /var/lib/keylime ++# ++# If agent_data.json already exists: ++# chown keylime /var/lib/keylime/agent_data.json ++# ++# If cv_ca directory exists: ++# chown keylime /var/lib/keylime/cv_ca ++# chown keylime /var/lib/keylime/cv_ca/cacert.crt ++# ++run_as = keylime:tss diff --git a/keylime_agent.service b/keylime_agent.service deleted file mode 100644 index 703051d..0000000 --- a/keylime_agent.service +++ /dev/null @@ -1,8 +0,0 @@ -[Unit] -Description=The Keylime compute agent - -[Service] -ExecStart=/usr/bin/keylime_agent - -[Install] -WantedBy=default.target diff --git a/logrotate.keylime b/logrotate.keylime deleted file mode 100644 index 812f8e5..0000000 --- a/logrotate.keylime +++ /dev/null @@ -1,8 +0,0 @@ -/var/log/keylime/*.log { - su keylime tss - weekly - missingok - rotate 4 - copytruncate - minsize 1M -} diff --git a/rust-keylime-0.1.0+git.1655384301.b834667.tar.xz b/rust-keylime-0.1.0+git.1655384301.b834667.tar.xz deleted file mode 100644 index a7bc8ad..0000000 --- a/rust-keylime-0.1.0+git.1655384301.b834667.tar.xz +++ /dev/null 
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:cb272a91f71f4b197a28390da64a56319b45e9bf2878f31c8f700e1b2a6b8924
-size 115404
diff --git a/rust-keylime-0.1.0+git.1657303637.5b9072a.tar.xz b/rust-keylime-0.1.0+git.1657303637.5b9072a.tar.xz
new file mode 100644
index 0000000..b3e4bc5
--- /dev/null
+++ b/rust-keylime-0.1.0+git.1657303637.5b9072a.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:41af18ed5086bc5e4726275eb1407b7136073c9b08141fe866125305c41431ad
+size 119140
diff --git a/rust-keylime.changes b/rust-keylime.changes
index 23403d3..8978fa2 100644
--- a/rust-keylime.changes
+++ b/rust-keylime.changes
@@ -1,3 +1,27 @@ +------------------------------------------------------------------- +Tue Jul 12 09:20:39 UTC 2022 - aplanas@suse.com + +- Update to version 0.1.0+git.1657303637.5b9072a: + * keys_handler: Use scopes to drop mutexes before await + * Enable usage of Rust IMA emulator in E2E tests. + * ima_emulator: Support PCR hash algorithms other than SHA-1 + * ima_entry: add IMA entry parser ported from Python Keylime + * algorithms: Add conversion between our hash algorithms and OpenSSL's + * Remove unused functions revocation_ip_get and revocation_port_get. Change String to &str. + * Adjust function usage comments to account for new parameters. + * Load config file less at startup in src/common.rs + * GNUmakefile: Make target dependencies explicit + * permissions: Set supplementary groups when dropping privileges + * main: Use more descriptive message for missing files error + * Show path when fail to load the certificate + * tpm: Add serialization functions for structures in quotes +- Requires tpm2.0-abrmd dependency, as the kernel resource manager + could be not enough +- Downgrade /var/run/keylime permissions +- Set "run_as" parameter to "keylime:tss" +- Create the keylime user via systemd +- Fix keylime service home directory + ------------------------------------------------------------------- Wed Jun 22 08:45:20 UTC 2022 - Alberto Planas Dominguez diff --git a/rust-keylime.spec b/rust-keylime.spec index 643d1bd..22da12a 100644 --- a/rust-keylime.spec +++ b/rust-keylime.spec @@ -17,8 +17,15 @@ %global rustflags '-Clink-arg=-Wl,-z,relro,-z,now' +# Consolidate _distconfdir and _sysconfdir +%if 0%{?_distconfdir:1} + %define _config_norepl %{nil} +%else + %define _distconfdir %{_sysconfdir} + %define _config_norepl %config(noreplace) +%endif Name: rust-keylime -Version: 0.1.0+git.1655384301.b834667 +Version: 0.1.0+git.1657303637.5b9072a Release: 0 Summary: Rust implementation of the keylime agent License: Apache-2.0 AND MIT 
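Review bot: `%define _config_norepl` is introduced in both branches of the new `%if 0%{?_distconfdir:1}` block, but nothing in this commit expands it — the `%files` section further down still writes `%config(noreplace)` literally, next to the `# TODO: move the configuration file into _distconfdir` left in `%install`. Either reference `%{_config_norepl}` on the `keylime.conf` line in `%files` now, or defer the whole conditional to the commit that performs the move, so the macro does not read as dead code.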
@@ -26,19 +33,23 @@ URL: https://github.com/keylime/rust-keylime Source: rust-keylime-%{version}.tar.xz Source1: vendor.tar.xz Source2: cargo_config -Source3: keylime_agent.service -Source4: keylime.xml -Source5: logrotate.keylime +Source3: keylime.xml +Source4: keylime-user.conf +Source5: tmpfiles.keylime # PATCH-FIX-OPENSUSE keylime.conf.diff Patch1: keylime.conf.diff +# PATCH-FIX-UPSTREAM 0001-main-die-when-cannot-drop-privileges.patch -- based on PR 423 +Patch2: 0001-main-die-when-cannot-drop-privileges.patch BuildRequires: cargo BuildRequires: firewall-macros BuildRequires: libarchive-devel BuildRequires: rust +BuildRequires: sysuser-tools BuildRequires: tpm2-0-tss-devel BuildRequires: zeromq-devel Requires: libtss2-tcti-device0 Requires: logrotate +Requires: tpm2.0-abrmd ExcludeArch: %{ix86} s390x ppc64 ppc64le armhfp armv7hl %description 
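Review bot: `Requires: logrotate` is kept although this commit removes `logrotate.keylime` from the sources and nothing is installed under `logrotate.d` any more, so the runtime dependency no longer buys anything while `%{_localstatedir}/log/keylime` is still created without a rotation policy. Either drop the `Requires:` line or keep shipping a logrotate snippet for that directory. For the new `BuildRequires: sysuser-tools`, the openSUSE sysusers pattern also expects `%sysusers_requires` in this preamble so the generated `%pre` scriptlet's own dependencies are pulled in; it is missing here, and the `%pre` line in the scriptlet hunk below needs the matching `-f keylime.pre`.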
@@ -52,47 +63,61 @@ cp %{SOURCE2} .cargo/config %build RUSTFLAGS=%{rustflags} cargo build --release --no-default-features --features "with-zmq" +%sysusers_generate_pre %{SOURCE4} keylime keylime-user.conf %install RUSTFLAGS=%{rustflags} cargo install --frozen --no-default-features --features "with-zmq" --root=%{buildroot}%{_prefix} --path . -install -Dpm 644 keylime.conf %{buildroot}%{_sysconfdir}/keylime.conf -install -Dpm 644 %{SOURCE3} %{buildroot}%{_unitdir}/keylime_agent.service -install -Dpm 644 %{SOURCE4} %{buildroot}%{_prefix}/lib/firewalld/services/keylime.xml -install -Dpm 644 %{SOURCE5} %{buildroot}%{_distconfdir}/logrotate.d/keylime +# TODO: move the configuration file into _distconfdir +install -Dpm 0600 keylime.conf %{buildroot}%{_sysconfdir}/keylime.conf +install -Dpm 0644 ./dist/systemd/system/keylime_agent.service %{buildroot}%{_unitdir}/keylime_agent.service +install -Dpm 0644 ./dist/systemd/system/var-lib-keylime-secure.mount %{buildroot}%{_unitdir}/var-lib-keylime-secure.mount + +install -Dpm 0644 %{SOURCE3} %{buildroot}%{_prefix}/lib/firewalld/services/keylime.xml +install -Dpm 0644 %{SOURCE4} %{buildroot}%{_sysusersdir}/keylime-user.conf +install -Dpm 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/keylime.conf install -d %{buildroot}%{_localstatedir}/log/keylime +install -d %{buildroot}%{_libexecdir}/keylime # Create work directory -mkdir -p %{buildroot}%{_localstatedir}/keylime +mkdir -p %{buildroot}%{_sharedstatedir}/keylime rm %{buildroot}%{_prefix}/.crates.toml rm %{buildroot}%{_prefix}/.crates2.json %pre %service_add_pre keylime_agent.service +%service_add_pre var-lib-keylime-secure.mount %post %firewalld_reload +%tmpfiles_create keylime.conf %service_add_post keylime_agent.service +%service_add_post var-lib-keylime-secure.mount %preun %service_del_preun keylime_agent.service +%service_del_preun var-lib-keylime-secure.mount %postun %service_del_postun keylime_agent.service +%service_del_postun var-lib-keylime-secure.mount %files %doc 
README.md %license LICENSE %{_bindir}/keylime_agent %{_bindir}/keylime_ima_emulator -%config(noreplace) %{_sysconfdir}/keylime.conf -%dir %attr(0700,root,root) %{_localstatedir}/keylime +%config(noreplace) %attr (0600,keylime,tss) %{_sysconfdir}/keylime.conf +%{_unitdir}/keylime_agent.service +%{_unitdir}/var-lib-keylime-secure.mount %dir %{_prefix}/lib/firewalld %dir %{_prefix}/lib/firewalld/services %{_prefix}/lib/firewalld/services/keylime.xml -%{_unitdir}/keylime_agent.service -%{_distconfdir}/logrotate.d/keylime -%dir %attr(750,keylime,tss) %{_localstatedir}/log/keylime +%{_sysusersdir}/keylime-user.conf +%{_tmpfilesdir}/keylime.conf +%dir %attr(0750,keylime,tss) %{_localstatedir}/log/keylime +%dir %attr(0750,keylime,tss) %{_libexecdir}/keylime +%dir %attr(0700,keylime,tss) %{_sharedstatedir}/keylime %changelog diff --git a/tmpfiles.keylime b/tmpfiles.keylime new file mode 100644 index 0000000..a07d3fa --- /dev/null +++ b/tmpfiles.keylime @@ -0,0 +1 @@ +d /run/keylime 0700 keylime tss diff --git a/vendor.tar.xz b/vendor.tar.xz index 287dad8..a1a390d 100644 --- a/vendor.tar.xz +++ b/vendor.tar.xz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:0e4b91a6bff3824b1f58ff875102020400e200b4d4baa68c0b175bc0ee96f77d -size 20113908 +oid sha256:f3f8afa64ddb32cfa4f3749616f57cd47826f0bb8dfa3b99ed83e1c5ebf471d9 +size 20105088
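Review bot: `%pre` is declared without `-f keylime.pre`, so the scriptlet that `%sysusers_generate_pre %{SOURCE4} keylime keylime-user.conf` writes in `%build` is never attached to the package and the `keylime` user is not created at install time; the fix is `%pre -f keylime.pre` ahead of the `%service_add_pre` lines. The consequence is security-relevant rather than cosmetic: when the user does not exist rpm warns and falls back to root for every `%attr(...,keylime,tss)` entry in `%files`, and with `run_as = keylime:tss` plus Patch2 the agent would then refuse to start (inferred from the patch text at the top of this commit; confirm on a clean install). Separately, `%dir %attr(0750,keylime,tss) %{_libexecdir}/keylime` hands a directory under `/usr/libexec` to the service account; if anything placed there is ever executed with more privilege than `keylime`, that is a write-then-execute escalation path, so unless the agent must write there `root:root 0755` is the conventional ownership — the diff does not show what the directory is for. The `0600 keylime:tss` mode on `keylime.conf` and the `0700 keylime tss` tmpfiles entry for `/run/keylime` are appropriate for a daemon that reads its configuration before dropping privileges.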