SHA256
1
0
forked from pool/rust-keylime

Accepting request 1198288 from home:aplanas:branches:security

- Update vendored crates (bsc#1229952, bsc#1230029)
  * rustix 0.37.25
  * rustix 0.38.34
  * shlex  1.3.0
- Update to version 0.2.6+13:
  * Enable test functional/iak-idevid-persisted-and-protected
  * build(deps): bump uuid from 1.7.0 to 1.10.0
  * build(deps): bump openssl from 0.10.64 to 0.10.66
  * keylime-agent/src/revocation: Fix comment indentation
  * keylime/crypto: Fix indentation of documentation comment
  * build(deps): bump thiserror from 1.0.59 to 1.0.63
  * build(deps): bump serde_json from 1.0.116 to 1.0.120
  * dependabot: Extend to also monitor workflow actions
  * ci: Disable Packit CI on CentOS Stream 9
  * ci: use CODECOV_TOKEN when submitting coverage data
  * revocation: Use into() for unfallible transformation
  * secure_mount: Fix possible infinite loop
  * error: Rename enum variants to avoid clippy warning

OBS-URL: https://build.opensuse.org/request/show/1198288
OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=74
This commit is contained in:
Alberto Planas 2024-09-02 12:27:20 +00:00 committed by Git OBS Bridge
commit e4c8388ef3
20 changed files with 2151 additions and 0 deletions

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

55
README.suse Normal file
View File

@ -0,0 +1,55 @@
# Notes about the IMA policy
This IMA policy is provided as an example that can be later adapted to
more specific usage.
This was generated from a default tcb IMA policy from a 6.1.12 Linux
kernel, and extended with SELinux file types to filter out the part of
the system that we usually do not want to measure.
To use this policy, we need to copy it in "/etc/ima/ima-policy" and
systemd will load it after the SELinux policy has been loaded.
For this example, we used the initial set of SELinux attributes, that
group the file types under categories. From that list we selected
some of those attribute to deep more into the types that can be relevant for the IMA policy:
seinfo -a
The current selection cover full or partially the types under those
attributes:
base_file_type
base_ro_file_type
configfile
file_type
files_unconfined_type
init_script_file_type
init_sock_file_type
lockfile
logfile
non_auth_file_type
non_security_file_type
openshift_file_type
pidfile
pulseaudio_tmpfsfile
security_file_type
setfiles_domain
spoolfile
svirt_file_type
systemd_unit_file_type
tmpfile
tmpfsfile
Special mention to non_auth_file_type and non_security_file_type
(among other liske logfile or tmpfile), that should cover the most
relevant types of the dynamic part of the system.
The list should also include types from other attributes like
virt_image_type and others (see the policy file comments from a
complete list).
Sometimes is important to see what files are labeled under a specific
type, and for that we can use this:
semanage fcontext -l | grep $TYPE

7
_constraints Normal file
View File

@ -0,0 +1,7 @@
<constraints>
<hardware>
<disk>
<size unit="G">10</size>
</disk>
</hardware>
</constraints>

29
_service Normal file
View File

@ -0,0 +1,29 @@
<services>
<service mode="disabled" name="obs_scm">
<param name="url">https://github.com/keylime/rust-keylime.git</param>
<!-- <param name="versionformat">@PARENT_TAG@</param> -->
<param name="versionformat">@PARENT_TAG@+@TAG_OFFSET@</param>
<param name="scm">git</param>
<param name="revision">v0.2.6</param>
<param name="revision">master</param>
<param name="match-tag">*</param>
<param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
<param name="versionrewrite-replacement">\1</param>
<param name="changesgenerate">enable</param>
<param name="changesauthor">aplanas@suse.com</param>
</service>
<service mode="disabled" name="tar" />
<service mode="disabled" name="recompress">
<param name="file">*.tar</param>
<param name="compression">zst</param>
</service>
<service mode="disabled" name="set_version"/>
<!-- <service name="cargo_vendor" mode="disabled"> -->
<!-- <param name="src">rust-keylime</param> -->
<!-- <param name="compression">zst</param> -->
<!-- <param name="update">true</param> -->
<!-- </service> -->
<service name="cargo_audit" mode="disabled">
<param name="srcdir">rust-keylime</param>
</service>
</services>

4
_servicedata Normal file
View File

@ -0,0 +1,4 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://github.com/keylime/rust-keylime.git</param>
<param name="changesrevision">57992463535d15951ebaca77d1be4217ffaf74d6</param></service></servicedata>

5
cargo_config Normal file
View File

@ -0,0 +1,5 @@
[source.crates-io]
replace-with = "vendored-sources"
[source.vendored-sources]
directory = "vendor"

1048
ima-policy Normal file

File diff suppressed because it is too large Load Diff

13
ima-policy.service Normal file
View File

@ -0,0 +1,13 @@
[Unit]
Description=Load the IMA Policy
[Service]
Type=oneshot
RemainAfterExit=yes
Environment=IMA_SECFS_POLICY=/sys/kernel/security/ima/policy
Environment=IMA_POLICY=/etc/ima/ima-policy.POST-SYSTEMD
ExecStart=bash -c '[ -f $IMA_SECFS_POLICY ] && [ -f $IMA_POLICY ] && cat $IMA_POLICY > $IMA_SECFS_POLICY'
TimeoutStartSec=0
[Install]
WantedBy=basic.target

42
keylime-agent.conf.diff Normal file
View File

@ -0,0 +1,42 @@
Index: rust-keylime-0.2.0+git.1677002906.cf6c4f0/keylime-agent.conf
===================================================================
--- rust-keylime-0.2.0+git.1677002906.cf6c4f0.orig/keylime-agent.conf
+++ rust-keylime-0.2.0+git.1677002906.cf6c4f0/keylime-agent.conf
@@ -19,13 +19,15 @@ version = "2.2"
# of 'SHA256(public EK in PEM format)'.
#
# To override, set KEYLIME_AGENT_UUID environment variable.
-uuid = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000"
+# uuid = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000"
+uuid = "generate"
# The binding IP address and port for the agent server
#
# To override ip, set KEYLIME_AGENT_IP environment variable.
# To override port, set KEYLIME_AGENT_PORT environment variable.
-ip = "127.0.0.1"
+# ip = "127.0.0.1"
+ip = "0.0.0.0"
port = 9002
# Address and port where the verifier and tenant can connect to reach the agent.
@@ -41,7 +43,8 @@ contact_port = 9002
# To override registrar_ip, set KEYLIME_AGENT_REGISTRAR_IP environment variable.
# To override registrar_port, set KEYLIME_AGENT_REGISTRAR_PORT environment
# variable.
-registrar_ip = "127.0.0.1"
+# registrar_ip = "127.0.0.1"
+registrar_ip = "<REMOTE_IP>"
registrar_port = 8890
# Enable mTLS communication between agent, verifier and tenant.
@@ -151,7 +154,8 @@ revocation_actions_dir = "/usr/libexec/k
# KEYLIME_AGENT_REVOCATION_NOTIFICATION_IP environment variable.
# To override revocation_notification_port, set
# KEYLIME_AGENT_REVOCATION_NOTIFICATION_PORT environment variable.
-revocation_notification_ip = "127.0.0.1"
+# revocation_notification_ip = "127.0.0.1"
+revocation_notification_ip = "<REMOTE_IP>"
revocation_notification_port = 8992
# The path to the certificate to verify revocation messages received from the

2
keylime-user.conf Normal file
View File

@ -0,0 +1,2 @@
# Type Name ID GECOS [HOME]
u keylime - "Keylime agent" /var/lib/keylime

10
keylime.xml Normal file
View File

@ -0,0 +1,10 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Keylime</short>
<description>Keylime is a remote attestation tool that requires access to several ports.</description>
<port protocol="tcp" port="8881"/><!-- Verifier -->
<port protocol="tcp" port="8890"/><!-- Registrar -->
<port protocol="tcp" port="8891"/><!-- Registrar TLS -->
<port protocol="tcp" port="8992"/><!-- Revocation -->
<port protocol="tcp" port="9002"/><!-- Agent -->
</service>

BIN
rust-keylime-0.2.6+13.obscpio (Stored with Git LFS) Normal file

Binary file not shown.

BIN
rust-keylime-0.2.6+13.tar.zst (Stored with Git LFS) Normal file

Binary file not shown.

BIN
rust-keylime-0.2.6~0.tar.zst (Stored with Git LFS) Normal file

Binary file not shown.

743
rust-keylime.changes Normal file
View File

@ -0,0 +1,743 @@
-------------------------------------------------------------------
Mon Sep 02 11:53:27 UTC 2024 - aplanas@suse.com
- Update vendored crates (bsc#1229952, bsc#1230029)
* rustix 0.37.25
* rustix 0.38.34
* shlex 1.3.0
- Update to version 0.2.6+13:
* Enable test functional/iak-idevid-persisted-and-protected
* build(deps): bump uuid from 1.7.0 to 1.10.0
* build(deps): bump openssl from 0.10.64 to 0.10.66
* keylime-agent/src/revocation: Fix comment indentation
* keylime/crypto: Fix indentation of documentation comment
* build(deps): bump thiserror from 1.0.59 to 1.0.63
* build(deps): bump serde_json from 1.0.116 to 1.0.120
* dependabot: Extend to also monitor workflow actions
* ci: Disable Packit CI on CentOS Stream 9
* ci: use CODECOV_TOKEN when submitting coverage data
* revocation: Use into() for unfallible transformation
* secure_mount: Fix possible infinite loop
* error: Rename enum variants to avoid clippy warning
-------------------------------------------------------------------
Fri Jun 14 07:39:29 UTC 2024 - aplanas@suse.com
- Update to version 0.2.6~0:
* Bump version to 0.2.6
* build(deps): bump libc from 0.2.153 to 0.2.155
* build(deps): bump serde from 1.0.196 to 1.0.203
* rpm/fedora: Update rust macro usage
* config: Support hostnames in registrar_ip option
* added use of persisted IAK and IDevID and authorisation values
* config changes
* Adding /agent/info API to agent
* Fix leftover 'unnecessary qualification' warnings on tests
-------------------------------------------------------------------
Thu May 16 13:40:05 UTC 2024 - aplanas@suse.com
- Update to version 0.2.5~4:
* Fix 'unnecessary qualification' warnings
* fix IAK template to match IDevID
* rpm: fix COPR RPMs build for centos-stream-10
* Build COPR RPMs for centos-stream-10
-------------------------------------------------------------------
Thu May 02 07:31:40 UTC 2024 - aplanas@suse.com
- Update to version 0.2.5~0:
* Bump version to 0.2.5
* cargo: Relax required version for pest crate
* build(deps): bump log from 0.4.20 to 0.4.21
* build(deps): bump thiserror from 1.0.56 to 1.0.59
-------------------------------------------------------------------
Tue Apr 30 07:52:30 UTC 2024 - aplanas@suse.com
- actix-web update moves rustls as feature (bsc#1223234, CVE-2024-32650)
- Update to version 0.2.4~39:
* build(deps): bump openssl from 0.10.63 to 0.10.64
* build(deps): bump h2 from 0.3.24 to 0.3.26
* build(deps): bump serde_json from 1.0.107 to 1.0.116
* build(deps): bump actix-web from 4.4.1 to 4.5.1
* crypto: Enable TLS 1.3
* build(deps): bump tempfile from 3.9.0 to 3.10.1
* build(deps): bump mio from 0.8.4 to 0.8.11
* enable hex values to be used for tpm_ownerpassword
* config: Support IPv6 with or without brackets
* keylime: Implement a simple IP parser to remove brackets
* crypto: Implement CertificateBuilder to generate certificates
* tests: Fix coverage download by supporting arbitrary URL
* cargo: Add testing feature to keylime library
* Set X509 SAN with local DNSname/IP/IPv6
* Include newest Node20 versions for Github actions
* tpm: Add unit test for uncovered public functions
* crypto: Implement ECC key generation support
* crypto: Add test for match_cert_to_template()
* Fix minor typo, format and remove end whitespaces
* crypto: Make error types less specific
* tests/run.sh: Run tarpaulin with a single thread
* payloads: Remove explicit drop of channel transmitter
* crypto: Move to keylime library
* crypto: Add specific type for every possible error
* tpm: Rename origin of error as source in structures
* list_parser: Add source for error for backtrace
* algorithms: Make errors more specific
* typo fix for default path to measured boot log file
* README: remove mentions of libarchive as a dependency
* Dockerfile.wolfi: Update clang to version 17
* docker: Remove libarchive as a dependency
* rpm: Remove libarchive from dependencies
* cargo: Replace compress-tools with zip crate
* cargo: Bump ahash to version 0.8.7
* build(deps): bump serde from 1.0.195 to 1.0.196
* build(deps): bump libc from 0.2.152 to 0.2.153
* build(deps): bump reqwest from 0.11.23 to 0.11.24
* docker: Install configuration file in the correct path
* config: Make IAK/IDevID disabled by default
-------------------------------------------------------------------
Wed Jan 31 09:22:00 UTC 2024 - aplanas@suse.com
- Update to version 0.2.4+git.1706692574.a744517:
* Bump version to 0.2.4
* build(deps): bump uuid from 1.4.1 to 1.7.0
* keylime-agent.conf: Allow setting event logs paths
* Mutable log paths: allow IMA and MBA log paths to be overridden by keylime configuration.
* workflows: Update checkout action to version 4
* build(deps): bump serde from 1.0.188 to 1.0.195
* build(deps): bump pest_derive from 2.7.0 to 2.7.6
* build(deps): bump openssl from 0.10.62 to 0.10.63
* build(deps): bump config from 0.13.3 to 0.13.4
* build(deps): bump base64 from 0.21.4 to 0.21.7
* build(deps): bump tempfile from 3.8.0 to 3.9.0
* build(deps): bump pest from 2.7.0 to 2.7.6
* build(deps): bump actix-web from 4.4.0 to 4.4.1
* build(deps): bump reqwest from 0.11.22 to 0.11.23
* build(deps): bump h2 from 0.3.17 to 0.3.24
* build(deps): bump shlex from 1.1.0 to 1.3.0
* cargo: Bump tss-esapi to version 7.4.0
* workflows: Fix keylime-bot token usage
* tpm: Add error context for every possible error
* tpm: Add AlgorithmError to TpmError
* detect idevid template from certificates
* build(deps): bump wiremock from 0.5.18 to 0.5.22
* build(deps): bump thiserror from 1.0.48 to 1.0.56
* Make use of workspace dependencies
* build(deps): bump openssl from 0.10.57 to 0.10.62
* packit: Bump Fedora version used for code coverage
-------------------------------------------------------------------
Fri Dec 01 10:04:40 UTC 2023 - aplanas@suse.com
- Update to version 0.2.3+git.1701075380.a5dc985:
* build(deps): bump actix-rt from 2.8.0 to 2.9.0
* Bump version to 0.2.3
* build(deps): bump reqwest from 0.11.20 to 0.11.22
* Bump configuration version and fix enable_iak_idevid
* Enable test functional/iak-idevid-register-with-certificates
* Update packit plan with new tests
* Add certificates and certificate checking for IDevID and IAK keys (#669)
-------------------------------------------------------------------
Fri Nov 03 15:23:05 UTC 2023 - aplanas@suse.com
- Update to version 0.2.2+git.1697658634.9c7c6fa:
* build(deps): bump rustix from 0.37.11 to 0.37.25
* build(deps): bump tempfile from 3.6.0 to 3.8.0
* build(deps): bump base64 from 0.21.0 to 0.21.4
* build(deps): bump serde_json from 1.0.96 to 1.0.107
* build(deps): bump openssl from 0.10.55 to 0.10.57
* cargo: Bump serde to version 1.0.188
* tests: Fix tarpaulin issues with dropped -v option
* build(deps): bump signal-hook from 0.3.15 to 0.3.17
* build(deps): bump actix-web from 4.3.1 to 4.4.0
* build(deps): bump thiserror from 1.0.40 to 1.0.48
* Remove private_in_public
* Initial PR to add support for IDevID and IAK
* build(deps): bump uuid from 1.3.1 to 1.4.1
* build(deps): bump log from 0.4.17 to 0.4.20
* build(deps): bump reqwest from 0.11.16 to 0.11.20
* Do not use too specific version on cargo audit workflow
* Add workflow to run cargo-audit security audit
* README: update dependencies for Debian and Ubuntu
* Use latest versions of checkout/upload-artifacts
* docker: Add 'keylime' system user
* Use "currently" for swtpm emulator warning (#632)
* Update container workflow actions versions
* Build container image and push to quay.io
* README: update requirements
-------------------------------------------------------------------
Fri Jul 14 07:31:23 UTC 2023 - aplanas@suse.com
- Update to version 0.2.2+git.1689256829.3d2b627:
* Bump version to 0.2.2
* build(deps): bump tempfile from 3.5.0 to 3.6.0
* removing SIGINT stop signals from Dockerfiles and systemd service, as well as adding SIGTERM to IMA emulator as shutdown signal
-------------------------------------------------------------------
Wed Jul 12 14:17:39 UTC 2023 - aplanas@suse.com
- Update to version 0.2.1+git.1689167094.67ce0cf:
* cargo: Bump serde to version 1.0.166
* build(deps): bump libc from 0.2.142 to 0.2.147
* adding release Dockerfiles in 3 flavours: fedora, distroless and wolfi
* hash: add more configurable hash algorithm for public key digest
* cargo: Update clap to version 4.3.11
* cargo: Bump tokio crate version to 1.28.2
* Add an example of IMA policy
* main: Gracefully shutdown on SIGTERM or SIGINT
* cargo: Bump proc-macro2 crate version
* revocation: Parse revocation actions flexibly
* crypto: Add unit tests for x509 functions
* crypto: Make internal functions private
* config: Add unit test for the list to files mapping
* config: Make trusted_client_ca to accept lists
* lib: Implement parser for lists from config file
* build(deps): bump openssl from 0.10.48 to 0.10.55
* Add secure mount sanity test to packit testing.
* [packit] Do not let COPR project expire
-------------------------------------------------------------------
Wed Jun 7 09:08:22 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
- Recommends the IMA Policy subpackage only if SELinux is configured
-------------------------------------------------------------------
Mon Jun 05 08:41:33 UTC 2023 - aplanas@suse.com
- Update to version 0.2.1+git.1685699835.3c9d17c:
* Remove MOUNT_SECURE bool
* rpm: Remove unused directory and add dependency for mount
* keylime-agent/src: update API version to 2.1 to consistent with https://github.com/keylime/keylime/blob/master/docs/rest_apis.rst
* docker/fedora/keylime_rust.Dockerfile: add the logic of cloning and compiling rust-keylime
* [tests] Update test coverage task name regexp
* [tests] Simply coverage file URL parsing
-------------------------------------------------------------------
Thu Apr 27 09:34:45 UTC 2023 - aplanas@suse.com
- Update to version 0.2.1+git.1682587333.b497f1d:
* Bump version to 0.2.1
* Cargo: Update base64 to version 0.21
* build(deps): bump enumflags2 from 0.7.5 to 0.7.7
* build(deps): bump uuid from 1.3.0 to 1.3.1
* build(deps): bump libc from 0.2.141 to 0.2.142
* keylime-agent/src/common.rs: remove VTPM and IMA stub variables
* rpm/fedora: Use vendored dependencies for all versions
* packit: Enable building RPM on Copr for fedora-all
* rpm/fedora: Fix metadata patch
* build(deps): bump serde from 1.0.159 to 1.0.160
* build(deps): bump serde_json from 1.0.95 to 1.0.96
* cargo: Drop default features from actix-web
* cargo: Drop default features from reqwest crate
* cargo: Drop default features from config crate
* build(deps): bump tempfile from 3.4.0 to 3.5.0
* build(deps): bump libc from 0.2.140 to 0.2.141
-------------------------------------------------------------------
Fri Apr 14 07:42:55 UTC 2023 - aplanas@suse.com
- Update to version 0.2.0+git.1681457715.54484b7:
* build(deps): bump h2 from 0.3.14 to 0.3.17 (CVE-2023-26964,
bsc#1210344)
* build(deps): bump reqwest from 0.11.15 to 0.11.16
-------------------------------------------------------------------
Wed Apr 12 14:52:38 UTC 2023 - aplanas@suse.com
- Update to version 0.2.0+git.1681223954.646cf61:
* Allow setting measured boot log path for testing
* build(deps): bump base64 from 0.13.1 to 0.21.0
* build(deps): bump wiremock from 0.5.14 to 0.5.18
* Build Fedora and CentOS packages on Copr using packit
* build(deps): bump serde_json from 1.0.91 to 1.0.95
* build(deps): bump actix-rt from 2.7.0 to 2.8.0
* build(deps): bump base64 from 0.13.1 to 0.21.0
* build(deps): bump serde from 1.0.147 to 1.0.159
* build(deps): bump glob from 0.3.0 to 0.3.1
* Add missing test from keylime testsuite to e2e plan
* Fix typo in name of test for generating coverage
* build(deps): bump thiserror from 1.0.38 to 1.0.40
* build(deps): bump base64 from 0.13.1 to 0.21.0
* build(deps): bump actix-web from 4.2.1 to 4.3.1
* build(deps): bump serde from 1.0.145 to 1.0.147
* build(deps): bump libc from 0.2.139 to 0.2.140
* build(deps): bump futures from 0.3.25 to 0.3.27
* build(deps): bump reqwest from 0.11.12 to 0.11.15
* build(deps): bump config from 0.13.2 to 0.13.3
* build(deps): bump openssl from 0.10.45 to 0.10.48
* build(deps): bump tokio from 1.24.2 to 1.26.0
* Cargo: Update tempfile to 3.4.0 version
-------------------------------------------------------------------
Wed Mar 15 16:46:28 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
- Add keylime-ima-policy subpackage to provide a better IMA policy
-------------------------------------------------------------------
Thu Mar 02 15:12:27 UTC 2023 - aplanas@suse.com
- Update to version 0.2.0+git.1677691779.f7edd9a:
* Disable e2e on Rawhide due to RHBZ#2171376
* Change number of required uploaded files
* Coverage for rust agent as github action.
* config: Skip validation of keylime_dir during tests
-------------------------------------------------------------------
Thu Mar 2 15:11:47 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
- Create the certificiate directory
-------------------------------------------------------------------
Wed Feb 22 09:07:12 UTC 2023 - aplanas@suse.com
- Update to version 0.2.0+git.1677002906.cf6c4f0:
* Bump version to 0.2.0
* packit: Remove workaround for Fedora BZ#2158598
* ima-emulator: Implement graceful shutdown
* Update tss-esapi in Cargo.toml
* packit: Re-enable tests on Fedora Rawhide
* Deprecate `with-zmq` and `legacy-python-actions` features
-------------------------------------------------------------------
Thu Feb 16 12:51:38 UTC 2023 - aplanas@suse.com
- Drop zmq from the feature set
- Remove already merged patches:
* 0001-keylime-agent-remove-const_err-deny.patch
* 0001-Cargo.toml-tss-esapi-bindings.patch
- Update to version 0.1.0+git.1676549716.5382ed9:
* Cargo: Update clap minimum version to 3.2
* Cargo: Update uuid minimum version to 1.3
* Cargo: Update tokio minimum version to 1.24 and reduce features
* build(deps): bump tss-esapi from 7.1.0 to 7.2.0
* cargo deb: include shim.py in packaging
* build(deps): bump thiserror from 1.0.36 to 1.0.38
* keylime-agent.conf: Add comments on how to override options
* config: Fix overriding options with env vars
* Add missing e2e tests and reordering tests based on alphabetical order
* e2e tests: Fix test name
* Store associated U keys, auth tags, and payloads together
* Refactor ZeroMQ revocation listener to not block
* keylime-agent: Gracefully shutdown on SIGINT
* Refactor async code for keys and payloads
* main: Move payload related functions to payloads module
* main: Run ZeroMQ service in a separate task
* Remove unused option "openstack" for obtaining uuid
* algorithms: fix typo
* clippy: fix uninlined_format_args warnings
* clippy: fix needless_borrow warnings
* crypto, mTLS: allow certificate chain for trusted_client_ca
* build(deps): bump base64 from 0.13.0 to 0.13.1
* build(deps): bump serde_json from 1.0.85 to 1.0.91
* build(deps): bump libc from 0.2.133 to 0.2.139
* build(deps): bump bumpalo from 3.11.0 to 3.12.0
* build(deps): bump futures from 0.3.24 to 0.3.25
* Cargo.toml: tss-esapi bindings
* packit-ci: Disable Rawhide due to agent compilation issues
* packit-ci: Add hotfix for tpm2-tss Fedora BZ#2158598
* keylime-agent: remove const_err deny
* build(deps): bump tokio from 1.23.0 to 1.24.2
-------------------------------------------------------------------
Mon Jan 16 14:02:08 UTC 2023 - aplanas@suse.com
- Update to version 0.1.0+git.1672681780.762cec8:
* build(deps): bump openssl from 0.10.41 to 0.10.45
* build(deps): bump tokio from 1.21.1 to 1.23.0
* Disable dnf-makecache.service to save RAM
* CI tests: Do not remove Fedora tag repository
* add support for cargo deb
* Pacify clippy::needless-borrow
* Move tpm.rs from keylime-agent to the library
* Split crates into library and applications
- Add 0001-keylime-agent-remove-const_err-deny.patch
- Fix "cargo install" with workspaces
https://github.com/rust-lang/cargo/issues/7599
- Add 0001-Cargo.toml-tss-esapi-bindings.patch
-------------------------------------------------------------------
Fri Dec 09 13:10:40 UTC 2022 - aplanas@suse.com
- Update to version 0.1.0+git.1670590616.e80c67a:
* main: only read uuid from KeylimeConfig
* Enabling more e2e tests in Packit CI
* systemd: start agent after network is online
* Cargo: Drop unused dependencies rust-ini and toml
-------------------------------------------------------------------
Tue Oct 25 08:16:33 UTC 2022 - aplanas@suse.com
- Add cargo-audit service per policy
- Update to version 0.1.0+git.1666019359.f5de47b:
* README: mark Rust agent as the official one, fix cargo run command
-------------------------------------------------------------------
Wed Oct 12 07:51:22 UTC 2022 - aplanas@suse.com
- Drop bindgen.patch as is already upstream
- Update to version 0.1.0+git.1664480840.0ea0492:
* Increase unit testing
* Test all features with cargo tarpaulin
* Cargo.toml: tss-esapi bindings
-------------------------------------------------------------------
Mon Sep 26 14:15:04 UTC 2022 - aplanas@suse.com
- Rebase bindgen.patch and upstream the change
- Rebase keylime-agent.conf.diff
- Store the configuration file in /usr/etc/keylime/agent.conf
- Fix keylime user creation
- Drop webapp service port in firewall XML service file
- Update to version 0.1.0+git.1663769444.6318234:
* Update comments in the configuration file
* config: Align config locations with the python components
* config: Add configuration file version
* config: Add back support for KEYLIME_DIR env var
* Change configuration format to TOML
* Add support for using passphrase protected key
* Do not try to load TPM data generated by another TPM
* Allow using existing key and certificate
* Remove the agent TPM data from the config struct
* Rename the configuration options
* Use password to generate EK when provided
* Add tpm_ownerpassword option to keylime.conf
* Add cargo audit to CI static tests
* Add agent and faked_measured_boot_log tests context
* Appease clippy
-------------------------------------------------------------------
Wed Aug 10 13:39:08 UTC 2022 - aplanas@suse.com
- Update to version 0.1.0+git.1659977521.0186093:
* Fix display of mb measurement file path
* Add more helpful error when config file is not found
* Fix small comment about implementing TPM ownership
* main: die when cannot drop privileges
* keylime.conf: add run_as section
* Use Rust agent-specific config in Makefile
* Fix typo in listen_notifications option in keylime.conf
* tpm: Support pre-existing EK
* Set swtpm context which is later used for test filtering
* Add GitLeaks configuration to ignore RSA key used for testing
* Handle whitespace in keylime.conf
- Rename keylime.conf.diff to keylime-agent.conf.diff
- Drop 0001-main-die-when-cannot-drop-privileges.patch, as is already
merged upstream
- Add bindgen.patch to add more architectures
-------------------------------------------------------------------
Tue Jul 12 09:20:39 UTC 2022 - aplanas@suse.com
- Update to version 0.1.0+git.1657303637.5b9072a:
* keys_handler: Use scopes to drop mutexes before await
* Enable usage of Rust IMA emulator in E2E tests.
* ima_emulator: Support PCR hash algorithms other than SHA-1
* ima_entry: add IMA entry parser ported from Python Keylime
* algorithms: Add conversion between our hash algorithms and OpenSSL's
* Remove unused functions revocation_ip_get and revocation_port_get. Change String to &str.
* Adjust function usage comments to account for new parameters.
* Load config file less at startup in src/common.rs
* GNUmakefile: Make target dependencies explicit
* permissions: Set supplementary groups when dropping privileges
* main: Use more descriptive message for missing files error
* Show path when fail to load the certificate
* tpm: Add serialization functions for structures in quotes
- Requires tpm2.0-abrmd dependency, as the kernel resource manager
could be not enough
- Downgrade /var/run/keylime permissions
- Set "run_as" parameter to "keylime:tss"
- Create the keylime user via systemd
- Fix keylime service home directory
- Add 0001-main-die-when-cannot-drop-privileges.patch to avoid the
execution as root when the run_as user is missing in the system
-------------------------------------------------------------------
Wed Jun 22 08:45:20 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
- Update to version 0.1.0+git.1655384301.b834667:
* Update fmf plans to run test with IMA policy
* .github/dependabot.yml: prevent updates that require manifest change
- Add logrotate configuration for the agent service
- Requires libtss2-tcti-device0 to interact with the real device
- Drop legacy Python subpackage and feature
- Move conflicts into the Python version
-------------------------------------------------------------------
Wed Jun 15 09:52:48 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
- Drop CFSSL port from the keylime.xml firewalld rules
-------------------------------------------------------------------
Tue Jun 14 11:05:01 UTC 2022 - aplanas@suse.com
- Update to version 0.1.0+git.1655143451.7c4121e:
* Add dependabot for automatic dependency updates
* config: remove unused options
* persist AK, NK and mTLS certificate to disk
* Update tokio minimum version
* Adjust CI test name according to keylime-tests PR#125
* Make wiremock an optional dependency
* Drop unused dependency flate2
* Drop unused dependency rustc-serialize
* Update clap dependency to 3.1.18
* add support for "hash_ek" UUID creation
* tpm: add and use EKResult struct as return value for create_ek(..)
* replace custom marshall functions with the offical one
* update to tss-esapi 7.1.0
* quotes_handler: Rewind measured boot log file
* Add test /functional/measured-boot-swtpm-sanity to Packit CI plan
* OpenSSL on deb family is now libssl-dev
-------------------------------------------------------------------
Tue May 24 14:10:38 UTC 2022 - aplanas@suse.com
- Update to version 0.1.0+git.1653314004.ceda2ec:
* Skip serialization of optional fields
* Make support for legacy python revocation actions optional
* main: Do not try to load CA cert if mTLS is disabled
* CI: Add packit to run end-to-end tests
* GNUmakefile: Install shim.py
* Add service for secure mount
* secure_mount: Do not try to give ownership to root
* secure_mount: Rewrite check_mount()
* main: Ignore original ownership when unzipping files
* Drop privileges to run as normal user and group
* main: Mount secure mount before dropping the privileges
* main: Open files that require privilege at the beginning
* quotes_handler: Fix measured boot list encoding
* Fix typo in config_get()
* Add option to disable mTLS
* Update actix-web to 4, remove tokio 0.2 dependencies
* crypto: Add helper function to convert public key to PEM string
* Add ansasaki as maintainer
-------------------------------------------------------------------
Wed Apr 13 09:54:42 UTC 2022 - aplanas@suse.com
- Update to version 0.1.0+git.1649449492.59856c2:
* errors_handler: Add handler for 404 error
* errors_handler: Add tests for error handlers
* main: Add handler for actix request parsing errors
* main: Add default handlers for each scope
* main: Use actix middleware to log requests
* common: Change status code type from u32 to u16
* common: Use trait ToString for status on JsonWrapper::error
* quotes_handler: Add used measured boot path to warning message
* common: Rename JsonWrapper::new as JsonWrapper::success
* Generalize error JSON wrapping
* main: Use scopes to organize API
* Use JSON wrapper on error responses
* quotes_handler: Simplify integrity quote structures
* quotes_handler: Improve query parameters parsing
* quotes_handler: Add missing log messages
* keys_handler: Add API to verify derived key
* keys_handler: Remove workaround for missing JSON Content-Type
* keys_handler: Fix test for 256-bits keys
* Use shared JSON wrapper for HTTP responses
* ima: Avoid using unwrap() or panic!()
* Apply changes suggested by cargo fmt and cargo clippy
* ima: Read IMA measurement list begining at n-th entry.
* ima: Get ima_ml_entry from HTTP request
* version_handler: Introduce /version REST endpoint (#313)
* main: Do not error if payload_script is not found
* Remove revocation actions naming restriction
* Revert API version to 2.0
* Set working directory via KEYLIME_DIR env variable
-------------------------------------------------------------------
Fri Mar 4 16:02:57 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
- Add work_dir directory in /var/lib/keylime
- Add subpackage rust-keylime-python to execute revocation payload in Python
-------------------------------------------------------------------
Tue Mar 01 14:21:35 UTC 2022 - aplanas@suse.com
- Update to version 0.1.0+git.1645537954.2f1447d:
* Make zmq an optional dependency
* notifications_handler: Introduce /notifications/revocation REST endpoint
* revocation: Move out revocation message processing
* revocation: Make get_revocation_cert_path() public
* Install systemd unit file
-------------------------------------------------------------------
Tue Feb 22 12:34:16 UTC 2022 - aplanas@suse.com
- Update to version 0.1.0+git.1645023877.811a869:
* Make clippy happy.
* Add a --help message.
* Depend on Rust-TSS-ESAPI 7.0.0 stable
* main: Return error on initialization if python shim is missing
* common: Add hardcoded config defaults for revocation
* main: Add execution permissions to revocation actions
* revocation: Log revocation actions output
* revocation: Fix get_revocation_cert_path() comment
* gitignore: Add filters for some temporary files
* revocation: Do not ignore revocation actions from config
* revocation: Implement python actions support
* tests: Implement proof-of-concept python shim
* revocation: Implement lookup_action() function
* common: Add revocation actions configurations
* revocation: Enforce local action naming restriction
* revocation: Remove duplicate logger initialization
* crypto: unfiy import_x509 and load_x509
* update Cargo.lock
* common: update API version to v2.0
* tpm: drop zlib compression in quotes
* run agent webserver with mTLS enabled and add mtls_cert to registrar
* crypto: load and generate X509 certificates, mTLS context generation
* keylime.conf: add setting for Keylime CA
* Bump tss-esapi crate to 7.0.0-beta.1
* Update to fix typo
* Use Path and PathBuf consistently to represent paths
* Bump versions of some dependencies
* quotes_handler: Check quotes in tests
* tpm: Remove hard-coded struct sizes with std::mem::size_of
* tpm: Let compiler to infer arch-dependent integer types
* Use CString as the first argument of libc::chown
* keys_handler: Add API to get public key (#284)
* crypto: Fix algorithms used for revocation signature (#275)
* revocation: Use revocation certificate set by configuration (#300)
* common: Add revocation_cert to the global configuration structure
* ima_emulator: Fix running hash calculation on resumption
* keys_handler: Add test with encrypted payload
* main: Use condition variable to wait for payload encryption key
* main: Use Option to represent a combined key
* main: Redefine KeySet as a vector
* keys_handler, main: Move crypto operations to crypto module
* keys_handler: Make use of type safe payload deserialization
* Remove unused imports
* Remove duplicate CODEOWNERS file
* Remove panic when running rev action
* move global configuration into a single struct
* Add codeowners
-------------------------------------------------------------------
Mon Jan 10 13:06:42 UTC 2022 - aplanas@suse.com
- Update to version 0.1.0+git.1641587454.1248597:
* quotes_handler: send TPM2 event log for measured boot
* serialization: move serialization into separate module
* try to load AK from disk instead of always creating a new one
* update Cargo.lock file
* make hash, encryption and signing algorithm configurable
* tpm: remove get_sig_scheme(..) function
* hash: rename to algorithms and implement tss conversions
* cmd_exec: remove cmd_exec module
* secure_mount: fix mount of tmpfs for secure directory
* common: change default WORK_DIR to /var/lib/keylime
* tpm: remove special handling for PCR10
-------------------------------------------------------------------
Mon Dec 13 15:53:39 UTC 2021 - aplanas@suse.com
- Update to version 0.1.0+git.1639176416.fc90088:
* Code refactor to use updated tss-esapi
- Drop add_property_tag_variant_for_maxcapbuffer.patch, included in
the upstream crate
-------------------------------------------------------------------
Wed Nov 24 13:48:07 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
- Conflict with keylime-agent, keylime-config and keylime-firewalld
- Add keylime_ima_emulator tool
- Add patch add_property_tag_variant_for_maxcapbuffer.patch
-------------------------------------------------------------------
Fri Nov 19 13:02:48 UTC 2021 - aplanas@suse.com
- Update to version 0.1.0+git.1637095429.d5a3191:
* Run Fedora tests on unified Keylime test container
* ima_emulator: Print error message when TCTI envvar is not set
* Add keylime_ima_emulator executable for testing
* Fix 0mq problem
* ci: Check unit test coverage with cargo tarpaulin (#216)
* config: merge with Python keylime.conf and remove unused entries
* Add support for contact ip and port
* common: move get env or from config into sperate function
* keys_handler: Add unit tests
* quotes_handler: Add unit tests (#265)
* Fix bugs that occur after a delete and re-add from the tenant
* Retain the main loop running after payload execution (#249)
* keys_handler: verify HMAC in constant-time (#248)
* build: Adjust package dependencies to compile in Fedora (#245)
* Generate Cargo.lock file
* Add Ueno as a maintainer and set codeowners
* Fix clippy errors, update to newest TSS-ESAPI
- Drop generate-cargo-lock-file.patch (already in upstream)
-------------------------------------------------------------------
Mon Aug 16 14:23:13 UTC 2021 - aplanas@suse.com
- Update to version 0.1.0+git.1629114992.890e8c9:
* Add "v1.0" prefix to agent APIs
- Update generate-cargo-lock-file.patch
-------------------------------------------------------------------
Wed Jul 28 08:56:33 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
- Add generate-cargo-lock-file.patch to fix the build system in OBS
- Add keylime.conf.diff to adjust the default config file
- Adjust build requirements
- Add firewalld XML rules
- Add systemd keylime_agent.service
- Fix license tag
-------------------------------------------------------------------
Thu Jul 22 09:20:38 UTC 2021 - aplanas@suse.com
- Update to version 0.0.1+git.1626706730.a009476:
* libarchive-devel is needed to build on Fedora
* Accept sets of U and V keys; use new Key types
* Output mask info
* Fix for race condition bug
* Do not resend pubkey to CV after attestation
* Run payload script from a shell
* Write out data and run payload
* Decrypt payload after key handlers find symm key
* Add handler for U and V keys
* Add helper functions for handling U and V keys
* Some TPM fixes for IMA PCR validation
* Do not flush AK context as this causes an error
* Fix bug in revocation service
* Drop references to vmask
* Better documentation of consts
* Do not fail if EK cert is not present in TPM NV
* Add more verbose logging to better match Python agent
* Remove verify stub as we are not using it
* tests: Don't pass --allow-signing to swtpm_setup
* Fix typos
* Add dependency for libzmq3-dev / zeromq-devel
* Fix new clippy lints
* Add handling for Identity and Integrity quotes
* Add Quote functionality
* Add marshaling functions for TPM structs
-------------------------------------------------------------------
Tue Jun 08 11:59:11 UTC 2021 - aplanas@suse.com
- Update to version 0.0.1+git.1620935374.4df2148:
* Add function to read PCR mask
* Small fixes in TPM functions
* Send quote data to actixweb handlers
-------------------------------------------------------------------
Tue May 04 12:23:18 UTC 2021 - aplanas@suse.com
- Update to version 0.0.1+git.1618949271.f609525:
* Add more TPM helper functions
* Use PKeys consistently
* Rebase on tss-esapi 5.0
* Pass a PKeyRef to asym_verify
* Use #[[from] from thiserror
* Fix uppercase acronyms
* Add testing feature
* Remove port bindings for agent
* More verbose TPM and revocation error, verbose success
* Fix docker networking

4
rust-keylime.obsinfo Normal file
View File

@ -0,0 +1,4 @@
name: rust-keylime
version: 0.2.6+13
mtime: 1724838345
commit: 57992463535d15951ebaca77d1be4217ffaf74d6

152
rust-keylime.spec Normal file
View File

@ -0,0 +1,152 @@
#
# spec file for package rust-keylime
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%global rustflags '-Clink-arg=-Wl,-z,relro,-z,now'
# Consolidate _distconfdir and _sysconfdir
%if 0%{?_distconfdir:1}
%define _config_norepl %{nil}
%else
%define _distconfdir %{_sysconfdir}
%define _config_norepl %config(noreplace)
%endif
Name: rust-keylime
Version: 0.2.6+13
Release: 0
Summary: Rust implementation of the keylime agent
License: (Apache-2.0 OR MIT) AND BSD-3-Clause AND (Apache-2.0 OR MIT) AND Unicode-DFS-2016 AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR ISC OR MIT) AND (Apache-2.0 OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR MIT OR Zlib) AND (MIT OR Unlicense) AND (Apache-2.0 OR Zlib OR MIT) AND Apache-2.0 AND Apache-2.0 WITH LLVM-exception AND BSD-3-Clause AND ISC AND MIT
URL: https://github.com/keylime/rust-keylime
Source: rust-keylime-%{version}.tar.zst
Source1: vendor.tar.xz
Source2: cargo_config
Source3: keylime.xml
Source4: keylime-user.conf
Source5: tmpfiles.keylime
Source6: ima-policy
Source7: ima-policy.service
Source8: README.suse
# PATCH-FIX-OPENSUSE keylime-agent.conf.diff
Patch1: keylime-agent.conf.diff
BuildRequires: cargo-packaging
BuildRequires: clang
BuildRequires: firewall-macros
BuildRequires: libarchive-devel
BuildRequires: rust
BuildRequires: sysuser-tools
BuildRequires: tpm2-0-tss-devel
Requires: libtss2-tcti-device0
Requires: logrotate
Requires: tpm2.0-abrmd
Recommends: (keylime-ima-policy if selinux-policy-targeted)
Provides: user(keylime)
%sysusers_requires
# Disable this line if you wish to support all platforms. In most
# situations, you will likely only target tier1 arches for user facing
# components.
# ExclusiveArch: %_{rust_tier1_arches}
%description
Rust implementation of keylime agent. Keylime is system integrity
monitoring system.
%package -n keylime-ima-policy
Summary: IMA policy for Keylime agent
%description -n keylime-ima-policy
Subpackage of %{name} to provide an suggested IMA policy for Keylime agent
%prep
%autosetup -a1 -p1
mkdir .cargo
install -D -m 644 %{SOURCE2} .cargo/config
%build
%{cargo_build} --no-default-features
%sysusers_generate_pre %{SOURCE4} keylime keylime-user.conf
%install
# If https://github.com/Firstyear/cargo-packaging/pull/3 gets merged,
# replace it with:
#
# #{cargo_install -p keylime-agent} --no-default-features --features "with-zmq"
# #{cargo_install -p keylime-ima-emulator}
install -Dpm 0755 %{_builddir}/%{name}-%{version}/target/release/keylime_agent %{buildroot}%{_bindir}/keylime_agent
install -Dpm 0755 %{_builddir}/%{name}-%{version}/target/release/keylime_ima_emulator %{buildroot}%{_bindir}/keylime_ima_emulator
install -Dpm 0600 keylime-agent.conf %{buildroot}%{_distconfdir}/keylime/agent.conf
install -Dpm 0644 ./dist/systemd/system/keylime_agent.service %{buildroot}%{_unitdir}/keylime_agent.service
install -Dpm 0644 ./dist/systemd/system/var-lib-keylime-secure.mount %{buildroot}%{_unitdir}/var-lib-keylime-secure.mount
install -Dpm 0644 %{SOURCE3} %{buildroot}%{_prefix}/lib/firewalld/services/keylime.xml
install -Dpm 0644 %{SOURCE4} %{buildroot}%{_sysusersdir}/keylime-user.conf
install -Dpm 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/keylime.conf
install -d %{buildroot}%{_localstatedir}/log/keylime
install -d %{buildroot}%{_libexecdir}/keylime
# Create work directory and the certificate directory
mkdir -p %{buildroot}%{_sharedstatedir}/keylime/cv_ca
install -Dpm 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/ima/ima-policy
install -Dpm 0644 %{SOURCE7} %{buildroot}%{_unitdir}/ima-policy.service
# %_check
# %_{cargo_test}
%pre -f keylime.pre
%service_add_pre keylime_agent.service
%service_add_pre var-lib-keylime-secure.mount
%post
%firewalld_reload
%tmpfiles_create keylime.conf
%service_add_post keylime_agent.service
%service_add_post var-lib-keylime-secure.mount
%preun
%service_del_preun keylime_agent.service
%service_del_preun var-lib-keylime-secure.mount
%postun
%service_del_postun keylime_agent.service
%service_del_postun var-lib-keylime-secure.mount
%files
%doc README.md
%license LICENSE
%{_bindir}/keylime_agent
%{_bindir}/keylime_ima_emulator
%dir %attr(0700,keylime,tss) %{_distconfdir}/keylime
%_config_norepl %attr(0600,keylime,tss) %{_distconfdir}/keylime/agent.conf
%{_unitdir}/keylime_agent.service
%{_unitdir}/var-lib-keylime-secure.mount
%dir %{_prefix}/lib/firewalld
%dir %{_prefix}/lib/firewalld/services
%{_prefix}/lib/firewalld/services/keylime.xml
%{_sysusersdir}/keylime-user.conf
%{_tmpfilesdir}/keylime.conf
%dir %attr(0750,keylime,tss) %{_localstatedir}/log/keylime
%dir %attr(0750,keylime,tss) %{_libexecdir}/keylime
%dir %attr(0700,keylime,tss) %{_sharedstatedir}/keylime
%dir %attr(0700,keylime,tss) %{_sharedstatedir}/keylime/cv_ca
%files -n keylime-ima-policy
%dir %attr(0750,root,root) %{_sysconfdir}/ima
%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/ima/ima-policy
%{_unitdir}/ima-policy.service
%changelog

1
tmpfiles.keylime Normal file
View File

@ -0,0 +1 @@
d /run/keylime 0700 keylime tss

BIN
vendor.tar.xz (Stored with Git LFS) Normal file

Binary file not shown.