Security Hooks for rpm
In order to implement the functionality needed by the MSM security plug-in, rpm itself needs a set of security hooks at key points of the installation process. These hooks should be generic enough to satisfy the needs of any security plug-in for rpm, whether it is based on a Linux LSM (SELinux, Smack, Tomoyo, etc.) or on a run-time integrity verification system such as IMA/EVM.
There are currently 12 hooks in rpm.
This hook should be used by the security plug-in to initialize itself and its data. It is called before package installation begins and is a good place to read the internal policy files or any other metadata the plug-in might use.
This hook is called after the installation of the package has finished (successfully or not) and should be used by the plug-in to free any allocated memory and finish its execution.
This hook is called before the rpm transaction begins and allows the plug-in to perform pre-checks on the group of packages to be installed. Currently this hook isn't used in the MSM plug-in, but it can be useful for other security plug-ins.
This hook is called after the rpm transaction has finished. It allows the security plug-in to perform any post-transaction checks or additional processing. This hook isn't currently used by the MSM plug-in.
This hook is called before the installation of a single package begins. If the rpm transaction contains multiple packages, this hook is called for each package separately. Through this hook the rpm security plug-in can access the metadata the package carries, such as the package header and the information embedded in it. For the MSM security plug-in this is the main hook: here the security manifest is parsed and the decision on package installation is made.
This hook is called after the installation of a single package. If the rpm transaction contains multiple packages, this hook is called for each package separately. The MSM security plug-in uses this hook to perform the final checks on the package and to label the installed files on the filesystem.
This hook is called before any maintainer script is executed and receives the full set of command line parameters for the script. It is the responsibility of the hook to execute the script and return its exit status. A security plug-in should use this hook to set up a proper security context for the script execution. The current MSM plug-in implementation doesn't change the default security context while executing maintainer scripts.
This is the first of the three file hooks that a security plug-in needs in order to process each file from the package. In the MSM plug-in it is used to initialise the cryptographic hash that is computed for each file from the package.
This is the second of the file hooks. In MSM it is used to update the cryptographic hash with the file content.
The last file hook allows the plug-in to finish the file processing and is used in MSM to finalise the cryptographic hash value.
The main purpose of this hook is to give a security plug-in the ability to perform its own independent (and potentially stricter) control over package verification. It also allows the plug-in to store information about the package source in its internal metadata (which can be more strictly controlled) in order to enforce its own policies. In the MSM security plug-in this hook is used to verify the SW source of the package using its internal database of trusted keys. The primary reason for having a separate database is the ability to strictly control the software keys and not mix them with other keys that might be on the system's keyring. In Tizen OS there is a plan to use a separate Certificate Manager in the future to store and manage the system code certificates.
rpmRC SECURITYHOOK_FILE_CONFLICT_FUNC(rpmts ts, rpmte te, rpmfi fi, Header oldHeader, rpmfi oldFi, int rpmrc)
This hook can be used by plug-ins to enforce stricter control over cases where files already on disk would be overwritten by a newly installed package. Basic rpm doesn't allow this by default, but it has an option ("--replacefiles") that permits such overwriting. From the security point of view, however, it should not be possible to substitute system binaries or components with files from a package that comes from an untrusted source. This hook gives the plug-in a way to monitor such cases and deny the installation.
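The decision logic such a file-conflict hook would apply, as an added, self-contained example that is not the MSM plug-in's code: librpm's rpmts/rpmte/rpmfi arguments are reduced to the conflicting path and the package's signing-key fingerprint, the `rpmrc` argument becomes rpm's own verdict, and the trusted-source table and protected path prefixes are constructed placeholders for the plug-in's internal database and policy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Stand-in for librpm's rpmRC; values assumed to follow rpm's enum (OK = 0, FAIL = 2). */
typedef enum { HOOK_RC_OK = 0, HOOK_RC_FAIL = 2 } hook_rc;

/* Constructed stand-in for the plug-in's internal trusted-source database
 * (made-up fingerprints, not real signing keys). */
static const char *const trusted_sources[] = {
    "FP-CONSTRUCTED-VENDOR-0001",
    "FP-CONSTRUCTED-VENDOR-0002",
};

/* Path prefixes treated as system components (assumed policy, not rpm's). */
static const char *const protected_prefixes[] = {
    "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/etc/",
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))
static bool source_is_trusted(const char *fingerprint)
{
    if (fingerprint == NULL)
        return false;               /* unsigned or unverifiable: never trusted */
    for (size_t i = 0; i < COUNT(trusted_sources); i++)
        if (strcmp(trusted_sources[i], fingerprint) == 0)
            return true;
    return false;
}

static bool path_is_protected(const char *path)
{
    for (size_t i = 0; i < COUNT(protected_prefixes); i++)
        if (strncmp(path, protected_prefixes[i], strlen(protected_prefixes[i])) == 0)
            return true;
    return false;
}

/* Verdict a FILE_CONFLICT hook returns. rpm_verdict is what rpm itself decided
 * (HOOK_RC_OK when --replacefiles let the overwrite through); the hook may only
 * tighten that verdict, never loosen it. */
hook_rc file_conflict_decision(const char *path, const char *source_fp, hook_rc rpm_verdict)
{
    if (rpm_verdict != HOOK_RC_OK)
        return rpm_verdict;         /* rpm already refused the overwrite */
    if (path_is_protected(path) && !source_is_trusted(source_fp))
        return HOOK_RC_FAIL;        /* untrusted source may not replace a system file */
    return HOOK_RC_OK;              /* non-system file, or trusted source */
}
```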