Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable hardening options in the build #3445

Merged
merged 5 commits into from
Nov 14, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -421,8 +421,8 @@ if (ENABLE_ASAN OR ENABLE_UBSAN)
add_compile_options(-fno-omit-frame-pointer)
endif()

# try to ensure some compiler sanity
foreach (flag -fno-strict-overflow -fno-delete-null-pointer-checks)
# try to ensure some compiler sanity and hardening options where supported
foreach (flag -fno-strict-overflow -fno-delete-null-pointer-checks -fhardened)
check_c_compiler_flag(${flag} found)
if (found)
add_compile_options(${flag})
Expand Down
6 changes: 4 additions & 2 deletions lib/fsm.cc
Original file line number Diff line number Diff line change
Expand Up @@ -474,13 +474,15 @@ static void removeSBITS(int dirfd, const char *path)
struct stat stb;
int flags = AT_SYMLINK_NOFOLLOW;
if (fstatat(dirfd, path, &stb, flags) == 0 && S_ISREG(stb.st_mode)) {
/* XXX TODO: actually check for the rc, but what to do there? */
int rc = 0;
/* We now know it's not a link so no need to worry about following */
if ((stb.st_mode & 06000) != 0) {
(void) fchmodat(dirfd, path, stb.st_mode & 0777, 0);
rc += fchmodat(dirfd, path, stb.st_mode & 0777, 0);
}
#ifdef WITH_CAP
if (stb.st_mode & (S_IXUSR|S_IXGRP|S_IXOTH)) {
(void) cap_set_fileat(dirfd, path, NULL);
rc += cap_set_fileat(dirfd, path, NULL);
}
#endif
}
Expand Down
2 changes: 1 addition & 1 deletion lib/keystore.cc
Original file line number Diff line number Diff line change
Expand Up @@ -164,7 +164,7 @@ static int acquire_write_lock(rpmtxn txn)
goto exit;
}

if ((fd = open(lockpath, O_WRONLY|O_CREAT)) == -1) {
if ((fd = open(lockpath, O_WRONLY|O_CREAT, 644)) == -1) {
rpmlog(RPMLOG_ERR, _("Can't create writelock for keyring at %s: %s\n"), keyringpath, strerror(errno));
} else if (flock(fd, LOCK_EX|LOCK_NB)) {
rpmlog(RPMLOG_ERR, _("Can't acquire writelock for keyring at %s\n"), keyringpath);
Expand Down
14 changes: 12 additions & 2 deletions plugins/audit.c
Original file line number Diff line number Diff line change
@@ -1,8 +1,10 @@
#include "system.h"

#include <errno.h>
#include <stdlib.h>
#include <libaudit.h>

#include <rpm/rpmlog.h>
#include <rpm/rpmstring.h>
#include <rpm/rpmts.h>
#include <rpm/rpmplugin.h>
Expand Down Expand Up @@ -82,8 +84,16 @@ static rpmRC audit_tsm_post(rpmPlugin plugin, rpmts ts, int res)
rasprintf(&eventTxt,
"op=%s %s sw_type=rpm key_enforce=%u gpg_res=%u %s",
op, nevra, enforce, verified, dir);
audit_log_user_comm_message(auditFd, AUDIT_SOFTWARE_UPDATE,
eventTxt, NULL, NULL, NULL, NULL, result);

if (audit_log_user_comm_message(auditFd, AUDIT_SOFTWARE_UPDATE,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe this deserves a TODO comment, like the one in removeSBITS(), just so we can grep for these (in theory) in the future.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Figured it's actually just as easy to do the right thing and make it a warning, just filter out the message you get when auditd isn't running, similarly to what we do in systemd_inhibit and dbus_announce.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh neat, seems like the innocent nitpick turned into something more useful 😄

Copy link
Member Author

@pmatilai pmatilai Nov 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup. This is the kind of stuff that happens when you just want something quickly out of the way and instead of stopping to think for a second (because this is not the thing you're interested just now) you think to work around it somehow. And then later realize doing the right thing would've been at least as simple 🤦 😄

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, having someone else stop you in the tracks, if just for a second, unlocks your hidden potential sometimes 😄

eventTxt, NULL, NULL, NULL, NULL, result) <= 0)
{
/* Filter out noise from containers and other novelties */
int ignore = (errno == ECONNREFUSED || errno == EPERM);
rpmlog(ignore ? RPMLOG_DEBUG : RPMLOG_WARNING,
_("logging an audit message failed: %s\n"),
strerror(errno));
}
free(nevra);
free(eventTxt);
}
Expand Down
1 change: 1 addition & 0 deletions tests/Dockerfile.fedora
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,7 @@ RUN chmod -R a-w .

WORKDIR /srv/build
ENV CFLAGS="-Og -g"
ENV CXXFLAGS="-Og -g"
RUN cmake \
-DENABLE_WERROR=ON \
-DENABLE_ASAN=ON \
Expand Down
Loading