Ignore EPERM when setting IMA signature xattr

This lets installations succeed even if the ima plugin happens to be installed in a container, where IMA isn't supported. We don't know it failure was because of a container so this is far from ideal, but failing an install just because some package dragged in the ima plugin as a dependency is worse. Counter-intuitively, the test verifies that the IMA xattr didn't get installed because that's the expected result, when inside a container. Fixes: rpm-software-management#3234
pmatilai · Jan 10, 2025 · ecb7d4a · ecb7d4a
1 parent 34efe10
commit ecb7d4a
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/plugins/ima.c b/plugins/ima.c
@@ -71,7 +71,7 @@ static rpmRC ima_fsm_file_prepare(rpmPlugin plugin, rpmfi fi, int fd,
 	    else
 		xx = lsetxattr(path, XATTR_NAME_IMA, fsig, len, 0);
 	    if (xx < 0) {
-		int is_err = errno != EOPNOTSUPP;
+		int is_err = (errno != EOPNOTSUPP && errno != EPERM);
 
 	        rpmlog(is_err?RPMLOG_ERR:RPMLOG_DEBUG,
 			"ima: could not apply signature on '%s': %s\n",

diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
@@ -1889,6 +1889,17 @@ rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" /tmp/hello-1.0-1.src.rpm
 hello-1.0.tar.gz:(none)
 ],
 [])
+
+# Test that installing an ima signed package works.
+# The catch is, in a container like this we actually skip setting security.ima
+RPMTEST_CHECK([
+runroot rpm -U /data/RPMS/imatest-1.0-1.fc34.noarch.rpm
+runroot_other getfattr --absolute-names -m security.ima /usr/share/example1
+],
+[0],
+[],
+[])
+
 RPMTEST_CLEANUP