auto importing rpm gpg public keys from keyserver

Andrea Arcangeli andrea at suse.de
Thu Jun 15 14:04:22 PDT 2006


On Thu, Jun 15, 2006 at 04:44:46PM -0400, Jeff Johnson wrote:
> Ah, sounds like giving up the ability to do most syscalls. I'll take  
> a look.

Great!

One other important thing I didn't mention is to close all file
descriptors that point to potentially sensitive contents, before firing on
seccomp and starting to parse the untrusted data. The only way to
communicate with the rest of the world will be with the file descriptors
that are still open at the time seccomp has been enabled.

> Still, rpm is used on non-linux too, so marrying *.rpm reads to some
> exotic linux functionality is perhaps unattainable. My current

Yes, this is a valid concern, but backwards compatibility is possible:
if the /proc/pid/seccomp file doesn't exist you should go the usual, less
secure way. This is valid for linux as well; seccomp is a kernel option,
it can be disabled at compile time.

> thoughts are  to use xml or yaml as an import/export markup within
> *.rpm packages. The markup parser is easier to retrofit sanity checks
> upon than binary integers  in arrays, and the markup parse isn't
> necessarily much slower than the byte  swapping and string skipping
> currently done by headerLoad().

It's up to you.

> Well if write(2) is still enabled ... but I'll take a look, thanks  
> for the ptr.

Yep, write is enabled, it's not a one-way communication. When seccomp is
fired on everything gets frozen and you're left with what was mapped in
memory and with the fds open at the time of the freeze. Before firing up
seccomp you can also mmap xshm regions or framebuffer, and still access
the hardware or paint stuff etc... It can be used in a lot of ways. The
only major downside is that it's practically usable only from C/C++.

/* kernel/seccomp.c: the only syscalls a task in seccomp mode 1 may still make */
static int mode1_syscalls[] = {
	__NR_seccomp_read, __NR_seccomp_write, __NR_seccomp_exit, __NR_seccomp_sigreturn,
	0, /* null terminated */
};


if you want to close your shell try: echo 1 >/proc/self/seccomp

> grep vsflags /usr/lib/rpm/macros

it's set to 0xf0000 here.

>>> hex(0xf0000 & rpm._RPMVSF_NOSIGNATURES)
'0xc0000'

It seems _RPMVSF_NOSIGNATURES is set, but I know signatures are enabled
by default in smart with my patch applied because I get to the pop-up
windows.

> Turning ts.setVSFlags() into a noop is the only way I can think of to  
> achieve "mandatory".

But how do I run this without it? I think the package manager
should know better and not mess with disabling the signature checking
by default. I understand doing that in a young project like smart
because my patch isn't applied yet (to reduce the pain in testing), but
with my patch applied there's really no point to keep them off,
especially given it's so easy to remove the gpg keys from rpm db with
rpm -e gpg-pubkey-....

import rpm

def get_rpm_public_key(filepath):
    # Read the header only: signature checking is skipped here on purpose,
    # because the point is to learn which key id still has to be imported.
    ts = rpm.ts()
    ts.setVSFlags(rpm._RPMVSF_NOSIGNATURES)
    with open(filepath, 'rb') as f:
        hdr = ts.hdrFromFdno(f.fileno())
    # Whichever signature tag is present, the :pgpsig format ends with the
    # key id, so the last whitespace-separated token is what we want.
    return hdr.sprintf("%|DSAHEADER?{%{DSAHEADER:pgpsig}}:"
                       "{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:"
                       "{%|SIGGPG?{%{SIGGPG:pgpsig}}:"
                       "{%|SIGPGP?{%{SIGPGP:pgpsig}}:"
                       "{(none)}|}|}|}|").split()[-1]
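The fork-and-freeze pattern Andrea describes (close the sensitive fds, enable seccomp, parse the untrusted bytes, report back over the one surviving pipe), as an added example that is not code from this mail or from smart/rpm. It assumes Linux and uses the later prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) interface in place of the 2006 /proc/self/seccomp knob; the index format and its inputs are constructed, and parse_index, parse_in_sandbox and the demo_* functions are hypothetical names.

```c
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
/* Constructed rpm-like index: u32 count, then count x u32 offset. Returns how many
 * offsets land inside the buffer, or -1 if the data is truncated. */
static int32_t parse_index(const uint8_t *d, uint32_t len)
{
    uint32_t n, off, i;
    int32_t ok = 0;
    if (len < 4) return -1;
    memcpy(&n, d, 4);
    if (n > (len - 4) / 4) return -1;       /* count claims more entries than exist */
    for (i = 0; i < n; i++) {
        memcpy(&off, d + 4 + 4 * i, 4);
        if (off < len) ok++;                /* out-of-range offsets are dropped */
    }
    return ok;
}
/* Parse in a child that closes every other fd, enters strict seccomp if the kernel allows
 * (else falls back, as the mail suggests) and replies over one pipe. Past prctl() only
 * read/write/exit/sigreturn remain, so exit via the raw syscall: _exit() would use exit_group. */
int32_t parse_in_sandbox(const uint8_t *data, uint32_t len, int *sandboxed)
{
    int pfd[2], st, fd;
    int32_t m[2] = { -1, 0 };               /* m[0] = result, m[1] = 1 if seccomp engaged */
    if (pipe(pfd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(pfd[0]); close(pfd[1]); return -1; }
    if (pid == 0) {
        for (fd = (int)sysconf(_SC_OPEN_MAX) - 1; fd >= 0; fd--)
            if (fd != pfd[1]) close(fd);    /* nothing sensitive stays reachable */
        m[1] = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) == 0;
        m[0] = parse_index(data, len);      /* pure computation: no syscalls from here */
        ssize_t w = write(pfd[1], m, sizeof m); (void)w;
        syscall(SYS_exit, 0);
    }
    close(pfd[1]);
    if (read(pfd[0], m, sizeof m) != (ssize_t)sizeof m) m[0] = -1; /* child was killed */
    close(pfd[0]);
    waitpid(pid, &st, 0);
    if (sandboxed) *sandboxed = m[1];
    return m[0];
}
/* Constructed inputs: offsets 0, 100, 8 (two in range); a header claiming 10 entries in 8 bytes. */
int32_t demo_valid(void) { uint32_t b[4] = { 3, 0, 100, 8 }; return parse_in_sandbox((uint8_t *)b, 16, NULL); }
int32_t demo_truncated(void) { uint32_t b[2] = { 10, 0 }; return parse_in_sandbox((uint8_t *)b, 8, NULL); }
```

Log the value returned through the sandboxed pointer: a 0 means the kernel refused strict mode (no seccomp, or a filter already in place) and the parse ran unconfined, which is exactly the "less secure way" fallback above.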
