RHEL-3713

keylime refuses to use a runtime policy with digests prefixed with `\`

    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • rhel-9.4
    • rhel-9.3.0
    • keylime
    • ZStream
    • rhel-sst-security-special-projects
    • ssg_security
    • Dev ack
    • Approved Blocker
    • Release Note Not Required
      .Keylime refuses runtime policies whose digests start with a backslash

      The current script for generating runtime policies, `create_runtime_policy.sh`, uses SHA checksum tools, for example `sha256sum`, to compute file digests. However, when an input file name contains a backslash or a newline, the checksum tool escapes the name and prefixes the whole output line with a backslash, so the digest field no longer starts with a hexadecimal character. In such cases, the generated policy file is malformed. When given the malformed policy file, the Keylime tenant produces the following or a similar error message: `keylime.tenant - ERROR - Response code 400: Runtime policy is malformatted`. To work around the problem, remove the leading backslash from the affected lines of the policy file manually by entering the following command: `sed -i 's/^\\//g' <malformed_file_name>`.
    • In Progress

      Reported upstream as https://github.com/keylime/keylime/issues/1466

      What were you trying to do that didn't work?

      The current script create_runtime_policy.sh uses shaXXXsum functions to compute file digests. However, this script may add `\` before the digest in some cases.

          $ echo foo > "ba
          r"
          $ sha256sum "ba
          r"
          \b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c  ba\nr
       
      This is intentional, see e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1882187

      When trying to use such a policy I am getting similar errors:

          2023-09-14 03:10:43.085 - keylime.tenant - ERROR - Response code 400: Runtime policy is malformatted: '\ac9e9eb8981bcf841e1b6341e4d470c1d1dba396a16f6221840cb358b974d815' does not match '^[0-9a-f]{40,128}$'

      Either keylime should accept and strip `\` before the digest (I would suggest) or keylime tools should be updated not to add this prefix (either using the `--zero` option for sha256sum or by other means).

      Please provide the package NVR for which bug is seen:

      keylime 7.3.0-9.el9_3

      How reproducible:

      always

      Steps to reproduce

      1. create a file having `\n` in its filename and generate a keylime policy for it.
      2. register a system to a verifier using the created policy

      Expected results

      no error

      Actual results

      runtime policy is refused due to being malformed
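The two ways out of this that the report and the release note above describe (accept and strip the leading `\`, or generate the list with `sha256sum --zero` so no escaping happens) both come down to parsing checksum-tool output correctly. The following is an added example, not code from keylime or from `create_runtime_policy.sh`: a parser for `sha256sum`/`sha512sum` lines that handles the backslash-prefixed escaped form (`\n` for newline, `\\` for backslash; decoding `\r` as well is an assumption about newer coreutils), a parser for the NUL-terminated `--zero` form, and a check against the digest pattern quoted in the tenant's error message. The sample lines and the NUL-separated byte string are constructed for the example; the digest is the SHA-256 of `foo\n` shown in the report.

```python
import re

# Pattern quoted in the keylime tenant error above: 40 to 128 lowercase hex chars.
KEYLIME_DIGEST_RE = re.compile(r"^[0-9a-f]{40,128}$")

# SHA-256 of "foo\n", as printed by sha256sum in the report.
FOO_DIGEST = "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c"

# Constructed sample output of `sha256sum` (not captured from a real host):
# a plain name, a name containing a newline, and a name containing a backslash.
SAMPLE_LINES = [
    f"{FOO_DIGEST}  /usr/bin/foo",
    f"\\{FOO_DIGEST}  ba\\nr",
    f"\\{FOO_DIGEST}  back\\\\slash",
]

# Constructed sample output of `sha256sum --zero` for the same two odd names:
# records end with NUL and the names are written raw, with no escaping.
SAMPLE_ZERO = (
    f"{FOO_DIGEST}  ba\nr\0".encode() + f"{FOO_DIGEST}  back\\slash\0".encode()
)


def unescape_checksum_name(escaped):
    """Undo GNU coreutils file-name escaping used by the sha*sum tools.

    Known escapes: \\n for newline and \\\\ for backslash. Decoding \\r as a
    carriage return is an assumption about newer coreutils versions.
    """
    out, i = [], 0
    while i < len(escaped):
        ch = escaped[i]
        if ch == "\\" and i + 1 < len(escaped):
            nxt = escaped[i + 1]
            if nxt == "n":
                out.append("\n")
            elif nxt == "r":
                out.append("\r")
            elif nxt == "\\":
                out.append("\\")
            else:
                raise ValueError(f"unknown escape \\{nxt} in {escaped!r}")
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def parse_checksum_line(line):
    """Parse one `shaXXXsum` output line into (digest, path).

    A leading backslash marks the escaped form: strip it from the digest
    field and decode the escapes in the name.
    """
    line = line.rstrip("\n")
    escaped = line.startswith("\\")
    if escaped:
        line = line[1:]
    digest, sep, rest = line.partition(" ")
    # The separator is two characters: "  " (text mode) or " *" (binary mode).
    if not sep or rest[:1] not in (" ", "*"):
        raise ValueError(f"malformed checksum line: {line!r}")
    name = rest[1:]
    if escaped:
        name = unescape_checksum_name(name)
    if not KEYLIME_DIGEST_RE.match(digest):
        raise ValueError(f"digest {digest!r} is not 40-128 hex chars")
    return digest, name


def parse_zero_output(data):
    """Parse `shaXXXsum --zero` output: NUL-terminated records, no escaping."""
    return [
        parse_checksum_line(rec.decode("utf-8", "surrogateescape"))
        for rec in data.split(b"\0")
        if rec
    ]


def naive_digest_accepted(line):
    """What a script that takes the first whitespace-separated token as the
    digest would hand to keylime; False means the verifier rejects the line
    exactly as reported in this issue."""
    return KEYLIME_DIGEST_RE.match(line.split(" ", 1)[0]) is not None


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(naive_digest_accepted(line), parse_checksum_line(line))
    print(parse_zero_output(SAMPLE_ZERO))
```

Running the block shows that the naive first-token approach accepts only the plain line, while the escape-aware parser recovers the same digest and the real file name from all three, and that the `--zero` records need no unescaping at all.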

      People: Sergio Correia (scorreia@redhat.com), Karel Srot (ksrot@redhat.com), SSG Security QE, Jan Fiala

      Votes: 0
      Watchers: 7