- Bug
- Resolution: Done
- Critical
- rhel-9.3.0
- Critical
- ZStream
- rhel-sst-security-special-projects
- ssg_security
- Dev ack
- False
- Yes
- Approved Blocker
- Release Note Not Required
- In Progress
Reported upstream as https://github.com/keylime/keylime/issues/1466
What were you trying to do that didn't work?
The current script create_runtime_policy.sh uses shaXXXsum functions to compute file digests. However, this script may add `\` before the digest in some cases.

$ echo foo > ba
r
$ sha256sum ba
r
\b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c  ba\nr
This is intentional, see e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1882187
When trying to use such a policy I am getting errors like the following:

2023-09-14 03:10:43.085 - keylime.tenant - ERROR - Response code 400: Runtime policy is malformatted: '\ac9e9eb8981bcf841e1b6341e4d470c1d1dba396a16f6221840cb358b974d815' does not match '^[0-9a-f]{40,128}$'
Either keylime should accept and strip `\` before the digest (I would suggest) or the keylime tools should be updated not to add this prefix (either using the `--zero` option for sha256sum or by other means).
Please provide the package NVR for which the bug is seen:
keylime 7.3.0-9.el9_3
How reproducible:
always
Steps to reproduce
- create a file having a newline in its filename and generate a keylime policy for it
- register a system to a verifier using the created policy
Expected results
no error
Actual results
runtime policy is refused due to being malformed
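The escaping behaviour this report is about, as an added example that is not part of the report and not keylime's own code: a small Python parser for default shaXXXsum output that strips the leading `\` and undoes the `\n` / `\\` escaping coreutils applies to file names, beside a parser for the NUL-terminated `--zero` form, which never escapes names. The digest pattern is the one quoted in the verifier's error message above; the sample output lines, the file name `plain`, and the helper names are constructed for this example and are assumptions, not values from the report.

```python
import hashlib
import re

# Digest pattern quoted in the verifier's error message in this report.
DIGEST_RE = re.compile(r"^[0-9a-f]{40,128}$")

# Constructed sample: the sha256 of "foo\n", i.e. the content that `echo foo > ...` writes.
FOO_DIGEST = hashlib.sha256(b"foo\n").hexdigest()

# Constructed sample of sha256sum's default (newline-terminated) output.
# The first file's name contains a newline, so coreutils prefixes the whole
# line with "\" and writes the newline inside the name as the two characters "\n".
SAMPLE_TEXT = (
    "\\" + FOO_DIGEST + "  ba\\nr\n"
    + FOO_DIGEST + "  plain\n"
)

# Constructed sample of the same two files under `sha256sum --zero`:
# NUL-terminated records, no "\" prefix, and the name is written unescaped.
SAMPLE_ZERO = (
    FOO_DIGEST + "  ba\nr\0"
    + FOO_DIGEST + "  plain\0"
).encode()


def naive_digest(line: str) -> str:
    """What a script gets if it just takes the first whitespace-separated field."""
    return line.split()[0]


def unescape_name(name: str) -> str:
    """Undo coreutils file-name escaping: '\\n' -> newline, '\\\\' -> backslash."""
    out = []
    i = 0
    while i < len(name):
        if name[i] == "\\" and i + 1 < len(name) and name[i + 1] in "n\\":
            out.append("\n" if name[i + 1] == "n" else "\\")
            i += 2
        else:
            out.append(name[i])
            i += 1
    return "".join(out)


def split_record(rec: str) -> tuple[str, str]:
    """Split one record into (digest, name).

    Text mode separates the two with two spaces, binary mode with " *".
    """
    for sep in ("  ", " *"):
        digest, found, name = rec.partition(sep)
        if found:
            return digest, name
    raise ValueError(f"unparseable shaXXXsum record: {rec!r}")


def parse_shasum_text(output: str) -> list[tuple[str, str]]:
    """Parse default shaXXXsum output, stripping the escape prefix when present."""
    entries = []
    for line in output.split("\n"):
        if not line:
            continue
        escaped = line.startswith("\\")
        digest, name = split_record(line[1:] if escaped else line)
        entries.append((digest, unescape_name(name) if escaped else name))
    return entries


def parse_shasum_zero(output: bytes) -> list[tuple[str, str]]:
    """Parse `shaXXXsum --zero` output: NUL-terminated, names never escaped."""
    entries = []
    for rec in output.split(b"\0"):
        if rec:
            entries.append(split_record(rec.decode("utf-8", "surrogateescape")))
    return entries


def validate_policy_digests(entries):
    """Return the entries whose digest the verifier's pattern would reject."""
    return [(d, n) for d, n in entries if not DIGEST_RE.match(d)]


if __name__ == "__main__":
    first = SAMPLE_TEXT.split("\n")[0]
    print("naive field:", naive_digest(first),
          "accepted:", DIGEST_RE.match(naive_digest(first)) is not None)
    for digest, name in parse_shasum_text(SAMPLE_TEXT):
        print(digest, repr(name), "accepted:", DIGEST_RE.match(digest) is not None)
    print("--zero and default output agree:",
          parse_shasum_text(SAMPLE_TEXT) == parse_shasum_zero(SAMPLE_ZERO))
```

Running it shows the failure mode from the report: the naive first-field split returns `\b5bb...`, which the `^[0-9a-f]{40,128}$` pattern rejects, while both parsers yield the bare digest and the real file name. Generating the policy from `--zero` output sidesteps the escaping entirely, which is why the report suggests it; the text-mode parser covers policies that have already been produced without it.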