
[RFC PATCH 1/3] Define a new debhelper dh_installfile-sigs and postinst autoscript



This patch defines a debhelper program, dh_installfile-sigs, and an
autoscript, postinst-file-sigs, which install the ELF file and script
signatures stored in the sha256sums file.
---
 autoscripts/postinst-file-sigs | 17 ++++++++++++++++
 dh                             |  1 +
 dh_installfile-sigs            | 46 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 64 insertions(+)
 create mode 100644 autoscripts/postinst-file-sigs
 create mode 100755 dh_installfile-sigs

diff --git a/autoscripts/postinst-file-sigs b/autoscripts/postinst-file-sigs
new file mode 100644
index 0000000..8430d0b
--- /dev/null
+++ b/autoscripts/postinst-file-sigs
@@ -0,0 +1,17 @@
+file=$(dpkg-query --control-path #PACKAGE# sha256sums)
+if [ "$1" = "configure" ]; then
+	if [ -e "${file}" ]; then
+		while read -r line; do
+			fn=$(echo "${line}" | awk '{print $2}')
+			sig=$(echo "${line}" | awk '{print $3}')
+			if [ ! -n "$sig" ]; then
+				continue;
+			fi
+
+			file --brief $fn | grep -e 'ELF' -e 'script' > /dev/null
+			if [ $? -eq 0 ]; then
+				setfattr -n 'security.ima' -v 0x$sig $fn
+			fi
+		done < "${file}"
+	fi
+fi
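Review bot: `$fn` and `$sig` are expanded unquoted in `file --brief $fn` and `setfattr -n 'security.ima' -v 0x$sig $fn`, and both come from whitespace-splitting each line with awk, so a path containing a space is truncated and a fragment of it is written as the xattr value. Quote the expansions (`file --brief "$fn"`, `setfattr -n security.ima -v "0x$sig" "$fn"`) and skip entries whose signature is not pure hex, e.g. `case "$sig" in *[!0-9a-fA-F]*) continue;; esac`. The bare pipeline followed by `if [ $? -eq 0 ]` is also fragile: if the enclosing maintainer script runs under `set -e` (not visible in this hunk), the first file that is neither ELF nor a script makes `grep` return non-zero and ends the postinst, so test the pipeline directly with `if file --brief "$fn" | grep -q -e ELF -e script; then`. The same applies to a `setfattr` failure on a filesystem without xattr support, so it is worth deciding explicitly whether that should be fatal or only reported.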
diff --git a/dh b/dh
index f3bd321..4f80f75 100755
--- a/dh
+++ b/dh
@@ -373,6 +373,7 @@ my @i = qw{
 	dh_installifupdown
 	dh_installinfo
 	dh_installinit
+	dh_installfile-sigs
 	dh_installmenu
 	dh_installmime
 	dh_installmodules
diff --git a/dh_installfile-sigs b/dh_installfile-sigs
new file mode 100755
index 0000000..200932d
--- /dev/null
+++ b/dh_installfile-sigs
@@ -0,0 +1,46 @@
+#!/usr/bin/perl -w
+
+=head1 NAME
+
+dh_installfile-sigs - install file signatures in the DEBIAN/sha256sums file as xattrs
+
+=cut
+
+use strict;
+use Cwd;
+use Debian::Debhelper::Dh_Lib;
+
+=head1 SYNOPSIS
+
+B<dh_installfile-sigs>
+
+=head1 DESCRIPTION
+
+B<dh_installfile-sigs> is a debhelper program that is responsible for automatically
+generating the F<postinst> commands needed to install file signatures contained in
+the F<DEBIAN/sha256sums> file.  These commands are inserted into the maintainer
+scripts by L<dh_installdeb(1)>.
+
+=cut
+
+init();
+
+foreach my $package (@{$dh{DOPACKAGES}}) {
+
+	if (! $dh{NOSCRIPTS}) {
+		autoscript($package,"postinst","postinst-file-sigs","s!#PACKAGE#!$package!g");
+	}
+}
+
+
+=head1 SEE ALSO
+
+L<debhelper(7)>
+
+This program is a part of debhelper.
+
+=head1 AUTHOR
+
+Mimi Zohar <zohar@linux.vnet.ibm.com>
+
+=cut
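Review bot: The loop calls `autoscript` for every package in `$dh{DOPACKAGES}` without checking that the package carries any signatures, and with the `dh` sequence entry added in this patch every dh-built package would get the postinst snippet. That snippet runs `file` and `setfattr` at install time, yet nothing here declares a dependency on the packages that provide them; something like `addsubstvar($package, "misc:Depends", "attr");` (and likewise for `file`) next to the `autoscript` call would cover it. `use Cwd;` is not used anywhere in the script and can be dropped. The DESCRIPTION should also say that the generated postinst writes `security.ima` extended attributes as root, taking the values from the package's `sha256sums` control file.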
-- 
1.8.1.4

