Stephen Smalley wrote:
Sounds reasonable. libselinux would presumably fetch the context of the interpreter/helper via getfilecon(), then call security_compute_create() to see if there is a default transition defined for the interpreter/helper, and if not, then explicitly setexeccon() to rpm_script_t. Might want to also pass the result of the signature verify as a further input in selecting the desired domain.
Do you want just the result, or do you want the {plaintext,signature,pubkey} triple?
I suppose a simple container struct with both could be arranged, something like
    struct {
        int verifiedreturncode; /* 0 == OK, 1 == notfound(unused), 2 == verifyfail, 3 == nottrusted, 4 == nokey */
        byte * plaintext;
        size_t plaintextlen;
        enum pktencodingtype encoding; /* OpenPGP, X.509, whatever */
        byte * signature;
        size_t signaturelen;
        byte * pubkey;
        size_t pubkeylen;
    };
starts to permit reasonably paranoid libselinux extensions into the land of signature verification.
Yes, there are a slew of issues involving algorithms and parsing and more that selinux perhaps does not want to bite into quite yet.
73 de Jeff
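The flow Stephen sketches above (getfilecon() on the interpreter/helper, security_compute_create() to look for a default transition, setexeccon() to rpm_script_t as the fallback, with the verify result as a further input), as an added C example that is not code from this thread, from rpm or from libselinux. The libselinux calls are taken through function pointers so the decision logic runs against constructed fakes without a loaded policy; the process-class value, the context strings, the fake transition rule and the refuse-unless-OK gating are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Verify-result codes, matching verifiedreturncode in the struct sketched in the mail. */
enum { VERIFY_OK = 0, VERIFY_NOTFOUND, VERIFY_FAIL, VERIFY_NOTTRUSTED, VERIFY_NOKEY };
/* libselinux entry points by pointer; signatures match getcon(3), getfilecon(3), security_compute_create(3), setexeccon(3). */
struct selinux_ops {
    int (*getcon)(char **con);
    int (*getfilecon)(const char *path, char **con);
    int (*compute_create)(const char *scon, const char *tcon, unsigned short tclass, char **newcon);
    int (*setexeccon)(const char *con);
};
/* Use a policy-defined transition for the helper if one exists, else force script_con.
 * Assumption (not from the mail): any verify result other than VERIFY_OK refuses to run.
 * Returns 1 (policy transition used), 0 (script_con forced), -1 (refused or error). */
int select_script_domain(const struct selinux_ops *ops, const char *helper, int verifyrc,
                         unsigned short process_class, const char *script_con, char *out, size_t outlen)
{
    char *scon = NULL, *tcon = NULL, *newcon = NULL;
    const char *chosen;
    int rc = -1;
    if (verifyrc != VERIFY_OK) return -1;
    if (ops->getcon(&scon) < 0 || ops->getfilecon(helper, &tcon) < 0 ||
        ops->compute_create(scon, tcon, process_class, &newcon) < 0) goto done;
    /* Computed context equal to the caller's own means no type_transition rule applies. */
    chosen = strcmp(newcon, scon) == 0 ? script_con : newcon;
    if (ops->setexeccon(chosen) < 0) goto done;
    snprintf(out, outlen, "%s", chosen);
    rc = (chosen == newcon);
done:
    free(scon); free(tcon); free(newcon);
    return rc;
}

/* Constructed fakes standing in for a loaded policy (test fixture, not libselinux). */
static int fake_getcon(char **c) { *c = strdup("system_u:system_r:rpm_t:s0"); return 0; }
static int fake_getfilecon(const char *p, char **c) {
    *c = strdup(strstr(p, "helper") ? "system_u:object_r:rpm_helper_exec_t:s0" : "system_u:object_r:bin_t:s0");
    return 0;
}
static int fake_compute(const char *s, const char *t, unsigned short cls, char **n) {
    (void)cls; /* one hypothetical rule: rpm_t executing rpm_helper_exec_t -> rpm_helper_t */
    *n = strdup(strstr(t, "rpm_helper_exec_t") ? "system_u:system_r:rpm_helper_t:s0" : s);
    return 0;
}
static int fake_setexeccon(const char *c) { (void)c; return 0; }
/* Wrapper over the fakes; process class 2 and the rpm_script_t context string are constructed values. */
int demo(const char *helper, int verifyrc, char *out, size_t outlen) {
    static const struct selinux_ops fake = { fake_getcon, fake_getfilecon, fake_compute, fake_setexeccon };
    return select_script_domain(&fake, helper, verifyrc, 2, "system_u:system_r:rpm_script_t:s0", out, outlen);
}
```

To use it for real, bind the four pointers to the libselinux functions of the same signature and obtain the class with string_to_security_class("process").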