-rw-r--r--src/libimcv/plugins/imv_os/imv_os_database.c21
-rw-r--r--src/libpts/plugins/imv_attestation/attest.c4
-rw-r--r--src/libpts/plugins/imv_attestation/attest_db.c51
-rw-r--r--src/libpts/plugins/imv_attestation/attest_db.h4
4 files changed, 49 insertions, 31 deletions
diff --git a/src/libimcv/plugins/imv_os/imv_os_database.c b/src/libimcv/plugins/imv_os/imv_os_database.c
index a4cc015ec..3cdbebfbb 100644
--- a/src/libimcv/plugins/imv_os/imv_os_database.c
+++ b/src/libimcv/plugins/imv_os/imv_os_database.c
@@ -46,8 +46,7 @@ METHOD(imv_os_database_t, check_packages, status_t,
char *product, *package, *release, *cur_release;
chunk_t name, version;
os_type_t os_type;
- os_package_state_t package_state;
- int pid, gid;
+ int pid, gid, security, blacklist;
int count = 0, count_ok = 0, count_no_match = 0, count_blacklist = 0;
enumerator_t *e;
status_t status = SUCCESS;
@@ -110,9 +109,9 @@ METHOD(imv_os_database_t, check_packages, status_t,
/* Enumerate over all acceptable versions */
e = this->db->query(this->db,
- "SELECT release, security FROM versions "
+ "SELECT release, security, blacklist FROM versions "
"WHERE product = ? AND package = ?",
- DB_INT, pid, DB_INT, gid, DB_TEXT, DB_INT);
+ DB_INT, pid, DB_INT, gid, DB_TEXT, DB_INT, DB_INT);
if (!e)
{
free(package);
@@ -122,7 +121,7 @@ METHOD(imv_os_database_t, check_packages, status_t,
found = FALSE;
match = FALSE;
- while (e->enumerate(e, &cur_release, &package_state))
+ while (e->enumerate(e, &cur_release, &security, &blacklist))
{
found = TRUE;
if (streq(release, cur_release) || streq("*", cur_release))
@@ -137,17 +136,18 @@ METHOD(imv_os_database_t, check_packages, status_t,
{
if (match)
{
- if (package_state == OS_PACKAGE_STATE_BLACKLIST)
+ if (blacklist)
{
DBG2(DBG_IMV, "package '%s' (%s) is blacklisted",
package, release);
count_blacklist++;
- state->add_bad_package(state, package, package_state);
+ state->add_bad_package(state, package,
+ OS_PACKAGE_STATE_BLACKLIST);
}
else
{
- DBG2(DBG_IMV, "package '%s' (%s)%N is ok", package, release,
- os_package_state_names, package_state);
+ DBG2(DBG_IMV, "package '%s' (%s)%s is ok", package, release,
+ security ? " [s]" : "");
count_ok++;
}
}
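Review bot: The ` [s]` suffix added to the "is ok" DBG2 line at the end of the hunk is a new log marker that nothing explains; a reader of the IMV log cannot tell that it means the accepted version has a non-zero `security` column. A one-line comment above the DBG2, `/* " [s]" marks an accepted version whose security flag is set in the versions table */`, would document it. check_packages begins and ends outside this hunk.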
@@ -155,7 +155,8 @@ METHOD(imv_os_database_t, check_packages, status_t,
{
DBG1(DBG_IMV, "package '%s' (%s) no match", package, release);
count_no_match++;
- state->add_bad_package(state, package, package_state);
+ state->add_bad_package(state, package,
+ OS_PACKAGE_STATE_SECURITY);
}
}
else
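Review bot: The no-match branch at the end of the hunk now reports every unmatched package as OS_PACKAGE_STATE_SECURITY, independent of the `security` and `blacklist` values just fetched for that package, and the hunk does not say that this is the intended policy. If an installed version that is absent from the acceptable list is meant to count as a security issue, record it with a comment such as `/* a version not listed as acceptable is reported as a security issue */`; otherwise the state passed to add_bad_package should be derived from the fetched flags, the way list_packages in attest_db.c does in this same commit. check_packages begins and ends outside this hunk.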
diff --git a/src/libpts/plugins/imv_attestation/attest.c b/src/libpts/plugins/imv_attestation/attest.c
index 031883ab1..6cefb2124 100644
--- a/src/libpts/plugins/imv_attestation/attest.c
+++ b/src/libpts/plugins/imv_attestation/attest.c
@@ -250,7 +250,7 @@ static void do_args(int argc, char *argv[])
continue;
}
case 'B':
- attest->set_security(attest, OS_PACKAGE_STATE_BLACKLIST);
+ attest->set_package_state(attest, OS_PACKAGE_STATE_BLACKLIST);
continue;
case 'C':
if (!attest->set_component(attest, optarg, op == OP_ADD))
@@ -330,7 +330,7 @@ static void do_args(int argc, char *argv[])
}
continue;
case 'Y':
- attest->set_security(attest, OS_PACKAGE_STATE_SECURITY);
+ attest->set_package_state(attest, OS_PACKAGE_STATE_SECURITY);
continue;
case '1':
attest->set_algo(attest, PTS_MEAS_ALGO_SHA1);
diff --git a/src/libpts/plugins/imv_attestation/attest_db.c b/src/libpts/plugins/imv_attestation/attest_db.c
index 3bbf499a2..749ba2544 100644
--- a/src/libpts/plugins/imv_attestation/attest_db.c
+++ b/src/libpts/plugins/imv_attestation/attest_db.c
@@ -144,9 +144,9 @@ struct private_attest_db_t {
bool utc;
/**
- * Package security state
+ * Package security or blacklist state
*/
- os_package_state_t security;
+ os_package_state_t package_state;
/**
* Sequence number for ordering entries
@@ -733,10 +733,10 @@ METHOD(attest_db_t, set_relative, void,
this->relative = TRUE;
}
-METHOD(attest_db_t, set_security, void,
- private_attest_db_t *this, os_package_state_t security)
+METHOD(attest_db_t, set_package_state, void,
+ private_attest_db_t *this, os_package_state_t package_state)
{
- this->security = security;
+ this->package_state = package_state;
}
METHOD(attest_db_t, set_sequence, void,
@@ -1018,20 +1018,23 @@ METHOD(attest_db_t, list_packages, void,
{
enumerator_t *e;
char *package, *version;
- os_package_state_t security;
- int gid, gid_old = 0, spaces, count = 0, t;
+ os_package_state_t package_state;
+ int blacklist, security, gid, gid_old = 0, spaces, count = 0, t;
time_t timestamp;
if (this->pid)
{
e = this->db->query(this->db,
- "SELECT p.id, p.name, v.release, v.security, v.time "
+ "SELECT p.id, p.name, "
+ "v.release, v.security, v.blacklist, v.time "
"FROM packages AS p JOIN versions AS v ON v.package = p.id "
"WHERE v.product = ? ORDER BY p.name, v.release",
- DB_INT, this->pid, DB_INT, DB_TEXT, DB_TEXT, DB_INT, DB_INT);
+ DB_INT, this->pid,
+ DB_INT, DB_TEXT, DB_TEXT, DB_INT, DB_INT, DB_INT);
if (e)
{
- while (e->enumerate(e, &gid, &package, &version, &security, &t))
+ while (e->enumerate(e, &gid, &package,
+ &version, &security, &blacklist, &t))
{
if (gid != gid_old)
{
@@ -1047,8 +1050,17 @@ METHOD(attest_db_t, list_packages, void,
}
}
timestamp = t;
+ if (blacklist)
+ {
+ package_state = OS_PACKAGE_STATE_BLACKLIST;
+ }
+ else
+ {
+ package_state = security ? OS_PACKAGE_STATE_SECURITY :
+ OS_PACKAGE_STATE_UPDATE;
+ }
printf(" %T (%s)%N\n", &timestamp, this->utc, version,
- os_package_state_names, security);
+ os_package_state_names, package_state);
count++;
}
e->destroy(e);
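Review bot: The new if/else block that folds `security` and `blacklist` into `package_state` encodes a precedence rule (blacklist wins over the security flag) that is not stated, and the inverse mapping is written by hand again in add() later in this file, so the two can drift apart. A comment on the if, `/* blacklist takes precedence over the security flag */`, would record the rule; keeping both directions in one static helper pair would be the stronger fix. list_packages begins and ends outside this hunk.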
@@ -1794,17 +1806,22 @@ METHOD(attest_db_t, add, bool,
if (this->version_set && this->gid && this->pid)
{
time_t t = time(NULL);
+ int security, blacklist;
+
+ security = this->package_state == OS_PACKAGE_STATE_SECURITY;
+ blacklist = this->package_state == OS_PACKAGE_STATE_BLACKLIST;
success = this->db->execute(this->db, NULL,
"INSERT INTO versions "
- "(package, product, release, security, time) "
- "VALUES (?, ?, ?, ?, ?)",
- DB_UINT, this->gid, DB_UINT, this->pid, DB_TEXT,
- this->version, DB_UINT, this->security, DB_INT, t) == 1;
+ "(package, product, release, security, blacklist, time) "
+ "VALUES (?, ?, ?, ?, ?, ?)",
+ DB_UINT, this->gid, DB_INT, this->pid, DB_TEXT,
+ this->version, DB_INT, security, DB_INT, blacklist,
+ DB_INT, t) == 1;
printf("'%s' package %s (%s)%N %sinserted into database\n",
this->product, this->package, this->version,
- os_package_state_names, this->security,
+ os_package_state_names, this->package_state,
success ? "" : "could not be ");
}
return success;
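Review bot: In the rewritten bind list `this->gid` is bound as DB_UINT while `this->pid` on the same line is now DB_INT; the two ids are used symmetrically in the INSERT and should use one type, and list_packages earlier in this file binds pid with DB_INT. The two new locals could also be declared with their initializers, `int security = this->package_state == OS_PACKAGE_STATE_SECURITY;` and `int blacklist = this->package_state == OS_PACKAGE_STATE_BLACKLIST;`, which removes the separate declaration and blank line. add begins outside this hunk.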
@@ -1982,7 +1999,7 @@ attest_db_t *attest_db_create(char *uri)
.set_version = _set_version,
.set_algo = _set_algo,
.set_relative = _set_relative,
- .set_security = _set_security,
+ .set_package_state = _set_package_state,
.set_sequence = _set_sequence,
.set_owner = _set_owner,
.set_utc = _set_utc,
diff --git a/src/libpts/plugins/imv_attestation/attest_db.h b/src/libpts/plugins/imv_attestation/attest_db.h
index 0d29be997..d0a48d844 100644
--- a/src/libpts/plugins/imv_attestation/attest_db.h
+++ b/src/libpts/plugins/imv_attestation/attest_db.h
@@ -160,9 +160,9 @@ struct attest_db_t {
void (*set_relative)(attest_db_t *this);
/**
- * Set the package security state
+ * Set the package security or blacklist state
*/
- void (*set_security)(attest_db_t *this, os_package_state_t security);
+ void (*set_package_state)(attest_db_t *this, os_package_state_t package_state);
/**
* Set the sequence number