From 15d8e3a327bc4ee96845163f962837cfcb4699bb Mon Sep 17 00:00:00 2001
From: Kam Nasim <kam.nasim@windriver.com>
Date: Tue, 6 Feb 2018 15:25:00 -0500
Subject: [PATCH] CGTS-8849: Security: Set immutable attribute and permissions

Signed-off-by: Dongqi Chen <chen.dq@neusoft.com>
---
 SPECS/tboot.spec | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/SPECS/tboot.spec b/SPECS/tboot.spec
index f04dd17..1673095 100644
--- a/SPECS/tboot.spec
+++ b/SPECS/tboot.spec
@@ -33,9 +33,21 @@ CFLAGS="$RPM_OPT_FLAGS"; export CFLAGS
 LDFLAGS="$RPM_LD_FLAGS"; export LDFLAGS
 make debug=y %{?_smp_mflags}
 
+# On updating this package, we want to clear the immutable
+# attribute so that the module files can get overwritten
+if [ $1 -gt 1 ]; then
+    chattr -i /boot/tboot.gz /boot/tboot-syms
+fi
+exit 0
+
 %install
 make debug=y DISTDIR=$RPM_BUILD_ROOT install
 
+%post
+# Set immutable attribute on tboot modules
+chattr +i /boot/tboot.gz /boot/tboot-syms
+exit 0
+
 %files
 %doc README COPYING docs/* lcptools/lcptools2.txt lcptools/Linux_LCP_Tools_User_Manual.pdf
 %config %{_sysconfdir}/grub.d/20_linux_tboot
@@ -71,8 +83,8 @@ make debug=y DISTDIR=$RPM_BUILD_ROOT install
 %{_mandir}/man8/lcp_writepol.8.gz
 %{_mandir}/man8/tb_polgen.8.gz
 %{_mandir}/man8/txt-stat.8.gz
-/boot/tboot.gz
-/boot/tboot-syms
+%attr(0400,root,root) /boot/tboot.gz
+%attr(0400,root,root) /boot/tboot-syms
 
 %changelog
 * Fri Sep 7 2018 Tony Camuso <tcamuso@redhat.com> - 1:1.9.7-1
-- 
1.8.3.1