[AUTO-CHERRYPICK] SymCrypt-OpenSSL -- Update mechanism for creating keysinuse logging directory. - branch 3.0-dev (#13739)

CBL-Mariner-Bot · tobiasb-ms · web-flow · commit 4b9863ba9549 · 2025-05-13T10:46:53.000-04:00
Co-authored-by: Tobias Brick &lt;39196763+tobiasb-ms@users.noreply.github.com&gt;
diff --git a/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.spec b/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.spec
@@ -1,7 +1,7 @@
 Summary:        The SymCrypt engine for OpenSSL (SCOSSL) allows the use of OpenSSL with SymCrypt as the provider for core cryptographic operations
 Name:           SymCrypt-OpenSSL
 Version:        1.8.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -49,6 +49,7 @@ mkdir -p %{buildroot}%{_libdir}/engines-3/
 mkdir -p %{buildroot}%{_libdir}/ossl-modules/
 mkdir -p %{buildroot}%{_includedir}
 mkdir -p %{buildroot}%{_sysconfdir}/pki/tls/
+mkdir -p %{buildroot}%{_localstatedir}/log/keysinuse/
 
 # We still install the engine for backwards compatibility with legacy applications. Callers must
 # explicitly load the engine to use it. It will be removed in a future release.
@@ -57,15 +58,6 @@ install bin/SymCryptProvider/symcryptprovider.so %{buildroot}%{_libdir}/ossl-mod
 install SymCryptEngine/inc/e_scossl.h %{buildroot}%{_includedir}/e_scossl.h
 install SymCryptProvider/symcrypt_prov.cnf %{buildroot}%{_sysconfdir}/pki/tls/symcrypt_prov.cnf
 
-%post
-mkdir -p -m 1733 /var/log/keysinuse
-
-%preun
-# Remove the logging directory on uninstall, leaving it there on upgrade.
-if [ "${1}" = "0" ]; then
-    rm -rf /var/log/keysinuse
-fi
-
 %check
 ./bin/SslPlay/SslPlay
 
@@ -76,7 +68,21 @@ fi
 %{_includedir}/e_scossl.h
 %{_sysconfdir}/pki/tls/symcrypt_prov.cnf
 
+# The log directory for certsinuse logging has permissions set to 1733.
+# These permissions are a result of a security review to mitigate potential risks:
+# - Group and others are denied read access to prevent user-level code from inferring
+#   details about other running applications and their certsinuse usage.
+# - All users have write and execute permissions to create new log files and to 
+#   check file attributes (e.g., to ensure a log file hasn't been tampered with or 
+#   replaced by a symlink).
+# - The sticky bit is set to prevent malicious users from deleting the log files
+#   and interfering with certsinuse alerting mechanisms.
+%dir %attr(1733, root, root) %{_localstatedir}/log/keysinuse/
+
 %changelog
+* Thu May 08 2025 Tobias Brick <tobiasb@microsoft.com> - 1.8.0-2
+- Update mechanism for creating keysinuse logging directory.
+
 * Thu Mar 27 2025 Maxwell Moyer-McKee <mamckee@microsoft.com> - 1.8.0-1
 - Upgrade to SymCrypt-OpenSSL 1.8.0 with PBKDF2 and minor bugfixes
 
