[PATCH v2 2/2] xattrs: Properly handle security.ima extended attribute
Stefan Berger
stefanb at linux.vnet.ibm.com
Thu Dec 1 12:28:19 UTC 2016
This patch addresses the proper handling of the security.ima
extended attribute in the following two cases:
- The security.ima extended attribute is not writeable if its value
represents a hash, since hash values are only writeable by the kernel.
We therefore ignore errors when security.ima could not be written.
- Similarly, when the kernel creates a security.ima extended
attribute with a hash value for a new file, we don't want to erase
the security.ima xattr (erasing is possible).
---
xattrs.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/xattrs.c b/xattrs.c
index 3b72e61..64fc84a 100644
--- a/xattrs.c
+++ b/xattrs.c
@@ -1024,10 +1024,16 @@ static int rsync_xal_set(const char *fname, item_list *xalp,
}
if (sys_lsetxattr(fname, name, rxas[i].datum, rxas[i].datum_len) < 0) {
- rsyserr(FERROR_XFER, errno,
- "rsync_xal_set: lsetxattr(\"%s\",\"%s\") failed",
- full_fname(fname), name);
- ret = -1;
+ if (!strcmp(name, "security.ima")) {
+ /* security.ima may not be writeable
+ * if it's a hash -- skip error output
+ */
+ } else {
+ rsyserr(FERROR_XFER, errno,
+ "rsync_xal_set: lsetxattr(\"%s\",\"%s\") failed",
+ full_fname(fname), name);
+ ret = -1;
+ }
} else /* make sure caller sets mtime */
sxp->st.st_mtime = (time_t)-1;
}
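Review bot: the new branch swallows every lsetxattr() failure on security.ima regardless of errno, although the stated reason (the value is a kernel-owned hash) is only one cause; a failure such as ENOSPC, ENOTSUP or a plain EACCES is now hidden and, because ret stays 0, the transfer reports success while the destination xattr was never written. Consider testing the specific errno the kernel returns for this case and still emitting a message at verbose level for the rest, e.g. keep `rsyserr(FERROR_XFER, errno, ...)` in the fallthrough. As a style point, an if-branch that contains only a comment is awkward; inverting the test (`if (strcmp(name, "security.ima") != 0) { ... }`) with the explanatory comment above it reads better and avoids the empty block.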
@@ -1044,7 +1050,8 @@ static int rsync_xal_set(const char *fname, item_list *xalp,
: HAS_PREFIX(name, SYSTEM_PREFIX))
continue;
- if (!strcmp(name, "security.evm"))
+ if (!strcmp(name, "security.evm") ||
+ !strcmp(name, "security.ima"))
continue;
#endif
if (am_root < 0 && name_len > RPRE_LEN
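Review bot: adding security.ima to the names that `continue` past the removal loop means a security.ima value present on the destination but absent from the source is never erased, so a stale attribute can be left behind whenever the file content changes and the source carries no security.ima; that is the intended trade-off per the commit message, but it deserves a short comment here alongside the security.evm case, since the hunk itself gives no hint that the kernel may have created the value. Also note that this skip applies unconditionally within the `#endif` block, not only when the destination value is a kernel-generated hash, which is worth stating in the comment.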
--
2.7.4