[PATCH v2 2/2] xattrs: Properly handle security.ima extended attribute

Stefan Berger stefanb at linux.vnet.ibm.com
Thu Dec 1 12:28:19 UTC 2016


This patch addresses the proper handling of the security.ima
extended attribute in the following two cases:

- The security.ima extended attribute is not writeable if its value
represents a hash, since hash values are only writeable by the kernel.
We therefore ignore errors when security.ima could not be written.

- Similarly, when the kernel creates a security.ima extended
attribute with a hash value for a new file, we don't want to erase
the security.ima xattr (erasing is possible).
---
 xattrs.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/xattrs.c b/xattrs.c
index 3b72e61..64fc84a 100644
--- a/xattrs.c
+++ b/xattrs.c
@@ -1024,10 +1024,16 @@ static int rsync_xal_set(const char *fname, item_list *xalp,
 		}
 
 		if (sys_lsetxattr(fname, name, rxas[i].datum, rxas[i].datum_len) < 0) {
-			rsyserr(FERROR_XFER, errno,
-				"rsync_xal_set: lsetxattr(\"%s\",\"%s\") failed",
-				full_fname(fname), name);
-			ret = -1;
+			if (!strcmp(name, "security.ima")) {
+				/* security.ima may not be writeable
+				 * if it's a hash -- skip error output
+				 */
+			} else {
+				rsyserr(FERROR_XFER, errno,
+					"rsync_xal_set: lsetxattr(\"%s\",\"%s\") failed",
+					full_fname(fname), name);
+				ret = -1;
+			}
 		} else /* make sure caller sets mtime */
 			sxp->st.st_mtime = (time_t)-1;
 	}
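Review bot: silently ignoring every lsetxattr() failure on security.ima, whatever errno says, also hides failures that are not the hash case the commit message describes (a missing capability, an unsupported filesystem, a full disk), and the transfer still returns success for a file whose xattr was not applied. Suggest narrowing the skip to the errno the kernel actually returns when it refuses a hash-valued write, or at least reporting the skipped attribute at a verbose level rather than dropping it entirely. Style point: an empty `if` branch holding only a comment is awkward; invert the test, e.g. `if (strcmp(name, "security.ima") != 0) {` with the "may not be writeable if it's a hash" comment on the else path, so the error-reporting code stays the normal path.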
@@ -1044,7 +1050,8 @@ static int rsync_xal_set(const char *fname, item_list *xalp,
 			      : HAS_PREFIX(name, SYSTEM_PREFIX))
 			continue;
 
-		if (!strcmp(name, "security.evm"))
+		if (!strcmp(name, "security.evm") ||
+		    !strcmp(name, "security.ima"))
 			continue;
 #endif
 		if (am_root < 0 && name_len > RPRE_LEN
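Review bot: adding security.ima to the never-remove list means an existing destination security.ima is now kept even when the source file has no such attribute and the value is not a kernel-generated hash, which is a behaviour change beyond the case described in the commit message; if the two cases can be told apart, the skip should apply only to the hash case, otherwise the message should state that security.ima on the receiver is preserved unconditionally. Also note that the `am_root < 0 && name_len > RPRE_LEN` check right after this hunk handles a prefixed form of attribute names for non-root receivers; confirm whether the prefixed form of security.ima needs the same treatment, since the new `!strcmp(name, "security.ima")` only matches the bare name.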
-- 
2.7.4