[PATCH v2 1/2] xattrs: Skip security.evm extended attribute
Stefan Berger
stefanb at linux.vnet.ibm.com
Mon Jan 9 22:31:18 UTC 2017
On 01/06/2017 12:27 AM, L. A. Walsh wrote:
> Stefan Berger wrote:
>> The security.evm extended attribute is fully owned by the Linux kernel
>> and cannot be directly written from userspace. Therefore, we can always
>> skip it.
> --- (see below "...")...
>
> Please put this on a switch or option.
>
> The security.evm field seems only special on Mandatory Access
> systems (from https://lwn.net/Articles/449719/), and seems like it
> should be copyable by root on non-Mandatory Access systems.
>
> At the very least, a "dd" from one file system to another, would copy it,
> so the security doesn't rely on it being copied WITH the rest of
> its attrs, but with the field being a check on those fields not being
> modified.
>
> ....
>
> Reading further, a better solution might be to provide a list
> of extended attributes to ***exclude*** from copying, making your
> patch "general case", as well as an option to ONLY copy a list of
> xattrs, that match an expression or list.
libattr for example has a config file that contains descriptions on how
to handle individual extended attributes.
http://git.savannah.gnu.org/cgit/attr.git/tree/xattr.conf
Here we list security.evm as one that cannot be written by the kernel.
This may change in the future. So, one other general solution may be to
ignore xattr write failures and continue.
GNU tar for example requires to use --xattrs-include=pattern to indicate
which extended attributes to put into the archive. It also support
--xattrs-exclude=pattern. Maybe something along those lines could work?
https://www.gnu.org/software/tar/manual/html_node/Extended-File-Attributes.html
rsync also has the issue that it may end up removing an extended
attribute, such as security.ima, that is set by the kernel once a file
appears but that was not read from the source file. How would we handle
this case? Another option?
>
> I'm against hardcoding specific cases into rsync, as they won't apply
> to all systems rsync runs on as well as hard-coding current trends
> in integrity-measurement (which may be subject to change).
Ok.
Stefan
More information about the rsync
mailing list