[PATCH v2 1/2] xattrs: Skip security.evm extended attribute

Stefan Berger stefanb at linux.vnet.ibm.com
Mon Jan 9 22:31:18 UTC 2017


On 01/06/2017 12:27 AM, L. A. Walsh wrote:
> Stefan Berger wrote:
>> The security.evm extended attribute is fully owned by the Linux kernel
>> and cannot be directly written from userspace. Therefore, we can always
>> skip it.
> ---  (see below "...")...
>
>    Please put this on a switch or option.
>
> The security.evm field seems only special on Mandatory Access
> systems (from https://lwn.net/Articles/449719/), and seems like it
> should be copyable by root on non-Mandatory Access systems.
>
> At the very least, a "dd" from one file system to another, would copy it,
> so the security doesn't rely on it being copied WITH the rest of
> its attrs, but with the field being a check on those fields not being
> modified.
>
> ....
>
> Reading further, a better solution might be to provide a list
> of extended attributes to ***exclude*** from copying, making your
> patch "general case", as well as an option to ONLY copy a list of
> xattrs, that match an expression or list.

libattr for example has a config file that contains descriptions on how 
to handle individual extended attributes.

http://git.savannah.gnu.org/cgit/attr.git/tree/xattr.conf

Here we list security.evm as one that cannot be written by the kernel. 
This may change in the future. So, one other general solution may be to 
ignore xattr write failures and continue.

GNU tar for example requires to use --xattrs-include=pattern to indicate 
which extended attributes to put into the archive. It also support 
--xattrs-exclude=pattern. Maybe something along those lines could work?

https://www.gnu.org/software/tar/manual/html_node/Extended-File-Attributes.html

rsync also has the issue that it may end up removing an extended 
attribute, such as security.ima, that is set by the kernel once a file 
appears but that was not read from the source file. How would we handle 
this case? Another option?


>
> I'm against hardcoding specific cases into rsync, as they won't apply
> to all systems rsync runs on as well as hard-coding current trends
> in integrity-measurement (which may be subject to change).

Ok.

    Stefan




More information about the rsync mailing list