On Mon, 2016-02-29 at 16:27 +0200, Dmitry Rozhkov wrote: > With Integrity Measurement Architecture (IMA) enabled Linux > kernel the security.ima extended attribute gets overwritten > when setting times on a file with a futimens() call. So it's safer > to set xattrs after times. > > The patch was submitted upstream in > https://github.com/libarchive/libarchive/pull/664 > > Signed-off-by: Dmitry Rozhkov <[email protected]> > --- > .../0001-Set-xattrs-after-setting-times.patch | 54 > ++++++++++++++++++++++ > .../libarchive/libarchive_3.1.2.bb | 1 + > 2 files changed, 55 insertions(+) > create mode 100644 meta/recipes-extended/libarchive/libarchive/0001 > -Set-xattrs-after-setting-times.patch > > diff --git a/meta/recipes-extended/libarchive/libarchive/0001-Set > -xattrs-after-setting-times.patch b/meta/recipes > -extended/libarchive/libarchive/0001-Set-xattrs-after-setting > -times.patch > new file mode 100644 > index 0000000..beded5c > --- /dev/null > +++ b/meta/recipes-extended/libarchive/libarchive/0001-Set-xattrs > -after-setting-times.patch > @@ -0,0 +1,54 @@ > +From 545ded56095c570426fe102ff2192889681ea75c Mon Sep 17 00:00:00 > 2001 > +From: Dmitry Rozhkov <[email protected]> > +Date: Mon, 29 Feb 2016 14:38:25 +0200 > +Subject: [PATCH] Set xattrs after setting times > + > +With Integrity Measurement Architecture (IMA) enabled Linux > +kernel the security.ima extended attribute gets overwritten > +when setting times on a file with a futimens() call. So it's safer > +to set xattrs after times. > +--- > + libarchive/archive_write_disk_posix.c | 21 +++++++++++---------- > + 1 file changed, 11 insertions(+), 10 deletions(-)
Patch looks good but we need an "Upstream-Status: Submitted [ https://github.com/libarchive/libarchive/pull/664]"; header in the patch itself please. Cheers, Richard > +diff --git a/libarchive/archive_write_disk_posix.c > b/libarchive/archive_write_disk_posix.c > +index 0fc6193..27c9c1e 100644 > +--- a/libarchive/archive_write_disk_posix.c > ++++ b/libarchive/archive_write_disk_posix.c > +@@ -1620,16 +1620,6 @@ _archive_write_disk_finish_entry(struct > archive *_a) > + } > + > + /* > +- * Security-related extended attributes (such as > +- * security.capability on Linux) have to be restored last, > +- * since they're implicitly removed by other file changes. > +- */ > +- if (a->todo & TODO_XATTR) { > +- int r2 = set_xattrs(a); > +- if (r2 < ret) ret = r2; > +- } > +- > +- /* > + * Some flags prevent file modification; they must be > restored after > + * file contents are written. > + */ > +@@ -1648,6 +1638,17 @@ _archive_write_disk_finish_entry(struct > archive *_a) > + } > + > + /* > ++ * Security-related extended attributes (such as > ++ * security.capability or security.ima on Linux) have to be > restored last, > ++ * since they're implicitly removed by other file changes > like setting > ++ * times. > ++ */ > ++ if (a->todo & TODO_XATTR) { > ++ int r2 = set_xattrs(a); > ++ if (r2 < ret) ret = r2; > ++ } > ++ > ++ /* > + * Mac extended metadata includes ACLs. > + */ > + if (a->todo & TODO_MAC_METADATA) { > +-- > +2.5.0 > diff --git a/meta/recipes-extended/libarchive/libarchive_3.1.2.bb > b/meta/recipes-extended/libarchive/libarchive_3.1.2.bb > index 89c8faf..ed677ac 100644 > --- a/meta/recipes-extended/libarchive/libarchive_3.1.2.bb > +++ b/meta/recipes-extended/libarchive/libarchive_3.1.2.bb > @@ -35,6 +35,7 @@ SRC_URI = " > http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ > file://pkgconfig.patch \ > file://libarchive-CVE-2015-2304.patch \ > file://mkdir.patch \ > + file://0001-Set-xattrs-after-setting-times.patch \ > " > > SRC_URI[md5sum] = "efad5a503f66329bb9d2f4308b5de98a" > -- > 2.5.0 > -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
