This patch addresses the proper handling of the security.ima extended attribute in the following two cases:
- The security.ima extended attribute is not writeable if its value represents a hash, since hash values are only writeable by the kernel. We therefore ignore errors when security.ima could not be written.
- Similarly, when the kernel creates a security.ima extended attribute with a hash value for a new file, we don't want to erase the security.ima xattr (erasing is possible).
---
 xattrs.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/xattrs.c b/xattrs.c
index 3b72e61..64fc84a 100644
--- a/xattrs.c
+++ b/xattrs.c
@@ -1024,10 +1024,16 @@ static int rsync_xal_set(const char *fname, item_list *xalp,
 		}
 		if (sys_lsetxattr(fname, name, rxas[i].datum, rxas[i].datum_len) < 0) {
-			rsyserr(FERROR_XFER, errno,
-				"rsync_xal_set: lsetxattr(\"%s\",\"%s\") failed",
-				full_fname(fname), name);
-			ret = -1;
+			if (!strcmp(name, "security.ima")) {
+				/* security.ima may not be writeable
+				 * if it's a hash -- skip error output
+				 */
+			} else {
+				rsyserr(FERROR_XFER, errno,
+					"rsync_xal_set: lsetxattr(\"%s\",\"%s\") failed",
+					full_fname(fname), name);
+				ret = -1;
+			}
 		} else /* make sure caller sets mtime */
 			sxp->st.st_mtime = (time_t)-1;
 	}
@@ -1044,7 +1050,8 @@ static int rsync_xal_set(const char *fname, item_list *xalp,
 			: HAS_PREFIX(name, SYSTEM_PREFIX))
 			continue;
-		if (!strcmp(name, "security.evm"))
+		if (!strcmp(name, "security.evm") ||
+		    !strcmp(name, "security.ima"))
 			continue;
 #endif
 		if (am_root < 0 && name_len > RPRE_LEN
--
2.7.4
--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
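Review bot: The new then-branch swallows every lsetxattr() failure on security.ima, not only the permission error the description attributes to a kernel-managed hash, so ENOTSUP, ENOSPC or E2BIG on that attribute now vanish without a message and ret stays 0 although the receiver may be left with a stale or missing IMA label. Gating the skip on errno keeps the intent without hiding unrelated faults, e.g. `if (!strcmp(name, "security.ima") && (errno == EPERM || errno == EACCES)) { /* presumably a kernel-owned hash; skip error output */ }`, and a verbose-level `rprintf(FINFO, ...)` noting the skipped attribute would still let an operator see that the attribute was not transferred. Inverting the test (`if (strcmp(name, "security.ima") != 0) { rsyserr(...); ret = -1; }`) also avoids an empty block that holds only a comment. Which errno the kernel returns for a rejected hash-type write is not shown here and should be confirmed. The loop and rsync_xal_set start and end outside the hunk.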
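Review bot: The added `continue` keeps any existing security.ima on the receiver unconditionally, so a stale attribute — including a value the sender deliberately removed — is never erased, although the description only motivates preserving kernel-generated hashes for new files. The behaviour deserves at least a comment at the new condition, such as `/* security.ima may be kernel-managed (hash); never remove it locally */`, and if the sender's attribute list is available at this point the skip could be limited to names absent from it, which I cannot verify from the hunk. The literals "security.evm" and "security.ima" now appear in both hunks; a small `static int is_ima_evm_xattr(const char *name)` predicate would keep them in one place. rsync_xal_set starts and ends outside the hunk.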