On 01/06/2017 12:27 AM, L. A. Walsh wrote:
Stefan Berger wrote:
The security.evm extended attribute is fully owned by the Linux kernel
and cannot be directly written from userspace. Therefore, we can always
skip it.
---  (see below "...")...

   Please put this on a switch or option.

The security.evm field seems only special on Mandatory Access
systems (from https://lwn.net/Articles/449719/), and seems like it
should be copyable by root on non-Mandatory Access systems.

At the very least, a "dd" from one file system to another, would copy it,
so the security doesn't rely on it being copied WITH the rest of
its attrs, but with the field being a check on those fields not being
modified.

....

Reading further, a better solution might be to provide a list
of extended attributes to ***exclude*** from copying, making your
patch "general case", as well as an option to ONLY copy a list of
xattrs, that match an expression or list.

libattr for example has a config file that contains descriptions on how to handle individual extended attributes.

http://git.savannah.gnu.org/cgit/attr.git/tree/xattr.conf

Here we list security.evm as one that cannot be written by the kernel. This may change in the future. So, one other general solution may be to ignore xattr write failures and continue.

GNU tar for example requires to use --xattrs-include=pattern to indicate which extended attributes to put into the archive. It also support --xattrs-exclude=pattern. Maybe something along those lines could work?

https://www.gnu.org/software/tar/manual/html_node/Extended-File-Attributes.html

rsync also has the issue that it may end up removing an extended attribute, such as security.ima, that is set by the kernel once a file appears but that was not read from the source file. How would we handle this case? Another option?



I'm against hardcoding specific cases into rsync, as they won't apply
to all systems rsync runs on as well as hard-coding current trends
in integrity-measurement (which may be subject to change).

Ok.

   Stefan


--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html

Reply via email to