This patch addresses the proper handling of the security.ima
extended attribute in the following two cases:

- The security.ima extended attribute is not writeable if its value
represents a hash, since hash values are only writeable by the kernel.
We therefore ignore errors when security.ima could not be written.

- Similarly, when the kernel creates a security.ima extended
attribute with a hash value for a new file, we don't want to erase
that xattr, even though erasing it is possible.
---
 xattrs.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/xattrs.c b/xattrs.c
index 3b72e61..64fc84a 100644
--- a/xattrs.c
+++ b/xattrs.c
@@ -1024,10 +1024,16 @@ static int rsync_xal_set(const char *fname, item_list 
*xalp,
                }
 
                if (sys_lsetxattr(fname, name, rxas[i].datum, 
rxas[i].datum_len) < 0) {
-                       rsyserr(FERROR_XFER, errno,
-                               "rsync_xal_set: lsetxattr(\"%s\",\"%s\") 
failed",
-                               full_fname(fname), name);
-                       ret = -1;
+                       if (!strcmp(name, "security.ima")) {
+                               /* security.ima may not be writeable
+                                * if it's a hash -- skip error output
+                                */
+                       } else {
+                               rsyserr(FERROR_XFER, errno,
+                                       "rsync_xal_set: 
lsetxattr(\"%s\",\"%s\") failed",
+                                       full_fname(fname), name);
+                               ret = -1;
+                       }
                } else /* make sure caller sets mtime */
                        sxp->st.st_mtime = (time_t)-1;
        }
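Review bot: The new `security.ima` branch swallows every lsetxattr failure for that attribute, not only the expected refusal to overwrite a kernel-owned hash, and it does so with no output and without setting `ret`. A failed write of an IMA signature, or a failure for an unrelated reason such as a full filesystem, would leave the destination without the integrity xattr while the transfer still reports success. Consider narrowing the skip to the errno the kernel returns for the hash case (presumably EPERM; confirm against the target kernels) and logging it, e.g. `if (!strcmp(name, "security.ima") && errno == EPERM)` followed by an `rprintf(FINFO, ...)` line. The empty `if` body holding only a comment would also read better with the condition inverted. The body of rsync_xal_set starts and ends outside this hunk.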
@@ -1044,7 +1050,8 @@ static int rsync_xal_set(const char *fname, item_list 
*xalp,
                              : HAS_PREFIX(name, SYSTEM_PREFIX))
                        continue;
 
-               if (!strcmp(name, "security.evm"))
+               if (!strcmp(name, "security.evm") ||
+                   !strcmp(name, "security.ima"))
                        continue;
 #endif
                if (am_root < 0 && name_len > RPRE_LEN
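Review bot: Skipping `security.ima` unconditionally in the removal pass means a stale value on the destination is never cleared, even when the source file carries no such attribute. The commit message justifies this for kernel-created hashes on new files, but a left-over signature from an earlier version of the file would apparently survive as well and no longer match the new content; if that case is intended, it deserves a comment next to the `continue`. The literal `"security.ima"` now appears in both hunks, so a shared `#define` would keep the two sites in sync. This check sits in a preprocessor conditional that closes at the visible `#endif` and opens outside the hunk, and it is not visible whether the new test in the first hunk is guarded the same way.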
-- 
2.7.4

