* [PATCH] libarchive: Set xattrs after setting times
@ 2016-02-29 14:27 Dmitry Rozhkov
2016-02-29 14:49 ` Richard Purdie
0 siblings, 1 reply; 2+ messages in thread
From: Dmitry Rozhkov @ 2016-02-29 14:27 UTC (permalink / raw)
To: openembedded-core
With Integrity Measurement Architecture (IMA) enabled Linux
kernel the security.ima extended attribute gets overwritten
when setting times on a file with a futimens() call. So it's safer
to set xattrs after times.
The patch was submitted upstream in
https://github.com/libarchive/libarchive/pull/664
Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
---
.../0001-Set-xattrs-after-setting-times.patch | 54 ++++++++++++++++++++++
.../libarchive/libarchive_3.1.2.bb | 1 +
2 files changed, 55 insertions(+)
create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Set-xattrs-after-setting-times.patch
diff --git a/meta/recipes-extended/libarchive/libarchive/0001-Set-xattrs-after-setting-times.patch b/meta/recipes-extended/libarchive/libarchive/0001-Set-xattrs-after-setting-times.patch
new file mode 100644
index 0000000..beded5c
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/0001-Set-xattrs-after-setting-times.patch
@@ -0,0 +1,54 @@
+From 545ded56095c570426fe102ff2192889681ea75c Mon Sep 17 00:00:00 2001
+From: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
+Date: Mon, 29 Feb 2016 14:38:25 +0200
+Subject: [PATCH] Set xattrs after setting times
+
+With Integrity Measurement Architecture (IMA) enabled Linux
+kernel the security.ima extended attribute gets overwritten
+when setting times on a file with a futimens() call. So it's safer
+to set xattrs after times.
+---
+ libarchive/archive_write_disk_posix.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c
+index 0fc6193..27c9c1e 100644
+--- a/libarchive/archive_write_disk_posix.c
++++ b/libarchive/archive_write_disk_posix.c
+@@ -1620,16 +1620,6 @@ _archive_write_disk_finish_entry(struct archive *_a)
+ }
+
+ /*
+- * Security-related extended attributes (such as
+- * security.capability on Linux) have to be restored last,
+- * since they're implicitly removed by other file changes.
+- */
+- if (a->todo & TODO_XATTR) {
+- int r2 = set_xattrs(a);
+- if (r2 < ret) ret = r2;
+- }
+-
+- /*
+ * Some flags prevent file modification; they must be restored after
+ * file contents are written.
+ */
+@@ -1648,6 +1638,17 @@ _archive_write_disk_finish_entry(struct archive *_a)
+ }
+
+ /*
++ * Security-related extended attributes (such as
++ * security.capability or security.ima on Linux) have to be restored last,
++ * since they're implicitly removed by other file changes like setting
++ * times.
++ */
++ if (a->todo & TODO_XATTR) {
++ int r2 = set_xattrs(a);
++ if (r2 < ret) ret = r2;
++ }
++
++ /*
+ * Mac extended metadata includes ACLs.
+ */
+ if (a->todo & TODO_MAC_METADATA) {
+--
+2.5.0
diff --git a/meta/recipes-extended/libarchive/libarchive_3.1.2.bb b/meta/recipes-extended/libarchive/libarchive_3.1.2.bb
index 89c8faf..ed677ac 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.1.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.1.2.bb
@@ -35,6 +35,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
file://pkgconfig.patch \
file://libarchive-CVE-2015-2304.patch \
file://mkdir.patch \
+ file://0001-Set-xattrs-after-setting-times.patch \
"
SRC_URI[md5sum] = "efad5a503f66329bb9d2f4308b5de98a"
--
2.5.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] libarchive: Set xattrs after setting times
2016-02-29 14:27 [PATCH] libarchive: Set xattrs after setting times Dmitry Rozhkov
@ 2016-02-29 14:49 ` Richard Purdie
0 siblings, 0 replies; 2+ messages in thread
From: Richard Purdie @ 2016-02-29 14:49 UTC (permalink / raw)
To: Dmitry Rozhkov, openembedded-core
On Mon, 2016-02-29 at 16:27 +0200, Dmitry Rozhkov wrote:
> With Integrity Measurement Architecture (IMA) enabled Linux
> kernel the security.ima extended attribute gets overwritten
> when setting times on a file with a futimens() call. So it's safer
> to set xattrs after times.
>
> The patch was submitted upstream in
> https://github.com/libarchive/libarchive/pull/664
>
> Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
> ---
> .../0001-Set-xattrs-after-setting-times.patch | 54
> ++++++++++++++++++++++
> .../libarchive/libarchive_3.1.2.bb | 1 +
> 2 files changed, 55 insertions(+)
> create mode 100644 meta/recipes-extended/libarchive/libarchive/0001
> -Set-xattrs-after-setting-times.patch
>
> diff --git a/meta/recipes-extended/libarchive/libarchive/0001-Set
> -xattrs-after-setting-times.patch b/meta/recipes
> -extended/libarchive/libarchive/0001-Set-xattrs-after-setting
> -times.patch
> new file mode 100644
> index 0000000..beded5c
> --- /dev/null
> +++ b/meta/recipes-extended/libarchive/libarchive/0001-Set-xattrs
> -after-setting-times.patch
> @@ -0,0 +1,54 @@
> +From 545ded56095c570426fe102ff2192889681ea75c Mon Sep 17 00:00:00
> 2001
> +From: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
> +Date: Mon, 29 Feb 2016 14:38:25 +0200
> +Subject: [PATCH] Set xattrs after setting times
> +
> +With Integrity Measurement Architecture (IMA) enabled Linux
> +kernel the security.ima extended attribute gets overwritten
> +when setting times on a file with a futimens() call. So it's safer
> +to set xattrs after times.
> +---
> + libarchive/archive_write_disk_posix.c | 21 +++++++++++----------
> + 1 file changed, 11 insertions(+), 10 deletions(-)
Patch looks good but we need an "Upstream-Status: Submitted [
https://github.com/libarchive/libarchive/pull/664]" header in the patch
itself please.
Cheers,
Richard
> +diff --git a/libarchive/archive_write_disk_posix.c
> b/libarchive/archive_write_disk_posix.c
> +index 0fc6193..27c9c1e 100644
> +--- a/libarchive/archive_write_disk_posix.c
> ++++ b/libarchive/archive_write_disk_posix.c
> +@@ -1620,16 +1620,6 @@ _archive_write_disk_finish_entry(struct
> archive *_a)
> + }
> +
> + /*
> +- * Security-related extended attributes (such as
> +- * security.capability on Linux) have to be restored last,
> +- * since they're implicitly removed by other file changes.
> +- */
> +- if (a->todo & TODO_XATTR) {
> +- int r2 = set_xattrs(a);
> +- if (r2 < ret) ret = r2;
> +- }
> +-
> +- /*
> + * Some flags prevent file modification; they must be
> restored after
> + * file contents are written.
> + */
> +@@ -1648,6 +1638,17 @@ _archive_write_disk_finish_entry(struct
> archive *_a)
> + }
> +
> + /*
> ++ * Security-related extended attributes (such as
> ++ * security.capability or security.ima on Linux) have to be
> restored last,
> ++ * since they're implicitly removed by other file changes
> like setting
> ++ * times.
> ++ */
> ++ if (a->todo & TODO_XATTR) {
> ++ int r2 = set_xattrs(a);
> ++ if (r2 < ret) ret = r2;
> ++ }
> ++
> ++ /*
> + * Mac extended metadata includes ACLs.
> + */
> + if (a->todo & TODO_MAC_METADATA) {
> +--
> +2.5.0
> diff --git a/meta/recipes-extended/libarchive/libarchive_3.1.2.bb
> b/meta/recipes-extended/libarchive/libarchive_3.1.2.bb
> index 89c8faf..ed677ac 100644
> --- a/meta/recipes-extended/libarchive/libarchive_3.1.2.bb
> +++ b/meta/recipes-extended/libarchive/libarchive_3.1.2.bb
> @@ -35,6 +35,7 @@ SRC_URI = "
> http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
> file://pkgconfig.patch \
> file://libarchive-CVE-2015-2304.patch \
> file://mkdir.patch \
> + file://0001-Set-xattrs-after-setting-times.patch \
> "
>
> SRC_URI[md5sum] = "efad5a503f66329bb9d2f4308b5de98a"
> --
> 2.5.0
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2016-02-29 14:50 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-02-29 14:27 [PATCH] libarchive: Set xattrs after setting times Dmitry Rozhkov
2016-02-29 14:49 ` Richard Purdie
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.