setfattr to set security.ima fails with error "Invalid argument"

setfattr to set security.ima fails with error "Invalid argument"

[Lakshmi Ramasubramanian]

I am running Ubuntu 4.18.0-17 (x86_64)
"ext4" is the mounted file system for the drive.

When trying to set security.ima extended attribute on any file I get 
error "Invalid argument".

setfattr -n security.ima -v foo /boot/vmlinuz-4.18.0-17-generic
setfattr: /boot/vmlinuz-4.18.0-17-generic: Invalid argument

If I try any other name for the extended, say, foo I see error 
"Operation not supported".

setfattr -n foo -v bar /boot/vmlinuz-4.18.0-17-generic
setfattr: /boot/vmlinuz-4.18.0-17-generic: Operation not supported

Note that if use "user." prefix in the extended attribute's name it 
works fine. For example,

setfattr -n user.foo -v user.bar /boot/vmlinuz-4.18.0-17-generic

getfattr -d /boot/vmlinuz-4.18.0-17-generic
getfattr: Removing leading '/' from absolute path names
# file: boot/vmlinuz-4.18.0-17-generic
user.foo="user.bar"

I have tried setting "user_xattr" option in /etc/fstab.

Do I have enable any other option\config to allow setting\updating 
security.ima attribute?

thanks,
  -lakshmi

Re: setfattr to set security.ima fails with error "Invalid argument"

[Ignaz Forster]

Am 03.05.19 um 23:59 Uhr schrieb Lakshmi Ramasubramanian:
> When trying to set security.ima extended attribute on any file I get 
> error "Invalid argument".
> 
> setfattr -n security.ima -v foo /boot/vmlinuz-4.18.0-17-generic
> setfattr: /boot/vmlinuz-4.18.0-17-generic: Invalid argument

"foo" is not a valid value.
If you just want to test setting *any* value you may try 
"0sBAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxg==".

> If I try any other name for the extended, say, foo I see error 
> "Operation not supported".
> 
> setfattr -n foo -v bar /boot/vmlinuz-4.18.0-17-generic
> setfattr: /boot/vmlinuz-4.18.0-17-generic: Operation not supported

You need to use a namespace, see `man 7 xattr` for more information 
about extended attributes.

Ignaz