rsync - Jan 2017 - [PATCH v2 1/2] xattrs: Skip security.evm extended attribute

On 01/06/2017 12:27 AM, L. A. Walsh wrote:
> Stefan Berger wrote:
>> The security.evm extended attribute is fully owned by the Linux kernel
>> and cannot be directly written from userspace. Therefore, we can always
>> skip it.
> ---  (see below "...")...
>
>    Please put this on a switch or option.
>
> The security.evm field seems only special on Mandatory Access
> systems (from https://lwn.net/Articles/449719/), and seems like it
> should be copyable by root on non-Mandatory Access systems.
>
> At the very least, a "dd" from one file system to another, would
copy it,
> so the security doesn't rely on it being copied WITH the rest of
> its attrs, but with the field being a check on those fields not being
> modified.
>
> ....
>
> Reading further, a better solution might be to provide a list
> of extended attributes to ***exclude*** from copying, making your
> patch "general case", as well as an option to ONLY copy a list of
> xattrs, that match an expression or list.
libattr for example has a config file that contains descriptions on how 
to handle individual extended attributes.

http://git.savannah.gnu.org/cgit/attr.git/tree/xattr.conf

Here we list security.evm as one that cannot be written by the kernel. 
This may change in the future. So, one other general solution may be to 
ignore xattr write failures and continue.

GNU tar for example requires to use --xattrs-include=pattern to indicate 
which extended attributes to put into the archive. It also support 
--xattrs-exclude=pattern. Maybe something along those lines could work?

https://www.gnu.org/software/tar/manual/html_node/Extended-File-Attributes.html

rsync also has the issue that it may end up removing an extended 
attribute, such as security.ima, that is set by the kernel once a file 
appears but that was not read from the source file. How would we handle 
this case? Another option?

>
> I'm against hardcoding specific cases into rsync, as they won't
apply
> to all systems rsync runs on as well as hard-coding current trends
> in integrity-measurement (which may be subject to change).
Ok.

    Stefan

On Mon, Jan 9, 2017 at 2:31 PM, Stefan Berger <stefanb at
linux.vnet.ibm.com>
wrote:
> GNU tar for example requires to use --xattrs-include=pattern to indicate
> which extended attributes to put into the archive. It also support
> --xattrs-exclude=pattern. Maybe something along those lines could work?
>
The latest git version now has a modifier to the filter options that lets
you specify include/exclude rules that only apply to xattr names. These can
be used to control what names get read from of the source files
(sender-side rules) and what names get deleted from the destination files
(receiver side rules). I've just done some simple testing, and it seems to
work fine.

..wayne..
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.samba.org/pipermail/rsync/attachments/20170122/3612e01f/attachment.html>

On 01/22/2017 09:15 PM, Wayne Davison wrote:
> On Mon, Jan 9, 2017 at 2:31 PM, Stefan Berger 
> <stefanb at linux.vnet.ibm.com <mailto:stefanb at
linux.vnet.ibm.com>> wrote:
>
>     GNU tar for example requires to use --xattrs-include=pattern to
>     indicate which extended attributes to put into the archive. It
>     also support --xattrs-exclude=pattern. Maybe something along those
>     lines could work?
>
>
> The latest git version now has a modifier to the filter options that 
> lets you specify include/exclude rules that only apply to xattr names. 
> These can be used to control what names get read from of the source 
> files (sender-side rules) and what names get deleted from the 
> destination files (receiver side rules). I've just done some simple 
> testing, and it seems to work fine.
:-) Thanks. I'll try it when I get a chance.

    Stefan

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.samba.org/pipermail/rsync/attachments/20170123/c3de8ff8/attachment.html>