[PATCH v2 0/3] initramfs: add support for xattrs in the initial ram disk
luto at kernel.org
Sat May 11 22:44:12 UTC 2019
On Thu, May 9, 2019 at 4:27 AM Roberto Sassu <roberto.sassu at huawei.com> wrote:
> This patch set aims at solving the following use case: appraise files from
> the initial ram disk. To do that, IMA checks the signature/hash from the
> security.ima xattr. Unfortunately, this use case cannot be implemented
> currently, as the CPIO format does not support xattrs.
> This proposal consists in marshaling pathnames and xattrs in a file called
> .xattr-list. They are unmarshaled by the CPIO parser after all files have
> been extracted.
> The difference from v1 (https://lkml.org/lkml/2018/11/22/1182) is that all
> xattrs are stored in a single file and not per file (solves the file name
> limitation issue, as it is not necessary to add a suffix to files
> containing xattrs).
> The difference with another proposal
> (https://lore.kernel.org/patchwork/cover/888071/) is that xattrs can be
> included in an image without changing the image format, as opposed to
> defining a new one. As seen from the discussion, if a new format has to be
> defined, it should fix the issues of the existing format, which requires
> more time.
I read some of those emails. ISTM that adding TAR support should be
seriously considered. Sure, it's baroque, but it's very, very well
supported, and it does exactly what we need.
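As an added illustration of the TAR suggestion above (example code, not from the patch set or from either author): a pax-format tar archive can carry a file's xattrs as SCHILY.xattr.<name> extended-header records, the convention GNU tar and star use, so a security.ima value travels next to its file rather than in a separate .xattr-list. The file contents and xattr values below are constructed placeholders, not real IMA signatures.

```python
import io
import tarfile

# Constructed sample: one file and the xattrs IMA would appraise it by.
# The security.ima value is a placeholder, not a real signature.
SAMPLE_PATH = "usr/bin/example"
SAMPLE_DATA = b"#!/bin/sh\necho hello\n"
SAMPLE_XATTRS = {
    "security.ima": b"\x03\x02\x04" + bytes(range(0xF0, 0x100)),
    "security.selinux": b"system_u:object_r:bin_t:s0\x00",
}
PAX_PREFIX = "SCHILY.xattr."  # GNU tar / star convention for xattrs


def build_pax_archive(path, data, xattrs):
    """Return a pax-format tar archive (bytes) storing `xattrs` on `path`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT,
                      encoding="utf-8") as tf:
        info = tarfile.TarInfo(path)
        info.size = len(data)
        info.mode = 0o755
        # pax values are str; surrogateescape preserves raw bytes and makes
        # tarfile emit hdrcharset=BINARY when a value is not valid UTF-8.
        info.pax_headers = {
            PAX_PREFIX + name: value.decode("utf-8", "surrogateescape")
            for name, value in xattrs.items()}
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_xattrs(archive):
    """Map each member path to {xattr_name: raw bytes} from its pax headers."""
    result = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r",
                      encoding="utf-8") as tf:
        for info in tf:  # extended headers are folded into info.pax_headers
            result[info.name] = {
                key[len(PAX_PREFIX):]: val.encode("utf-8", "surrogateescape")
                for key, val in info.pax_headers.items()
                if key.startswith(PAX_PREFIX)
            }
    return result


if __name__ == "__main__":
    archive = build_pax_archive(SAMPLE_PATH, SAMPLE_DATA, SAMPLE_XATTRS)
    for path, xattrs in read_xattrs(archive).items():
        for name, value in xattrs.items():
            print(path, name, value.hex())
```

A real archive produced by `tar --xattrs` carries the same SCHILY.xattr.* records, so the read side above also works on output of GNU tar.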
More information about the Linux-security-module-archive