diff options
author | Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com> | 2016-02-29 18:37:15 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-03-02 22:39:43 +0000 |
commit | d8acef272d18b120a8363df1e90743693e5713be (patch) | |
tree | b31f343f79f6fe19b6d56cbca8bf7227b6b0539a | |
parent | 431c1e171f1d027abd977ebcba352efd2251982e (diff) | |
download | poky-d8acef272d18b120a8363df1e90743693e5713be.tar.gz |
libarchive: Set xattrs after setting times
With Integrity Measurement Architecture (IMA) enabled in Linux
kernel the security.ima extended attribute gets overwritten
when setting times on a file with a futimens() call. So it's safer
to set xattrs after times.
(From OE-Core rev: 9bef9e0a9904beeaea1417f9b66089e7555beb26)
Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-extended/libarchive/libarchive/0001-Set-xattrs-after-setting-times.patch | 59 | ||||
-rw-r--r-- | meta/recipes-extended/libarchive/libarchive_3.1.2.bb | 1 |
2 files changed, 60 insertions, 0 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/0001-Set-xattrs-after-setting-times.patch b/meta/recipes-extended/libarchive/libarchive/0001-Set-xattrs-after-setting-times.patch new file mode 100644 index 0000000000..6d74e867e6 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/0001-Set-xattrs-after-setting-times.patch | |||
@@ -0,0 +1,59 @@ | |||
1 | From 545ded56095c570426fe102ff2192889681ea75c Mon Sep 17 00:00:00 2001 | ||
2 | From: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com> | ||
3 | Date: Mon, 29 Feb 2016 14:38:25 +0200 | ||
4 | Subject: [PATCH] Set xattrs after setting times | ||
5 | |||
6 | With Integrity Measurement Architecture (IMA) enabled in Linux | ||
7 | kernel the security.ima extended attribute gets overwritten | ||
8 | when setting times on a file with a futimens() call. So it's safer | ||
9 | to set xattrs after times. | ||
10 | |||
11 | Upstream-Status: Submitted [https://github.com/libarchive/libarchive/pull/664] | ||
12 | |||
13 | Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com> | ||
14 | |||
15 | --- | ||
16 | libarchive/archive_write_disk_posix.c | 21 +++++++++++---------- | ||
17 | 1 file changed, 11 insertions(+), 10 deletions(-) | ||
18 | |||
19 | diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c | ||
20 | index 0fc6193..27c9c1e 100644 | ||
21 | --- a/libarchive/archive_write_disk_posix.c | ||
22 | +++ b/libarchive/archive_write_disk_posix.c | ||
23 | @@ -1620,16 +1620,6 @@ _archive_write_disk_finish_entry(struct archive *_a) | ||
24 | } | ||
25 | |||
26 | /* | ||
27 | - * Security-related extended attributes (such as | ||
28 | - * security.capability on Linux) have to be restored last, | ||
29 | - * since they're implicitly removed by other file changes. | ||
30 | - */ | ||
31 | - if (a->todo & TODO_XATTR) { | ||
32 | - int r2 = set_xattrs(a); | ||
33 | - if (r2 < ret) ret = r2; | ||
34 | - } | ||
35 | - | ||
36 | - /* | ||
37 | * Some flags prevent file modification; they must be restored after | ||
38 | * file contents are written. | ||
39 | */ | ||
40 | @@ -1648,6 +1638,17 @@ _archive_write_disk_finish_entry(struct archive *_a) | ||
41 | } | ||
42 | |||
43 | /* | ||
44 | + * Security-related extended attributes (such as | ||
45 | + * security.capability or security.ima on Linux) have to be restored last, | ||
46 | + * since they're implicitly removed by other file changes like setting | ||
47 | + * times. | ||
48 | + */ | ||
49 | + if (a->todo & TODO_XATTR) { | ||
50 | + int r2 = set_xattrs(a); | ||
51 | + if (r2 < ret) ret = r2; | ||
52 | + } | ||
53 | + | ||
54 | + /* | ||
55 | * Mac extended metadata includes ACLs. | ||
56 | */ | ||
57 | if (a->todo & TODO_MAC_METADATA) { | ||
58 | -- | ||
59 | 2.5.0 | ||
diff --git a/meta/recipes-extended/libarchive/libarchive_3.1.2.bb b/meta/recipes-extended/libarchive/libarchive_3.1.2.bb index 89c8faf5ef..ed677ac318 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.1.2.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.1.2.bb | |||
@@ -35,6 +35,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ | |||
35 | file://pkgconfig.patch \ | 35 | file://pkgconfig.patch \ |
36 | file://libarchive-CVE-2015-2304.patch \ | 36 | file://libarchive-CVE-2015-2304.patch \ |
37 | file://mkdir.patch \ | 37 | file://mkdir.patch \ |
38 | file://0001-Set-xattrs-after-setting-times.patch \ | ||
38 | " | 39 | " |
39 | 40 | ||
40 | SRC_URI[md5sum] = "efad5a503f66329bb9d2f4308b5de98a" | 41 | SRC_URI[md5sum] = "efad5a503f66329bb9d2f4308b5de98a" |