author Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com> 2016-02-29 18:37:15 +0200
committer Richard Purdie <richard.purdie@linuxfoundation.org> 2016-03-02 22:39:43 +0000
commit d8acef272d18b120a8363df1e90743693e5713be
tree b31f343f79f6fe19b6d56cbca8bf7227b6b0539a
parent 431c1e171f1d027abd977ebcba352efd2251982e
libarchive: Set xattrs after setting times
With Integrity Measurement Architecture (IMA) enabled in Linux kernel the security.ima extended attribute gets overwritten when setting times on a file with a futimens() call. So it's safer to set xattrs after times.

(From OE-Core rev: 9bef9e0a9904beeaea1417f9b66089e7555beb26)

Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- meta/recipes-extended/libarchive/libarchive/0001-Set-xattrs-after-setting-times.patch 59
-rw-r--r-- meta/recipes-extended/libarchive/libarchive_3.1.2.bb 1
2 files changed, 60 insertions, 0 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/0001-Set-xattrs-after-setting-times.patch b/meta/recipes-extended/libarchive/libarchive/0001-Set-xattrs-after-setting-times.patch
new file mode 100644
index 0000000000..6d74e867e6
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/0001-Set-xattrs-after-setting-times.patch
@@ -0,0 +1,59 @@
1From 545ded56095c570426fe102ff2192889681ea75c Mon Sep 17 00:00:00 2001
2From: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
3Date: Mon, 29 Feb 2016 14:38:25 +0200
4Subject: [PATCH] Set xattrs after setting times
5
6With Integrity Measurement Architecture (IMA) enabled in Linux
7kernel the security.ima extended attribute gets overwritten
8when setting times on a file with a futimens() call. So it's safer
9to set xattrs after times.
10
11Upstream-Status: Submitted [https://github.com/libarchive/libarchive/pull/664]
12
13Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
14
15---
16 libarchive/archive_write_disk_posix.c | 21 +++++++++++----------
17 1 file changed, 11 insertions(+), 10 deletions(-)
18
19diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c
20index 0fc6193..27c9c1e 100644
21--- a/libarchive/archive_write_disk_posix.c
22+++ b/libarchive/archive_write_disk_posix.c
23@@ -1620,16 +1620,6 @@ _archive_write_disk_finish_entry(struct archive *_a)
24 }
25
26 /*
27- * Security-related extended attributes (such as
28- * security.capability on Linux) have to be restored last,
29- * since they're implicitly removed by other file changes.
30- */
31- if (a->todo & TODO_XATTR) {
32- int r2 = set_xattrs(a);
33- if (r2 < ret) ret = r2;
34- }
35-
36- /*
37 * Some flags prevent file modification; they must be restored after
38 * file contents are written.
39 */
40@@ -1648,6 +1638,17 @@ _archive_write_disk_finish_entry(struct archive *_a)
41 }
42
43 /*
44+ * Security-related extended attributes (such as
45+ * security.capability or security.ima on Linux) have to be restored last,
46+ * since they're implicitly removed by other file changes like setting
47+ * times.
48+ */
49+ if (a->todo & TODO_XATTR) {
50+ int r2 = set_xattrs(a);
51+ if (r2 < ret) ret = r2;
52+ }
53+
54+ /*
55 * Mac extended metadata includes ACLs.
56 */
57 if (a->todo & TODO_MAC_METADATA) {
58--
592.5.0
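Review bot: In the carried patch's second hunk (the block added near line 1638 of archive_write_disk_posix.c), set_xattrs() now runs after the flags block that the first hunk leaves in place, and that block's own comment says "Some flags prevent file modification". For an entry that carries both TODO_XATTR and such a flag, the xattr write would then target a file that is already locked against changes and could fail, leaving security.ima or security.capability unset on the extracted file. Please either confirm that the flags restored there cannot block setxattr on the supported targets, or move the flags restoration below the new xattr block so the order is times, then xattrs, then flags. The new comment also still says the attributes "have to be restored last" although the TODO_MAC_METADATA block follows it; wording such as "after setting times" would match what the code does.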
diff --git a/meta/recipes-extended/libarchive/libarchive_3.1.2.bb b/meta/recipes-extended/libarchive/libarchive_3.1.2.bb
index 89c8faf5ef..ed677ac318 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.1.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.1.2.bb
@@ -35,6 +35,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
35 file://pkgconfig.patch \ 35 file://pkgconfig.patch \
36 file://libarchive-CVE-2015-2304.patch \ 36 file://libarchive-CVE-2015-2304.patch \
37 file://mkdir.patch \ 37 file://mkdir.patch \
38 file://0001-Set-xattrs-after-setting-times.patch \
38 " 39 "
39 40
40SRC_URI[md5sum] = "efad5a503f66329bb9d2f4308b5de98a" 41SRC_URI[md5sum] = "efad5a503f66329bb9d2f4308b5de98a"