Re: [Acl-devel] [PATCH 2/2] Suppress error messages when copying security.ima fails

[Stefan Berger]

On 12/09/2016 04:58 PM, Mike Frysinger wrote:
> On 09 Dec 2016 16:14, Stefan Berger wrote:
> > On 12/09/2016 04:02 PM, Mike Frysinger wrote:
> > > On 09 Dec 2016 15:18, Stefan Berger wrote:
> > > > On 12/09/2016 02:40 PM, Mike Frysinger wrote:
> > > > > On 25 Oct 2016 13:36, Stefan Berger wrote:
> > > > > > The security.ima extended attribute may be copied when it contains
> > > > > > a digital signature. In case it is a hash, the copying will fail
> > > > > > and we suppress the error message in that case.
> > > > > i'm not sure hardcoding specific attributes in the C code like this
> > > > > is a good idea.  can't we leverage the existing conf file ?
> > > > Should we add an option to not display an error? Like 'quiet' ?
> > > that's already possible by not passing in an error context.
> > > but that's not what i meant.  we already have xattr.conf that
> > > explicitly lists attributes and whether we should skip them.
> > > can't we leverage that database in these files and have it
> > > (silently) skip attributes when they're listed as "skip" ?
> > The security.ima extended attribute can either be a hash or a signature.
> > In case of a signature, we want it to be copied, in case of a hash we
> > don't want to show the error messages appearing when the copying failed.
> i haven't been following the ima work closely.  but if the xattr is just
> a hash of the content, why would copying it be rejected by the kernel ?

I believe it was a recently extension that prevents userspace from 
writing the hash value. Mimi can probably say more about this.

   Stefan

> -mike