acl-devel

Re: [Acl-devel] [PATCH 2/2] Suppress error messages when copying securit


From: Mike Frysinger
Subject: Re: [Acl-devel] [PATCH 2/2] Suppress error messages when copying security.ima fails
Date: Fri, 9 Dec 2016 16:58:47 -0500

On 09 Dec 2016 16:14, Stefan Berger wrote:
> On 12/09/2016 04:02 PM, Mike Frysinger wrote:
> > On 09 Dec 2016 15:18, Stefan Berger wrote:
> >> On 12/09/2016 02:40 PM, Mike Frysinger wrote:
> >>> On 25 Oct 2016 13:36, Stefan Berger wrote:
> >>>> The security.ima extended attribute may be copied when it contains
> >>>> a digital signature. In case it is a hash, the copying will fail
> >>>> and we suppress the error message in that case.
> >>>
> >>> i'm not sure hardcoding specific attributes in the C code like this
> >>> is a good idea.  can't we leverage the existing conf file ?
> >>
> >> Should we add an option to not display an error? Like 'quiet' ?
> >
> > that's already possible by not passing in an error context.
> > but that's not what i meant.  we already have xattr.conf that
> > explicitly lists attributes and whether we should skip them.
> > can't we leverage that database in these files and have it
> > (silently) skip attributes when they're listed as "skip" ?
> 
> The security.ima extended attribute can either be a hash or a signature. 
> In case of a signature, we want it to be copied, in case of a hash we 
> don't want to show the error messages appearing when the copying failed.

i haven't been following the ima work closely.  but if the xattr is just
a hash of the content, why would copying it be rejected by the kernel ?
-mike
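
An added example, not part of the original message and not libattr's code, of the lookup proposed in the quoted text: consult an xattr.conf-style table and stay silent for attributes listed as "skip". The function names, the sample table and its `security.ima skip` entry are assumptions, as are the `pattern action` line layout and fnmatch-style matching.

```c
/* Added example: look up an attribute name in xattr.conf-style text.
 * Not libattr's code; all function and enum names are hypothetical. */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

enum xattr_action { XA_COPY = 0, XA_SKIP, XA_PERMISSIONS };

/* Return the action of the first "pattern action" line in conf whose
 * pattern matches name; XA_COPY if no line matches. */
enum xattr_action xattr_conf_action(const char *conf, const char *name)
{
    char line[256], pattern[128], action[32];
    while (*conf) {
        size_t len = strcspn(conf, "\n");
        size_t n = len < sizeof(line) - 1 ? len : sizeof(line) - 1;
        memcpy(line, conf, n);
        line[n] = '\0';
        conf += len + (conf[len] == '\n');
        line[strcspn(line, "#")] = '\0';      /* strip comments */
        if (sscanf(line, "%127s %31s", pattern, action) != 2)
            continue;                         /* blank or malformed line */
        if (fnmatch(pattern, name, 0) != 0)
            continue;                         /* pattern does not apply */
        if (strcmp(action, "skip") == 0)
            return XA_SKIP;
        if (strcmp(action, "permissions") == 0)
            return XA_PERMISSIONS;
    }
    return XA_COPY;
}

/* Constructed sample table; the security.ima entry is hypothetical. */
static const char SAMPLE_CONF[] =
    "# pattern            action\n"
    "system.posix_acl_*   permissions\n"
    "security.ima         skip   # hypothetical entry\n";

/* A copy loop would report errors only for attributes it tried to copy. */
int should_report_copy_error(const char *name)
{
    return xattr_conf_action(SAMPLE_CONF, name) == XA_COPY;
}

int main(void)
{
    const char *names[] = { "security.ima", "user.comment", "system.posix_acl_access" };
    for (size_t i = 0; i < 3; i++)
        printf("%-24s report_error=%d\n", names[i], should_report_copy_error(names[i]));
    return 0;
}
```

A table keyed on the attribute name alone cannot tell a signature from a hash stored in the same attribute, which is the objection raised in the quoted reply.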
