[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [PATCH v2] Support for PAX extended header and Linux extended attributes



On 07/01/2016 02:35 PM, Stefan Berger wrote:
On 05/23/2016 02:27 PM, Stefan Berger wrote:
On 05/23/2016 05:50 AM, Guillem Jover wrote:
Hi!

On Thu, 2016-05-19 at 11:33:27 -0400, Stefan Berger wrote:
The following patch adds support for the tar pax extended header to the tar parser so that tar files with pax extended headers containing Linux extended attributes can be processed by dpkg. Essentially the pax extended header contains key value pairs that describe file attributes. More information
about the format can be found here:

http://pubs.opengroup.org/onlinepubs/009695299/utilities/pax.html#tag_04_100_13_03

We are particularly interested in the security.ima extended attribute,
which, if available, contains a signature for the following file in the tar and which we then write as a Linux extended attribute into the filesystem.
First of all, thanks for the patch! I've been looking into this the
past several days, and unfortunately I see some problems with the
proposed implementation and probably with this approach in general.

You're welcome.

mtree(5) support, which I hope to get ready soon, but I'm still uncertain
if that would be ideal as that manifest.


I guess this all depends a bit on how this all is intended to be used.

In the future, ideally distros would provide repositories with packages where the contents are signed. Whether the installed system is actually using them would be up to the user, though having them in the packages enables one to setup a rather locked-down secure system.

How can we move this forward?


Any comments?

We also recently presented our work on file signatures at Linux Plumbers 2016:

https://www.linuxplumbersconf.org/2016/ocw//system/presentations/3933/original/FileSignaturesNeeded.pdf

I have been using the patches for PAX header support in dpkg & apt-get for a while now and installing and updating a system that uses file signatures embedded in the PAX header works quite well.

     Stefan



Regards,
   Stefan



Reply to: