aboutsummaryrefslogtreecommitdiffstats
path: root/recipes-core/swupd-client/swupd-client/ignore-xattrs-when-verifying-Manifest-files.patch
blob: b3dd47bd9aeb1ff7ba3f50a23599d078c4c49904 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
From cc44bbfb2eaa90284a67ad6d42706e6433abd7ff Mon Sep 17 00:00:00 2001
From: Patrick Ohly <patrick.ohly@intel.com>
Date: Thu, 3 Nov 2016 11:47:53 +0100
Subject: [PATCH 1/3] verify_file: ignore xattrs when verifying Manifest files

When IMA or Smack are active on the client, the downloaded Manifest
files will be assigned certain xattrs (security.ima
resp. security.SMACK64). Those xattrs did not exist on the server side
(because it is most likely not having those kernel features enabled)
and besides, the swupd-server code wouldn't include them in the
Manifest hashes even if they existed (see write_manifest_plain() in
src/manifest.c).

Therefore the client must ignore xattrs when verifying Manifest files.

Upstream-Status: Backported [https://github.com/clearlinux/swupd-client/commit/09c26658d346cdd80ea54188d991db3493983176]

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 src/hash.c   | 9 ++++++++-

diff --git a/src/hash.c b/src/hash.c
index 1e61454..9553644 100644
--- a/src/hash.c
+++ b/src/hash.c
@@ -236,7 +236,14 @@ bool verify_file(struct file *file, char *filename)
 	}
 
 	local->filename = file->filename;
-	local->use_xattrs = true;
+	/*
+	 * xattrs are currently not supported for manifest files.
+	 * They are data files produced by the swupd-server and
+	 * therefore do not have any of the xattrs normally
+	 * set for the actual system files (like security.ima
+	 * when using IMA or security.SMACK64 when using Smack).
+	 */
+	local->use_xattrs = !file->is_manifest;
 
 	populate_file_struct(local, filename);
 	if (compute_hash(local, filename) != 0) {
-- 
2.1.4