On 6/3/19 4:31 AM, Roberto Sassu wrote:
>> This patch set aims at solving the following use case: appraise files from
>> the initial ram disk. To do that, IMA checks the signature/hash from the
>> security.ima xattr. Unfortunately, this use case cannot be implemented
>> currently, as the CPIO format does not support xattrs.
>>
>> This proposal consists in including file metadata as additional files named
>> METADATA!!!, for each file added to the ram disk. The CPIO parser in the
>> kernel recognizes these special files from the file name, and calls the
>> appropriate parser to add metadata to the previously extracted file. It has
>> been proposed to use bit 17:16 of the file mode as a way to recognize files
>> with metadata, but both the kernel and the cpio tool declare the file mode
>> as unsigned short.
>
> Any opinion on this patch set?
>
> Thanks
>
> Roberto

Sorry, I've had the window open since you posted it but haven't gotten around to it. I'll try to build it later today.

It does look interesting, and I have no objections to the basic approach. I should be able to add support to toybox cpio over a weekend once I've got the kernel doing it to test against.

Rob
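Added example, not code from the patch set, the kernel or toybox: a small Python model of the scheme quoted above. It writes a newc cpio archive in which every file is followed by a METADATA!!! entry, then parses the archive, never creating that entry as a file but attaching its payload to the previously extracted file, and finally appraises the file the way IMA would against security.ima. The payload layout (xattr name, NUL, value) and the use of a raw SHA-256 digest as the security.ima value are assumptions for illustration, not the patch set's real encoding.

```python
import hashlib
MAGIC = b"070701"            # newc ("SVR4 without CRC") cpio magic
META_NAME = "METADATA!!!"    # marker name proposed in the quoted cover letter
def _pad4(n):
    return (n + 3) & ~3

def _entry(name, data, mode):
    # newc: magic + 13 eight-char hex fields (110 bytes), NUL-terminated name, data; each padded to 4
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name) + 1, 0]
    body = MAGIC + b"".join(b"%08X" % f for f in fields) + name.encode() + b"\0"
    body += b"\0" * (_pad4(len(body)) - len(body))
    return body + data + b"\0" * (_pad4(len(data)) - len(data))

def ima_digest(data):
    return hashlib.sha256(data).digest()  # assumption: raw SHA-256 as the xattr value

def build_archive(files):
    # files: [(name, content)]; each file is followed by a METADATA!!! entry (payload layout assumed)
    out = b""
    for name, data in files:
        out += _entry(name, data, 0o100644)
        out += _entry(META_NAME, b"security.ima\0" + ima_digest(data), 0o100644)
    return out + _entry("TRAILER!!!", b"", 0)

def extract(archive):
    # A METADATA!!! entry is never created as a file; it is applied to the file extracted just before it.
    result, last, pos = {}, None, 0
    while pos < len(archive):
        if archive[pos:pos + 6] != MAGIC:
            raise ValueError("bad cpio magic at offset %d" % pos)
        f = [int(archive[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = f[6], f[11]
        name = archive[pos + 110:pos + 110 + namesize - 1].decode()
        dpos = _pad4(pos + 110 + namesize)
        data, pos = archive[dpos:dpos + filesize], _pad4(dpos + filesize)
        if name == "TRAILER!!!":
            break
        if name == META_NAME:
            if last is None:
                raise ValueError("metadata entry with no preceding file")
            xname, _, xval = data.partition(b"\0")
            result[last]["xattrs"][xname.decode()] = xval
            continue
        result[name] = {"data": data, "xattrs": {}}
        last = name
    return result

def appraise(record):  # what IMA appraisal does with security.ima: recompute and compare
    return record["xattrs"].get("security.ima") == ima_digest(record["data"])
```

The parser rejects a METADATA!!! entry that has no preceding regular file, which is the ordering invariant the kernel-side parser must enforce for this scheme to be safe.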