On Thu, May 9, 2019 at 4:27 AM Roberto Sassu <roberto.sassu@xxxxxxxxxx> wrote:
>
> This patch set aims at solving the following use case: appraise files from
> the initial ram disk. To do that, IMA checks the signature/hash from the
> security.ima xattr. Unfortunately, this use case cannot be implemented
> currently, as the CPIO format does not support xattrs.
>
> This proposal consists in marshaling pathnames and xattrs in a file called
> .xattr-list. They are unmarshaled by the CPIO parser after all files have
> been extracted.
>
> The difference from v1 (https://lkml.org/lkml/2018/11/22/1182) is that all
> xattrs are stored in a single file and not per file (solves the file name
> limitation issue, as it is not necessary to add a suffix to files
> containing xattrs).
>
> The difference with another proposal
> (https://lore.kernel.org/patchwork/cover/888071/) is that xattrs can be
> included in an image without changing the image format, as opposed to
> defining a new one. As seen from the discussion, if a new format has to be
> defined, it should fix the issues of the existing format, which requires
> more time.

I read some of those emails. ISTM that adding TAR support should be seriously
considered. Sure, it's baroque, but it's very, very well supported, and it
does exactly what we need.

--Andy
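Added example (not part of the thread, the patch set, or Andy's reply): what "TAR does exactly what we need" looks like in practice. A PAX-format tar carries per-file extended headers, and GNU tar and star record extended attributes there under the keyword `SCHILY.xattr.<name>` with the raw value, so a `security.ima` xattr travels inside the archive with no new image format. The script below uses Python's standard `tarfile` as a stand-in for GNU tar to write such an archive, read the xattrs back (including a binary value, as a DER signature would be), and run a deliberately minimal stand-in for IMA hash appraisal on the result. Assumptions: the `SCHILY.xattr.` keyword convention; the ima-ng hash xattr layout (type byte 0x04, hash-algorithm byte 0x04 for sha256, then the digest) as the kernel's enums define it; and the file contents and the signature-shaped blob, which are constructed and not real.

```python
import hashlib
import io
import tarfile

# PAX keyword convention used by GNU tar and star for extended attributes:
# the xattr name is appended to "SCHILY.xattr." and the value is stored raw.
XATTR_PREFIX = "SCHILY.xattr."

# ima-ng hash xattr layout (assumed from the kernel's evm_ima_xattr_type and
# hash_algo enums): type byte IMA_XATTR_DIGEST_NG, algo byte, then the digest.
IMA_XATTR_DIGEST_NG = 0x04
HASH_ALGO_SHA256 = 0x04


def ima_hash_xattr(content: bytes) -> bytes:
    """Build a security.ima value of the ima-ng hash kind for `content`."""
    return bytes([IMA_XATTR_DIGEST_NG, HASH_ALGO_SHA256]) + hashlib.sha256(content).digest()


def appraise_ima_hash(content: bytes, xattr: bytes) -> bool:
    """Minimal stand-in for IMA appraisal of a hash-type xattr (not kernel code):
    reject unknown type/algo bytes, otherwise recompute the digest and compare."""
    if len(xattr) < 2 or xattr[0] != IMA_XATTR_DIGEST_NG or xattr[1] != HASH_ALGO_SHA256:
        return False
    return hashlib.sha256(content).digest() == xattr[2:]


def _bytes_to_pax(value: bytes) -> str:
    # tarfile wants str values. surrogateescape keeps arbitrary bytes (NULs,
    # high bytes of a DER signature) round-trippable; tarfile then emits
    # hdrcharset=BINARY and writes the original bytes.
    return value.decode("utf-8", "surrogateescape")


def _pax_to_bytes(value: str) -> bytes:
    return value.encode("utf-8", "surrogateescape")


def build_tar_with_xattrs(files: dict) -> bytes:
    """files maps path -> (content, {xattr_name: xattr_value}); returns a PAX tar."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT,
                      encoding="utf-8") as tf:
        for path, (content, xattrs) in files.items():
            ti = tarfile.TarInfo(name=path)
            ti.size = len(content)
            ti.mode = 0o755
            # Per-file extended header records: one SCHILY.xattr.* per xattr.
            ti.pax_headers = {XATTR_PREFIX + name: _bytes_to_pax(val)
                              for name, val in xattrs.items()}
            tf.addfile(ti, io.BytesIO(content))
    return buf.getvalue()


def read_files_with_xattrs(archive: bytes) -> dict:
    """Inverse of build_tar_with_xattrs: path -> (content, {xattr_name: xattr_value})."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:", encoding="utf-8") as tf:
        for member in tf.getmembers():
            xattrs = {k[len(XATTR_PREFIX):]: _pax_to_bytes(v)
                      for k, v in member.pax_headers.items()
                      if k.startswith(XATTR_PREFIX)}
            content = tf.extractfile(member).read() if member.isfile() else b""
            out[member.name] = (content, xattrs)
    return out


# Constructed sample: a hash-protected init script and a binary signature-shaped
# blob (type 0x03, not a real signature) to exercise the non-UTF-8 path.
SAMPLE_INIT = b"#!/bin/sh\nexec /sbin/real-init\n"
SAMPLE_FAKE_SIG = b"\x03\x02\x04\xde\xad\xbe\xef\x00\x08" + b"\x80\x81\xfe\xff\x01\x02\x03\x04"


def demo() -> dict:
    """Round-trip the sample through a PAX archive and return what was read back."""
    archive = build_tar_with_xattrs({
        "init": (SAMPLE_INIT, {"security.ima": ima_hash_xattr(SAMPLE_INIT)}),
        "bin/busybox": (b"ELF...", {"security.ima": SAMPLE_FAKE_SIG}),
    })
    return read_files_with_xattrs(archive)


if __name__ == "__main__":
    for path, (content, xattrs) in demo().items():
        verdict = appraise_ima_hash(content, xattrs.get("security.ima", b""))
        print(path, xattrs, "hash-appraisal:", verdict)
```

The appraisal stand-in only covers hash-type xattrs; for signature-type values (type byte 0x03) the real check is a public-key verification against a key on the IMA keyring, which this script deliberately does not imitate. The point of the round trip is the archive side: the attribute survives unchanged, binary content included, with nothing added to the format.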