RFC: baseline requirements for Ubuntu rootfs: xattrs and fscaps
Kees Cook
kees at ubuntu.com
Thu Aug 2 20:29:26 UTC 2018

On Thu, Aug 02, 2018 at 11:21:28AM -0700, Steve Langasek wrote:
> On Thu, Aug 02, 2018 at 09:41:11AM -0700, Kees Cook wrote:
> > On Wed, Aug 01, 2018 at 05:58:56PM -0700, Steve Langasek wrote:
> > > - Where root filesystems are distributed as tarballs, they are not
> > > currently created with --xattrs; this will need to be changed.
>
> > What about initramfs? CPIO doesn't support xattr:
> > https://lkml.kernel.org/r/1516850875-25066-1-git-send-email-takondra@cisco.com
>
> This seems like it would only be relevant for IMA, not for fscaps (since
> everything in the initramfs runs as uid 0). Is that fair to say?

Okay, that's true -- I can't think of anything that expects to run without
privileges during initramfs.

> Since lack of xattrs in cpio is a known limitation, and files don't end up
> in an initrd without specific action by a package (which would be the same
> in Debian and Ubuntu), I think this is severable from the question of
> requiring xattr-preserving handling of an Ubuntu root filesystem.

Agreed.

> > > - Users who are unpacking root tarballs need to take care to pass
> > > --xattrs-include=* to tar.
> > > - Users who are backing up or streaming Ubuntu root filesystems with tar or
> > > rsync will need to take care to pass non-default xattr-preserving options
> > > (tar --xattrs; rsync -X).
>
> > How about making these default-enabled? Hoping people will remember seems
> > fragile.
>
> I think that's appropriate to pursue with the upstream, but that we should
> still socialize the recommendation to use the options explicitly for
> portability.

While I agree about pursuing it with upstreams, I don't agree about just
leaving this to documentation/luck. The problem is distro-specific (i.e.
the packages built and the root filesystem being used), so I think it's
fair to make the tools involved in that distro DTRT by default when it
comes to xattrs. (Everything else is expected to work together correctly,
why not the tools too?)
-Kees
--
Kees Cook
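
An added example, not part of the original message: a check that a root filesystem tarball actually carries the `security.capability` xattr for the files expected to have file capabilities. It relies on GNU tar storing xattrs as `SCHILY.xattr.<name>` pax header records; the member path and xattr value in the sample archive are constructed.

```python
import io
import tarfile

XATTR_PREFIX = "SCHILY.xattr."   # pax record prefix GNU tar uses for xattrs
FSCAPS = "security.capability"   # xattr that holds file capabilities


def _normalize(name):
    """Drop a leading './' so './usr/bin/x' and 'usr/bin/x' compare equal."""
    return name[2:] if name.startswith("./") else name


def xattrs_by_member(fileobj):
    """Map each archive member to the sorted xattr names recorded for it."""
    found = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tf:
        for member in tf:
            found[_normalize(member.name)] = sorted(
                key[len(XATTR_PREFIX):]
                for key in member.pax_headers
                if key.startswith(XATTR_PREFIX))
    return found


def missing_fscaps(fileobj, expected):
    """Return the expected paths that are absent or lack security.capability."""
    found = xattrs_by_member(fileobj)
    return sorted(p for p in expected if FSCAPS not in found.get(p, []))


def build_sample(with_xattrs):
    """Constructed tarball with one hypothetical capability-bearing binary."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tf:
        info = tarfile.TarInfo("./usr/bin/example-tool")  # hypothetical path
        data = b"#!/bin/sh\n"
        info.size = len(data)
        info.mode = 0o755
        if with_xattrs:
            # Placeholder value; a real one is a binary capability structure.
            info.pax_headers = {XATTR_PREFIX + FSCAPS: "constructed-value"}
        tf.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    expected = ["usr/bin/example-tool"]
    for with_xattrs in (True, False):
        print(with_xattrs, missing_fscaps(build_sample(with_xattrs), expected))
```

A non-empty result means the archive was written without xattrs (or the file never had the capability), so unpacking it cannot restore fscaps regardless of the options passed at extraction time.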