From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: initramfs <initramfs@vger.kernel.org>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
Al Viro <viro@ZenIV.linux.org.uk>,
linux-ima-devel@lists.sourceforge.net,
linux-security-module <linux-security-module@vger.kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>
Subject: [RFC][PATCH 0/9] extend initramfs archive format to support xattrs
Date: Wed, 7 Jan 2015 15:52:51 -0500
Message-ID: <1420663980-20842-1-git-send-email-zohar@linux.vnet.ibm.com>
Many of the Linux security/integrity features are dependent on file
metadata, stored as extended attributes (xattrs), for making decisions.
These features need to be initialized during initcall and enabled as
early as possible for complete security coverage.

The Linux kernel creates the rootfs file system and extracts the contents
of the initramfs, a compressed CPIO archive, onto it. If CONFIG_TMPFS is
enabled (and "root=" is not specified on the boot command line), rootfs
will use tmpfs instead of ramfs by default. Although the tmpfs filesystem
supports xattrs, the CPIO archive specification does not define a method
for including them in the archive. Other archive formats have added xattr
support (e.g. tar).

There are a couple of ways to include and label the rootfs filesystem:
- include a file manifest containing the xattrs in the initramfs
- extend CPIO to support xattrs
- add tar support

This patch set extends the existing newc CPIO archive format to include
xattrs in the initramfs. The changes are limited to gen_init_cpio, the
kernel build tree tool used to generate an initramfs, and init/initramfs.c,
the parser, with minor changes to IMA and EVM.

Mimi
Mimi Zohar (9):
initramfs: separate reading cpio method from header
initramfs: add extended attribute support
gen_init_cpio: replace inline format string with common variable
gen_init_cpio: define new CPIO format to support xattrs
gen_init_cpio: include the file extended attributes
gen_initramfs_list.sh: include xattrs
evm: make rootfs a special case
ima: include tmpfs in ima_appraise_tcb policy
init: remove "root=" command line option test for tmpfs decision
init/do_mounts.c | 2 +-
init/initramfs.c | 95 +++++++++++++++++++++---
scripts/gen_initramfs_list.sh | 2 +-
security/integrity/evm/evm_main.c | 12 ++-
security/integrity/ima/ima_policy.c | 2 +
usr/gen_init_cpio.c | 142 ++++++++++++++++++++++++++++++------
6 files changed, 218 insertions(+), 37 deletions(-)
--
1.8.1.4
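The cover letter describes the newc CPIO archive that the kernel unpacks onto rootfs and that this series extends. The following is an added example, written for this page and not taken from the patch set, usr/gen_init_cpio.c or init/initramfs.c: a small newc writer and a bounds-checked reader in C. It follows the standard newc layout only (the "070701" magic, thirteen 8-digit hex fields, 4-byte alignment of name and body, the "TRAILER!!!" member). The point a practitioner cares about in init/initramfs.c is that every header field comes from an archive the kernel did not produce, so name length and file size are checked against the remaining bytes before they are used; the example shows a header with a hostile namesize being rejected. Where an xattr record would be parsed is marked only by a comment, because the on-disk xattr encoding is defined in patch 4/9, which is not on this page, and the sample archive contents below are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard newc layout: "070701" magic, then thirteen 8-digit hex fields. */
#define NEWC_MAGIC   "070701"
#define NEWC_HDR_LEN 110
#define NEWC_FIELDS  13
#define NEWC_TRAILER "TRAILER!!!"

/* newc pads both the name and the file body out to 4-byte boundaries. */
size_t align4(size_t n) { return (n + 3) & ~(size_t)3; }

/* Append one regular-file member; returns the new archive length, 0 if it does not fit. */
size_t newc_add(unsigned char *ar, size_t len, size_t cap,
                const char *name, const unsigned char *data, size_t dlen)
{
    size_t nsize = strlen(name) + 1;                 /* newc counts the terminating NUL */
    size_t need = align4(NEWC_HDR_LEN + nsize) + align4(dlen);
    char hdr[NEWC_HDR_LEN + 1];
    /* ino mode uid gid nlink mtime filesize devmajor devminor rdevmajor rdevminor namesize check */
    int n = snprintf(hdr, sizeof hdr,
                     "%s%08x%08x%08x%08x%08x%08x%08zx%08x%08x%08x%08x%08zx%08x",
                     NEWC_MAGIC, 1u, 0100644u, 0u, 0u, 1u, 0u, dlen,
                     0u, 0u, 0u, 0u, nsize, 0u);
    if (n != NEWC_HDR_LEN || len > cap || cap - len < need)
        return 0;
    memset(ar + len, 0, need);                       /* zero the alignment padding */
    memcpy(ar + len, hdr, NEWC_HDR_LEN);
    memcpy(ar + len + NEWC_HDR_LEN, name, nsize);
    memcpy(ar + len + align4(NEWC_HDR_LEN + nsize), data, dlen);
    return len + need;
}

/* Decode one 8-digit hex field; anything that is not hex is a malformed header. */
int parse_hex8(const unsigned char *p, uint32_t *out)
{
    uint32_t v = 0;
    for (int i = 0; i < 8; i++) {
        unsigned c = p[i], d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return -1;
        v = (v << 4) | d;
    }
    *out = v;
    return 0;
}

struct member { char name[64]; uint32_t mode, size; const unsigned char *data; };

/* Walk the archive; returns the member count before TRAILER!!!, or -1 on malformed input. */
int newc_walk(const unsigned char *ar, size_t len, struct member *out, int max)
{
    size_t off = 0;
    int count = 0;
    while (len - off >= NEWC_HDR_LEN) {              /* off <= len is kept below */
        const unsigned char *h = ar + off;
        uint32_t f[NEWC_FIELDS];
        if (memcmp(h, NEWC_MAGIC, 6) != 0) return -1;
        for (int i = 0; i < NEWC_FIELDS; i++)
            if (parse_hex8(h + 6 + 8 * i, &f[i])) return -1;
        uint32_t mode = f[1], fsize = f[6], nsize = f[11];
        /* The name must lie inside the buffer and be NUL-terminated before it is read. */
        if (nsize == 0 || nsize > len - off - NEWC_HDR_LEN) return -1;
        const char *name = (const char *)h + NEWC_HDR_LEN;
        if (name[nsize - 1] != '\0') return -1;
        if (strcmp(name, NEWC_TRAILER) == 0) return count;
        size_t data_off = off + align4(NEWC_HDR_LEN + nsize);
        if (data_off > len || fsize > len - data_off) return -1;   /* body must fit too */
        if (count < max) {
            snprintf(out[count].name, sizeof out[count].name, "%s", name);
            out[count].mode = mode; out[count].size = fsize;
            out[count].data = ar + data_off;
        }
        count++;
        /* An xattr extension (patch 2/9) would parse its own length-prefixed record here. */
        off = data_off + align4(fsize);
        if (off > len) return -1;
    }
    return -1;                                       /* ran out of bytes without a trailer */
}

/* Constructed sample archive: two members plus the trailer. Returns length or 0. */
size_t build_sample(unsigned char *ar, size_t cap)
{
    static const unsigned char motd[] = "hello from initramfs\n";
    size_t len = newc_add(ar, 0, cap, "etc/motd", motd, sizeof motd - 1);
    if (len) len = newc_add(ar, len, cap, "etc/empty", (const unsigned char *)"", 0);
    if (len) len = newc_add(ar, len, cap, NEWC_TRAILER, (const unsigned char *)"", 0);
    return len;
}

/* Round trip: returns the member count (2) when the parsed contents match, else -1. */
int demo_roundtrip(void)
{
    unsigned char ar[1024];
    struct member m[4];
    size_t len = build_sample(ar, sizeof ar);
    int n = len ? newc_walk(ar, len, m, 4) : -1;
    if (n != 2 || m[0].mode != 0100644 || m[0].size != 21
        || memcmp(m[0].data, "hello from initramfs\n", 21) != 0
        || strcmp(m[1].name, "etc/empty") != 0 || m[1].size != 0)
        return -1;
    return n;
}

/* Hostile header: first member's namesize field rewritten to 0xffffffff. Returns the walker's verdict. */
int demo_bad_namesize(void)
{
    unsigned char ar[1024];
    struct member m[4];
    size_t len = build_sample(ar, sizeof ar);
    if (!len) return -2;
    memcpy(ar + 6 + 8 * 11, "ffffffff", 8);          /* field 11 is namesize */
    return newc_walk(ar, len, m, 4);
}

int main(void)
{
    printf("round trip members: %d\n", demo_roundtrip());
    printf("hostile namesize verdict: %d\n", demo_bad_namesize());
    return 0;
}
```

The writer pads with zero bytes and emits a zero "check" field because newc archives carry no checksum, which is exactly why IMA/EVM need per-file xattrs rather than relying on the archive format for integrity.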
Thread overview:
2015-01-07 20:52 Mimi Zohar [this message]
2015-01-07 20:52 ` [RFC][PATCH 1/9] initramfs: separate reading cpio method from header Mimi Zohar
2015-01-07 20:52 ` [RFC][PATCH 2/9] initramfs: add extended attribute support Mimi Zohar
2015-01-07 20:52 ` [RFC][PATCH 3/9] gen_init_cpio: replace inline format string with common variable Mimi Zohar
2015-01-07 20:52 ` [RFC][PATCH 4/9] gen_init_cpio: define new CPIO format to support xattrs Mimi Zohar
2015-01-07 20:52 ` [RFC][PATCH 5/9] gen_init_cpio: include the file extended attributes Mimi Zohar
2015-01-07 20:52 ` [RFC][PATCH 6/9] gen_initramfs_list.sh: include xattrs Mimi Zohar
2015-01-08 14:01 ` Josh Boyer
2015-01-08 15:13 ` Mimi Zohar
2015-01-08 18:19 ` Rob Landley
2015-01-08 22:08 ` Mimi Zohar
2015-01-13 18:48 ` Rob Landley
2015-01-13 20:20 ` Mimi Zohar
2015-01-13 21:42 ` Rob Landley
2015-01-14 3:23 ` Mimi Zohar
2015-01-14 4:34 ` Rob Landley
2015-01-14 13:23 ` Mimi Zohar
2015-01-14 19:36 ` Paul Moore
2015-01-07 20:52 ` [RFC][PATCH 7/9] evm: make rootfs a special case Mimi Zohar
2015-01-07 20:52 ` [RFC][PATCH 8/9] ima: include tmpfs in ima_appraise_tcb policy Mimi Zohar
2015-01-08 13:53 ` Josh Boyer
2015-01-08 15:13 ` Mimi Zohar
2015-01-07 20:53 ` [RFC][PATCH 9/9] init: remove "root=" command line option test for tmpfs decision Mimi Zohar