libarchive: Set xattrs after setting times

With Integrity Measurement Architecture (IMA) enabled in Linux
kernel the security.ima extended attribute gets overwritten
when setting times on a file with a futimens() call. So it's safer
to set xattrs after times.

Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>

diff --git a/meta/recipes-extended/libarchive/libarchive/0001-Set-xattrs-after-setting-times.patch b/meta/recipes-extended/libarchive/libarchive/0001-Set-xattrs-after-setting-times.patch
new file mode 100644 (file)
index 0000000..6d74e86
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/0001-Set-xattrs-after-setting-times.patch
@@ -0,0 +1,59 @@
+From 545ded56095c570426fe102ff2192889681ea75c Mon Sep 17 00:00:00 2001
+From: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
+Date: Mon, 29 Feb 2016 14:38:25 +0200
+Subject: [PATCH] Set xattrs after setting times
+
+With Integrity Measurement Architecture (IMA) enabled in Linux
+kernel the security.ima extended attribute gets overwritten
+when setting times on a file with a futimens() call. So it's safer
+to set xattrs after times.
+
+Upstream-Status: Submitted [https://github.com/libarchive/libarchive/pull/664]
+
+Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
+
+---
+ libarchive/archive_write_disk_posix.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c
+index 0fc6193..27c9c1e 100644
+--- a/libarchive/archive_write_disk_posix.c
++++ b/libarchive/archive_write_disk_posix.c
+@@ -1620,16 +1620,6 @@ _archive_write_disk_finish_entry(struct archive *_a)
+       }
+
+       /*
+-       * Security-related extended attributes (such as
+-       * security.capability on Linux) have to be restored last,
+-       * since they're implicitly removed by other file changes.
+-       */
+-      if (a->todo & TODO_XATTR) {
+-              int r2 = set_xattrs(a);
+-              if (r2 < ret) ret = r2;
+-      }
+-
+-      /*
+        * Some flags prevent file modification; they must be restored after
+        * file contents are written.
+        */
+@@ -1648,6 +1638,17 @@ _archive_write_disk_finish_entry(struct archive *_a)
+       }
+
+       /*
++       * Security-related extended attributes (such as
++       * security.capability or security.ima on Linux) have to be restored last,
++       * since they're implicitly removed by other file changes like setting
++       * times.
++       */
++      if (a->todo & TODO_XATTR) {
++              int r2 = set_xattrs(a);
++              if (r2 < ret) ret = r2;
++      }
++
++      /*
+        * Mac extended metadata includes ACLs.
+        */
+       if (a->todo & TODO_MAC_METADATA) {
+--
+2.5.0

diff --git a/meta/recipes-extended/libarchive/libarchive_3.1.2.bb b/meta/recipes-extended/libarchive/libarchive_3.1.2.bb
index 89c8faf5ef8a942c3afdc8f031d50ec9d68f2840..ed677ac3186a327cf0499752ee4a51ee70a478c0 100644 (file)
--- a/meta/recipes-extended/libarchive/libarchive_3.1.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.1.2.bb
@@ -35,6 +35,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
            file://pkgconfig.patch \
            file://libarchive-CVE-2015-2304.patch \
            file://mkdir.patch \
+           file://0001-Set-xattrs-after-setting-times.patch \
            "
 
 SRC_URI[md5sum] = "efad5a503f66329bb9d2f4308b5de98a"