[PATCH] - Adds TAR_SEC_CAPABILITY feature to tar

Cole Dishington Cole.Dishington at alliedtelesis.co.nz
Wed Jan 15 23:53:51 UTC 2020 

Hello,

I have some additional changes on top of my last patch, which added the ability to extract security.capability xattr. The new changes include adding the --xattr/--no-xattr and --xattr-include/--xattr-exclude commandline arguments (seen on GNU tar) to busybox tar. 

I have attached my patch along with a new bloat-o-meter reading.

Thanks
________________________________________
From: busybox <busybox-bounces at busybox.net> on behalf of Cole Dishington <Cole.Dishington at alliedtelesis.co.nz>
Sent: Thursday, January 9, 2020 9:21 AM
To: busybox at busybox.net
Subject: Re: [PATCH] - Adds TAR_SEC_CAPABILITY feature to tar

Thanks for the comments, I have attached a patch with the malloc replaced with xmalloc (and a comment). The reason I didn't use xstrdup instead of xmalloc is because the security capability bytes can contain null bytes, for this reason I am also unsure of how I would go about completing a sanity check on the length (past the length given in the pax header).

The result of the bloat-o-meter is given below:
function                                              old        new    delta
.rodata                                         159429  159563    +134
get_header_tar                                1772      1903    +131
data_extract_all                               1036      1154    +118
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 3/0 up/down: 383/0)             Total: 383 bytes
   text           data       bss     dec         hex filename
1031002   17003    1880 1049885  10051d busybox_old
1031401   17003    1880 1050284  1006ac busybox_unstripped

This was generated with busybox config created with 'make defconfig', and then also enabling the suggested feature 'FEATURE_TAR_SEC_CAPABILITY' in the 'make bloatcheck'.

Thanks
________________________________________
From: Bernhard Reutner-Fischer <rep.dot.nop at gmail.com>
Sent: Wednesday, January 8, 2020 11:34 PM
To: busybox at busybox.net; Cole Dishington; busybox at busybox.net
Subject: Re: [PATCH] - Adds TAR_SEC_CAPABILITY feature to tar

On 7 January 2020 01:25:17 CET, Cole Dishington <Cole.Dishington at alliedtelesis.co.nz> wrote:
>Package: busybox
>
>Version: v131.1
>Severity: wishlist
>
>
>This patch adds the ability for tar to extract security capabilities,
>stored in pax headers. I have tested this on Linux Ubuntu x86_64 and it
>works. I have tested it against GNU tar and the outputs are the same
>(except for the use of setxattrat vs setxattr in a warning message). I
>have ran the tests in the testsuite directory, and nothing breaks.
>
>
>File capabilities divide the permissions of superuser into distinct
>units, these finer grained permissions aid in securing systems. For
>this reason it would be good to get these added to busybox tar.

Please send patches with signed-off-by line.
Also, please use xmalloc instead of malloc (or xstrdup for that matter).
Furthermore, wouldn't you want to sanity check the length?
Bonus points if you add bloat-o-meter output to your patch submission; make baseline; apply the patch and make bloatcheck.

TIA,
-------------- next part --------------
A non-text attachment was scrubbed...
Name: busybox_tar_xattr_capability.patch
Type: text/x-patch
Size: 12996 bytes
Desc: busybox_tar_xattr_capability.patch
URL: <http://lists.busybox.net/pipermail/busybox/attachments/20200115/836400d4/attachment-0001.bin>

More information about the busybox mailing list