[PATCH] - Adds TAR_SEC_CAPABILITY feature to tar
Cole Dishington
Cole.Dishington at alliedtelesis.co.nz
Wed Jan 15 23:53:51 UTC 2020
Hello,
I have some additional changes on top of my last patch, which added the ability to extract security.capability xattr. The new changes include adding the --xattr/--no-xattr and --xattr-include/--xattr-exclude commandline arguments (seen on GNU tar) to busybox tar.
I have attached my patch along with a new bloat-o-meter reading.
Thanks
________________________________________
From: busybox <busybox-bounces at busybox.net> on behalf of Cole Dishington <Cole.Dishington at alliedtelesis.co.nz>
Sent: Thursday, January 9, 2020 9:21 AM
To: busybox at busybox.net
Subject: Re: [PATCH] - Adds TAR_SEC_CAPABILITY feature to tar
Thanks for the comments, I have attached a patch with the malloc replaced with xmalloc (and a comment). The reason I didn't use xstrdup instead of xmalloc is because the security capability bytes can contain null bytes, for this reason I am also unsure of how I would go about completing a sanity check on the length (past the length given in the pax header).
The result of the bloat-o-meter is given below:
function old new delta
.rodata 159429 159563 +134
get_header_tar 1772 1903 +131
data_extract_all 1036 1154 +118
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 3/0 up/down: 383/0) Total: 383 bytes
text data bss dec hex filename
1031002 17003 1880 1049885 10051d busybox_old
1031401 17003 1880 1050284 1006ac busybox_unstripped
This was generated with busybox config created with 'make defconfig', and then also enabling the suggested feature 'FEATURE_TAR_SEC_CAPABILITY' in the 'make bloatcheck'.
Thanks
________________________________________
From: Bernhard Reutner-Fischer <rep.dot.nop at gmail.com>
Sent: Wednesday, January 8, 2020 11:34 PM
To: busybox at busybox.net; Cole Dishington; busybox at busybox.net
Subject: Re: [PATCH] - Adds TAR_SEC_CAPABILITY feature to tar
On 7 January 2020 01:25:17 CET, Cole Dishington <Cole.Dishington at alliedtelesis.co.nz> wrote:
>Package: busybox
>
>Version: v131.1
>Severity: wishlist
>
>
>This patch adds the ability for tar to extract security capabilities,
>stored in pax headers. I have tested this on Linux Ubuntu x86_64 and it
>works. I have tested it against GNU tar and the outputs are the same
>(except for the use of setxattrat vs setxattr in a warning message). I
>have ran the tests in the testsuite directory, and nothing breaks.
>
>
>File capabilities divide the permissions of superuser into distinct
>units, these finer grained permissions aid in securing systems. For
>this reason it would be good to get these added to busybox tar.
Please send patches with signed-off-by line.
Also, please use xmalloc instead of malloc (or xstrdup for that matter).
Furthermore, wouldn't you want to sanity check the length?
Bonus points if you add bloat-o-meter output to your patch submission; make baseline; apply the patch and make bloatcheck.
TIA,
-------------- next part --------------
A non-text attachment was scrubbed...
Name: busybox_tar_xattr_capability.patch
Type: text/x-patch
Size: 12996 bytes
Desc: busybox_tar_xattr_capability.patch
URL: <http://lists.busybox.net/pipermail/busybox/attachments/20200115/836400d4/attachment-0001.bin>
More information about the busybox
mailing list