From: priit@cc.ttu.ee
Sender: Priit Järv
Date: Mon, 10 Jun 2013 18:10:10 +0300 (EEST)
To: freebsd-security@freebsd.org
Subject: libarchive and MAC labels

I've created a patch for libarchive that allows storing and restoring MAC labels from/to a multilabel filesystem using bsdtar. Now before going anywhere with this I had a few questions:

- how much general interest is there in such a feature? Would this be a welcome addition to libarchive, either "upstream" or as integrated in the system source tree? I would be especially interested in the opinion of people who have already been involved with the MAC development.

- right now the labels are stored silently, similar to ACLs and extended attributes. They are not extracted by default, only when the '-p' option is specified (default as root). This seems consistent, however it would also be possible to add a switch so that the labels wouldn't be archived unless explicitly requested.

- the labels are stored in text representation, as converted by mac_to_text(). This could potentially cause some future breakage, if the text representation ever changes. Also, restoring a label partially (let's say a biba+MLS label with only biba enabled) does not work. Any thoughts on that?

Thanks,
Priit.