swupd-server: include xattrs in hash of Manifest files

pohly · pohly · commit 4257abc3d657 · 2016-10-24T16:09:12.000+02:00
The swupd-client currently checks the xattrs, so the server has to do
the same. Ensuring that the server already has the same xattrs set is
complicated and depends on the SWUPD_MANIFEST_CMDS mechanism, so
perhaps it would be easier to just exclude xattrs checking on the
client side.

Signed-off-by: Patrick Ohly &lt;patrick.ohly@intel.com&gt;
diff --git a/meta-swupd/recipes-core/swupd-server/swupd-server/swupd-server-include-xattrs-in-manifest-hash.patch b/meta-swupd/recipes-core/swupd-server/swupd-server/swupd-server-include-xattrs-in-manifest-hash.patch
@@ -0,0 +1,40 @@
+From 1fc56df3b1cc5cf3c5f8405e20c5bc465e1c71e4 Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Wed, 12 Oct 2016 14:00:16 +0200
+Subject: [PATCH] swupd-server: include xattrs in manifest hash
+
+Client and server must agree on whether xattrs are included. Right
+now, the client includes them while the server doesn't, leading to
+hash mismatches in Ostro OS.
+
+Alternatively, we could also disable xattr checking on the client
+side, which might be easier overall: ensuring that IMA and Smack
+xattrs are set already on the server side is fairly complicated in
+Ostro, and it is not obvious whether including the xattrs in the hash
+has some real benefits.
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+
+---
+ src/manifest.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/manifest.c b/src/manifest.c
+index 83c9bab..bf4e3b8 100644
+--- a/src/manifest.c
++++ b/src/manifest.c
+@@ -812,6 +812,11 @@ static int write_manifest_plain(struct manifest *manifest)
+ 		}
+ 
+ 		string_or_die(&tempmanifest, "%s/Manifest.%s", manifest_tempdir, file->filename);
++		/*
++		 * use_xattr Has to match swupd-client:
++		 * there it is enabled unconditionally in verify_file().
++		 */
++		file->use_xattrs = true;
+ 		populate_file_struct(file, tempmanifest);
+ 		ret = compute_hash(file, tempmanifest);
+ 		if (ret != 0) {
+-- 
+2.1.4
+
diff --git a/meta-swupd/recipes-core/swupd-server/swupd-server_git.bb b/meta-swupd/recipes-core/swupd-server/swupd-server_git.bb
@@ -16,6 +16,7 @@ SRC_URI = "git://github.com/clearlinux/swupd-server.git;protocol=https \
            file://0001-swupd-create-update-alternative-input-layout.patch \
            file://0002-add-logging-to-stdout.patch \
            file://swupd_create_update-call-external-command-for-each-m.patch \
+           file://swupd-server-include-xattrs-in-manifest-hash.patch \
            "
 SRCREV = "ddca171dad32229ceeff8b8527a179610b88ce55"
 

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@ SRC_URI = "git://github.com/clearlinux/swupd-server.git;protocol=https \`
`16`	`16`	`file://0001-swupd-create-update-alternative-input-layout.patch \`
`17`	`17`	`file://0002-add-logging-to-stdout.patch \`
`18`	`18`	`file://swupd_create_update-call-external-command-for-each-m.patch \`
	`19`	`+ file://swupd-server-include-xattrs-in-manifest-hash.patch \`
`19`	`20`	`"`
`20`	`21`	`SRCREV = "ddca171dad32229ceeff8b8527a179610b88ce55"`
`21`	`22`