Record security.ima in container images

We have been asked to also record the security.ima attributes into the container images. Signed-off-by: Daniel J Walsh <[email protected]>
containers · Jul 4, 2020 · 5ea5e76 · 5ea5e76
1 parent 1745ea4
commit 5ea5e76
Showing 1 changed file with 11 additions and 9 deletions.
diff --git a/pkg/archive/archive.go b/pkg/archive/archive.go
@@ -390,16 +390,18 @@ func fillGo18FileTypeBits(mode int64, fi os.FileInfo) int64 {
 	return mode
 }
 
-// ReadSecurityXattrToTarHeader reads security.capability xattr from filesystem
-// to a tar header
+// ReadSecurityXattrToTarHeader reads security.capability, security,image
+// xattrs from filesystem to a tar header
 func ReadSecurityXattrToTarHeader(path string, hdr *tar.Header) error {
-	capability, err := system.Lgetxattr(path, "security.capability")
-	if err != nil && err != system.EOPNOTSUPP && err != system.ErrNotSupportedPlatform {
-		return err
-	}
-	if capability != nil {
-		hdr.Xattrs = make(map[string]string)
-		hdr.Xattrs["security.capability"] = string(capability)
+	for _, xattr := range []string{"security.capability", "security.ima"} {
+		capability, err := system.Lgetxattr(path, xattr)
+		if err != nil && err != system.EOPNOTSUPP && err != system.ErrNotSupportedPlatform {
+			return errors.Wrapf(err, "failed to read %q attribute from %q", xattr, path)
+		}
+		if capability != nil {
+			hdr.Xattrs = make(map[string]string)
+			hdr.Xattrs[xattr] = string(capability)
+		}
 	}
 	return nil
 }