Pass extended attributes (excluding system) to tar2sqfs
/bin/ping (from iputils-ping) uses the security capabilities to allow users to use the program: ``` $ getcap /bin/ping /bin/ping cap_net_raw=ep ``` Debian testing/unstable images (variant important) contain security and system attributes: ``` $ mmdebstrap --variant=important bullseye root.tar $ tar --xattrs --xattrs-include='*' -vv -tf root.tar | grep -B 1 '^ ' -rwxr-xr-x* 0/0 77432 2021-02-02 18:49 ./bin/ping x: 20 security.capability -- drwxr-sr-x* 0/102 0 2021-05-07 15:10 ./var/log/journal/ x: 44 system.posix_acl_access x: 44 system.posix_acl_default ``` When generating a squashfs image with mmdebstrap 0.7.5-2, these security capabilities are lost. Example for building a squashfs image in a minimal Debian unstable schroot: ``` $ apt install -y mmdebstrap squashfs-tools-ng $ mmdebstrap --variant=important buster root.squashfs $ rdsquashfs -x /bin/ping root.squashfs $ ``` tar2sqfs from squashfs-tools-ng 1.0.4-1 supports encoding extended attributes from the namespace `user`, `trusted`, and `security` (see `include/sqfs/xattr.h`). GNU tar (version 1.34) supports these three namespaces plus the namespace `system`. Passing extended attributes from the `system` namespace to tar2sqfs will produce an error: ``` ERROR: squashfs does not support xattr prefix of system.posix_acl_default ``` So pass the extended attributes to tar2sqfs, but exclude the `system` namespace. Then ping will keep its security attributes: ``` $ rdsquashfs -x /bin/ping root.squashfs security.capability=0x0100000200200000000000000000000000000000 ``` Closes: #988100 Signed-off-by: Benjamin Drung <benjamin.drung@ionos.com>
This commit is contained in:
parent
88a031477a
commit
0378c101bb
1 changed files with 3 additions and 2 deletions
|
@ -5480,8 +5480,9 @@ sub main() {
|
|||
);
|
||||
# tar2sqfs and genext2fs do not support extended attributes
|
||||
if ($format eq "squashfs") {
|
||||
warning
|
||||
"disabling extended attributes because tar2sqfs only supports some";
|
||||
warning("tar2sqfs does not support extended attributes"
|
||||
. " from the 'system' namespace");
|
||||
push @taropts, '--xattrs', '--xattrs-exclude=system.*';
|
||||
} elsif ($format eq "ext2") {
|
||||
warning "genext2fs does not support extended attributes";
|
||||
} else {
|
||||
|
|
Loading…
Reference in a new issue