From 0378c101bb29cff5679ad71d41899c2c2caae4ba Mon Sep 17 00:00:00 2001
From: Benjamin Drung <benjamin.drung@ionos.com>
Date: Mon, 17 May 2021 21:40:08 +0200
Subject: [PATCH] Pass extended attributes (excluding system) to tar2sqfs

/bin/ping (from iputils-ping) uses the security capabilities to allow
users to use the program:

```
$ getcap /bin/ping
/bin/ping cap_net_raw=ep
```

Debian testing/unstable images (variant important) contain security and
system attributes:

```
$ mmdebstrap --variant=important bullseye root.tar
$ tar --xattrs --xattrs-include='*' -vv -tf root.tar | grep -B 1 '^ '
-rwxr-xr-x* 0/0           77432 2021-02-02 18:49 ./bin/ping
  x: 20 security.capability
--
drwxr-sr-x* 0/102             0 2021-05-07 15:10 ./var/log/journal/
  x: 44 system.posix_acl_access
  x: 44 system.posix_acl_default
```

When generating a squashfs image with mmdebstrap 0.7.5-2, these security
capabilities are lost. Example for building a squashfs image in a
minimal Debian unstable schroot:

```
$ apt install -y mmdebstrap squashfs-tools-ng
$ mmdebstrap --variant=important buster root.squashfs
$ rdsquashfs -x /bin/ping root.squashfs
$
```

tar2sqfs from squashfs-tools-ng 1.0.4-1 supports encoding extended
attributes from the namespace `user`, `trusted`, and `security` (see
`include/sqfs/xattr.h`). GNU tar (version 1.34) supports these three
namespaces plus the namespace `system`.

Passing extended attributes from the `system` namespace to tar2sqfs will
produce an error:

```
ERROR: squashfs does not support xattr prefix of system.posix_acl_default
```

So pass the extended attributes to tar2sqfs, but exclude the `system`
namespace. Then ping will keep its security attributes:

```
$ rdsquashfs -x /bin/ping root.squashfs
security.capability=0x0100000200200000000000000000000000000000
```

Closes: #988100
Signed-off-by: Benjamin Drung <benjamin.drung@ionos.com>
---
 mmdebstrap | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/mmdebstrap b/mmdebstrap
index 672d5df..c368f70 100755
--- a/mmdebstrap
+++ b/mmdebstrap
@@ -5480,8 +5480,9 @@ sub main() {
     );
     # tar2sqfs and genext2fs do not support extended attributes
     if ($format eq "squashfs") {
-        warning
-          "disabling extended attributes because tar2sqfs only supports some";
+        warning("tar2sqfs does not support extended attributes"
+              . " from the 'system' namespace");
+        push @taropts, '--xattrs', '--xattrs-exclude=system.*';
     } elsif ($format eq "ext2") {
         warning "genext2fs does not support extended attributes";
     } else {