[Buildroot] [PATCH 1/3] fs: apply permissions late

Buildroot Archive on lore.kernel.org
 help / color / mirror / Atom feed

From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 1/3] fs: apply permissions late
Date: Thu, 08 Nov 2018 23:58:10 +0100	[thread overview]
Message-ID: <87bm6z89dp.fsf@dell.be.48ers.dk> (raw)
In-Reply-To: <4f9a31b0fb8f87ded9c788cb92d727b6763859ac.1540626349.git.yann.morin.1998@free.fr> (Yann E. MORIN's message of "Sat, 27 Oct 2018 09:45:58 +0200")

>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:

 > The combination of fakeroot, tar, and capabilities is broken, because
 > fakeroot currently badly handles capabilities, which are currently
 > simply ignored.

 > As described in #11216, asking tar to explicitly store and restore
 > capabilities ends up with a failling build, when tar actually tries to
 > restore the capabilities. Adding support for capabilities to fakeroot
 > (by adding host-libcap as dependency) does not fix the problem.

 > Capabilities are stored in the extended attribute security.capabilty.
 > It turns out that tar does have special handling when extracting and
 > restoring that extended attribute, and that fails miserably when running
 > under fakeroot...

Hmm, playing a bit around with tar here (1.29, Debian) it looks like it
doesn't actually extract the security.capability xattrs when --xattrs is
used unless --xattrs-include='*.*' is used:

getcap /usr/bin/i3status
/usr/bin/i3status = cap_net_admin+ep

sudo tar -cvvvf foo.tar /usr/bin/i3status
tar: Removing leading `/' from member names
-rwxr-xr-x root/root     84888 2017-01-21 15:42 /usr/bin/i3status
hexdump -C foo.tar | grep -A2 ecu

No security.capability in the .tar

sudo tar --xattrs -cvvvf foo.tar /usr/bin/i3status
tar: Removing leading `/' from member names
-rwxr-xr-x  root/root     84888 2017-01-21 15:42 /usr/bin/i3status
hexdump -C foo.tar | grep -A2 ecu
00000240  43 48 49 4c 59 2e 78 61  74 74 72 2e 73 65 63 75  |CHILY.xattr.secu|
00000250  72 69 74 79 2e 63 61 70  61 62 69 6c 69 74 79 3d  |rity.capability=|
00000260  01 00 00 02 00 10 00 00  00 00 00 00 00 00 00 00  |................|

With --xattrs they are included but not listed in the verbose output:

sudo tar --xattrs --xattrs-include='*.*' -cvvvf foo.tar /usr/bin/i3status
tar: Removing leading `/' from member names
-rwxr-xr-x* root/root     84888 2017-01-21 15:42 /usr/bin/i3status
  x: 20 security.capability
hexdump -C foo.tar | grep -A2 ecu
00000240  43 48 49 4c 59 2e 78 61  74 74 72 2e 73 65 63 75  |CHILY.xattr.secu|
00000250  72 69 74 79 2e 63 61 70  61 62 69 6c 69 74 79 3d  |rity.capability=|
00000260  01 00 00 02 00 10 00 00  00 00 00 00 00 00 00 00  |................|

Same .tar content but now also listed in the verbose output.


For extraction:

tar -xvvvf ../foo.tar && getcap usr/bin/i3status
-rwxr-xr-x root/root     84888 2017-01-21 15:42 usr/bin/i3status

No capability.

tar --xattrs -xvvvf ../foo.tar && getcap usr/bin/i3status
-rwxr-xr-x  root/root     84888 2017-01-21 15:42 usr/bin/i3status

Still no capability.

tar --xattrs --xattrs-include='*.*' -xvvvf ../foo.tar && getcap usr/bin/i3status
-rwxr-xr-x* root/root     84888 2017-01-21 15:42 usr/bin/i3status
  x: 20 security.capability
usr/bin/i3status = cap_net_admin+ep

Now it works.

I don't see where we are passing --xattrs-include. Are we sure this is a
fakeroot issue after all?

-- 
Bye, Peter Korsgaard

next prev parent reply	other threads:[~2018-11-08 22:58 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-10-27  7:45 [Buildroot] [PATCH 0/3] fs: fix and better handle capabilities Yann E. MORIN
2018-10-27  7:45 ` [Buildroot] [PATCH 1/3] fs: apply permissions late Yann E. MORIN
2018-10-27 13:14   ` Matthew Weber
2018-10-30 20:23     ` Yann E. MORIN
2018-10-31  1:18       ` Matthew Weber
2018-10-31 21:49         ` Yann E. MORIN
2018-11-02 20:29           ` Matthew Weber
2018-11-03 13:38   ` Thomas Petazzoni
2018-11-10 17:17     ` Yann E. MORIN
2018-11-07 23:43   ` Arnout Vandecappelle
2018-11-09 20:13     ` Arnout Vandecappelle
2018-11-10 17:08       ` Yann E. MORIN
2018-11-10 17:57     ` Yann E. MORIN
2018-11-11 16:02       ` Arnout Vandecappelle
2018-11-11 16:44         ` Yann E. MORIN
2018-11-11 20:03         ` Peter Korsgaard
2018-11-11 20:02       ` Peter Korsgaard
2018-11-12  8:17         ` Yann E. MORIN
2018-11-08 22:58   ` Peter Korsgaard [this message]
2018-11-09  8:55     ` Peter Korsgaard
2018-11-10 17:07     ` Yann E. MORIN
2018-10-27  7:45 ` [Buildroot] [PATCH 2/3] fs: be oblivious of pre-existing xattrs Yann E. MORIN
2018-11-02 20:31   ` Matthew Weber
2018-10-27  7:46 ` [Buildroot] [PATCH 3/3] fs: fix condition to create static devices Yann E. MORIN
2018-11-02 20:34   ` Matthew Weber

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87bm6z89dp.fsf@dell.be.48ers.dk \
    --to=peter@korsgaard.com \
    --cc=buildroot@busybox.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox