Do not error on trying to write IMA xattr as rootless

Rootless users cannot set the `security.ima` xattr on files
(presumably for security reasons, they get an EPERM on trying to
do so). We normally try to preserve that xattr, so when
trying to add a file with an IMA xattr to a build on a Buildah
without this patch, you get an error. With this patch, the error
is downgraded to a warning, as it's better to successfully build
with a missing xattr than blocking all builds which want to
include the offending file.

The urgency on this has become somewhat higher as it seems like
F41/Rawhide are installing rpm-plugin-ima by default, which is
setting IMA xattrs on some files that Podman relies on - for
example, the catatonit binary we use for pid pause images.
Without this patch, building the pause image as rootless will
always fail on a system with rpm-plugin-ima installed.

Fixes: https://github.com/containers/podman/issues/18543

<MH: Cherry picked back to release-1.37, conflicts fixed>

Signed-off-by: Matt Heon <mheon@redhat.com>
This commit is contained in:
Matt Heon 2024-09-17 08:45:27 -04:00
parent b67fa4501c
commit 8165aae9e8
2 changed files with 22 additions and 2 deletions


@ -10,15 +10,18 @@ import (
"strings"
"syscall"
"github.com/containers/storage/pkg/unshare"
"github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
)
const (
xattrsSupported = true
imaXattr = "security.ima"
)
var (
relevantAttributes = []string{"security.capability", "security.ima", "user.*"} // the attributes that we preserve - we discard others
relevantAttributes = []string{"security.capability", imaXattr, "user.*"} // the attributes that we preserve - we discard others
initialXattrListSize = 64 * 1024
initialXattrValueSize = 64 * 1024
)
@ -93,7 +96,11 @@ func Lsetxattrs(path string, xattrs map[string]string) error {
for attribute, value := range xattrs {
if isRelevantXattr(attribute) {
if err := unix.Lsetxattr(path, attribute, []byte(value), 0); err != nil {
return fmt.Errorf("setting value of extended attribute %q on %q: %w", attribute, path, err)
if unshare.IsRootless() && attribute == imaXattr {
logrus.Warnf("Unable to set %q xattr on %q: %v", attribute, path, err)
} else {
return fmt.Errorf("setting value of extended attribute %q on %q: %w", attribute, path, err)
}
}
}
}
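Review bot: The new guard in Lsetxattrs downgrades every failure to a warning whenever the attribute is security.ima and the caller is rootless, but the description only justifies swallowing the EPERM that unprivileged users get; an EIO, ENOSPC or ENOTSUP on the same attribute would now be hidden too, silently dropping integrity metadata that the caller assumed was preserved. Narrowing the condition to the documented case keeps the fix and surfaces everything else: `if unshare.IsRootless() && attribute == imaXattr && errors.Is(err, syscall.EPERM) {` (syscall is already imported in the first hunk; `errors` needs adding if the file does not import it yet). A one-line comment above the branch would also help the next reader, e.g. `// Unprivileged users cannot write security.ima (EPERM); warn and continue rather than failing the whole copy.`. The body of Lsetxattrs continues past the end of this hunk.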


@ -306,3 +306,16 @@ stuff/mystuff"
run_buildah 125 add --checksum=sha256:0000000000000000000000000000000000000000000000000000000000000000 $cid ${TEST_SCRATCH_DIR}/randomfile /
expect_output --substring "checksum flag is not supported for local sources"
}
@test "add file with IMA xattr" {
if ! getfattr -d -n 'security.ima' /usr/libexec/catatonit/catatonit | grep -q ima; then
skip "catatonit does not have IMA xattr, cannot perform test"
fi
run_buildah from --quiet scratch
cid=$output
# We do not care if the attribute was actually added, as rootless is allowed to discard it.
# Only that the add was actually successful.
run_buildah add $cid /usr/libexec/catatonit/catatonit /catatonit
}
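Review bot: The new test only proves that `add` succeeds and, per the comment, deliberately does not check whether security.ima survived, so it cannot catch a regression in the rootful path where the xattr is expected to be preserved. When the suite is not running rootless, a follow-up check on the copied file (for example via `run_buildah mount $cid` and `getfattr -n security.ima` on `/catatonit` under the mount point, if mount is available in that configuration) would pin the preservation behaviour while keeping the rootless case permissive. The skip condition also relies on the host's catatonit carrying an IMA signature, which is an environment assumption worth stating in the skip message, e.g. `skip "catatonit does not have IMA xattr (rpm-plugin-ima not installed?), cannot perform test"`.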