Do not error on trying to write IMA xattr as rootless
Rootless users cannot set the `security.ima` xattr on files (presumably for security reasons; they get an EPERM when trying to do so). We will normally try to preserve that xattr, so when trying to add a file with an IMA xattr to a build on a Buildah without this patch, you get an error. With this patch, the error is downgraded to a warning, as it's better to successfully build with a missing xattr than to block all builds that want to include the offending file. The urgency on this has become somewhat higher as it seems like F41/Rawhide are installing rpm-plugin-ima by default, which is setting IMA xattrs on some files that Podman relies on - for example, the catatonit binary we use for pid pause images. Without this patch, building the pause image as rootless will always fail on a system with rpm-plugin-ima installed. Fixes: https://github.com/containers/podman/issues/18543 <MH: Cherry picked back to release-1.37, conflicts fixed> Signed-off-by: Matt Heon <mheon@redhat.com>
parent
b67fa4501c
commit
8165aae9e8
|
@ -10,15 +10,18 @@ import (
|
|||
"strings"
|
||||
"syscall"
|
||||
|
||||
"github.com/containers/storage/pkg/unshare"
|
||||
"github.com/sirupsen/logrus"
|
||||
"golang.org/x/sys/unix"
|
||||
)
|
||||
|
||||
const (
|
||||
xattrsSupported = true
|
||||
imaXattr = "security.ima"
|
||||
)
|
||||
|
||||
var (
|
||||
relevantAttributes = []string{"security.capability", "security.ima", "user.*"} // the attributes that we preserve - we discard others
|
||||
relevantAttributes = []string{"security.capability", imaXattr, "user.*"} // the attributes that we preserve - we discard others
|
||||
initialXattrListSize = 64 * 1024
|
||||
initialXattrValueSize = 64 * 1024
|
||||
)
|
||||
|
@ -93,9 +96,13 @@ func Lsetxattrs(path string, xattrs map[string]string) error {
|
|||
for attribute, value := range xattrs {
|
||||
if isRelevantXattr(attribute) {
|
||||
if err := unix.Lsetxattr(path, attribute, []byte(value), 0); err != nil {
|
||||
if unshare.IsRootless() && attribute == imaXattr {
|
||||
logrus.Warnf("Unable to set %q xattr on %q: %v", attribute, path, err)
|
||||
} else {
|
||||
return fmt.Errorf("setting value of extended attribute %q on %q: %w", attribute, path, err)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
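Review bot: The rootless branch added at the `unshare.IsRootless() && attribute == imaXattr` check downgrades every failure to set `security.ima`, while the description says the condition it targets is EPERM; an unrelated error on the IMA attribute (ENOSPC, EIO, a filesystem that rejects the attribute) would now be reduced to a warning as well. Narrow it to the permission case, `if unshare.IsRootless() && attribute == imaXattr && errors.Is(err, unix.EPERM) {` (`errors` may need adding to the import block if it is not already there above the visible part of the hunk). Since the attribute being dropped is an integrity signature, the warning should say so, e.g. `logrus.Warnf("Unable to set %q xattr on %q (IMA signature will be missing from the image): %v", attribute, path, err)`, so that anyone reading the build log understands what the resulting layer lacks. Lsetxattrs begins above this hunk; only its loop and return are visible here.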
|
|
|
@ -306,3 +306,16 @@ stuff/mystuff"
|
|||
run_buildah 125 add --checksum=sha256:0000000000000000000000000000000000000000000000000000000000000000 $cid ${TEST_SCRATCH_DIR}/randomfile /
|
||||
expect_output --substring "checksum flag is not supported for local sources"
|
||||
}
|
||||
|
||||
@test "add file with IMA xattr" {
|
||||
if ! getfattr -d -n 'security.ima' /usr/libexec/catatonit/catatonit | grep -q ima; then
|
||||
skip "catatonit does not have IMA xattr, cannot perform test"
|
||||
fi
|
||||
|
||||
run_buildah from --quiet scratch
|
||||
cid=$output
|
||||
|
||||
# We do not care if the attribute was actually added, as rootless is allowed to discard it.
|
||||
# Only that the add was actually successful.
|
||||
run_buildah add $cid /usr/libexec/catatonit/catatonit /catatonit
|
||||
}
|
||||
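Review bot: The new test passes whenever `buildah add` exits 0, so when the suite runs as root it never confirms that the IMA xattr was actually preserved, which is the path the non-rootless branch of Lsetxattrs is meant to keep working. Add a root-only check that mounts the container and verifies `security.ima` is present on `/catatonit`, so a regression in xattr preservation is caught rather than masked by the intentionally permissive rootless behaviour. The skip guard also skips silently when `getfattr` itself is not installed; a separate `skip "getfattr not available"` before the attribute probe would make skipped runs easier to interpret. The test function itself is fully contained in the hunk.
```shell
run_buildah add $cid /usr/libexec/catatonit/catatonit /catatonit
# As root the xattr must survive the add; rootless is allowed to drop it.
if [ "$(id -u)" -eq 0 ]; then
    run_buildah mount $cid
    getfattr -n security.ima "$output/catatonit"
fi
```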
|
|