core: Fix fcaps (e.g. ping) in unified core mode

This fixes another thing broken with `compose --ex-unified-core`; for e.g. `/usr/bin/ping` from `iputils`, the classic example of a filecaps binary. As I'm writing this commit message I realize it will actually also take effect for package layering unnecessarily; we'll pointlessly break the hardlink. But eh, it doesn't matter right now, we can optimize that later. Closes: #1151 Approved by: jlebon
2017-12-13 21:42:59 -05:00 · 2017-12-13 21:42:59 -05:00 · 9f2db12329
commit 9f2db12329
parent 8b41718d60
3 changed files with 9 additions and 3 deletions
--- a/src/libpriv/rpmostree-core.c
+++ b/src/libpriv/rpmostree-core.c
@ -2944,12 +2944,14 @@ apply_rpmfi_overrides (RpmOstreeContext *self,
      const char *user = rpmfiFUser (fi) ?: "root";
      const char *group = rpmfiFGroup (fi) ?: "root";
      const char *fcaps = rpmfiFCaps (fi) ?: '\0';
+      const gboolean have_fcaps = fcaps[0] != '\0';
      rpm_mode_t mode = rpmfiFMode (fi);
      rpmfileAttrs fattrs = rpmfiFFlags (fi);
      const gboolean is_ghost = fattrs & RPMFILE_GHOST;

      if (g_str_equal (user, "root") &&
-          g_str_equal (group, "root"))
+          g_str_equal (group, "root") &&
+          !have_fcaps)
        continue;

      /* In theory, RPMs could contain block devices or FIFOs; we would normally
@ -3057,7 +3059,7 @@ apply_rpmfi_overrides (RpmOstreeContext *self,
        return glnx_throw_errno_prefix (error, "fchownat(%s)", fn);

      /* the chown clears away file caps, so reapply it here */
-      if (fcaps[0] != '\0')
+      if (have_fcaps)
        {
          g_autoptr(GVariant) xattrs = rpmostree_fcap_to_xattr_variant (fcaps);
          if (!glnx_dfd_name_set_all_xattrs (tmprootfs_dfd, fn, xattrs,
--- a/tests/compose-tests/libbasic-test.sh
+++ b/tests/compose-tests/libbasic-test.sh
@ -42,6 +42,10 @@ ostree --repo=${repobuild} ls ${treeref} /usr/bin/su > su.txt
 assert_file_has_content su.txt '^-04[71][0-7][0-7]'
 echo "ok setuid"

+ostree --repo=${repobuild} ls -X ${treeref} /usr/bin/ping > ping.txt
+assert_file_has_content_literal ping.txt "b'security.capability', [byte"
+echo "ok fcaps"
+
 # https://github.com/projectatomic/rpm-ostree/issues/669
 ostree --repo=${repobuild} ls  ${treeref} /tmp > ls.txt
 assert_file_has_content ls.txt 'l00777 0 0      0 /tmp -> sysroot/tmp'
--- a/tests/composedata/fedora-base.json
+++ b/tests/composedata/fedora-base.json
@ -4,7 +4,7 @@
    "repos": ["fedora"],

    "packages": ["kernel", "nss-altfiles", "systemd", "ostree", "selinux-policy-targeted", "chrony",
-                 "tuned"],
+                 "tuned", "iputils"],

    "packages-aarch64": ["grub2-efi", "ostree-grub2",
                         "efibootmgr", "shim"],