keremet/rpm-ostree
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

core: Fix fcaps (e.g. ping) in unified core mode

Browse Source 
This fixes another thing broken with `compose --ex-unified-core`;
for e.g. `/usr/bin/ping` from `iputils`, the classic example of a filecaps
binary.

As I'm writing this commit message I realize it will actually also
take effect for package layering unnecessarily; we'll pointlessly
break the hardlink.  But eh, it doesn't matter right now, we can
optimize that later.

Closes: #1151
Approved by: jlebon
This commit is contained in:
Colin Walters 2017-12-13 21:42:59 -05:00 committed by Atomic Bot
parent 8b41718d60
commit 9f2db12329
3 changed files with 9 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/libpriv/rpmostree-core.c
View File

@ -2944,12 +2944,14 @@ apply_rpmfi_overrides (RpmOstreeContext *self,
const char *user = rpmfiFUser (fi) ?: "root"; const char *user = rpmfiFUser (fi) ?: "root";
const char *group = rpmfiFGroup (fi) ?: "root"; const char *group = rpmfiFGroup (fi) ?: "root";
const char *fcaps = rpmfiFCaps (fi) ?: '\0'; const char *fcaps = rpmfiFCaps (fi) ?: '\0';
const gboolean have_fcaps = fcaps[0] != '\0';
rpm_mode_t mode = rpmfiFMode (fi); rpm_mode_t mode = rpmfiFMode (fi);
rpmfileAttrs fattrs = rpmfiFFlags (fi); rpmfileAttrs fattrs = rpmfiFFlags (fi);
const gboolean is_ghost = fattrs & RPMFILE_GHOST; const gboolean is_ghost = fattrs & RPMFILE_GHOST;
if (g_str_equal (user, "root") && if (g_str_equal (user, "root") &&
g_str_equal (group, "root")) g_str_equal (group, "root") &&
!have_fcaps)
continue; continue;
/* In theory, RPMs could contain block devices or FIFOs; we would normally /* In theory, RPMs could contain block devices or FIFOs; we would normally
@ -3057,7 +3059,7 @@ apply_rpmfi_overrides (RpmOstreeContext *self,
return glnx_throw_errno_prefix (error, "fchownat(%s)", fn); return glnx_throw_errno_prefix (error, "fchownat(%s)", fn);
/* the chown clears away file caps, so reapply it here */ /* the chown clears away file caps, so reapply it here */
if (fcaps[0] != '\0') if (have_fcaps)
{ {
g_autoptr(GVariant) xattrs = rpmostree_fcap_to_xattr_variant (fcaps); g_autoptr(GVariant) xattrs = rpmostree_fcap_to_xattr_variant (fcaps);
if (!glnx_dfd_name_set_all_xattrs (tmprootfs_dfd, fn, xattrs, if (!glnx_dfd_name_set_all_xattrs (tmprootfs_dfd, fn, xattrs,

4
tests/compose-tests/libbasic-test.sh
View File

@ -42,6 +42,10 @@ ostree --repo=${repobuild} ls ${treeref} /usr/bin/su > su.txt
assert_file_has_content su.txt '^-04[71][0-7][0-7]' assert_file_has_content su.txt '^-04[71][0-7][0-7]'
echo "ok setuid" echo "ok setuid"
ostree --repo=${repobuild} ls -X ${treeref} /usr/bin/ping > ping.txt
assert_file_has_content_literal ping.txt "b'security.capability', [byte"
echo "ok fcaps"
# https://github.com/projectatomic/rpm-ostree/issues/669 # https://github.com/projectatomic/rpm-ostree/issues/669
ostree --repo=${repobuild} ls ${treeref} /tmp > ls.txt ostree --repo=${repobuild} ls ${treeref} /tmp > ls.txt
assert_file_has_content ls.txt 'l00777 0 0 0 /tmp -> sysroot/tmp' assert_file_has_content ls.txt 'l00777 0 0 0 /tmp -> sysroot/tmp'

2
tests/composedata/fedora-base.json
View File

@ -4,7 +4,7 @@
"repos": ["fedora"], "repos": ["fedora"],
"packages": ["kernel", "nss-altfiles", "systemd", "ostree", "selinux-policy-targeted", "chrony", "packages": ["kernel", "nss-altfiles", "systemd", "ostree", "selinux-policy-targeted", "chrony",
"tuned"], "tuned", "iputils"],
"packages-aarch64": ["grub2-efi", "ostree-grub2", "packages-aarch64": ["grub2-efi", "ostree-grub2",
"efibootmgr", "shim"], "efibootmgr", "shim"],