core: Fix fcaps (e.g. ping) in unified core mode
This fixes another thing broken with `compose --ex-unified-core`; for e.g. `/usr/bin/ping` from `iputils`, the classic example of a filecaps binary. As I'm writing this commit message I realize it will actually also take effect for package layering unnecessarily; we'll pointlessly break the hardlink. But eh, it doesn't matter right now, we can optimize that later. Closes: #1151 Approved by: jlebon
parent
8b41718d60
commit
9f2db12329
@ -2944,12 +2944,14 @@ apply_rpmfi_overrides (RpmOstreeContext *self,
|
||||
const char *user = rpmfiFUser (fi) ?: "root";
|
||||
const char *group = rpmfiFGroup (fi) ?: "root";
|
||||
const char *fcaps = rpmfiFCaps (fi) ?: '\0';
|
||||
const gboolean have_fcaps = fcaps[0] != '\0';
|
||||
rpm_mode_t mode = rpmfiFMode (fi);
|
||||
rpmfileAttrs fattrs = rpmfiFFlags (fi);
|
||||
const gboolean is_ghost = fattrs & RPMFILE_GHOST;
|
||||
|
||||
if (g_str_equal (user, "root") &&
|
||||
g_str_equal (group, "root"))
|
||||
g_str_equal (group, "root") &&
|
||||
!have_fcaps)
|
||||
continue;
|
||||
|
||||
/* In theory, RPMs could contain block devices or FIFOs; we would normally
|
||||
@ -3057,7 +3059,7 @@ apply_rpmfi_overrides (RpmOstreeContext *self,
|
||||
return glnx_throw_errno_prefix (error, "fchownat(%s)", fn);
|
||||
|
||||
/* the chown clears away file caps, so reapply it here */
|
||||
if (fcaps[0] != '\0')
|
||||
if (have_fcaps)
|
||||
{
|
||||
g_autoptr(GVariant) xattrs = rpmostree_fcap_to_xattr_variant (fcaps);
|
||||
if (!glnx_dfd_name_set_all_xattrs (tmprootfs_dfd, fn, xattrs,
|
||||
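Review bot: The new `have_fcaps` line indexes `fcaps[0]` for every file in the loop, but the fallback on the line above it, `rpmfiFCaps (fi) ?: '\0'`, is a character constant with value zero, so it yields a null pointer rather than an empty string. If `rpmfiFCaps` can return NULL here (not visible in these hunks), that is a NULL dereference, and it is now reached before the root/root shortcut instead of only after the `fchownat` in the second hunk. I would change the fallback to `const char *fcaps = rpmfiFCaps (fi) ?: "";`. Separately, a one-line comment above the `continue` condition such as `/* root-owned files still need a pass when they carry file capabilities */` would record why `!have_fcaps` is there. `apply_rpmfi_overrides` starts and ends outside both hunks.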
|
@ -42,6 +42,10 @@ ostree --repo=${repobuild} ls ${treeref} /usr/bin/su > su.txt
|
||||
assert_file_has_content su.txt '^-04[71][0-7][0-7]'
|
||||
echo "ok setuid"
|
||||
|
||||
ostree --repo=${repobuild} ls -X ${treeref} /usr/bin/ping > ping.txt
|
||||
assert_file_has_content_literal ping.txt "b'security.capability', [byte"
|
||||
echo "ok fcaps"
|
||||
|
||||
# https://github.com/projectatomic/rpm-ostree/issues/669
|
||||
ostree --repo=${repobuild} ls ${treeref} /tmp > ls.txt
|
||||
assert_file_has_content ls.txt 'l00777 0 0 0 /tmp -> sysroot/tmp'
|
||||
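Review bot: The added `assert_file_has_content_literal` check on ping.txt only proves that a `security.capability` xattr exists on `/usr/bin/ping`; the bytes after `[byte` are not compared, so a tree carrying a different capability set than the package declares would still pass. It also pins the test to the exact text that `ostree ls -X` prints. If comparing the value is impractical, I would at least say so in a comment above the check, e.g. `# presence only: the capability value itself is not verified`.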
|
@ -4,7 +4,7 @@
|
||||
"repos": ["fedora"],
|
||||
|
||||
"packages": ["kernel", "nss-altfiles", "systemd", "ostree", "selinux-policy-targeted", "chrony",
|
||||
"tuned"],
|
||||
"tuned", "iputils"],
|
||||
|
||||
"packages-aarch64": ["grub2-efi", "ostree-grub2",
|
||||
"efibootmgr", "shim"],
|
||||
|