Bug 11216

Summary: Capabilities not applied to filesystem
Product: buildroot Reporter: Ricardo Martincoski <ricardo.martincoski>
Component: OtherAssignee: Yann E. MORIN <yann.morin.1998>
Status: RESOLVED FIXED    
Severity: normal CC: buildroot, yann.morin.1998
Priority: P5    
Version: 2018.05   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Host: Target:
Build:

Description Ricardo Martincoski 2018-08-10 02:08:57 UTC 
Steps to reproduce:
1) create a config for squashfs with xattrs added by either a device_table or _PERMISSIONS in a package.
An example can be seen on the test case of this series:
http://patchwork.ozlabs.org/project/buildroot/list/?series=59394
2) Build
3) Run test, checking with getcap

Actual results:
The build succeeds without any warning.
But in runtime the xattrs are not in the filesystem.

Expected results:
In runtime, calling getcap shows the xattrs.

Additional info:
This bug occurs on master and 2018.05.x. It does not occur on 2018.02.x, before the use of a per-fs target dir.
makedevs does apply the file capabilities to the $(FS_DIR)/target copy, but the extended attributes are not propagated to the target filesystem.

Hacks (cumulative) to understand the problem:
1) removing "rm -f $(ROOTFS_COMMON_TAR)" from the main Makefile and inspecting the tarball
> tvvf rootfs.common.tar --xattrs --xattrs-include='*'
the xattr are not shown.
2) adding "--xattrs --xattrs-include='*'" to ROOTFS_COMMON_TAR_CMD the build succeeds without any warning. Inspecting the tarball the xattrs show up
> x: 20 security.capability
But when run testing the xattrs are not there.
3) adding "--xattrs --xattrs-include='*'" to ROOTFS_COMMON_UNTAR_CMD the build succeeds with a warning
> File my_file_with_xattr has unrecognised filetype 0, ignoring
Inspecting the tarball the xattr shows up.
But when run testing the file that should have the xattrs is not in the image.

Additional notes (speculation):
- In its source code, tar has some suspicious workarounds for security.capability, but it works fine outside of fakeroot.
- fakeroot 1.23 is out but I didn't tried it.
- It looks like the problem occurs when extracting a tarfile with xattrs inside fakeroot. See below the commands I used to test.
Outside of buildroot I tried using those versions from Ubuntu 18.04:
tar (GNU tar) 1.29
fakeroot version 1.22
> $ mkdir dir
> $ touch dir/file
> $ fakeroot
> # setcap cap_kill+eip dir/file
> # getcap dir/file
> dir/file = cap_kill+eip
> # tar cf archive.tar dir --xattrs
> # exit
> $ tar tvvf archive.tar --xattrs --xattrs-include='*'
> drwxr-xr-x  root/root         0 2018-08-05 23:21 dir/
> -rw-r--r--* ricardo/ricardo   0 2018-08-05 23:21 dir/file
>   x: 20 security.capability
> $ fakeroot
> # tar xf archive.tar --xattrs --xattrs-include='*'
> # ls -l dir/file
> ?rw-r--r-- 1 root root 0 ago  5 23:21 dir/file
> # file dir/file
> dir/file: ERROR: invalid mode 0644
> # getcap dir/file
> # exit
> $ file dir/file
> dir/file: empty
> $ getcap dir/file
> $ sudo tar xf archive.tar --xattrs --xattrs-include='*'
> $ getcap dir/file
> dir/file = cap_kill+eip
Comment 1 Thomas Petazzoni 2018-11-02 10:58:03 UTC 
Yann is proposing this patch series to address this issue: https://patchwork.ozlabs.org/project/buildroot/list/?series=72842
Comment 2 Yann E. MORIN 2018-11-12 17:37:45 UTC 
Ricardo, All,

I've sent a second iteration of the series to fix capabilities:
    https://patchwork.ozlabs.org/project/buildroot/list/?series=75490

Regards,
Yann E. MORIN.
Comment 3 Yann E. MORIN 2018-11-12 17:39:32 UTC 
Ricardo, All,

Also, I've edited the title of this BZ, because it really relates
to capabilities. Our makedevs syntax only allows for specifying
capabilities, not arbitrary extended attributes.

Regards,
Yann E. MORIN.
Comment 4 Yann E. MORIN 2018-11-13 07:18:58 UTC 
Ricardo, All,

Fixed by:
    https://git.buildroot.org/buildroot/commit?id=409d4c3fe9949f01b009712a1a731baf597e0f8d

Thanks for the very detailed report! :-)

Regards,
Yann E. MORIN.