Steps to reproduce:
1) create a config for squashfs with xattrs added by either a device_table or _PERMISSIONS in a package. An example can be seen on the test case of this series: http://patchwork.ozlabs.org/project/buildroot/list/?series=59394
2) Build
3) Run test, checking with getcap

Actual results:
The build succeeds without any warning. But at runtime the xattrs are not in the filesystem.

Expected results:
At runtime, calling getcap shows the xattrs.

Additional info:
This bug occurs on master and 2018.05.x. It does not occur on 2018.02.x, before the use of a per-fs target dir.
makedevs does apply the file capabilities to the $(FS_DIR)/target copy, but the extended attributes are not propagated to the target filesystem.

Hacks (cumulative) to understand the problem:
1) removing "rm -f $(ROOTFS_COMMON_TAR)" from the main Makefile and inspecting the tarball
> tar tvvf rootfs.common.tar --xattrs --xattrs-include='*'
the xattrs are not shown.
2) adding "--xattrs --xattrs-include='*'" to ROOTFS_COMMON_TAR_CMD
the build succeeds without any warning. Inspecting the tarball the xattrs show up
> x: 20 security.capability
But when run testing the xattrs are not there.
3) adding "--xattrs --xattrs-include='*'" to ROOTFS_COMMON_UNTAR_CMD
the build succeeds with a warning
> File my_file_with_xattr has unrecognised filetype 0, ignoring
Inspecting the tarball the xattr shows up. But when run testing the file that should have the xattrs is not in the image.

Additional notes (speculation):
- In its source code, tar has some suspicious workarounds for security.capability, but it works fine outside of fakeroot.
- fakeroot 1.23 is out but I didn't try it.
- It looks like the problem occurs when extracting a tarfile with xattrs inside fakeroot. See below the commands I used to test.
Outside of buildroot I tried using those versions from Ubuntu 18.04:
tar (GNU tar) 1.29
fakeroot version 1.22

> $ mkdir dir
> $ touch dir/file
> $ fakeroot
> # setcap cap_kill+eip dir/file
> # getcap dir/file
> dir/file = cap_kill+eip
> # tar cf archive.tar dir --xattrs
> # exit
> $ tar tvvf archive.tar --xattrs --xattrs-include='*'
> drwxr-xr-x root/root 0 2018-08-05 23:21 dir/
> -rw-r--r--* ricardo/ricardo 0 2018-08-05 23:21 dir/file
> x: 20 security.capability
> $ fakeroot
> # tar xf archive.tar --xattrs --xattrs-include='*'
> # ls -l dir/file
> ?rw-r--r-- 1 root root 0 ago 5 23:21 dir/file
> # file dir/file
> dir/file: ERROR: invalid mode 0644
> # getcap dir/file
> # exit
> $ file dir/file
> dir/file: empty
> $ getcap dir/file
> $ sudo tar xf archive.tar --xattrs --xattrs-include='*'
> $ getcap dir/file
> dir/file = cap_kill+eip
Yann is proposing this patch series to address this issue: https://patchwork.ozlabs.org/project/buildroot/list/?series=72842
Ricardo, All,

I've sent a second iteration of the series to fix capabilities: https://patchwork.ozlabs.org/project/buildroot/list/?series=75490

Regards,
Yann E. MORIN.

Ricardo, All,

Also, I've edited the title of this BZ, because it really relates to capabilities. Our makedevs syntax only allows for specifying capabilities, not arbitrary extended attributes.

Regards,
Yann E. MORIN.

Ricardo, All,

Fixed by: https://git.buildroot.org/buildroot/commit?id=409d4c3fe9949f01b009712a1a731baf597e0f8d

Thanks for the very detailed report! :-)

Regards,
Yann E. MORIN.
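Since the report notes that the build succeeds without any warning while the capabilities are lost, here is a build-time check on the tarball, as an added example that is not part of the thread or of Buildroot. It reads the pax record GNU tar uses for xattrs (`SCHILY.xattr.security.capability`) and decodes the 20-byte revision-2 value seen as `x: 20 security.capability` above; the function names are hypothetical and the sample archive is constructed in memory.

```python
import io
import struct
import tarfile

# GNU tar stores each xattr as a pax record named "SCHILY.xattr.<name>".
PAX_KEY = "SCHILY.xattr.security.capability"
VFS_CAP_REVISION_2 = 0x02000000      # values from linux/capability.h
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
CAP_KILL = 5                         # capability bit number

def decode_vfs_cap(blob):
    """Decode a 20-byte revision-2 security.capability value."""
    if len(blob) != 20:
        raise ValueError("expected 20 bytes, got %d" % len(blob))
    magic, p_lo, i_lo, p_hi, i_hi = struct.unpack("<5I", blob)
    if magic & 0xFF000000 != VFS_CAP_REVISION_2:
        raise ValueError("unsupported capability revision")
    return {"effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": p_lo | (p_hi << 32),
            "inheritable": i_lo | (i_hi << 32)}

def caps_in_tar(fileobj):
    """Map member name -> decoded capabilities for members that carry them."""
    found = {}
    with tarfile.open(fileobj=fileobj, mode="r:") as tar:
        for member in tar:
            raw = member.pax_headers.get(PAX_KEY)
            if raw is not None:
                # tarfile returns pax values as str; recover the raw bytes.
                found[member.name] = decode_vfs_cap(
                    raw.encode("utf-8", "surrogateescape"))
    return found

def missing_caps(fileobj, expected):
    """Return the expected paths that have no capability record in the archive."""
    return sorted(set(expected) - set(caps_in_tar(fileobj)))

def build_sample_tar():
    """Constructed archive: dir/file with cap_kill+eip, dir/plain without."""
    blob = struct.pack("<5I", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
                       1 << CAP_KILL, 1 << CAP_KILL, 0, 0)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        with_cap = tarfile.TarInfo("dir/file")
        with_cap.pax_headers = {PAX_KEY: blob.decode("utf-8", "surrogateescape")}
        tar.addfile(with_cap)
        tar.addfile(tarfile.TarInfo("dir/plain"))
    buf.seek(0)
    return buf
```

A non-empty result from `missing_caps` on the real tarball is the condition the build in this report passed over silently; the check covers the archive only, so the final image still needs a `getcap` test on the target.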