layer: Xattr unpack code is broken on Fedora/RHEL #49
Comments
|
if I add |
|
Yup. I have a comment about "this probably breaks on RedHat" 😉. I'm not super familiar about What I currently do is this:
This is clearly not correct, so what should I be doing? Should I be modifying |
clearly my command fails there right? I would test if setting xattrs directly solves this |
No, it's failing when clearing. You can pass I think the issue is that
It probably does. I will try it out, but is there a nice environment I can use to test SELinux? Will a Fedora VM work out-of-the box with SELinux in enforcing mode?
Not sure. The spec is quite hazy about |
cyphar
changed the title
I usually spin up fedora vms out of qcow2 images (fedora cloud images) and everything works great with Selinux and the rest |
|
Okay, it "works" if I just remove the diff --git a/oci/layer/tar_extract.go b/oci/layer/tar_extract.go
index cb017d86f869..622b550e6d38 100644
--- a/oci/layer/tar_extract.go
+++ b/oci/layer/tar_extract.go
@@ -99,11 +99,7 @@ func (te *tarExtractor) restoreMetadata(path string, hdr *tar.Header) error {
// Apply xattrs. In order to make sure that we *only* have the xattr set we
// want, we first clear the set of xattrs from the file then apply the ones
// set in the tar.Header.
- // XXX: This will almost certainly break horribly on RedHat.
if !te.mapOptions.Rootless {
- if err := system.Lclearxattrs(path); err != nil {
- return errors.Wrapf(err, "clear xattr metadata: %s", path)
- }
for name, value := range hdr.Xattrs {
if err := system.Lsetxattr(path, name, []byte(value), 0); err != nil {
return errors.Wrapf(err, "restore xattr metadata: %s", path) |
|
@rhatdan do you have any idea here? |
Lclearxattr is actually not useful because on SELinux enabled systems, attempting to remove a security context label will always fail. There's probably nicer ways of dealing with this, but for the moment this fixes (on the surface) cyphar/umoci#49. Signed-off-by: Aleksa Sarai <asarai@suse.com>
|
I think it is fine to remove the xattrs or we could add a check for the selinux class and only remove the ones that are not security attributes. |
|
This probably would not happen on devicemapper back end. |
|
@rhatdan Do you think an
This is being done into a plain directory (I'm not using any storage drivers, it's just purely tar unpacking implemented in Go with some of my own tricks to ensure that the output is consistent). |
|
I would not include security attributes, since those can vary from machine to machine, and could be different based on the paths you install. |
|
Are there any other |
|
I think there is very little use of xattrs, other then for security. At least that I am aware of. |
On RHEL/Fedora this fixes issues under SELinux where trying to remove a "security.selinux" label is a capital-B bad idea. It also might be necessary to handle blacklisting "security.*" xattrs when we generate archives. Fixes: cyphar/umoci#49 Signed-off-by: Aleksa Sarai <asarai@suse.com>
|
Can you guys PTAL at #51 to see if that fixes the issue for you (it fixes the issue for me). |
|
I was looking it up, and |
On RHEL/Fedora this fixes issues under SELinux where trying to remove a "security.selinux" label is a capital-B bad idea. It also might be necessary to handle blacklisting "security.*" xattrs when we generate archives. Fixes: cyphar/umoci#49 Signed-off-by: Aleksa Sarai <asarai@suse.com>
On RHEL/Fedora this fixes issues under SELinux where trying to remove a "security.selinux" label is a capital-B bad idea. It also might be necessary to handle blacklisting "security.*" xattrs when we generate archives. Fixes: cyphar/umoci#49 Signed-off-by: Aleksa Sarai <asarai@suse.com>
On RHEL/Fedora this fixes issues under SELinux where trying to remove a "security.selinux" label is a capital-B bad idea. It also might be necessary to handle blacklisting "security.*" xattrs when we generate archives. Fixes: cyphar/umoci#49 Signed-off-by: Aleksa Sarai <asarai@suse.com>
On RHEL/Fedora this fixes issues under SELinux where trying to remove a "security.selinux" label is a capital-B bad idea. It also might be necessary to handle blacklisting "security.*" xattrs when we generate archives. Fixes: cyphar/umoci#49 Signed-off-by: Aleksa Sarai <asarai@suse.com>
|
LGTM |
|
By the way @runcom, the reason that
Just in case you were still wondering why |
|
@cyphar cool. I don't feel strongly about having that in OCI image tools. I do feel umoci is great on unpacking from my experience so I'll stick with it for now. Of course, pushing missing functionalities on image-tools would be great as well. |
|
security is the most standard use xattrs, but there a number of projects that store arbitrary data in the user xattrs. but those are probably more "nice to have" rather than "must have". |
|
Hi @cyphar I still see this issue on a RHEL7-based (CERN has its own flavor CERN Centos 7) distro: on fedora-25 vagrant box it works fine. If that's a too niche use-case I understand, but if you have any ideas on what to look at e.g. in the debug output to try to fix it, I'd be happy to take a look (@traylenator -- perhaps this is interesting to you) |
|
@lukasheinrich Can you give me the list of |
|
Ah -- I think I figured it out. I was trying to unpack within a AFS share, which probably has all kinds of xattrs defined. On the local disk of that machine it works. |
just have a busybox image copied with skopeo to OCI format, then:
The text was updated successfully, but these errors were encountered: