From bbef218344b27d1b06a89cbf3fa6eabcb66a2fab Mon Sep 17 00:00:00 2001
From: "Brad P. Crochet"
Date: Fri, 28 Apr 2023 09:26:43 -0400
Subject: [PATCH] Ignore layer files that have security capability attrs

If a file in a layer has had setcap used on it, it will show up in the layer, but be unchanged. However, there will be a PAX record that shows the extended attrs. For now, preflight will ignore these files, unless/until we find a situation where we should be more robust in this check and possibly fail it.
Fixes #969
Signed-off-by: Brad P. Crochet
---
 internal/policy/container/has_modified_files.go | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/internal/policy/container/has_modified_files.go b/internal/policy/container/has_modified_files.go
index 3716de4b..bc5083e3 100644
--- a/internal/policy/container/has_modified_files.go
+++ b/internal/policy/container/has_modified_files.go
@@ -113,7 +113,7 @@ func (p *HasModifiedFilesCheck) gatherDataToValidate(ctx context.Context, imgRef
 layerIDs = append(layerIDs, layerID)
-files, err := generateChangesFor(layer)
+files, err := generateChangesFor(ctx, layer)
 if err != nil {
 return nil, nil, "", err
 }
@@ -375,7 +375,8 @@ func installedFileMapWithExclusions(ctx context.Context, pkglist []*rpmdb.Packag
 }
 // generateChangesFor will check layer for file changes, and will return a list of those.
-func generateChangesFor(layer v1.Layer) ([]string, error) {
+func generateChangesFor(ctx context.Context, layer v1.Layer) ([]string, error) {
+logger := logr.FromContextOrDiscard(ctx)
 layerReader, err := layer.Uncompressed()
 if err != nil {
 return nil, fmt.Errorf("reading layer contents: %w", err)
@@ -408,6 +409,13 @@ func generateChangesFor(layer v1.Layer) ([]string, error) {
 if tombstone {
 basename = basename[len(whiteoutPrefix):]
 }
+
+// If there is a capability entry, ignore the file
+if _, found := header.PAXRecords["SCHILY.xattr.security.capability"]; found {
+logger.V(log.TRC).Info("security capabilities found in layer tar, ignoring file", "file", header.Name)
+continue
+}
+
 switch {
 case (header.Typeflag == tar.TypeDir && tombstone) || header.Typeflag == tar.TypeReg:
 filelist[strings.TrimPrefix(filepath.Join(dirname, basename), "/")] = struct{}{}
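Review bot: The new guard in this hunk skips an entry as soon as its tar header carries a `SCHILY.xattr.security.capability` PAX record, before the path is added to filelist, so a file whose contents were also replaced in the layer is never compared at all; the commit message only describes the case where the file is otherwise unchanged. A narrower check would keep the entry in filelist and let the later content comparison (outside this hunk) treat a capability-only difference as benign, e.g. by recording such paths in a separate set that is consulted only when a file is about to be reported as modified. If the unconditional skip is kept, the comment should state the consequence: `// Files carrying a capability xattr are skipped entirely, even if their contents changed; see #969.` The log call uses `log.TRC`, which if it is the trace level as the name suggests will hide skipped paths in normal output, so a debug level may be preferable so reviewers of a check result can see what was excluded. generateChangesFor starts before and continues past this hunk.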