Do not error on trying to write IMA xattr as rootless
Rootless users cannot set the `security.ima` xattr on files
(presumably for security reasons, they get an EPERM on trying to
do so). We will normally try and preserve that xattr, so when
trying to add a file with an IMA xattr to a build on a Buildah
without this patch, you get an error. With this patch, the error
is downgraded to a warning, as it's better to successfully build
with a missing xattr than blocking all builds which want to
include the offending file.

The urgency on this has become somewhat higher as it seems like
F41/Rawhide are installing rpm-plugin-ima by default, which is
setting IMA xattrs on some files that Podman relies on - for
example, the catatonit binary we use for pid pause images.
Without this patch, building the pause image as rootless will
always fail on a system with rpm-plugin-ima installed.

Fixes: containers/podman#18543

Signed-off-by: Matt Heon <mheon@redhat.com>
mheon committed Sep 17, 2024
1 parent 64ffb74 commit 412b48f
Showing 1 changed file with 9 additions and 2 deletions.
11 changes: 9 additions & 2 deletions copier/xattrs.go
Expand Up @@ -9,15 +9,18 @@ import (
"strings"
"syscall"

"github.com/containers/storage/pkg/unshare"
"github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
)

const (
xattrsSupported = true
imaXattr = "security.ima"
)

var (
relevantAttributes = []string{"security.capability", "security.ima", "user.*"} // the attributes that we preserve - we discard others
relevantAttributes = []string{"security.capability", imaXattr, "user.*"} // the attributes that we preserve - we discard others
initialXattrListSize = 64 * 1024
initialXattrValueSize = 64 * 1024
)
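Review bot: the new `imaXattr` constant has no comment explaining why `security.ima` gets a named constant while `security.capability` stays a string literal in `relevantAttributes`; since the only reason is that `Lsetxattrs` special-cases it for rootless callers, a one-line comment at the declaration (e.g. `// imaXattr is tolerated-missing when copying as rootless, see Lsetxattrs`) would make that intent visible where the constant is defined rather than only at the use site.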
Expand Down Expand Up @@ -92,7 +95,11 @@ func Lsetxattrs(path string, xattrs map[string]string) error {
for attribute, value := range xattrs {
if isRelevantXattr(attribute) {
if err := unix.Lsetxattr(path, attribute, []byte(value), 0); err != nil {
return fmt.Errorf("setting value of extended attribute %q on %q: %w", attribute, path, err)
if unshare.IsRootless() && attribute == imaXattr {
logrus.Warnf("Unable to set %q xattr on %q: %v", attribute, path, err)
} else {
return fmt.Errorf("setting value of extended attribute %q on %q: %w", attribute, path, err)
}
}
}
}
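Review bot: the downgrade to a warning is gated only on `unshare.IsRootless() && attribute == imaXattr` and never inspects `err`, so any failure to set `security.ima` for a rootless caller (not just the EPERM the commit message describes) is swallowed, including errors such as ENOSPC or ENOTSUP on a filesystem without xattr support that would otherwise signal a real problem. Narrowing the condition to the expected permission failure, for example `errors.Is(err, unix.EPERM)` (or `syscall.EPERM`, since `syscall` is already imported), keeps the fix for rpm-plugin-ima systems while still returning unexpected errors; it would also be worth stating in the warning that the copied file will carry no IMA signature, since that is the security-relevant consequence a user reading the log needs to know.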
