Do not error on trying to write IMA xattr as rootless
Rootless users cannot set the `security.ima` xattr on files
(presumably for security reasons, they get an EPERM on trying to
do so). We will normally try and preserve that xattr, so when
trying to add a file with an IMA xattr to a build on a Buildah
without this patch, you get an error. With this patch, the error
is downgraded to a warning, as it's better to successfully build
with a missing xattr than blocking all builds which want to
include the offending file.

The urgency on this has become somewhat higher as it seems like
F41/Rawhide are installing rpm-plugin-ima by default, which is
setting IMA xattrs on some files that Podman relies on - for
example, the catatonit binary we use for pid pause images.
Without this patch, building the pause image as rootless will
always fail on a system with rpm-plugin-ima installed.

Fixes: containers/podman#18543

Signed-off-by: Matt Heon <mheon@redhat.com>
mheon committed Sep 18, 2024
1 parent 64ffb74 commit 5d73b93
Showing 3 changed files with 30 additions and 3 deletions.
2 changes: 1 addition & 1 deletion .cirrus.yml
Expand Up @@ -32,7 +32,7 @@ env:
DEBIAN_NAME: "debian-13"

# Image identifiers
IMAGE_SUFFIX: "c20240821t171500z-f40f39d13"
IMAGE_SUFFIX: "c20240826t190000z-f40f39d13"
FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}"
DEBIAN_CACHE_IMAGE_NAME: "debian-${IMAGE_SUFFIX}"
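Review bot: the CI image bump from c20240821t171500z-f40f39d13 to c20240826t190000z-f40f39d13 in .cirrus.yml is not explained anywhere in the commit message; one sentence stating why the newer VM images are required by this change (for instance, if they carry rpm-plugin-ima so that the new bats test actually runs instead of skipping) would make the link between the image bump and the fix clear to whoever reads this later.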
11 changes: 9 additions & 2 deletions copier/xattrs.go
Expand Up @@ -9,15 +9,18 @@ import (
"strings"
"syscall"

"github.com/containers/storage/pkg/unshare"
"github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
)

const (
xattrsSupported = true
imaXattr = "security.ima"
)

var (
relevantAttributes = []string{"security.capability", "security.ima", "user.*"} // the attributes that we preserve - we discard others
relevantAttributes = []string{"security.capability", imaXattr, "user.*"} // the attributes that we preserve - we discard others
initialXattrListSize = 64 * 1024
initialXattrValueSize = 64 * 1024
)
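Review bot: now that imaXattr gets special treatment in Lsetxattrs, the comment on relevantAttributes (`// the attributes that we preserve - we discard others`) no longer tells the whole story; consider noting there, or next to the `imaXattr = "security.ima"` constant, that security.ima is preserved on a best-effort basis and may be dropped with a warning when running rootless, so that callers relying on the xattr surviving a copy are not surprised.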
Expand Down Expand Up @@ -92,7 +95,11 @@ func Lsetxattrs(path string, xattrs map[string]string) error {
for attribute, value := range xattrs {
if isRelevantXattr(attribute) {
if err := unix.Lsetxattr(path, attribute, []byte(value), 0); err != nil {
return fmt.Errorf("setting value of extended attribute %q on %q: %w", attribute, path, err)
if unshare.IsRootless() && attribute == imaXattr {
logrus.Warnf("Unable to set %q xattr on %q: %v", attribute, path, err)
} else {
return fmt.Errorf("setting value of extended attribute %q on %q: %w", attribute, path, err)
}
}
}
}
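Review bot: the downgrade at `if unshare.IsRootless() && attribute == imaXattr` swallows every error kind, not only the EPERM the commit message describes; an ENOTSUP from a filesystem without xattr support, or an EIO, would now be reduced to a warning for rootless users as well. Narrowing the condition to the documented case, e.g. `if unshare.IsRootless() && attribute == imaXattr && errors.Is(err, syscall.EPERM) {` (syscall is already imported; errors would need to be), keeps unrelated failures visible while still letting the expected permission denial through as a warning.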
Expand Down
20 changes: 20 additions & 0 deletions tests/bud.bats
Expand Up @@ -6946,3 +6946,23 @@ _EOF
run_buildah run testctr -- sh -c 'cd podman-tag && git ls-remote --tags origin v5.0.0^{} | cut -f1'
assert "$output" = "$local_head_hash"
}

@test "bud with ADD with file with IMA xattr" {
_prefetch alpine

local contextdir=${TEST_SCRATCH_DIR}/add-ima
mkdir -p $contextdir
cat > $contextdir/Dockerfile <<EOF
FROM alpine
ADD /usr/libexec/catatonit/catatonit /bin/catatonit
EOF

# Verify that /usr/libexec/catatonit/catatonit both exists and has an IMA xattr
if getfattr -d -m 'security.ima' /usr/libexec/catatonit/catatonit | grep -q ima; then
skip "catatonit does not exist or does not have an appropriate xattr"
fi

# We do not care if the attribute was actually added, as rootless is allowed to discard it.
# Only that the file builds successfully.
run_buildah build -f $contextdir/Dockerfile $contextdir
}
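Review bot: the skip condition in the new test is inverted: `if getfattr -d -m 'security.ima' /usr/libexec/catatonit/catatonit | grep -q ima; then skip ...` skips exactly when the binary exists and carries the IMA xattr, so the scenario the test is written for never runs, while a host without the binary or the xattr proceeds to the build and passes for the wrong reason. The comment above it describes the intended check, which needs the negation `if ! getfattr -d -m 'security.ima' /usr/libexec/catatonit/catatonit | grep -q ima; then`. Separately, since the rootless path is now expected to warn rather than fail, checking `$output` for the `Unable to set` warning in the rootless case would catch both a regression back to a hard error and a silent drop of the xattr.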
