stages/oci-archive: include limited set of xattrs

Only include a very specific set of extended attributes:
  - user.*: user specified extended attributes
  - security.ima: Integrity Measurement Architecture (IMA)
  - security.capability: Linux capabilities(7)
This follows what containers/storage[1] and containers/buildah[2]
are doing. It is important to note that we DO NOT want selinux
related extended attributes (`security.selinux`) in there, which
seems to be pulled in by some versions of `tar` even if that was
seemingly excluded via `--no-selinux`. Therefore we also exclude
selinux and xattrs explicitly from the wrapping container to
make sure they are never included.

[1] 35ebda8ae2/pkg/archive/archive.go (L399)
[2] 214e4c9335/copier/xattrs.go (L19)
Christian Kellner 2021-03-30 12:41:40 +02:00 committed by Tom Gundersen
parent dc6090290b
commit 8429b08e79
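The allow-list above can be checked on the produced layer without extracting it: GNU tar records extended attributes in pax extended headers under the key prefix `SCHILY.xattr.<name>`, and Python's `tarfile` exposes those headers on each member. The script below is an added example, not osbuild code; it builds a constructed in-memory layer with a few hand-written xattrs (the values are illustrative strings, real `security.capability` and `security.ima` values are binary) and reports every attribute that falls outside `user.*`, `security.ima`, `security.capability`. The masks are written in the fnmatch(3) globbing form that `tar --xattrs-include=` expects.

```python
"""Audit the extended attributes recorded in an OCI layer tarball.

GNU tar stores xattrs in pax extended headers as ``SCHILY.xattr.<name>``;
this reads those headers back and reports every attribute outside the
allow-list from the commit message.  Added example, not osbuild code.
"""
import fnmatch
import io
import sys
import tarfile

# Allow-list from the commit message, as fnmatch(3)-style globbing masks
# (the form GNU tar's --xattrs-include= accepts).
XATTR_MASKS = ("user.*", "security.ima", "security.capability")

# Pax header key prefix under which GNU tar records extended attributes.
PAX_XATTR_PREFIX = "SCHILY.xattr."


def xattr_wanted(name: str) -> bool:
    """Return True if an xattr name is covered by one of the allow-list masks."""
    return any(fnmatch.fnmatchcase(name, mask) for mask in XATTR_MASKS)


def layer_xattrs(fileobj) -> dict:
    """Map each member path to the {xattr name: value} pairs recorded for it."""
    recorded = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            attrs = {
                key[len(PAX_XATTR_PREFIX):]: value
                for key, value in member.pax_headers.items()
                if key.startswith(PAX_XATTR_PREFIX)
            }
            if attrs:
                recorded[member.name] = attrs
    return recorded


def audit_layer(fileobj) -> list:
    """Return (path, xattr) pairs the layer should not have recorded."""
    findings = []
    for path, attrs in layer_xattrs(fileobj).items():
        for name in sorted(attrs):
            if not xattr_wanted(name):
                findings.append((path, name))
    return findings


def make_sample_layer() -> io.BytesIO:
    """Constructed sample: a pax archive whose members carry hand-written xattrs.

    One member deliberately carries security.selinux, the label the commit
    message wants kept out of layers.
    """
    sample = {
        "usr/bin/ping": {
            "security.capability": "cap_net_raw+ep",
            "security.selinux": "system_u:object_r:ping_exec_t:s0",
        },
        "etc/hostname": {"user.osbuild.source": "stage-input"},
        "etc/shadow": {"security.ima": "sha256:constructed"},
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for path, attrs in sample.items():
            data = b"sample content\n"
            info = tarfile.TarInfo(path)
            info.size = len(data)
            # tarfile writes arbitrary pax_headers into the member's 'x' header.
            info.pax_headers = {PAX_XATTR_PREFIX + k: v for k, v in attrs.items()}
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Pass a real layer.tar produced by the stage, or run without arguments
    # to audit the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            findings = audit_layer(f)
    else:
        findings = audit_layer(make_sample_layer())
    for path, name in findings:
        print(f"unexpected xattr {name} on {path}")
```

Run it against a layer blob extracted from the OCI archive to confirm the `tar` invocation actually kept `security.capability` and dropped `security.selinux`; an empty `layer_xattrs()` result on a tree known to carry capabilities means the include mask matched nothing.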


@ -126,6 +126,14 @@ MEDIA_TYPES = {
}
# The extended attributes that should be recorded for the
# contents of file system layers:
# - user.*: user specified extended attributes
# - security.ima: Integrity Measurement Architecture (IMA)
# - security.capability: Linux capabilities(7)
XATTRS_WANT = r"^(user.|security\.ima|security\.capability)"
def sha256sum(path: str) -> str:
ret = subprocess.run(["sha256sum", path],
stdout=subprocess.PIPE,
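Review bot: the `user.` alternative in `XATTRS_WANT` has an unescaped `.`, so read as a regular expression it matches any key beginning with `user` plus one arbitrary character (`userX`, `user_`), and none of the three alternatives is anchored at the end, so `security.imafoo` would pass as well. If regex semantics are intended, escape the dot and close the exact keys: `r"^(user\.|security\.ima$|security\.capability$)"`. The comment block above it should also say how this value is consumed, because that determines whether regex syntax is appropriate here at all.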
@ -168,6 +176,7 @@ def blobs_add_layer(blobs: str, tree: str):
"--no-selinux",
"--acls",
"--xattrs",
"--xattrs-include=" + XATTRS_WANT,
"-cf", layer_file,
"-C", tree,
] + os.listdir(tree)
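Review bot: `--xattrs-include=` takes a globbing mask, which GNU tar matches against the attribute keyword with fnmatch-style patterns, not a regular expression, so the `^(`, `|`, `)` and `\.` in `XATTRS_WANT` are compared literally and will not match a real key such as `security.capability`; the likely outcome is a layer with no xattrs at all despite `--xattrs`, which silently defeats the purpose of the change. The option can be repeated, so one flag per mask is the straightforward form: `"--xattrs-include=user.*"`, `"--xattrs-include=security.ima"`, `"--xattrs-include=security.capability"`. Since the commit message notes that `--no-selinux` alone is not reliable on some tar versions, a test that packs a tree containing one file with `security.capability` and one with `security.selinux` and asserts that only the former survives in the layer would pin both behaviours down.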
@ -284,6 +293,8 @@ def main(inputs, output_dir, options):
command = [
"tar",
"--remove-files",
"--no-selinux",
"--no-xattrs",
"-cf", os.path.join(output_dir, filename),
f"--directory={workdir}",
] + os.listdir(workdir)
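Review bot: `--no-xattrs` already excludes `security.selinux`, which is stored as an extended attribute, so `--no-selinux` next to it reads as redundant; the reason for keeping both (some tar versions emitting the label despite `--no-selinux`) is only recorded in the commit message, so a one-line comment above `command = [` would stop a later cleanup from dropping it. For the same defensive intent, adding `--no-acls` makes the outer archive's exclusion of filesystem metadata explicit rather than relying on the default.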