From b57376d1607587d3739eb2c754ba6b27e272198a Mon Sep 17 00:00:00 2001
From: Christian Kellner <christian@kellner.me>
Date: Fri, 22 Apr 2022 20:25:33 +0200
Subject: [PATCH] pipeline: drop CAP_MAC_ADMIN by default

Drop `CAP_MAC_ADMIN` from the default capabilities which is needed
to write and read(!) unknown SELinux labels. Adjust the stages
that need to read or write SELinux labels accordingly.
---
 assemblers/org.osbuild.ostree.commit | 2 +-
 assemblers/org.osbuild.tar           | 3 +++
 osbuild/pipeline.py                  | 1 -
 stages/org.osbuild.copy              | 3 +++
 stages/org.osbuild.ostree.commit     | 2 +-
 stages/org.osbuild.ostree.deploy     | 1 +
 stages/org.osbuild.ostree.preptree   | 2 +-
 stages/org.osbuild.ostree.pull       | 3 +++
 stages/org.osbuild.ostree.selinux    | 3 +++
 stages/org.osbuild.rpm-ostree        | 2 +-
 stages/org.osbuild.selinux           | 3 +++
 stages/org.osbuild.tar               | 3 +++
 stages/org.osbuild.untar             | 3 +++
 13 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/assemblers/org.osbuild.ostree.commit b/assemblers/org.osbuild.ostree.commit
index f918a540..e37800ab 100755
--- a/assemblers/org.osbuild.ostree.commit
+++ b/assemblers/org.osbuild.ostree.commit
@@ -29,7 +29,7 @@ from osbuild import api
 from osbuild.util import ostree
 
 
-CAPABILITIES = ["CAP_NET_ADMIN", "CAP_SYS_PTRACE"]
+CAPABILITIES = ["CAP_MAC_ADMIN", "CAP_NET_ADMIN", "CAP_SYS_PTRACE"]
 
 
 SCHEMA = """
diff --git a/assemblers/org.osbuild.tar b/assemblers/org.osbuild.tar
index 214697d8..b2704cef 100755
--- a/assemblers/org.osbuild.tar
+++ b/assemblers/org.osbuild.tar
@@ -27,6 +27,9 @@ import sys
 import osbuild.api
 
 
+CAPABILITIES = ["CAP_MAC_ADMIN"]
+
+
 SCHEMA = """
 "additionalProperties": false,
 "required": ["filename"],
diff --git a/osbuild/pipeline.py b/osbuild/pipeline.py
index 29b341ad..e3b340a2 100644
--- a/osbuild/pipeline.py
+++ b/osbuild/pipeline.py
@@ -26,7 +26,6 @@ DEFAULT_CAPABILITIES = {
     "CAP_FSETID",
     "CAP_IPC_LOCK",
     "CAP_LINUX_IMMUTABLE",
-    "CAP_MAC_ADMIN",
     "CAP_MAC_OVERRIDE",
     "CAP_MKNOD",
     "CAP_NET_BIND_SERVICE",
diff --git a/stages/org.osbuild.copy b/stages/org.osbuild.copy
index 19330968..deaa187e 100755
--- a/stages/org.osbuild.copy
+++ b/stages/org.osbuild.copy
@@ -21,6 +21,9 @@ from urllib.parse import urlparse, ParseResult
 import osbuild.api
 
 
+CAPABILITIES = ["CAP_MAC_ADMIN"]
+
+
 SCHEMA_2 = r"""
 "options": {
   "additionalProperties": false,
diff --git a/stages/org.osbuild.ostree.commit b/stages/org.osbuild.ostree.commit
index 58ab2b3f..722f1edc 100755
--- a/stages/org.osbuild.ostree.commit
+++ b/stages/org.osbuild.ostree.commit
@@ -24,7 +24,7 @@ from osbuild import api
 from osbuild.util import ostree
 
 
-CAPABILITIES = ["CAP_NET_ADMIN", "CAP_SYS_PTRACE"]
+CAPABILITIES = ["CAP_MAC_ADMIN", "CAP_NET_ADMIN", "CAP_SYS_PTRACE"]
 
 
 SCHEMA_2 = """
diff --git a/stages/org.osbuild.ostree.deploy b/stages/org.osbuild.ostree.deploy
index 2fac0c1f..8e4ea7c9 100755
--- a/stages/org.osbuild.ostree.deploy
+++ b/stages/org.osbuild.ostree.deploy
@@ -26,6 +26,7 @@ import subprocess
 
 import osbuild.api
 
+CAPABILITIES = ["CAP_MAC_ADMIN"]
 
 SCHEMA = """
 "required": ["osname", "rootfs", "ref"],
diff --git a/stages/org.osbuild.ostree.preptree b/stages/org.osbuild.ostree.preptree
index 00d79a90..ed162c61 100755
--- a/stages/org.osbuild.ostree.preptree
+++ b/stages/org.osbuild.ostree.preptree
@@ -43,7 +43,7 @@ from osbuild import api
 from osbuild.util import ostree
 
 
-CAPABILITIES = ["CAP_NET_ADMIN", "CAP_SYS_PTRACE"]
+CAPABILITIES = ["CAP_MAC_ADMIN", "CAP_NET_ADMIN", "CAP_SYS_PTRACE"]
 
 
 SCHEMA = """
diff --git a/stages/org.osbuild.ostree.pull b/stages/org.osbuild.ostree.pull
index 3329abca..3b910997 100755
--- a/stages/org.osbuild.ostree.pull
+++ b/stages/org.osbuild.ostree.pull
@@ -18,6 +18,9 @@ import subprocess
 import osbuild.api
 
 
+CAPABILITIES = ["CAP_MAC_ADMIN"]
+
+
 SCHEMA_2 = """
 "options": {
   "additionalProperties": false,
diff --git a/stages/org.osbuild.ostree.selinux b/stages/org.osbuild.ostree.selinux
index 666ab1f2..e3427068 100755
--- a/stages/org.osbuild.ostree.selinux
+++ b/stages/org.osbuild.ostree.selinux
@@ -14,6 +14,9 @@ from osbuild.util import ostree
 from osbuild.util import selinux
 
 
+CAPABILITIES = ["CAP_MAC_ADMIN"]
+
+
 SCHEMA = """
 "additionalProperties": false,
 "required": ["deployment"],
diff --git a/stages/org.osbuild.rpm-ostree b/stages/org.osbuild.rpm-ostree
index 38f0a648..d2a0a519 100755
--- a/stages/org.osbuild.rpm-ostree
+++ b/stages/org.osbuild.rpm-ostree
@@ -39,7 +39,7 @@ import osbuild.api
 from osbuild.util import ostree
 
 
-CAPABILITIES = ["CAP_NET_ADMIN", "CAP_SYS_PTRACE"]
+CAPABILITIES = ["CAP_MAC_ADMIN", "CAP_NET_ADMIN", "CAP_SYS_PTRACE"]
 
 
 SCHEMA = """
diff --git a/stages/org.osbuild.selinux b/stages/org.osbuild.selinux
index b7e0ffea..f0ab7cd8 100755
--- a/stages/org.osbuild.selinux
+++ b/stages/org.osbuild.selinux
@@ -29,6 +29,9 @@ import osbuild.api
 from osbuild.util import selinux
 
 
+CAPABILITIES = ["CAP_MAC_ADMIN"]
+
+
 SCHEMA = """
 "additionalProperties": false,
 "required": ["file_contexts"],
diff --git a/stages/org.osbuild.tar b/stages/org.osbuild.tar
index 48d32f17..90b171fa 100755
--- a/stages/org.osbuild.tar
+++ b/stages/org.osbuild.tar
@@ -21,6 +21,9 @@ import sys
 import osbuild.api
 
 
+CAPABILITIES = ["CAP_MAC_ADMIN"]
+
+
 SCHEMA_2 = """
 "options": {
   "additionalProperties": false,
diff --git a/stages/org.osbuild.untar b/stages/org.osbuild.untar
index 6c96c2b5..f542372d 100755
--- a/stages/org.osbuild.untar
+++ b/stages/org.osbuild.untar
@@ -12,6 +12,9 @@ import sys
 import osbuild.api
 
 
+CAPABILITIES = ["CAP_MAC_ADMIN"]
+
+
 SCHEMA_2 = r"""
 "inputs": {
   "type": "object",