b57376d160
Drop `CAP_MAC_ADMIN` from the default capabilities which is needed to write and read(!) unknown SELinux labels. Adjust the stages that need to read or write SELinux labels accordingly.
116 lines
2.9 KiB
Python
Executable file
116 lines
2.9 KiB
Python
Executable file
#!/usr/bin/python3
|
|
"""
|
|
Assembles the tree into a tar archive named `filename`.
|
|
|
|
Uses the buildhost's `tar` command, like: `tar -cf $FILENAME -C $TREE`
|
|
|
|
If the `compression` option is given, the archive will be compressed by passing
|
|
the `--{compression}` option to `tar`. (This option is non-standard and might
|
|
not work for anything other than GNU tar.)
|
|
|
|
Known options for `compression`: "bzip2", "xz", "lzip", "lzma", "lzop", "gzip".
|
|
|
|
Note that using `compression` does not add an extension to `filename`, so the
|
|
caller is responsible for making sure that `compression` and `filename` match.
|
|
|
|
By default POSIX ACLs, SELinux contexts and extended attributes are included,
|
|
in order to preserve the tree as closely as possible. It is possible to opt
|
|
out of any of those by supplying the corresponding option.
|
|
|
|
Buildhost commands used: `tar` and any named `compression` program.
|
|
"""
|
|
|
|
|
|
import subprocess
|
|
import sys
|
|
|
|
import osbuild.api
|
|
|
|
|
|
CAPABILITIES = ["CAP_MAC_ADMIN"]
|
|
|
|
|
|
SCHEMA = """
|
|
"additionalProperties": false,
|
|
"required": ["filename"],
|
|
"properties": {
|
|
"filename": {
|
|
"description": "Filename for tar archive",
|
|
"type": "string"
|
|
},
|
|
"compression": {
|
|
"description": "Name of compression program",
|
|
"type": "string",
|
|
"enum": ["bzip2", "xz", "lzip", "lzma", "lzop", "gzip"]
|
|
},
|
|
"acls": {
|
|
"description": "Enable support for POSIX ACLs",
|
|
"type": "boolean",
|
|
"default": true
|
|
},
|
|
"selinux": {
|
|
"description": "Enable support for SELinux contexts",
|
|
"type": "boolean",
|
|
"default": true
|
|
},
|
|
"xattrs": {
|
|
"description": "Enable support for extended attributes",
|
|
"type": "boolean",
|
|
"default": true
|
|
}
|
|
}
|
|
"""
|
|
|
|
|
|
def main(tree, output_dir, options):
|
|
filename = options["filename"]
|
|
compression = options.get("compression")
|
|
|
|
extra_args = []
|
|
if compression is not None:
|
|
if compression not in {"bzip2", "xz", "lzip", "lzma", "lzop", "gzip"}:
|
|
return 1
|
|
extra_args.append(f"--{compression}")
|
|
|
|
# Set environment variables for the tar operation.
|
|
tar_env = {
|
|
# Speed up xz by allowing it to use all CPU cores for compression.
|
|
"XZ_OPT": "--threads 0"
|
|
}
|
|
|
|
# SELinux context, ACLs and extended attributes
|
|
if options.get("acls", True):
|
|
extra_args += ["--acls"]
|
|
|
|
if options.get("selinux", True):
|
|
extra_args += ["--selinux"]
|
|
|
|
if options.get("xattrs", True):
|
|
extra_args += ["--xattrs", "--xattrs-include", "*"]
|
|
|
|
# Set up the tar command.
|
|
tar_cmd = [
|
|
"tar",
|
|
*extra_args,
|
|
"-cf", f"{output_dir}/{filename}",
|
|
"-C", tree,
|
|
"."
|
|
]
|
|
|
|
# Make a tarball of the tree.
|
|
subprocess.run(
|
|
tar_cmd,
|
|
stdout=subprocess.DEVNULL,
|
|
check=True,
|
|
env=tar_env
|
|
)
|
|
|
|
return 0
|
|
|
|
|
|
if __name__ == '__main__':
|
|
args = osbuild.api.arguments()
|
|
args_input = args["inputs"]["tree"]["path"]
|
|
args_output = args["tree"]
|
|
r = main(args_input, args_output, args["options"])
|
|
sys.exit(r)
|