snap/unsquashfs: pass -xattrs-include ^user. #14906
base: master
Writing security.* attributes as non-root user is not allowed, but on Fedora and other SELinux systems, unsquashfs will attempt to write to security.selinux, which fails.

Signed-off-by: Zygmunt Krynicki <[email protected]>
@@ -202,7 +202,7 @@ func (s *Snap) Unpack(src, dstDir string) error { | |||
usw := newUnsquashfsStderrWriter() | |||
|
|||
var output bytes.Buffer | |||
cmd := exec.Command("unsquashfs", "-n", "-f", "-d", dstDir, s.path, src) | |||
cmd := exec.Command("unsquashfs", "-xattrs-include", "^user.", "-n", "-f", "-d", dstDir, s.path, src) |
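Review bot: In the new exec.Command line in Unpack, the pattern "^user." leaves the dot unescaped, so if the option takes a regular expression it matches "user" followed by any character rather than only the literal "user." namespace prefix; "^user\\." would state the intent exactly. This is also the one call site in the patch that extracts into dstDir, so a short comment above it saying that the filter exists to keep unsquashfs from writing security.selinux as a non-root user would save the next reader a trip to the commit message.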
This is not supported by old versions of unsquashfs. We will need to see if we can drop all xattrs or if we need more elaborate logic.
@@ -419,7 +419,7 @@ func (s *Snap) Walk(relative string, walkFn filepath.WalkFunc) error { | |||
// ListDir returns the content of a single directory inside a squashfs snap. | |||
func (s *Snap) ListDir(dirPath string) ([]string, error) { | |||
output, stderr, err := osutil.RunSplitOutput( | |||
"unsquashfs", "-no-progress", "-dest", "_", "-l", s.path, dirPath) | |||
"unsquashfs", "-xattrs-include", "^user.", "-no-progress", "-dest", "_", "-l", s.path, dirPath) |
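Review bot: The ListDir call passes "-l" with "-dest", "_", which lists entries and extracts nothing, so the xattr filter added here has no attribute write to guard against. The commit message motivates the flag by failed writes of security.selinux; dropping it from this call keeps the listing command line unchanged and limits the change to the extraction path.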
Do we really need it with -l?
Ah, probably not, that was overeager.
@@ -640,7 +640,7 @@ func BuildDate(path string) time.Time { | |||
N: 1, | |||
} | |||
|
|||
cmd := exec.Command("unsquashfs", "-n", "-s", path) | |||
cmd := exec.Command("unsquashfs", "-xattrs-include", "^user.", "-n", "-s", path) |
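Review bot: BuildDate runs unsquashfs with "-s" on the image path alone, with no destination directory, so nothing is unpacked here and the added "-xattrs-include", "^user." pair looks unnecessary. If the flag does stay in more than one place, the same two string literals are now repeated across Unpack, ListDir and BuildDate; a shared constant or small helper for the argument pair would keep the pattern from drifting between call sites.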
Also here with -s?
Thanks for this, I was hitting this problem when trying to run tests on either a native Fedora host or an Ubuntu container (via toolbx/toolbox?) on Fedora. If our unit tests are really unit tests, they ought to work on any system :)
I'm still confused why this is failing. I started an LXD VM with the fedora/40/cloud image, and the unit tests are passing without any changes when running as a regular user, so what gives?
Maybe it has something to do with the current user's SELinux context, which is likely inherited from the lxd-agent.
Writing security.* attributes as non-root user is not allowed, but on Fedora and other SELinux systems, unsquashfs will attempt to write to security.selinux, which fails.
This fixes running unit tests on Fedora, while running as a regular user.