public inbox for gentoo-portage-dev@lists.gentoo.org
* [gentoo-portage-dev] [PATCH] PORTAGE_XATTR_EXCLUDE: preserve security.capability (bug 548516)
From: Zac Medico @ 2015-05-03 19:18 UTC
  To: gentoo-portage-dev; +Cc: Zac Medico

Also, fix BinpkgExtractorAsync tar options to preserve
security.capability attributes.

X-Gentoo-Bug: 548516
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=548516
---
 cnf/make.globals                    | 6 ++++--
 pym/_emerge/BinpkgExtractorAsync.py | 3 ++-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/cnf/make.globals b/cnf/make.globals
index dd99618..5698636 100644
--- a/cnf/make.globals
+++ b/cnf/make.globals
@@ -123,9 +123,11 @@ PORTAGE_ELOG_MAILFROM="portage@localhost"
 PORTAGE_GPG_SIGNING_COMMAND="gpg --sign --digest-algo SHA256 --clearsign --yes --default-key \"\${PORTAGE_GPG_KEY}\" --homedir \"\${PORTAGE_GPG_DIR}\" \"\${FILE}\""
 
 # btrfs.* attributes are irrelevant, see bug #527636.
-# Security labels are special, see bug #461868.
+# security.* attributes may be special (see bug 461868), but
+# security.capabilities is specifically not excluded (bug 548516).
 # system.nfs4_acl attributes are irrelevant, see bug #475496.
-PORTAGE_XATTR_EXCLUDE="btrfs.* security.* system.nfs4_acl"
+PORTAGE_XATTR_EXCLUDE="btrfs.* security.evm security.ima
+	security.selinux system.nfs4_acl"
 
 #            *****************************
 #            **  DO NOT EDIT THIS FILE  **
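
Review bot: the second added comment line names `security.capabilities`, but the attribute this patch is meant to preserve, per the subject and the commit message, is `security.capability`. Fix the spelling in the comment so that someone grepping make.globals for the real attribute name finds the rationale and the bug reference.
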
diff --git a/pym/_emerge/BinpkgExtractorAsync.py b/pym/_emerge/BinpkgExtractorAsync.py
index 6aaa448..6b5539a 100644
--- a/pym/_emerge/BinpkgExtractorAsync.py
+++ b/pym/_emerge/BinpkgExtractorAsync.py
@@ -23,7 +23,8 @@ class BinpkgExtractorAsync(SpawnProcess):
 			process = subprocess.Popen(["tar", "--help"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
 			output = process.communicate()[0]
 			if b"--xattrs" in output:
-				tar_options = "--xattrs"
+				tar_options = ("--xattrs --xattrs-include='*' --xattrs-exclude="
+					"'%s'" % self.env.get("PORTAGE_XATTR_EXCLUDE", ""))
 
 		decomp_cmd = _decompressors.get(
 			compression_probe(self.pkg_path))
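
Review bot: the added `tar_options` assignment puts the whole PORTAGE_XATTR_EXCLUDE value into a single `--xattrs-exclude='%s'` argument, so with the multi-pattern default from make.globals (whitespace-separated, and after this patch containing a newline and a tab) tar receives one pattern with embedded whitespace that will not match the individual attribute names. The exclusions then silently stop applying while `--xattrs-include='*'` restores everything. Split the value on whitespace and emit one `--xattrs-exclude=` option per token. The value is also interpolated between literal single quotes without escaping, which suggests the string ends up in a shell command line; a quote character in the variable would terminate the quoting early, so quote each token with a shell-quoting helper rather than by hand.
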
-- 
2.3.5




* [gentoo-portage-dev] [PATCH v2] PORTAGE_XATTR_EXCLUDE: preserve security.capability (bug 548516)
From: Zac Medico @ 2015-05-03 23:10 UTC
  To: gentoo-portage-dev; +Cc: Zac Medico

Also, fix BinpkgExtractorAsync tar options to preserve
security.capability attributes.

X-Gentoo-Bug: 548516
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=548516
---
[PATCH v2] fixes BinpkgExtractorAsync tar --xattrs-exclude arguments to work
           correctly (each token must be passed as a separate argument)

 cnf/make.globals                    | 6 ++++--
 pym/_emerge/BinpkgExtractorAsync.py | 5 ++++-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/cnf/make.globals b/cnf/make.globals
index dd99618..5698636 100644
--- a/cnf/make.globals
+++ b/cnf/make.globals
@@ -123,9 +123,11 @@ PORTAGE_ELOG_MAILFROM="portage@localhost"
 PORTAGE_GPG_SIGNING_COMMAND="gpg --sign --digest-algo SHA256 --clearsign --yes --default-key \"\${PORTAGE_GPG_KEY}\" --homedir \"\${PORTAGE_GPG_DIR}\" \"\${FILE}\""
 
 # btrfs.* attributes are irrelevant, see bug #527636.
-# Security labels are special, see bug #461868.
+# security.* attributes may be special (see bug 461868), but
+# security.capabilities is specifically not excluded (bug 548516).
 # system.nfs4_acl attributes are irrelevant, see bug #475496.
-PORTAGE_XATTR_EXCLUDE="btrfs.* security.* system.nfs4_acl"
+PORTAGE_XATTR_EXCLUDE="btrfs.* security.evm security.ima
+	security.selinux system.nfs4_acl"
 
 #            *****************************
 #            **  DO NOT EDIT THIS FILE  **
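
Review bot: replacing the `security.*` wildcard in PORTAGE_XATTR_EXCLUDE with the three names `security.evm security.ima security.selinux` turns the exclusion into an enumerated list, so every other `security.*` attribute, not only `security.capability`, is now preserved by default. If that wider effect is intended, say so in the comment above the assignment; otherwise note there that any further security attribute that must not be copied has to be added to the list explicitly.
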
diff --git a/pym/_emerge/BinpkgExtractorAsync.py b/pym/_emerge/BinpkgExtractorAsync.py
index 6aaa448..0bf3c74 100644
--- a/pym/_emerge/BinpkgExtractorAsync.py
+++ b/pym/_emerge/BinpkgExtractorAsync.py
@@ -23,7 +23,10 @@ class BinpkgExtractorAsync(SpawnProcess):
 			process = subprocess.Popen(["tar", "--help"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
 			output = process.communicate()[0]
 			if b"--xattrs" in output:
-				tar_options = "--xattrs"
+				tar_options = ["--xattrs", "--xattrs-include='*'"]
+				for x in portage.util.shlex_split(self.env.get("PORTAGE_XATTR_EXCLUDE", "")):
+					tar_options.append(portage._shell_quote("--xattrs-exclude=%s" % x))
+				tar_options = " ".join(tar_options)
 
 		decomp_cmd = _decompressors.get(
 			compression_probe(self.pkg_path))
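
Review bot: quoting is inconsistent across the added lines: `--xattrs-include='*'` carries hand-written single quotes while each exclude token goes through `portage._shell_quote`. Pass the include option through the same helper so both are quoted by one code path. Separately, the `self.env.get("PORTAGE_XATTR_EXCLUDE", "")` fallback means an unset variable produces no `--xattrs-exclude` option at all while `--xattrs-include='*'` still applies, so every attribute stored in the binary package is restored; a one-line comment stating that this is the intended behaviour would help. Please also confirm that `portage` and `portage.util` are imported in this module, since the hunk does not show the import block.
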
-- 
2.3.5




* Re: [gentoo-portage-dev] [PATCH v2] PORTAGE_XATTR_EXCLUDE: preserve security.capability (bug 548516)
From: Brian Dolbec @ 2015-05-04  3:03 UTC
  To: gentoo-portage-dev

On Sun,  3 May 2015 16:10:58 -0700
Zac Medico <zmedico@gentoo.org> wrote:

> Also, fix BinpkgExtractorAsync tar options to preserve
> security.capability attributes.
> 
> X-Gentoo-Bug: 548516
> X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=548516
> ---
> [PATCH v2] fixes BinpkgExtractorAsync tar --xattrs-exclude arguments
> to work correctly (each token must be passed as a separate argument)
> 
>  cnf/make.globals                    | 6 ++++--
>  pym/_emerge/BinpkgExtractorAsync.py | 5 ++++-
>  2 files changed, 8 insertions(+), 3 deletions(-)
> 
> diff --git a/cnf/make.globals b/cnf/make.globals
> index dd99618..5698636 100644
> --- a/cnf/make.globals
> +++ b/cnf/make.globals
> @@ -123,9 +123,11 @@ PORTAGE_ELOG_MAILFROM="portage@localhost"
>  PORTAGE_GPG_SIGNING_COMMAND="gpg --sign --digest-algo SHA256
> --clearsign --yes --default-key \"\${PORTAGE_GPG_KEY}\" --homedir
> \"\${PORTAGE_GPG_DIR}\" \"\${FILE}\"" # btrfs.* attributes are
> irrelevant, see bug #527636. -# Security labels are special, see bug
> #461868. +# security.* attributes may be special (see bug 461868), but
> +# security.capabilities is specifically not excluded (bug 548516).
>  # system.nfs4_acl attributes are irrelevant, see bug #475496.
> -PORTAGE_XATTR_EXCLUDE="btrfs.* security.* system.nfs4_acl"
> +PORTAGE_XATTR_EXCLUDE="btrfs.* security.evm security.ima
> +	security.selinux system.nfs4_acl"
>  
>  #            *****************************
>  #            **  DO NOT EDIT THIS FILE  **
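
Review bot: the new PORTAGE_XATTR_EXCLUDE default is split across two lines inside the double quotes, so the value now contains a newline and a tab between `security.ima` and `security.selinux`. Every consumer of the variable has to split on arbitrary whitespace rather than on single spaces. The comment block above the assignment is a good place to state that the variable is a whitespace-separated list of patterns.
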
> diff --git a/pym/_emerge/BinpkgExtractorAsync.py
> b/pym/_emerge/BinpkgExtractorAsync.py index 6aaa448..0bf3c74 100644
> --- a/pym/_emerge/BinpkgExtractorAsync.py
> +++ b/pym/_emerge/BinpkgExtractorAsync.py
> @@ -23,7 +23,10 @@ class BinpkgExtractorAsync(SpawnProcess):
>  			process = subprocess.Popen(["tar",
> "--help"], stdout=subprocess.PIPE, stderr=subprocess.PIPE) output =
> process.communicate()[0] if b"--xattrs" in output:
> -				tar_options = "--xattrs"
> +				tar_options = ["--xattrs",
> "--xattrs-include='*'"]
> +				for x in
> portage.util.shlex_split(self.env.get("PORTAGE_XATTR_EXCLUDE", "")):
> +
> tar_options.append(portage._shell_quote("--xattrs-exclude=%s" % x))
> +				tar_options = " ".join(tar_options)
>  
>  		decomp_cmd = _decompressors.get(
>  			compression_probe(self.pkg_path))
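
Review bot: the feature probe in the context line `if b"--xattrs" in output:` only checks that `tar --help` mentions `--xattrs`, while the added lines now depend on `--xattrs-include` and `--xattrs-exclude` as well. Probe for `b"--xattrs-exclude"` (or for each option actually used) so that a tar which knows `--xattrs` but not the include/exclude options is not handed arguments it does not understand.
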

Merge please :)

-- 
Brian Dolbec <dolsen>


