stripper: Handle capabilities

Message ID 20210709161742.4224-1-michael.tremer@ipfire.org
State Staged
Commit 37ef9fe4e07a97d3597b9d9e7895652fcfe79150
Headers show
Series stripper: Handle capabilities | expand

Commit Message

Michael Tremer July 9, 2021, 4:17 p.m. UTC
During the build process, we set capabilities to elevate privileges of
certain progrems (e.g. ping). These have been removed during the build
process because of strip.

This patch collects any capabilities from all files that are being
stripped and restores them after calling strip.

Fixes: #12652
Reported-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 src/stripper | 9 +++++++++
 1 file changed, 9 insertions(+)

Please re-ship ping and etherwake with this patch.

Comments

Peter Müller July 9, 2021, 7:11 p.m. UTC | #1
Thank you very much. :-)

Acked-by: Peter Müller <peter.mueller@ipfire.org>

> During the build process, we set capabilities to elevate privileges of
> certain progrems (e.g. ping). These have been removed during the build
> process because of strip.
> 
> This patch collects any capabilities from all files that are being
> stripped and restores them after calling strip.
> 
> Fixes: #12652
> Reported-by: Peter Müller <peter.mueller@ipfire.org>
> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
> ---
>  src/stripper | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> Please re-ship ping and etherwake with this patch.
> 
> diff --git a/src/stripper b/src/stripper
> index ac5f58ca5..e51463c69 100755
> --- a/src/stripper
> +++ b/src/stripper
> @@ -27,6 +27,10 @@ function _strip() {
>  		fi
>  	done
>  
> +	# Fetch any capabilities
> +	local capabilities="$(getfattr --no-dereference --name="security.capability" \
> +		--absolute-names --dump "${file}")"
> +
>  	local cmd=( "${strip}" )
>  
>  	case "$(file -bi ${file})" in
> @@ -40,6 +44,11 @@ function _strip() {
>  
>  	echo "Stripping ${file}..."
>  	${cmd[*]} ${file}
> +
> +	# Restore capabilities
> +	if [ -n "${capabilities}" ]; then
> +		setfattr --no-dereference --restore=<(echo "${capabilities}")
> +	fi
>  }
>  
>  for dir in ${dirs}; do
>

Patch

diff --git a/src/stripper b/src/stripper
index ac5f58ca5..e51463c69 100755
--- a/src/stripper
+++ b/src/stripper
@@ -27,6 +27,10 @@  function _strip() {
 		fi
 	done
 
+	# Fetch any capabilities
+	local capabilities="$(getfattr --no-dereference --name="security.capability" \
+		--absolute-names --dump "${file}")"
+
 	local cmd=( "${strip}" )
 
 	case "$(file -bi ${file})" in
@@ -40,6 +44,11 @@  function _strip() {
 
 	echo "Stripping ${file}..."
 	${cmd[*]} ${file}
+
+	# Restore capabilities
+	if [ -n "${capabilities}" ]; then
+		setfattr --no-dereference --restore=<(echo "${capabilities}")
+	fi
 }
 
 for dir in ${dirs}; do