From patchwork Fri Jul 9 16:17:43 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 4503 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4GLyyM6rPkz3xGV for ; Fri, 9 Jul 2021 16:18:35 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4GLyyL4rCHz17W; Fri, 9 Jul 2021 16:18:34 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4GLyyL3Zjtz2y38; Fri, 9 Jul 2021 16:18:34 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4GLyyK2ytHz2xLH for ; Fri, 9 Jul 2021 16:18:33 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4GLyyJ60FMzBs; Fri, 9 Jul 2021 16:18:32 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1625847512; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=SSeQB//bIGrcsZ/dNF1GPohr64Jlk2wwKEcL47WZOr4=; b=+DQzDCPz9OansYmBbStwVnEEV8zTYrm2LB32boU2H5GRCxP7pa91pf4ofihk5HPZWesbj3 DV3p+12W2LuJKNCg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1625847512; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=SSeQB//bIGrcsZ/dNF1GPohr64Jlk2wwKEcL47WZOr4=; b=lJjdK3nDd051Y4O+3up8SWmBy4QMYkOEWh0QCCIjZZfPbRJvpvfJvKU+kuSoCjFqjbAeLj 6U09jOZ6sPcKY4Tr+B8rTeWe1uaxqkga6p+tUqOoBG2ymix8vlUJ6LbxelK4XqU70KrGS/ B3cdh+rqNkS/Cn+hbUoIJPfQpd/2DPxahkly9PbI1wDrpSlyhorKDBFQpuJ0fisIxW5zd/ 77NE9RAJX6dBptUKkuLT0Gavlm2dz1JkMLQXLpZUChmQWKE5/wmKHd4Cz5B+rPlLSvboFW dg2FJnYoXXE5VmT68csuL3JUBVxOFgQOEcdtt29Zzzz6PD5iVBy1eV8U02GtuA== From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH] stripper: Handle capabilities Date: Fri, 9 Jul 2021 16:17:43 +0000 Message-Id: <20210709161742.4224-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" During the build process, we set capabilities to elevate privileges of certain progrems (e.g. ping). These have been removed during the build process because of strip. This patch collects any capabilities from all files that are being stripped and restores them after calling strip. Fixes: #12652 Reported-by: Peter Müller Signed-off-by: Michael Tremer Acked-by: Peter Müller --- src/stripper | 9 +++++++++ 1 file changed, 9 insertions(+) Please re-ship ping and etherwake with this patch. diff --git a/src/stripper b/src/stripper index ac5f58ca5..e51463c69 100755 --- a/src/stripper +++ b/src/stripper @@ -27,6 +27,10 @@ function _strip() { fi done + # Fetch any capabilities + local capabilities="$(getfattr --no-dereference --name="security.capability" \ + --absolute-names --dump "${file}")" + local cmd=( "${strip}" ) case "$(file -bi ${file})" in @@ -40,6 +44,11 @@ function _strip() { echo "Stripping ${file}..." ${cmd[*]} ${file} + + # Restore capabilities + if [ -n "${capabilities}" ]; then + setfattr --no-dereference --restore=<(echo "${capabilities}") + fi } for dir in ${dirs}; do