Control: tags -1 +patch

Here's a patch to fix this, also available in:

You are absolutely deluded, if not stupid, if you think that a
worldwide collection of software engineers who can't write operating
systems or applications without security holes, can then turn around
and suddenly write virtualization layers without security holes.
                        - Theo de Raadt
>From cd34bcc48a2af92f484535b81fba2d46dad1dbb6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <>
Date: Thu, 10 Oct 2019 11:07:51 -0400
Subject: [PATCH] respect Linux capabilities(7) in cache

The default GNU tar configuration does not carry fancy extended
attributes and that is where, among other things, stuff like Linux
capabilities(7) are stored. This is kind of important because that's
how ping(8) works for regular users.

We shove --selinux and --acls in there while we're at it, because why
not. We never know what the future might bring, and it seems
silly *not* to create a complete archive.

Note that --xattrs-include='*' is important because, by default, GNU
tar will not include capabilities /even/ if --xattrs is specified on
the commandline, see this bug report for details:
 create | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/create b/create
index 607bab2..7526e71 100755
--- a/create
+++ b/create
@@ -83,7 +83,7 @@ if [ "$CLEAN_CACHE" -a -d "$CACHE_DIR" ]; then
 if [ -f "$CACHE_FILE" ]; then
-  tar xf "$CACHE_FILE" -C $TMPDIR
+  tar --acls --selinux --xattrs --xattrs-include='*' -x -f "$CACHE_FILE" -C $TMPDIR
   if [ "$PROXY" ]; then
     export http_proxy="$PROXY"
@@ -109,7 +109,7 @@ else
   if [ "$GENERATE_CACHE" = "yes" ]; then
     TMP_CACHE=`mktemp "${CACHE_FILE}.XXXXXX"`
-    tar cf "$TMP_CACHE" -C $TMPDIR .
+    tar --acls --selinux --xattrs --xattrs-include='*' -c -f "$TMP_CACHE" -C $TMPDIR .
     mv -f "$TMP_CACHE" "$CACHE_FILE"

Reply via email to