Bug 1384241 - The tar-in command does not allow restoring file capabilities
Summary: The tar-in command does not allow restoring file capabilities
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: libguestfs
Version: 8.2
Hardware: All
OS: Linux
Target Milestone: rc
: 8.4
Assignee: Richard W.M. Jones
QA Contact: YongkuiGuo
Depends On: 771927
TreeView+ depends on / blocked
Reported: 2016-10-12 22:32 UTC by Pierre Neyron
Modified: 2021-05-18 15:21 UTC (History)
9 users (show)

Fixed In Version: libguestfs-1.40.2-27.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-05-18 15:21:14 UTC
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)

Description Pierre Neyron 2016-10-12 22:32:37 UTC
Description of problem:
The tar-in command does not provide tar's --xattrs-include option which is needed to restore capabilities.

As explained in https://bugzilla.redhat.com/show_bug.cgi?id=771927, it is possible to archive/restore capabilities with tar >= 1.27, e.g.

$ getcap /bin/ping
/bin/ping = cap_net_raw+ep
$ tar c --xattrs /bin/ping | sudo tar x --xattrs --xattrs-include='*' -C /tmp
tar: Removing leading `/' from member names
$ getcap /tmp/bin/ping
/tmp/bin/ping = cap_net_raw+ep

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. create a tarball containing ping with its capability: 
$ tar cf /tmp/ping.tar --xattrs /bin/ping
(just need --xattrs here, not --xattrs-include='*')

2. tar-in the archive with the xattr:true option:
$ guestfish -i -a OS.qcow2 tar-in /tmp/ping.tar / selinux:true acls:true xattrs:true 

3. test the capability with guestfish cap-get-file command:
$ guestfish -i -a jessie-x64-min-2016091917.qcow2 <<EOF
cap-get-file /bin/ping

Actual results:

Expected results:
= cap_net_raw+ep

Additional info:

Comment 1 Pierre Neyron 2016-10-12 22:34:58 UTC
sorry for the typo ;-)

3. test the capability with guestfish cap-get-file command:
$ guestfish -i -a OS.qcow2 <<EOF
cap-get-file /bin/ping

Comment 2 Richard W.M. Jones 2016-10-13 11:49:02 UTC
I think this is really a bug in GNU tar.  However I have proposed
a patch upstream:


Comment 3 Pavel Raiskup 2016-10-13 12:31:03 UTC
Thanks for the patch.  You shouldn't need --xattrs once you use
--xatrrs-include (though this implication came about year later after
--xattrs-include was added).

I have just a warning for you:  In case you use --xattrs-include='*', you
should really know what are the implications -- kernel might refuse direct
writes to some security attributes, or some binary representation of
security attributes might change, and if you restore binary capabilities
you might easily restore some garbage from the kernel point of view.
AFAIK, this has not happened yet, but you should take this into account.

Comment 4 Pierre Neyron 2016-10-14 16:22:31 UTC
What about adding a new option to the guestfish tar-in command to expose the --xattrs-include=XXX option ? -> xattrs-include:XXX
That way, it is up to the user to decide if he want to take the risk...

Comment 5 Richard W.M. Jones 2016-10-14 17:01:26 UTC
Yes this is possible, but we'd have to support it in (our) API forever.
We'll see if someone reviews the patch on the mailing list.

Comment 6 Richard W.M. Jones 2020-12-11 10:25:40 UTC
I have pushed the patch upstream:


Comment 9 Richard W.M. Jones 2021-01-05 09:09:46 UTC
Upstream commit 6d0ab14b56743679638ead0829ff3131749ac59b.

Comment 13 John Ferlan 2021-01-05 13:53:49 UTC
Altering the assignee to Rich rather than virt-maint since he fixed the issue.

Comment 14 YongkuiGuo 2021-01-06 11:32:05 UTC
Verified with package:


1. On rhel8.4 host
$ getcap /bin/ping
/bin/ping = cap_net_admin,cap_net_raw+p

$ tar cf /tmp/ping.tar --xattrs /bin/ping

3. tar-in the archive with the xattr:true option:
$ guestfish -i -a rhel8.3.raw tar-in /tmp/ping.tar / selinux:true acls:true xattrs:true

$ guestfish -i -a rhel8.3.raw
Operating system: Red Hat Enterprise Linux 8.3 (Ootpa)
/dev/rhel/root mounted on /
/dev/sda1 mounted on /boot

><fs> cap-get-file /bin/ping
= cap_net_admin,cap_net_raw+p

The tar-in command can restore file capabilities correctly. So verified this bug.

Comment 16 errata-xmlrpc 2021-05-18 15:21:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.