Bug 1384241 - The tar-in command does not allow restoring file capabilities
Summary: The tar-in command does not allow restoring file capabilities
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: libguestfs
Version: 8.2
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: 8.4
Assignee: Richard W.M. Jones
QA Contact: YongkuiGuo
URL:
Whiteboard:
Depends On: 771927
Blocks:
Reported: 2016-10-12 22:32 UTC by Pierre Neyron
Modified: 2024-03-25 14:57 UTC (History)
CC List: 9 users

Fixed In Version: libguestfs-1.40.2-27.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-18 15:21:14 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Pierre Neyron 2016-10-12 22:32:37 UTC
Description of problem:
The tar-in command does not provide tar's --xattrs-include option which is needed to restore capabilities.

As explained in https://bugzilla.redhat.com/show_bug.cgi?id=771927, it is possible to archive/restore capabilities with tar >= 1.27, e.g.

$ getcap /bin/ping
/bin/ping = cap_net_raw+ep
$ tar c --xattrs /bin/ping | sudo tar x --xattrs --xattrs-include='*' -C /tmp
tar: Removing leading `/' from member names
$ getcap /tmp/bin/ping
/tmp/bin/ping = cap_net_raw+ep

Version-Release number of selected component (if applicable):
1.32

How reproducible:
100%

Steps to Reproduce:
1. create a tarball containing ping with its capability: 
$ tar cf /tmp/ping.tar --xattrs /bin/ping
(just need --xattrs here, not --xattrs-include='*')

2. tar-in the archive with the xattr:true option:
$ guestfish -i -a OS.qcow2 tar-in /tmp/ping.tar / selinux:true acls:true xattrs:true 

3. test the capability with guestfish cap-get-file command:
$ guestfish -i -a jessie-x64-min-2016091917.qcow2 <<EOF
cap-get-file /bin/ping
EOF


Actual results:
""

Expected results:
= cap_net_raw+ep

Additional info:

Comment 1 Pierre Neyron 2016-10-12 22:34:58 UTC
sorry for the typo ;-)

3. test the capability with guestfish cap-get-file command:
$ guestfish -i -a OS.qcow2 <<EOF
cap-get-file /bin/ping
EOF

Comment 2 Richard W.M. Jones 2016-10-13 11:49:02 UTC
I think this is really a bug in GNU tar.  However I have proposed
a patch upstream:

https://www.redhat.com/archives/libguestfs/2016-October/msg00089.html

Comment 3 Pavel Raiskup 2016-10-13 12:31:03 UTC
Thanks for the patch.  You shouldn't need --xattrs once you use
--xattrs-include (though this implication came about a year later after
--xattrs-include was added).

I have just a warning for you:  In case you use --xattrs-include='*', you
should really know what the implications are -- kernel might refuse direct
writes to some security attributes, or some binary representation of
security attributes might change, and if you restore binary capabilities
you might easily restore some garbage from the kernel point of view.
AFAIK, this has not happened yet, but you should take this into account.
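
The following script is an added example and is not part of this bug thread, GNU tar or libguestfs. It checks, before any restore, whether the archive produced by "tar cf ... --xattrs" in the description actually carries the security.capability xattr for each member, and it decodes the blob into getcap-style text. It also takes comment 3's point about the binary representation changing: the decoder accepts only the struct vfs_cap_data revisions whose layout it knows (revision 2, 20 bytes, and revision 3, 24 bytes with a trailing rootid, per <linux/capability.h>) and refuses anything else instead of guessing. Assumptions: GNU tar stores each xattr as a PAX record named "SCHILY.xattr.<name>", and the sample archive built in memory stands in for a real /bin/ping (its contents and capability values are constructed).

```python
"""List file capabilities stored in a tar archive and render them like getcap.

Added example (not from libguestfs or the bug thread). Assumes GNU tar --xattrs
writes PAX records "SCHILY.xattr.<name>" and the vfs_cap_data layout from
<linux/capability.h> (v2: 20 bytes, v3: 24 bytes with a trailing rootid).
"""
import io
import struct
import tarfile

PAX_CAP_KEY = "SCHILY.xattr.security.capability"
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001

# Capability numbers from <linux/capability.h>; unknown numbers print as cap_N.
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search", 3: "cap_fowner",
    4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid", 7: "cap_setuid", 8: "cap_setpcap",
    9: "cap_linux_immutable", 10: "cap_net_bind_service", 11: "cap_net_broadcast",
    12: "cap_net_admin", 13: "cap_net_raw", 14: "cap_ipc_lock", 15: "cap_ipc_owner",
    16: "cap_sys_module", 17: "cap_sys_rawio", 18: "cap_sys_chroot", 19: "cap_sys_ptrace",
    20: "cap_sys_pacct", 21: "cap_sys_admin", 22: "cap_sys_boot", 23: "cap_sys_nice",
    24: "cap_sys_resource", 25: "cap_sys_time", 26: "cap_sys_tty_config", 27: "cap_mknod",
    28: "cap_lease", 29: "cap_audit_write", 30: "cap_audit_control", 31: "cap_setfcap",
}


def decode_vfs_caps(raw):
    """Decode a security.capability blob into getcap-style text, e.g. 'cap_net_raw+ep'."""
    if len(raw) < 4:
        raise ValueError("security.capability blob too short")
    magic_etc = struct.unpack_from("<I", raw, 0)[0]
    revision = magic_etc & VFS_CAP_REVISION_MASK
    expected_len = {VFS_CAP_REVISION_2: 20, VFS_CAP_REVISION_3: 24}.get(revision)
    if expected_len is None or len(raw) != expected_len:
        # Unknown revision or wrong size: refuse rather than restore something the
        # kernel may interpret differently (the caveat raised in comment 3).
        raise ValueError("unsupported security.capability revision %#x / length %d"
                         % (revision, len(raw)))
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", raw, 4)
    permitted = p_lo | (p_hi << 32)
    inheritable = i_lo | (i_hi << 32)
    effective = bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)  # applies to the permitted set
    # getcap groups capabilities that share the same flags; flags print in e,i,p order.
    groups = {}
    for bit in range(64):
        in_p = bool(permitted >> bit & 1)
        in_i = bool(inheritable >> bit & 1)
        if not (in_p or in_i):
            continue
        flags = ("e" if effective and in_p else "") + ("i" if in_i else "") + ("p" if in_p else "")
        groups.setdefault(flags, []).append(CAP_NAMES.get(bit, "cap_%d" % bit))
    return " ".join("%s+%s" % (",".join(names), flags) for flags, names in groups.items())


def encode_vfs_caps(permitted, inheritable=0, effective=False, rootid=None):
    """Build a security.capability blob (revision 2, or revision 3 when rootid is given)."""
    magic_etc = VFS_CAP_REVISION_3 if rootid is not None else VFS_CAP_REVISION_2
    if effective:
        magic_etc |= VFS_CAP_FLAGS_EFFECTIVE
    body = struct.pack("<IIIII", magic_etc, permitted & 0xFFFFFFFF, inheritable & 0xFFFFFFFF,
                       permitted >> 32, inheritable >> 32)
    return body + (struct.pack("<I", rootid) if rootid is not None else b"")


def capabilities_in_archive(fileobj):
    """Map member name -> getcap text for every member carrying security.capability."""
    found = {}
    with tarfile.open(fileobj=fileobj, mode="r:") as tf:
        for member in tf.getmembers():
            value = member.pax_headers.get(PAX_CAP_KEY)
            if value is None:
                continue  # archived without --xattrs, or the file had no capability
            # tarfile decodes PAX values with surrogateescape; reverse it to get raw bytes.
            found[member.name] = decode_vfs_caps(value.encode("utf-8", "surrogateescape"))
    return found


def build_sample_archive():
    """Constructed stand-in for 'tar cf /tmp/ping.tar --xattrs /bin/ping' (no real binaries)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tf:
        for name, blob in (
            ("bin/ping", encode_vfs_caps(1 << 13, effective=True)),               # cap_net_raw+ep
            ("usr/bin/ping", encode_vfs_caps((1 << 12) | (1 << 13), rootid=0)),  # revision 3
        ):
            info = tarfile.TarInfo(name)
            info.size = 4
            info.pax_headers = {PAX_CAP_KEY: blob.decode("utf-8", "surrogateescape")}
            tf.addfile(info, io.BytesIO(b"ELF\0"))
        plain = tarfile.TarInfo("etc/hostname")  # member without any capability
        plain.size = 5
        tf.addfile(plain, io.BytesIO(b"host\n"))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, caps in capabilities_in_archive(build_sample_archive()).items():
        print("%s = %s" % (name, caps))
```

To check a real archive, pass an open file object to capabilities_in_archive() instead of the constructed one; a member that is missing from the result was archived without its capability and will come out of tar-in without one regardless of the xattrs option.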

Comment 4 Pierre Neyron 2016-10-14 16:22:31 UTC
What about adding a new option to the guestfish tar-in command to expose the --xattrs-include=XXX option? -> xattrs-include:XXX
That way, it is up to the user to decide if he wants to take the risk...

Comment 5 Richard W.M. Jones 2016-10-14 17:01:26 UTC
Yes this is possible, but we'd have to support it in (our) API forever.
We'll see if someone reviews the patch on the mailing list.

Comment 6 Richard W.M. Jones 2020-12-11 10:25:40 UTC
I have pushed the patch upstream:

https://github.com/libguestfs/libguestfs/commit/6d0ab14b56743679638ead0829ff3131749ac59b

Comment 9 Richard W.M. Jones 2021-01-05 09:09:46 UTC
Upstream commit 6d0ab14b56743679638ead0829ff3131749ac59b.

Comment 13 John Ferlan 2021-01-05 13:53:49 UTC
Altering the assignee to Rich rather than virt-maint since he fixed the issue.

Comment 14 YongkuiGuo 2021-01-06 11:32:05 UTC
Verified with package:
libguestfs-1.40.2-27.module+el8.4.0+9282+0bdec052.x86_64

Steps:

1. On rhel8.4 host
$ getcap /bin/ping
/bin/ping = cap_net_admin,cap_net_raw+p

2.
$ tar cf /tmp/ping.tar --xattrs /bin/ping

3. tar-in the archive with the xattr:true option:
$ guestfish -i -a rhel8.3.raw tar-in /tmp/ping.tar / selinux:true acls:true xattrs:true

4.
$ guestfish -i -a rhel8.3.raw
...
Operating system: Red Hat Enterprise Linux 8.3 (Ootpa)
/dev/rhel/root mounted on /
/dev/sda1 mounted on /boot

><fs> cap-get-file /bin/ping
= cap_net_admin,cap_net_raw+p

The tar-in command can restore file capabilities correctly. So this bug is verified.

Comment 16 errata-xmlrpc 2021-05-18 15:21:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1762

