snap/unsquashfs: pass -xattrs-include ^user. #14906
Conversation
Writing security.* attributes as non-root user is not allowed but on Fedora and other SELinux systems, unsquashfs will attempt to write to security.selinux, which fails. Signed-off-by: Zygmunt Krynicki <[email protected]>
| @@ -202,7 +202,7 @@ func (s *Snap) Unpack(src, dstDir string) error { | |||
| usw := newUnsquashfsStderrWriter() | |||
|
|
|||
| var output bytes.Buffer | |||
| cmd := exec.Command("unsquashfs", "-n", "-f", "-d", dstDir, s.path, src) | |||
| cmd := exec.Command("unsquashfs", "-xattrs-include", "^user.", "-n", "-f", "-d", dstDir, s.path, src) | |||
There was a problem hiding this comment.
This is not supported by old versions of unsquashfs. We will need to see if we can drop all xattrs or if we need more elaborate logic.
| @@ -419,7 +419,7 @@ func (s *Snap) Walk(relative string, walkFn filepath.WalkFunc) error { | |||
| // ListDir returns the content of a single directory inside a squashfs snap. | |||
| func (s *Snap) ListDir(dirPath string) ([]string, error) { | |||
| output, stderr, err := osutil.RunSplitOutput( | |||
| "unsquashfs", "-no-progress", "-dest", "_", "-l", s.path, dirPath) | |||
| "unsquashfs", "-xattrs-include", "^user.", "-no-progress", "-dest", "_", "-l", s.path, dirPath) | |||
There was a problem hiding this comment.
Do we really need it with -l
There was a problem hiding this comment.
Ah, probably not, that was overeager.
| @@ -640,7 +640,7 @@ func BuildDate(path string) time.Time { | |||
| N: 1, | |||
| } | |||
|
|
|||
| cmd := exec.Command("unsquashfs", "-n", "-s", path) | |||
| cmd := exec.Command("unsquashfs", "-xattrs-include", "^user.", "-n", "-s", path) | |||
|
Thanks for this, I was hitting this problem when trying to run tests on either a native fedora host or an ubuntu container (via toolbx/toolbox?) on fedora. If our unit tests are really unit tests, they ought to work on any system :) |
|
I'm still confused why this is failing I started a lxd vm with fedora/40/cloud image and the unit tests are passing without any changes when running as a regular user, so what gives? Maybe it has something to do with current user's selinux context, which is likely inherited from the lxd-agent. |
Writing security.* attributes as non-root user is not allowed but on Fedora and other SELinux systems, unsquashfs will attempt to write to security.selinux, which fails.
This fixes running unit tests on Fedora, while running as a regular user.