Closed bdrung closed 4 years ago
Thanks for testing and reporting this!
It should be solved with commit 262fc48eb9e246ddb7315f5a14e7f6f58ca987c1
Basically the tar parser treated SHILY.xattr key/value pairs as ASCII strings. Since the value for the capabilities field is binary, it begins with a null-byte and was treated as an empty string.
I did the following to test that my fix works:
tar cf test.tar --xattrs /bin/ping
tar2sqfs test.sqfs < test.tar
sqfs2tar test.sqfs > test2.tar
I then compared the PAX headers in test.tar
and test2.tar
using a hex editor and saw that the xattrs in the tarballs are identical. I also mounted test.sqfs
and checked the capabilities using getcap
and it reported the same for ping
inside the SquashFS as for the one on my system.
Furthermore, in commit 76e9644ba9e7ce3535eb72ab041ac3be8486c22c I modified rdsquashfs -x
to print a hexdump if the key or value of an xattr is not a printable ASCII or UTF-8 string, which now gives me this on my system:
rdsquashfs -x /bin/ping test.sqfs
security.capability=0x0000000200300000000000000000000000000000
security.selinux=system_u:object_r:ping_exec_t:s0
I have not added test cases for this yet, but will.
I tested the latest git HEAD and it works now. Thanks.
tests/cantrbry.sh
and tests/test_tar_sqfs.sh
failed with sha512sum complaining about mismatched checksums.
When converting a tarball to squashfs, the security capabilities from the tarball are lost. Debian's and Ubuntu's ping uses capabilities to allow users to run ping:
Steps to reproduce:
Tested with latest git HEAD of squashfs-tools-ng.