From: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri, 9 Jul 2021 16:17:43 +0000 (+0000)
Subject: stripper: Handle capabilities
X-Git-Tag: v2.25-core158~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=37ef9fe4e07a97d3597b9d9e7895652fcfe79150;p=ipfire-2.x.git

stripper: Handle capabilities

During the build process, we set capabilities to elevate privileges of
certain progrems (e.g. ping). These have been removed during the build
process because of strip.

This patch collects any capabilities from all files that are being
stripped and restores them after calling strip.

Fixes: #12652
Reported-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---

diff --git a/src/stripper b/src/stripper
index ac5f58ca50..e51463c691 100755
--- a/src/stripper
+++ b/src/stripper
@@ -27,6 +27,10 @@ function _strip() {
 		fi
 	done
 
+	# Fetch any capabilities
+	local capabilities="$(getfattr --no-dereference --name="security.capability" \
+		--absolute-names --dump "${file}")"
+
 	local cmd=( "${strip}" )
 
 	case "$(file -bi ${file})" in
@@ -40,6 +44,11 @@ function _strip() {
 
 	echo "Stripping ${file}..."
 	${cmd[*]} ${file}
+
+	# Restore capabilities
+	if [ -n "${capabilities}" ]; then
+		setfattr --no-dereference --restore=<(echo "${capabilities}")
+	fi
 }
 
 for dir in ${dirs}; do