git.ipfire.org Git - ipfire-2.x.git/commitdiff
stripper: Handle capabilities
author Michael Tremer <michael.tremer@ipfire.org>
Fri, 9 Jul 2021 16:17:43 +0000 (16:17 +0000)
committer Michael Tremer <michael.tremer@ipfire.org>
Sat, 10 Jul 2021 15:21:55 +0000 (15:21 +0000)
During the build process, we set capabilities to elevate privileges of
certain programs (e.g. ping). These have been removed during the build
process because of strip.

This patch collects any capabilities from all files that are being
stripped and restores them after calling strip.

Fixes: #12652
Reported-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/stripper

index ac5f58ca50cb76f858de26c3108d741cb5f87d65..e51463c6910759ba627a486389f0069bc1fa84fb 100755 (executable)
@@ -27,6 +27,10 @@ function _strip() {
                fi
        done
 
+       # Fetch any capabilities
+       local capabilities="$(getfattr --no-dereference --name="security.capability" \
+               --absolute-names --dump "${file}")"
+
        local cmd=( "${strip}" )
 
        case "$(file -bi ${file})" in
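Review bot: In the added `local capabilities="$(getfattr ...)"` line, combining `local` with the command substitution discards getfattr's exit status, so a genuine read failure is indistinguishable from a file that has no `security.capability` attribute, and the capability would then be dropped silently after strip. Declare `local capabilities` on its own line, assign on the next, and decide explicitly how a failing getfattr is handled. If getfattr reports anything on stderr for files that simply lack the attribute, redirect that so the build log stays readable.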
@@ -40,6 +44,11 @@ function _strip() {
 
        echo "Stripping ${file}..."
        ${cmd[*]} ${file}
+
+       # Restore capabilities
+       if [ -n "${capabilities}" ]; then
+               setfattr --no-dereference --restore=<(echo "${capabilities}")
+       fi
 }
 
 for dir in ${dirs}; do
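Review bot: The `setfattr --restore` call inside the new `if` block is not checked for failure, so when the restore does not succeed `_strip` still returns normally and a program such as ping ships without the capability set earlier in the build, which is the very regression this commit addresses. Test the exit status and abort, or at least print an error that names `${file}`. Feeding the dump with `printf '%s\n' "${capabilities}"` instead of `echo` avoids any echo-specific interpretation of the data, and a one-line comment noting that the target path is taken from the dump itself (because of `--absolute-names`) would explain why `${file}` is not passed to setfattr.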