From 37ef9fe4e07a97d3597b9d9e7895652fcfe79150 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Fri, 9 Jul 2021 16:17:43 +0000
Subject: [PATCH] stripper: Handle capabilities
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
During the build process, we set capabilities to elevate privileges of certain progrems (e.g. ping). These have been removed during the build process because of strip. This patch collects any capabilities from all files that are being stripped and restores them after calling strip.
Fixes: #12652
Reported-by: Peter Müller
Signed-off-by: Michael Tremer
Acked-by: Peter Müller
Signed-off-by: Michael Tremer
---
src/stripper | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/stripper b/src/stripper
index ac5f58ca50..e51463c691 100755
--- a/src/stripper
+++ b/src/stripper
@@ -27,6 +27,10 @@ function _strip() { fi done + # Fetch any capabilities + local capabilities="$(getfattr --no-dereference --name="security.capability" \ + --absolute-names --dump "${file}")" + local cmd=( "${strip}" ) case "$(file -bi ${file})" in
@@ -40,6 +44,11 @@ function _strip() { echo "Stripping ${file}..." ${cmd[*]} ${file} + + # Restore capabilities + if [ -n "${capabilities}" ]; then + setfattr --no-dereference --restore=<(echo "${capabilities}") + fi } for dir in ${dirs}; do
-- 2.39.2
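Review bot: The capture added in the first hunk cannot tell "this file has no capabilities" from "getfattr could not run", because `local capabilities="$(…)"` always yields the status of `local` and an empty result just skips the restore later in _strip. If getfattr is missing from the build environment, every stripped binary loses its file capabilities again with only a command-not-found line in the log. A one-time check such as `command -v getfattr >/dev/null || exit 1` before the loop over `${dirs}` (outside this hunk) would make that failure visible. I would also widen the comment to `# Save file capabilities (security.capability xattr); strip removes them`. _strip starts above this hunk and continues below it.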
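Review bot: The restore added in the second hunk ignores the result of `setfattr`, and it runs whether or not the preceding `${cmd[*]} ${file}` succeeded, so a failed restore leaves a binary such as ping without its capabilities while the build carries on. I would check the call, e.g. `setfattr --no-dereference --restore=<(printf '%s\n' "${capabilities}") || echo "Failed to restore capabilities on ${file}" >&2`, and consider returning non-zero from _strip in that case. The dump carries the path recorded via `--absolute-names`, so the restore relies on `${file}` still naming the same file after strip; a one-line comment saying so would help the next reader. The start of _strip lies outside this hunk.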