stripper: Handle capabilities
author Michael Tremer <michael.tremer@ipfire.org>
Fri, 9 Jul 2021 16:17:43 +0000 (16:17 +0000)
committer Michael Tremer <michael.tremer@ipfire.org>
Sat, 10 Jul 2021 15:21:55 +0000 (15:21 +0000)
During the build process, we set capabilities to elevate privileges of
certain programs (e.g. ping). These have been removed during the build
process because of strip.

This patch collects any capabilities from all files that are being
stripped and restores them after calling strip.

Fixes: #12652
Reported-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/stripper

index ac5f58c..e51463c 100755 (executable)
@@ -27,6 +27,10 @@ function _strip() {
                fi
        done
 
+       # Fetch any capabilities
+       local capabilities="$(getfattr --no-dereference --name="security.capability" \
+               --absolute-names --dump "${file}")"
+
        local cmd=( "${strip}" )
 
        case "$(file -bi ${file})" in
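Review bot: in the added `local capabilities="$(getfattr ...)"` assignment, combining `local` with the command substitution discards getfattr's exit status, so a getfattr that could not run at all (for example, because the tool is missing from the build environment) looks the same as a file that has no capabilities, and strip then drops the capability without any message. Declare the variable first (`local capabilities`) and assign it on a separate line so the status can be inspected. A short comment noting that `--absolute-names` is what lets the later `--restore` locate the file from the dump alone would also help the next reader.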
@@ -40,6 +44,11 @@ function _strip() {
 
        echo "Stripping ${file}..."
        ${cmd[*]} ${file}
+
+       # Restore capabilities
+       if [ -n "${capabilities}" ]; then
+               setfattr --no-dereference --restore=<(echo "${capabilities}")
+       fi
 }
 
 for dir in ${dirs}; do
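Review bot: the result of `setfattr --no-dereference --restore=<(echo "${capabilities}")` in the added restore block is never checked, so if the restore fails the file stays stripped without its capabilities and the build carries on with no indication. Print an error and return non-zero from `_strip` when setfattr fails. The `<(...)` process substitution also ties the function to bash, and `printf '%s\n' "${capabilities}"` is more predictable than `echo` for passing the dump text through unchanged.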