From 7d1d11968e3088bdb8a07402e0055559839b3666 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Thu, 6 Feb 2025 14:40:36 +0100
Subject: [PATCH] tree: Don't copy xattrs to overlayfs if security.selinux is one

Trying to copy the selinux xattrs to a directory in an overlayfs filesystem will fail with "Operation not supported". There's no way to instruct cp to not copy or ignore failures to copy selinux xattrs so let's instead not try to copy xattrs at all when copying to directories in overlayfs filesystems and security.selinux is in the list of xattrs.
---
 mkosi/sandbox.py | 1 +
 mkosi/tree.py | 15 +++++++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/mkosi/sandbox.py b/mkosi/sandbox.py
index 9949e0ee5..2fd914358 100755
--- a/mkosi/sandbox.py
+++ b/mkosi/sandbox.py
@@ -53,6 +53,7 @@ NR_move_mount = 429
 NR_open_tree = 428
 OPEN_TREE_CLOEXEC = os.O_CLOEXEC
 OPEN_TREE_CLONE = 1
+OVERLAYFS_SUPER_MAGIC = 0x794C7630
 PR_CAP_AMBIENT = 47
 PR_CAP_AMBIENT_RAISE = 2
 # These definitions are taken from the libseccomp headers
diff --git a/mkosi/tree.py b/mkosi/tree.py
index 03a277ecd..89c0d4477 100644
--- a/mkosi/tree.py
+++ b/mkosi/tree.py
@@ -3,6 +3,7 @@
 import contextlib
 import errno
 import logging
+import os
 import shutil
 import subprocess
 import tempfile
@@ -12,7 +13,7 @@ from pathlib import Path

 from mkosi.config import ConfigFeature
 from mkosi.log import ARG_DEBUG, die
 from mkosi.run import SandboxProtocol, nosandbox, run, workdir
-from mkosi.sandbox import BTRFS_SUPER_MAGIC, statfs
+from mkosi.sandbox import BTRFS_SUPER_MAGIC, OVERLAYFS_SUPER_MAGIC, statfs
 from mkosi.util import PathString, flatten
 from mkosi.versioncomp import GenericVersion
@@ -95,12 +96,22 @@ def copy_tree(
 "--bind", dst.parent, workdir(dst.parent, sandbox),
 ] # fmt: skip

+ attrs = "mode,links"
+ if preserve:
+ attrs += ",timestamps,ownership"
+
+ # Trying to copy selinux xattrs to overlayfs fails with "Operation not supported" in containers.
+ if statfs(os.fspath(dst.parent)) != OVERLAYFS_SUPER_MAGIC or "security.selinux" not in os.listxattr(
+ src
+ ):
+ attrs += ",xattr"
+
 def copy() -> None:
 cmdline: list[PathString] = [
 "cp",
 "--recursive",
 "--dereference" if dereference else "--no-dereference",
- f"--preserve=mode,links{',timestamps,ownership,xattr' if preserve else ''}",
+ f"--preserve={attrs}",
 "--reflink=auto",
 "--copy-contents",
 workdir(src, sandbox),
-- 
2.47.2
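Review bot: `xattr` is no longer gated on `preserve` — the removed `--preserve=` line only added `xattr` when `preserve` was true, while the new `attrs += ",xattr"` runs whenever the overlayfs/selinux test passes, so non-preserving copies now carry xattrs too; if that is not intended, the condition needs `preserve and (...)`. Separately, the unguarded `os.listxattr(src)` is a new failure mode: it raises `OSError` (ENOTSUP) on source filesystems without xattr support and, because it follows symlinks by default, `FileNotFoundError` on a dangling link that `--no-dereference` would otherwise copy fine; wrap it in `try/except OSError` and pass `follow_symlinks=dereference`. Note also that the skip drops every xattr, not just `security.selinux` — `security.capability` (file capabilities) and `user.*` on copied binaries are silently lost on overlayfs — which deserves a comment next to the check, and it only inspects the top-level `src`, so labelled children under an unlabelled directory will still hit the original error. `copy_tree` begins before and continues after this hunk.
```python
    attrs = "mode,links"
    if preserve:
        attrs += ",timestamps,ownership"

    # Trying to copy selinux xattrs to overlayfs fails with "Operation not supported" in containers.
    # NOTE: skipping xattr here drops *all* xattrs (security.capability, user.*, ...), not only
    # security.selinux, and only the top-level src is inspected.
    try:
        xattrs = os.listxattr(src, follow_symlinks=dereference)
    except OSError:
        # e.g. ENOTSUP on a source filesystem without xattr support: nothing to skip.
        xattrs = []
    if preserve and (
        statfs(os.fspath(dst.parent)) != OVERLAYFS_SUPER_MAGIC or "security.selinux" not in xattrs
    ):
        attrs += ",xattr"
    # … unchanged: copy() and the cp command line …
```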