| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| 0001-also-run-unshare-with-propagation-unchanged-in-root-.patch | [PATCH] also run unshare with --propagation unchanged in root mode | Johannes Schauer Marin Rodrigues <josch@mister-muffin.de> | no | 2021-02-19 | ||
| Pass-extended-attributes-excluding-system-to-tar2sqf.patch | Pass extended attributes (excluding system) to tar2sqfs /bin/ping (from iputils-ping) uses the security capabilities to allow users to use the program: ``` $ getcap /bin/ping /bin/ping cap_net_raw=ep ``` Debian testing/unstable images (variant important) contain security and system attributes: ``` $ mmdebstrap --variant=important bullseye root.tar $ tar --xattrs --xattrs-include='*' -vv -tf root.tar | grep -B 1 '^ ' -rwxr-xr-x* 0/0 77432 2021-02-02 18:49 ./bin/ping x: 20 security.capability -- drwxr-sr-x* 0/102 0 2021-05-07 15:10 ./var/log/journal/ x: 44 system.posix_acl_access x: 44 system.posix_acl_default ``` When generating a squashfs image with mmdebstrap 0.7.5-2, these security capabilities are lost. Example for building a squashfs image in a minimal Debian unstable schroot: ``` $ apt install -y mmdebstrap squashfs-tools-ng $ mmdebstrap --variant=important buster root.squashfs $ rdsquashfs -x /bin/ping root.squashfs $ ``` tar2sqfs from squashfs-tools-ng 1.0.4-1 supports encoding extended attributes from the namespace `user`, `trusted`, and `security` (see `include/sqfs/xattr.h`). GNU tar (version 1.34) supports these three namespaces plus the namespace `system`. Passing extended attributes from the `system` namespace to tar2sqfs will produce an error: ``` ``` So pass the extended attributes to tar2sqfs, but exclude the `system` namespace. Then ping will keep its security attributes: ``` $ rdsquashfs -x /bin/ping root.squashfs security.capability=0x0100000200200000000000000000000000000000 ``` |
Benjamin Drung <benjamin.drung@ionos.com> | no | 2021-05-07 |