readlinkfs: ignore some security-module specific xattrs

Certain security modules (such as Apple SIP and Google Container Threat Detection) use xattrs to store their state. Ignore this state when generating packages. Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
chainguard-dev · Aug 30, 2023 · 068c443 · 068c443
1 parent 8d8924e
commit 068c443
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/pkg/build/readlinkfs.go b/pkg/build/readlinkfs.go
@@ -86,6 +86,15 @@ func stringsFromByteSlice(buf []byte) []string {
 	return result
 }
 
+// xattrIgnoreList contains a mapping of xattr names used by various
+// security features which leak their state into packages.  We need to
+// ignore these xattrs because they require special permissions to be
+// set when the underlying security features are in use.
+var xattrIgnoreList = map[string]bool{
+	"com.apple.provenance": true,
+	"security.csm": true,
+}
+
 func (f *rlfs) ListXattrs(path string) (map[string][]byte, error) {
 	realPath := filepath.Join(f.base, path)
 
@@ -108,6 +117,10 @@ func (f *rlfs) ListXattrs(path string) (map[string][]byte, error) {
 	xattrMap := map[string][]byte{}
 	xattrNames := stringsFromByteSlice(buf[:read])
 	for _, xattrName := range xattrNames {
+		if _, ok := xattrIgnoreList[xattrName]; ok {
+			continue
+		}
+
 		result, err := f.GetXattr(path, xattrName)
 		if err != nil {
 			return map[string][]byte{}, err