Skip to content

Commit

Permalink
readlinkfs: ignore some security-module specific xattrs
Browse files Browse the repository at this point in the history
Certain security modules (such as Apple SIP and Google
Container Threat Detection) use xattrs to store their
state.  Ignore this state when generating packages.

Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
  • Loading branch information
kaniini committed Aug 30, 2023
1 parent 8d8924e commit a8594c3
Showing 1 changed file with 13 additions and 0 deletions.
13 changes: 13 additions & 0 deletions pkg/build/readlinkfs.go
Original file line number Diff line number Diff line change
Expand Up @@ -86,6 +86,15 @@ func stringsFromByteSlice(buf []byte) []string {
return result
}

// xattrIgnoreList contains a mapping of xattr names used by various
// security features which leak their state into packages. We need to
// ignore these xattrs because they require special permissions to be
// set when the underlying security features are in use.
var xattrIgnoreList = map[string]bool{
"com.apple.provenance": true,
"security.csm": true,
}

func (f *rlfs) ListXattrs(path string) (map[string][]byte, error) {
realPath := filepath.Join(f.base, path)

Expand All @@ -108,6 +117,10 @@ func (f *rlfs) ListXattrs(path string) (map[string][]byte, error) {
xattrMap := map[string][]byte{}
xattrNames := stringsFromByteSlice(buf[:read])
for _, xattrName := range xattrNames {
if _, ok := xattrIgnoreList[xattrName]; ok {
continue
}

result, err := f.GetXattr(path, xattrName)
if err != nil {
return map[string][]byte{}, err
Expand Down

0 comments on commit a8594c3

Please sign in to comment.