Hi,

Quoting Benjamin Drung (2021-05-05 18:17:23)
> /bin/ping (from iputils-ping) uses the security capabilities to allow users
> to use the program:
>
> ```
> $ getcap /bin/ping
> /bin/ping cap_net_raw=ep
> ```
>
> When generating squashfs images with mmdebstrap, these security
> capabilities are lost. Example for a minimal chroot on Debian unstable:
>
> ```
> $ apt install -y bdebstrap mmdebstrap squashfs-tools-ng
> $ mkdir -p ~/.ssh
> $ touch ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
> $ bdebstrap -c /usr/share/doc/bdebstrap/examples/Debian-buster-live.yaml
> --packages iputils-ping -n example2
> [...]
> W: tar2sqfs does not support extended attributes
> [...]
> $ rdsquashfs -x /bin/ping example2/root.squashfs
> $
> ```
>
> Adding `push @taropts, '--xattrs';` after the tar2sqfs warning line 5355
> will produce a squashfs image that contains the security capabilities:
>
> ```
> $ rdsquashfs -x /bin/ping example2/root.squashfs
> security.capability=0x0100000200200000000000000000000000000000
> ```
>
> This test was done on Debian unstable and Debian bullseye with mmdebstrap
> 0.7.5-2 and squashfs-tools-ng 1.0.4-1.
interesting! As you can see from the warning in line 5355, extended attributes
used to not work with tar2sqfs and it's awesome if that's working now!

Though I'm afraid this is not a change that will make it into bullseye unless
you have special friends in the release team. ;)

Thanks!

cheers, josch
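To turn the check above into something an image build can assert on, here is an added decoder (not part of this thread or of mmdebstrap) that parses the raw `security.capability` xattr value rdsquashfs prints back into the `cap_net_raw=ep` form getcap shows. It assumes the kernel's `struct vfs_cap_data` layout (revision 2, or revision 3 with a trailing rootid) and uses a simplified flag rendering rather than libcap's exact `cap_to_text` compression.

```python
import struct

# Capability names by bit number, as in linux/capability.h (CAP_CHOWN = 0, ...).
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"
).split()

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000    # 20-byte blob, the form rdsquashfs printed above
VFS_CAP_REVISION_3 = 0x03000000    # 24-byte blob with a trailing rootid (user namespaces)
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001


def decode_security_capability(blob: bytes) -> str:
    """Render a raw security.capability xattr roughly as getcap does ('cap_net_raw=ep')."""
    if len(blob) < 4:
        raise ValueError("security.capability blob too short")
    magic_etc = struct.unpack_from("<I", blob, 0)[0]
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision == VFS_CAP_REVISION_2:
        expected = 4 + 4 * 4
    elif revision == VFS_CAP_REVISION_3:
        expected = 4 + 4 * 4 + 4
    else:
        raise ValueError(f"unsupported vfs_cap_data revision 0x{revision:08x}")
    if len(blob) != expected:
        raise ValueError(f"expected {expected} bytes for this revision, got {len(blob)}")
    # After magic_etc come {permitted, inheritable} for the low and then the high 32 bits.
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<4I", blob, 4)
    permitted = p_lo | (p_hi << 32)
    inheritable = i_lo | (i_hi << 32)
    # File caps carry a single effective bit: when set, every permitted cap is also effective.
    effective = permitted if magic_etc & VFS_CAP_FLAGS_EFFECTIVE else 0
    groups = {}
    for bit, name in enumerate(CAP_NAMES):
        sets = (("e", effective), ("i", inheritable), ("p", permitted))
        flags = "".join(letter for letter, s in sets if (s >> bit) & 1)
        if flags:
            groups.setdefault(flags, []).append("cap_" + name)
    # One "names=flags" clause per distinct flag set; "=" means no capabilities at all.
    return " ".join(f"{','.join(n)}={f}" for f, n in groups.items()) or "="


def decode_rdsquashfs_value(text: str) -> str:
    """Accept the 'security.capability=0x...' line rdsquashfs prints, or just the hex value."""
    value = text.split("=", 1)[1] if text.startswith("security.capability=") else text
    hexdigits = value[2:] if value.startswith("0x") else value
    return decode_security_capability(bytes.fromhex(hexdigits))
```

Feeding it the value from the fixed build returns `cap_net_raw=ep`, so a post-build test can fail the image when the attribute is missing or decodes to something other than what the package ships.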