From: Ariadne Conill
To: Ross Younger
Cc: Timo Teras, ~alpine/devel@lists.alpinelinux.org
Subject: Re: Containerised APK builds and security xattrs
Date: Wed, 5 May 2021 08:26:41 -0600 (MDT)
Message-ID: <1f35d58e-12df-4e2a-61ae-4b75be6164ca@dereferenced.org>
References: <20210505091919.5257051e@vostro>

Hi,

On Wed, 5 May 2021, Ross Younger wrote:

> Hi Timo,
>
>> It might make sense to add an abuild option to not include the on-disk xattrs,
>> or be able to filter them.
>
> I think either of these would work for me. Filtering sounds like the
> safer option in case other xattrs are needed. Meanwhile, I am going to
> try hacking on abuild locally.
>
>> Currently, you could perhaps just strip the
>> xattrs manually in APKBUILD build() or package() stage?
>
> Do you mean something like `setfattr -x security.selinux ...file...' ?
> I have tried that within package() but this fails with EPERM. Commands
> are executed as root within the container but I presume the container
> itself is in unprivileged mode.

Alpine itself does not use SELinux, so there should not be anything in
abuild adding selinux label attributes to anything.

It might be worth it to see why SELinux labels from the host environment
are leaking into the container FS? If you can stop that somehow, it
would save you a lot of time.

Ariadne
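The thread discusses two things: finding out which files in the build tree carry a host-applied `security.selinux` label, and stripping such labels (which fails with EPERM in an unprivileged container) while leaving other xattrs alone. The following is an added example, not code from abuild or from anyone in this thread. It walks a package staging directory, reports every xattr, drops only the names matching a constructed `DROP_PREFIXES` policy, and records a `PermissionError` on removal as `denied` instead of aborting, so a dry run shows where the labels are leaking in before any removal is attempted. The `demo_scan` helper and the policy tuple are assumptions made for this illustration.

```python
import errno
import os
import tempfile
from dataclasses import dataclass, field

# Constructed policy for this example: xattr names with these prefixes are
# labels applied by the host LSM, not by the package author, and should not
# be carried into the package. Everything else (e.g. security.capability) is kept.
DROP_PREFIXES = ("security.selinux",)


def classify_xattrs(names, drop_prefixes=DROP_PREFIXES):
    """Split a list of xattr names into (keep, drop) under the policy."""
    keep, drop = [], []
    for name in names:
        (drop if name.startswith(drop_prefixes) else keep).append(name)
    return keep, drop


@dataclass
class ScanResult:
    stripped: list = field(default_factory=list)     # (path, name) removed, or would be in dry run
    kept: list = field(default_factory=list)         # (path, name) left in place
    denied: list = field(default_factory=list)       # (path, name) removal refused (EPERM/EACCES)
    unsupported: list = field(default_factory=list)  # paths whose filesystem has no xattr support


def scan_tree(root, remove=False, drop_prefixes=DROP_PREFIXES):
    """Walk `root`; report and optionally remove xattrs matching `drop_prefixes`.

    Symlinks are inspected without being followed, so the staging tree itself
    is what gets scanned, not whatever the links point at.
    """
    result = ScanResult()
    if not hasattr(os, "listxattr"):  # os.listxattr is Linux-only
        result.unsupported.append(root)
        return result
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            path = os.path.join(dirpath, entry)
            try:
                names = os.listxattr(path, follow_symlinks=False)
            except OSError as exc:
                if exc.errno == errno.ENOTSUP:
                    result.unsupported.append(path)
                    continue
                raise
            keep, drop = classify_xattrs(names, drop_prefixes)
            result.kept.extend((path, n) for n in keep)
            for name in drop:
                if not remove:  # dry run: only report
                    result.stripped.append((path, name))
                    continue
                try:
                    os.removexattr(path, name, follow_symlinks=False)
                    result.stripped.append((path, name))
                except PermissionError:
                    # This is the EPERM case from the thread: root inside an
                    # unprivileged container may not touch security.* xattrs.
                    result.denied.append((path, name))
    return result


def demo_scan(remove=False):
    """Scan a throwaway tree with one file and no xattrs (constructed input)."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "hello"), "w") as fh:
            fh.write("#!/bin/sh\necho hello\n")
        return scan_tree(root, remove=remove)


if __name__ == "__main__":
    import sys

    # Usage: python strip_xattrs.py <staging-dir> [--remove]
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    res = scan_tree(target, remove="--remove" in sys.argv)
    for path, name in res.stripped:
        print("strip  ", name, path)
    for path, name in res.denied:
        print("DENIED ", name, path)
    for path, name in res.kept:
        print("keep   ", name, path)
    if res.unsupported:
        print("no xattr support on", len(res.unsupported), "path(s)")
```

Run it without `--remove` first: the `strip` lines tell you exactly which files arrived in the staging directory already labelled, which is the question Ariadne raises about where the labels come from. A non-empty `DENIED` list after `--remove` reproduces the EPERM symptom and indicates the container, not the script, is what needs changing.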