Date: Wed, 5 May 2021 09:19:19 +0300
From: Timo Teras
To: Ross Younger
Cc: ~alpine/devel@lists.alpinelinux.org
Subject: Re: Containerised APK builds and security xattrs
Message-ID: <20210505091919.5257051e@vostro>

Hi,

There are multiple reasons why we want the xattrs. Originally it was
introduced to store the grsec kernel pax flags, and some packages also
use it to set capabilities for some executables.

APK also internally uses XATTRs for the file hash, but that happens
transparently and never hits the disk surface.

It might make sense to add an abuild option to not include the on-disk
xattrs, or to be able to filter them. Currently, you could perhaps just
strip the xattrs manually in the APKBUILD build() or package() stage?

Timo

On Wed, 5 May 2021 17:05:57 +1200
Ross Younger wrote:

> I am building my own APKs for local use, targeting alpine 3.13.
>
> It seems that abuild causes package contents to inherit security
> xattrs from the host OS (if present). This is tripping me up as these
> packages fail to install on a container hosted by an OS that doesn't
> have security contexts enabled.
>
> I use Bitbucket for source control and am trying to set up
> containerised CI in Bitbucket pipelines.
> When I build my container using Bitbucket Pipelines the APK is
> different from when I build locally!
>
> When built on-cloud, the files in the APK contain security.selinux
> xattrs. When built locally, they don't. (I have a script that runs the
> Bitbucket pipeline in a local container, so I'm pretty sure the same
> build steps are being followed.)
>
> Installing an APK built on the cloud to a container on my local
> machine fails:
>
> /here # apk add --allow-untrusted date_h-dev-3.0.0-r2.apk
> (1/1) Installing date_h-dev (3.0.0-r2)
> ERROR: Failed to set xattrs on
> usr/include/date/.apk.13d8a17d6f42822d457261eae2fa9ea9ba43faf2c673bf68:
> Operation not permitted
> [...]
> 1 error; 211 MiB in 53 packages
>
> I have dug far enough to find that abuild explicitly calls `tar
> --xattrs ...' when creating the package, and that `apk add' is simply
> attempting to preserve that.
>
> Is there any chance that that `tar --xattrs' in abuild might one day
> change to --no-xattrs, or to something more complex that filters out
> selinux xattrs? Perhaps you have a good reason for explicitly
> including xattrs.
>
> Or am I better off using something other than Bitbucket? Are there any
> CI services you recommend (or disrecommend) for building APKs?
>
> Thanks for your attention.
>
> Ross
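An added check, not code from this thread, from abuild or from apk: it scans a package directory for files carrying a security.selinux xattr before abuild archives them with `tar --xattrs`, so a CI job fails with a clear message instead of producing an APK that fails at install time. It assumes getfattr from the attr package is installed; the getfattr dump at the end is constructed to mimic what the cloud build host in the thread would produce.

```shell
#!/bin/sh
# Added example (not abuild's own code): report files under a package
# directory that carry security.selinux, which `tar --xattrs` would
# otherwise archive and `apk add` would then try to restore.

# Parse a `getfattr -R -d -m - --absolute-names DIR` dump read from stdin
# and print the path of every file that has a security.selinux attribute.
# Dump format (one block per file, blank-line separated):
#   # file: path
#   name="value"
selinux_tainted_files() {
    awk '
        /^# file: / { file = substr($0, 9); next }
        /^security\.selinux=/ { if (file != "") { print file; file = "" } }
    '
}

# Scan a real package directory ($1), e.g. $pkgdir from an APKBUILD
# package() function. Returns 1 when any tainted file is found, 2 when
# getfattr (Alpine package "attr") is not installed.
check_pkgdir() {
    dir=$1
    command -v getfattr >/dev/null 2>&1 || {
        echo "getfattr not found (apk add attr)" >&2
        return 2
    }
    tainted=$(getfattr -R -d -m - --absolute-names "$dir" 2>/dev/null |
        selinux_tainted_files)
    if [ -n "$tainted" ]; then
        printf 'files carrying security.selinux (tar --xattrs will archive them):\n%s\n' \
            "$tainted" >&2
        return 1
    fi
    return 0
}

# Constructed sample dump: two labelled files, one with only user.* attrs.
SAMPLE_DUMP='# file: /tmp/pkg/usr/include/date/date.h
security.selinux="system_u:object_r:container_file_t:s0"

# file: /tmp/pkg/usr/include/date/tz.h
user.checksum="deadbeef"

# file: /tmp/pkg/usr/lib/libdate.so
security.selinux="system_u:object_r:container_file_t:s0"
user.other="x"
'
```

On a host with SELinux enabled the kernel refuses to remove security.selinux labels (setfattr -x is denied), so detecting them before abuild archives $pkgdir is the step a pipeline can rely on.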