From: Ross Younger
Date: Wed, 5 May 2021 19:54:13 +1200
Subject: Re: Containerised APK builds and security xattrs
To: Timo Teras
Cc: ~alpine/devel@lists.alpinelinux.org

Hi Timo,

> It might make sense an abuild option to not include the on-disk xattrs,
> or be able to filter them.

I think either of these would work for me. Filtering sounds like the safer
option in case other xattrs are needed. Meanwhile, I am going to try hacking
on abuild locally.

> Currently, you could perhaps just strip the
> xattrs manually in APKBUILD build() or package() stage?

Do you mean something like `setfattr -x security.selinux ...file...' ?
I have tried that within package() but this fails with EPERM. Commands are
executed as root within the container but I presume the container itself is
in unprivileged mode.

Ross
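The filtering idea discussed above, applied to the archive instead of the on-disk files (where the EPERM arises), as an added example that is not code from abuild or from this thread. It assumes a plain tar archive whose xattrs are stored as `SCHILY.xattr.<name>` PAX records, as GNU tar's `--xattrs` writes them; the function names and the sample archive are hypothetical and constructed for illustration.

```python
import fnmatch
import io
import tarfile

XATTR_PREFIX = "SCHILY.xattr."  # PAX record prefix GNU tar uses for xattrs


def _excluded(key, patterns):
    """True if PAX record `key` is an xattr whose name matches a pattern."""
    name = key[len(XATTR_PREFIX):]
    return key.startswith(XATTR_PREFIX) and any(
        fnmatch.fnmatchcase(name, pat) for pat in patterns)


def filter_xattrs(src, exclude=("security.selinux",)):
    """Copy a tar archive (bytes), dropping xattr records matching `exclude`.

    Only the archive is rewritten; files on disk are untouched, so no
    privilege to modify security.* attributes is needed.
    """
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(src), mode="r:") as tin, \
         tarfile.open(fileobj=out, mode="w", format=tarfile.PAX_FORMAT) as tout:
        for member in tin:
            member.pax_headers = {k: v for k, v in member.pax_headers.items()
                                  if not _excluded(k, exclude)}
            data = tin.extractfile(member) if member.isreg() else None
            tout.addfile(member, data)
    return out.getvalue()


def list_xattrs(archive):
    """Return {member name: sorted xattr names} for a tar archive (bytes)."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
        return {m.name: sorted(k[len(XATTR_PREFIX):] for k in m.pax_headers
                               if k.startswith(XATTR_PREFIX))
                for m in tar}


def sample_archive():
    """Constructed sample: one file with an SELinux label and a user xattr."""
    payload = b"#!/bin/sh\necho hello\n"
    info = tarfile.TarInfo("usr/bin/hello")
    info.size = len(payload)
    info.pax_headers = {
        XATTR_PREFIX + "security.selinux": "system_u:object_r:container_file_t:s0",
        XATTR_PREFIX + "user.origin": "constructed-sample",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

Passing `exclude=("security.*",)` drops the whole security namespace while keeping other xattrs; binary-valued attributes are not exercised by this sample.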