Update declarative capabilities; add functionality to set within QEMU (#1944)

Author: egibs

pkg/build/build.go

@@ -18,6 +18,7 @@ import (
 	"archive/tar"
 	"compress/gzip"
 	"context"
+	"encoding/hex"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -313,6 +314,7 @@ func (b *Build) buildGuest(ctx context.Context, imgConfig apko_types.ImageConfig
 		b.ExtraPackages = append(b.ExtraPackages, []string{
 			"melange-microvm-init",
 			"gnutar",
+			"attr",
 		}...)
 	}
 
@@ -990,8 +992,18 @@ func (b *Build) BuildPackage(ctx context.Context) error {
 
 	for path, cap := range caps {
 		enc := config.EncodeCapability(cap.Effective, cap.Permitted, cap.Inheritable)
-		if err := b.WorkspaceDirFS.SetXattr(path, "security.capability", enc); err != nil {
-			log.Warnf("failed to set capabilities on %s: %v\n", path, err)
+		fullPath := filepath.Join(melangeOutputDirName, pkg.Name, path)
+		if b.Runner.Name() == container.QemuName {
+			fullPath := filepath.Join(WorkDir, melangeOutputDirName, pkg.Name, path)
+			hex := fmt.Sprintf("0x%s", hex.EncodeToString(enc))
+			cmd := []string{"/bin/sh", "-c", fmt.Sprintf("setfattr -n security.capability -v %s %s", hex, fullPath)}
+			if err := b.Runner.Run(ctx, pr.config, map[string]string{}, cmd...); err != nil {
+				return fmt.Errorf("failed to set capabilities within VM on %s: %v\n", path, err)
+			}
+		} else {
+			if err := b.WorkspaceDirFS.SetXattr(fullPath, "security.capability", enc); err != nil {
+				log.Warnf("failed to set capabilities on %s: %v\n", path, err)
+			}
 		}
 	}
 

pkg/config/config.go

@@ -1291,6 +1291,7 @@ func replacePackage(r *strings.Replacer, commit string, in Package) Package {
 		CPE:                in.CPE,
 		Timeout:            in.Timeout,
 		Resources:          in.Resources,
+		SetCap:             in.SetCap,
 	}
 }
 
@@ -1869,30 +1870,32 @@ func ParseCapabilities(caps []Capability) (map[string]capabilityData, error) {
 	pathCapabilities := map[string]capabilityData{}
 
 	for _, c := range caps {
-		for attr, data := range c.Add {
-			capValues := getCapabilityValue(attr)
-			effective, permitted, inheritable := parseCapability(data)
-
-			caps, ok := pathCapabilities[c.Path]
-			if !ok {
-				caps = struct {
-					Effective   uint32
-					Permitted   uint32
-					Inheritable uint32
-				}{}
-			}
+		for attrs, data := range c.Add {
+			for attr := range strings.SplitSeq(attrs, ",") {
+				capValues := getCapabilityValue(attr)
+				effective, permitted, inheritable := parseCapability(data)
+
+				caps, ok := pathCapabilities[c.Path]
+				if !ok {
+					caps = struct {
+						Effective   uint32
+						Permitted   uint32
+						Inheritable uint32
+					}{}
+				}
 
-			if effective {
-				caps.Effective |= capValues
-			}
-			if permitted {
-				caps.Permitted |= capValues
-			}
-			if inheritable {
-				caps.Inheritable |= capValues
-			}
+				if effective {
+					caps.Effective |= capValues
+				}
+				if permitted {
+					caps.Permitted |= capValues
+				}
+				if inheritable {
+					caps.Inheritable |= capValues
+				}
 
-			pathCapabilities[c.Path] = caps
+				pathCapabilities[c.Path] = caps
+			}
 		}
 	}
 
@@ -1916,22 +1919,23 @@ func parseCapability(capFlag string) (effective, permitted, inheritable bool) {
 
 // EncodeCapability returns the byte slice necessary to set the final capability xattr.
 func EncodeCapability(effectiveBits, permittedBits, inheritableBits uint32) []byte {
-	// https://github.com/torvalds/linux/blob/a33b5a08cbbdd7aadff95f40cbb45ab86841679e/include/uapi/linux/capability.h#L36
-	magic := uint32(0x20080522)
-	// Version 3; Version 2 is deprecated
-	version := uint32(0x3)
-
-	data := make([]byte, 20)
-	binary.LittleEndian.PutUint32(data[0:], magic)
-	binary.LittleEndian.PutUint32(data[4:], version)
-	binary.LittleEndian.PutUint32(data[8:], effectiveBits)
-	binary.LittleEndian.PutUint32(data[12:], permittedBits)
-	binary.LittleEndian.PutUint32(data[16:], inheritableBits)
-
-	rootid := uint32(0)
-	rootidBytes := make([]byte, 4)
-	binary.LittleEndian.PutUint32(rootidBytes, rootid)
-	data = append(data, rootidBytes...)
+	revision := uint32(0x03000000)
+
+	var flags uint32 = 0
+	if effectiveBits != 0 {
+		flags = 0x01
+	}
+	magic := revision | flags
+
+	data := make([]byte, 24)
+
+	binary.LittleEndian.PutUint32(data[0:4], magic)
+	binary.LittleEndian.PutUint32(data[4:8], permittedBits)
+	binary.LittleEndian.PutUint32(data[8:12], inheritableBits)
+
+	binary.LittleEndian.PutUint32(data[12:16], 0)
+	binary.LittleEndian.PutUint32(data[16:20], 0)
+	binary.LittleEndian.PutUint32(data[20:24], 0)
 
 	return data
 }

pkg/config/config_test.go

@@ -1,9 +1,11 @@
 package config
 
 import (
+	"bytes"
 	"encoding/binary"
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 
 	"github.com/chainguard-dev/clog/slogtest"
@@ -852,56 +854,67 @@ func TestSetCapability(t *testing.T) {
 				t.Fatalf("Failed to collect capabilities: %v", err)
 			}
 
-			for path, caps := range caps {
-				enc := EncodeCapability(caps.Effective, caps.Permitted, caps.Inheritable)
-				if err := b.WorkspaceDirFS.SetXattr(path, "security.capability", enc); err != nil {
-					t.Fatalf("Failed to set capability: %v", err)
+			expectedAttrs := make(map[string][]byte)
+			for path, c := range caps {
+				encoded := EncodeCapability(c.Effective, c.Permitted, c.Inheritable)
+				expectedAttrs[path] = encoded
+
+				if err := b.WorkspaceDirFS.SetXattr(path, "security.capability", encoded); err != nil {
+					t.Fatalf("failed to set xattr for %s: %v", path, err)
 				}
 			}
 
-			for path, attrs := range tc.expectedAttrs {
-				for attr := range attrs {
-					data, err := b.WorkspaceDirFS.GetXattr(path, attr)
-					if err != nil {
-						t.Errorf("Failed to get xattr %s for path %s: %v", attr, path, err)
-						continue
-					}
+			for path, expected := range expectedAttrs {
+				data, err := b.WorkspaceDirFS.GetXattr(path, "security.capability")
+				if err != nil {
+					t.Errorf("Failed to get xattr %s: %v", path, err)
+					continue
+				}
 
-					if len(data) < 24 {
-						t.Errorf("Capability data for %s is too short: %d bytes", path, len(data))
-						continue
-					}
+				if !bytes.Equal(data, expected) {
+					t.Errorf("Mismatched xattr for %s:\ngot:  %x\nwant: %x", path, data, expected)
+				}
 
-					magic := binary.LittleEndian.Uint32(data[0:4])
-					if magic != 0x20080522 {
-						t.Errorf("Invalid magic number: %x", magic)
-					}
+				if len(data) < 24 {
+					t.Errorf("Capability data too short for %s: got %d bytes", path, len(data))
+					continue
+				}
+
+				magic := binary.LittleEndian.Uint32(data[0:4])
+				revision := magic & 0xFF000000
+				flags := magic & 0x000000FF
 
-					version := binary.LittleEndian.Uint32(data[4:8])
-					if version != 0x3 {
-						t.Errorf("Invalid version: %d, expected 3", version)
+				if revision != 0x03000000 {
+					t.Errorf("Invalid revision: %x", revision)
+				}
+
+				permitted := binary.LittleEndian.Uint32(data[4:8])
+				inheritable := binary.LittleEndian.Uint32(data[8:12])
+				rootid := binary.LittleEndian.Uint32(data[20:24])
+
+				if rootid != 0 {
+					t.Errorf("Unexpected rootid: %d", rootid)
+				}
+
+				effective := flags & 0x01
+
+				for _, capEntry := range tc.caps {
+					if capEntry.Path != path {
+						continue
 					}
+					for attr, flag := range capEntry.Add {
+						for _, a := range strings.Split(attr, ",") {
+							val := getCapabilityValue(a)
+							e, p, i := parseCapability(flag)
 
-					effective := binary.LittleEndian.Uint32(data[8:12])
-					permitted := binary.LittleEndian.Uint32(data[12:16])
-					inheritable := binary.LittleEndian.Uint32(data[16:20])
-
-					caps := b.Configuration.Package.SetCap
-					for _, c := range caps {
-						if c.Path == path {
-							for attr, flag := range c.Add {
-								capValues := getCapabilityValue(attr)
-								e, p, i := parseCapability(flag)
-
-								if e && (effective&capValues != capValues) {
-									t.Errorf("Expected capabilities %s to be in effective set for %s", attr, path)
-								}
-								if p && (permitted&capValues != capValues) {
-									t.Errorf("Expected capabilities %s to be in permitted set for %s", attr, path)
-								}
-								if i && (inheritable&capValues != capValues) {
-									t.Errorf("Expected capabilities %s to be in inheritable set for %s", attr, path)
-								}
+							if e && effective != 1 {
+								t.Errorf("Expected effective bit set for %s", path)
+							}
+							if p && (permitted&val != val) {
+								t.Errorf("Expected permitted cap %s in %s", a, path)
+							}
+							if i && (inheritable&val != val) {
+								t.Errorf("Expected inheritable cap %s in %s", a, path)
 							}
 						}
 					}