archive: Handle capabilities in tar files

If a file has a security.capability set, we push this to the tar file. This is important to handle in e.g. layer files or when copying files to containers, as some distros (e.g. Fedora) use capability bits as a more finegrained version of setuid bits, and thus if the capabilites are stripped (and setuid is not set) the binaries will fail to work. Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson) Upstream-commit: 3b9953903b12eaca76655311bd44533768f6f3da Component: engine
2014-01-20 12:26:08 +01:00
parent 8cd94e7ac6
commit 7d5d3a982f
1 changed files with 7 additions and 0 deletions
--- a/components/engine/archive/archive.go
+++ b/components/engine/archive/archive.go
@ -165,6 +165,13 @@ func addTarFile(path, name string, tw *tar.Writer) error {
 			hdr.Devmajor = int64(major(uint64(stat.Rdev)))
 			hdr.Devminor = int64(minor(uint64(stat.Rdev)))
 		}
+
+	}
+
+	capability, _ := Lgetxattr(path, "security.capability")
+	if capability != nil {
+		hdr.Xattrs = make(map[string]string)
+		hdr.Xattrs["security.capability"] = string(capability)
 	}

 	if err := tw.WriteHeader(hdr); err != nil {