From 7d5d3a982f55254efd748ba036046f092e0ceea8 Mon Sep 17 00:00:00 2001
From: Alexander Larsson
Date: Mon, 20 Jan 2014 12:26:08 +0100
Subject: [PATCH] archive: Handle capabilities in tar files

If a file has a security.capability set, we push this to the tar file. This is important to handle in e.g. layer files or when copying files to containers, as some distros (e.g. Fedora) use capability bits as a more finegrained version of setuid bits, and thus if the capabilites are stripped (and setuid is not set) the binaries will fail to work.

Docker-DCO-1.1-Signed-off-by: Alexander Larsson (github: alexlarsson)
Upstream-commit: 3b9953903b12eaca76655311bd44533768f6f3da
Component: engine
---
 components/engine/archive/archive.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/components/engine/archive/archive.go b/components/engine/archive/archive.go
index 206580fa08..8bb0a8ed1c 100644
--- a/components/engine/archive/archive.go
+++ b/components/engine/archive/archive.go
@@ -165,6 +165,13 @@ func addTarFile(path, name string, tw *tar.Writer) error {
 hdr.Devmajor = int64(major(uint64(stat.Rdev)))
 hdr.Devminor = int64(minor(uint64(stat.Rdev)))
 }
+
+ }
+
+ capability, _ := Lgetxattr(path, "security.capability")
+ if capability != nil {
+ hdr.Xattrs = make(map[string]string)
+ hdr.Xattrs["security.capability"] = string(capability)
 }

 if err := tw.WriteHeader(hdr); err != nil {
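Review bot: The error from `Lgetxattr(path, "security.capability")` is discarded, so a failed read looks the same as a file with no capabilities, and the archive silently ships the binary without them, which is the breakage the commit message sets out to prevent. I would keep the error and return it, e.g. `capability, err := Lgetxattr(path, "security.capability")` followed by `if err != nil { return err }`. That assumes Lgetxattr (not shown in this hunk) reports a missing attribute as a nil result rather than an error; if it does not, the not-present and not-supported cases need filtering first. A comment above the block would also help, such as `// security.capability grants privilege much like a setuid bit; the unpack path must decide whether to honour it for untrusted archives`, since the extraction side is not part of this diff. addTarFile begins and ends outside the hunk.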