Message 373451 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	christian.heimes
Recipients	Leif Middelschulte, christian.heimes, hynek
Date	2020-07-10.08:21:49
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1594369309.3.0.157982300515.issue38893@roundup.psfhosted.org>
In-reply-to

Content
The issue came up at $WORK now. Core utils like copy command ignore "security.selinux" xattr unless the user explicitly asks to preserve the security context, see https://github.com/coreutils/coreutils/blob/6a3d2883fed853ee01079477020091068074e12d/src/copy.c#L867-L891 https://github.com/philips/attr/blob/1cc88bd4c17ef99ace22c8be362d513f155b1387/libattr/attr_copy_fd.c#L109-L111 _copyxattr() ignores most errnos that are listed in the man page of setxattr(2) but not EACCES. The man page of setxattr(2) also points to stat(2) which lists EACCES as possible errno. I see three simple and two more complicated solutions: 1) ignore EACCES completely 2) ignore EACCES for "security.selinux" 3) ignore EACCES for "security.*" 4) provide a callback similar to the check() callback in libattr's attr_copy_fd(). Only copy an xattr when the callback is not set or returns True. 5) provide an extra option to skip security context Related: https://bugs.python.org/issue24564#msg351555 also suggests that copyxattr should ignore ENOSYS in listxattr. Some file systems (NFS?) seem to lack xattr. Hynek, you implemented most of copyxattr in 0beab058dd4 back in 2013. What's your opinion?

The issue came up at $WORK now. Core utils like copy command ignore "security.selinux" xattr unless the user explicitly asks to preserve the security context, see

https://github.com/coreutils/coreutils/blob/6a3d2883fed853ee01079477020091068074e12d/src/copy.c#L867-L891
https://github.com/philips/attr/blob/1cc88bd4c17ef99ace22c8be362d513f155b1387/libattr/attr_copy_fd.c#L109-L111

_copyxattr() ignores most errnos that are listed in the man page of setxattr(2) but not EACCES. The man page of setxattr(2) also points to stat(2) which lists EACCES as possible errno.

I see three simple and two more complicated solutions:

1) ignore EACCES completely
2) ignore EACCES for "security.selinux"
3) ignore EACCES for "security.*"
4) provide a callback similar to the check() callback in libattr's attr_copy_fd(). Only copy an xattr when the callback is not set or returns True.
5) provide an extra option to skip security context

Related: https://bugs.python.org/issue24564#msg351555 also suggests that copyxattr should ignore ENOSYS in listxattr. Some file systems (NFS?) seem to lack xattr.

Hynek, you implemented most of copyxattr in 0beab058dd4 back in 2013. What's your opinion?

History
Date	User	Action	Args
2020-07-10 08:21:49	christian.heimes	set	recipients: + christian.heimes, hynek, Leif Middelschulte
2020-07-10 08:21:49	christian.heimes	set	messageid: <1594369309.3.0.157982300515.issue38893@roundup.psfhosted.org>
2020-07-10 08:21:49	christian.heimes	link	issue38893 messages
2020-07-10 08:21:49	christian.heimes	create