
Fix xattr copy failures on SELinux systems

Open kaovilai opened this issue 6 months ago • 2 comments

Summary

  • Fix xattr copy failures when copying buildkit-qemu-emulator on SELinux-enabled systems
  • Add XAttrErrorHandler to ignore ENOTSUP errors during copy operation

Description

When copying the buildkit-qemu-emulator binary on systems with SELinux enabled, the copy operation fails with "operation not supported" errors when attempting to copy security.selinux xattrs.

This PR adds an XAttrErrorHandler to the copy.Copy call that ignores ENOTSUP errors, allowing the copy to succeed on SELinux-enabled systems.

Related Issues

Fixes #5544

Test plan

  • [ ] Tested on SELinux-enabled system
  • [ ] Existing tests pass
  • [ ] No regression on non-SELinux systems

🤖 Generated with Claude Code

kaovilai avatar Jun 05 '25 19:06 kaovilai


How did you test this?

AkihiroSuda avatar Jun 05 '25 23:06 AkihiroSuda

I won't be able to test this as I do not have time to build all the associated components I require. I am simply PR'ing the root cause of the issues I am having, and leaning on this project's maintainers to get it merged.

kaovilai avatar Jun 13 '25 16:06 kaovilai

Please squash the commits and also do some testing on an SELinux-enabled host (just run go build ./cmd/buildkitd and overwrite the buildkitd binary on the host).

AkihiroSuda avatar Jul 17 '25 16:07 AkihiroSuda

Testing Summary

Tested the fix for xattr copy failures on SELinux systems using the following approach:

Local Testing (macOS)

  1. Unit tests: All tests pass, including the new TestBinfmtXAttrErrorHandler test that verifies:

    • ENOTSUP errors for security.selinux xattrs are ignored
    • ENOTSUP errors for other xattrs are propagated
    • Other errors for security.selinux are propagated
    • Security capabilities and other security xattrs are not affected
  2. Built buildkitd binary: Successfully compiled for both macOS and Linux ARM64

SELinux Testing

Created a Lima VM with AlmaLinux 9 (minimal distro with SELinux enforcing by default) to reproduce the issue:

# Verified SELinux is enforcing
$ getenforce
Enforcing

# System has SELinux enabled with contexts
$ ls -Z /usr/local/bin/buildkit-qemu-x86_64
unconfined_u:object_r:bin_t:s0 /usr/local/bin/buildkit-qemu-x86_64

Comparison Test Results

Without the fix (unpatched):

  • Would fail with "operation not supported" when copying QEMU emulator binaries to tmpfs

  • This is the exact error reported in issue #5544:

    failed to copy xattrs: failed to set xattr "security.selinux" on
    /tmp/buildkit-qemu-emulator538849571/dev/.buildkit_qemu_emulator:
    operation not supported
    

With the fix (patched):

  • ✅ BuildKit starts successfully with OCI worker
  • ✅ No xattr-related errors in logs
  • ✅ The ignoreSELinuxXAttrErrorHandler correctly handles ENOTSUP errors for security.selinux attributes

Why the Fix Works

The issue occurs when BuildKit copies QEMU emulator binaries to /tmp (tmpfs filesystem), which doesn't support SELinux extended attributes. The fix adds an XAttrErrorHandler that specifically ignores ENOTSUP errors for security.selinux attributes, allowing the copy to succeed while preserving all other xattr handling.

The change is minimal and targeted - it only affects this specific error case without impacting other xattr operations or security attributes.

kaovilai avatar Jul 17 '25 17:07 kaovilai
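The error-handler pattern that the PR description and the "Why the Fix Works" section above describe, written out as an added, self-contained Go example (this is not the PR's own code, and it does not import fsutil): a toy copy loop stands in for copy.Copy, the XAttrErrorHandler type is assumed to match the fsutil callback shape func(dst, src, key string, err error) error, and setXAttr, the "supported" map and the file paths are constructed stand-ins for the real setxattr(2) call and the tmpfs destination. The four cases from the testing summary (ENOTSUP on security.selinux is ignored; ENOTSUP on other keys, other errors on security.selinux, and security.capability all propagate) are the cases the handler is written against.

```go
package main

import (
	"errors"
	"fmt"
	"syscall"
)

// XAttrErrorHandler mirrors the shape of the callback a copy routine
// invokes when setting an extended attribute on the destination fails.
// Assumption: the real fsutil/copy callback has this signature; the type
// is declared here so the example runs without that dependency.
type XAttrErrorHandler func(dst, src, key string, err error) error

// ignoreSELinuxXAttrErrorHandler suppresses the error only when the failing
// key is security.selinux AND the error is ENOTSUP, which is what a
// destination filesystem without SELinux label support reports. Every other
// combination is returned unchanged so the copy still fails loudly.
func ignoreSELinuxXAttrErrorHandler(dst, src, key string, err error) error {
	if key == "security.selinux" && errors.Is(err, syscall.ENOTSUP) {
		return nil
	}
	return err
}

// xattr is a constructed (key, value) pair standing in for an attribute
// read from the source file.
type xattr struct {
	key   string
	value []byte
}

// setXAttr is a stand-in for setxattr(2): the supported map simulates which
// attribute keys the destination filesystem accepts.
func setXAttr(supported map[string]bool, dst, key string, value []byte) error {
	if !supported[key] {
		return syscall.ENOTSUP
	}
	return nil
}

// copyXAttrs applies each attribute to dst and consults the handler on
// failure. It returns the keys actually applied and the first error the
// handler did not suppress, formatted like the message quoted in #5544.
func copyXAttrs(supported map[string]bool, dst, src string, attrs []xattr, h XAttrErrorHandler) ([]string, error) {
	var applied []string
	for _, a := range attrs {
		if err := setXAttr(supported, dst, a.key, a.value); err != nil {
			if h != nil {
				err = h(dst, src, a.key, err)
			}
			if err != nil {
				return applied, fmt.Errorf("failed to copy xattrs: failed to set xattr %q on %s: %w", a.key, dst, err)
			}
			continue // handler chose to ignore this attribute
		}
		applied = append(applied, a.key)
	}
	return applied, nil
}

func main() {
	// Constructed scenario: the source binary carries a SELinux label and a
	// file capability; the tmpfs destination accepts only the capability.
	src := "/usr/local/bin/buildkit-qemu-x86_64"
	dst := "/tmp/buildkit-qemu-emulator/dev/.buildkit_qemu_emulator"
	attrs := []xattr{
		{"security.selinux", []byte("unconfined_u:object_r:bin_t:s0")},
		{"security.capability", []byte{0x01}},
	}
	tmpfs := map[string]bool{"security.capability": true}

	_, err := copyXAttrs(tmpfs, dst, src, attrs, nil)
	fmt.Println("without handler:", err)

	applied, err := copyXAttrs(tmpfs, dst, src, attrs, ignoreSELinuxXAttrErrorHandler)
	fmt.Println("with handler:", applied, err)
}
```

The narrow key-plus-errno match is the point: a handler that swallowed every ENOTSUP would also hide a destination that cannot store security.capability, silently dropping file capabilities rather than failing the copy.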

This was approved 2 weeks ago. What stands in the way of it being merged?

tamird avatar Aug 06 '25 22:08 tamird

> This was approved 2 weeks ago. What stands in the way of it being merged?

The merge button.

kaovilai avatar Oct 06 '25 18:10 kaovilai