
Security Extended Attributes are not preserved using buildah #2127

@jeffh-id

Description

Steps to reproduce the issue:

  1. Sign a file using evmctl.
  2. Include a copy of the file in a buildah image. For example, a Dockerfile with "COPY mycmd.sh /myapp", where mycmd.sh is signed.
  3. Build the image using buildah. For example, "buildah bud -t myapp ."
  4. Find the layer directory where the mycmd.sh file is added to the image and execute "getfattr -n security.ima mycmd.sh".
  5. Note that the security.ima extended attribute is not present on the copy of the file.

Describe the results you received:

No such attribute from getfattr on the file

Describe the results you expected:

Should have returned a security.ima=<signature>

Output of rpm -q buildah or apt list buildah:

buildah/bionic,now 1.10.1-1~ubuntu18.04~ppa1 amd64 [installed]

Output of buildah version:

Version:         1.10.1
Go Version:      go1.10.4
Image Spec:      1.0.1
Runtime Spec:    1.0.1-dev
CNI Spec:        0.4.0
libcni Version:  
Git Commit:      
Built:           Thu Aug  8 16:29:48 2019
OS/Arch:         linux/amd64

Output of cat /etc/*release:

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.3 LTS"
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.3 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

Output of uname -a:

Linux jhewett-ubuntu-18 4.15.18-jh-ima-v1 #10 SMP Wed Aug 14 17:08:22 EDT 2019 x86_64 x86_64 x86_64 GNU/Linux

Output of cat /etc/containers/storage.conf:

# storage.conf is the configuration file for all tools
# that share the containers/storage libraries
# See man 5 containers-storage.conf for more information

# The "container storage" table contains all of the server options.
[storage]

# Default Storage Driver
driver = "overlay"

# Temporary storage location
runroot = "/var/run/containers/storage"

# Primary read-write location of container storage
graphroot = "/var/lib/containers/storage"

[storage.options]
# AdditionalImageStores is used to pass paths to additional read-only image stores
# Must be comma separated list.
additionalimagestores = [
]

# Size is used to set a maximum size of the container image.  Only supported by
# certain container storage drivers (currently overlay, zfs, vfs, btrfs)
size = ""

# OverrideKernelCheck tells the driver to ignore kernel checks based on kernel version
override_kernel_check = "true"
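As an added example (not code from the issue or from buildah), the check below scans an exported layer tarball and reports which files that should carry an IMA signature lost their security.ima xattr on the way into the image. It assumes the layer is a PAX-format tar in which xattrs travel as SCHILY.xattr.* records (the convention GNU tar and Go's archive/tar use); the file names, contents and signature bytes are constructed for the demonstration.

```python
import io
import tarfile

# PAX record name under which GNU tar and Go's archive/tar store the security.ima xattr
IMA_XATTR = "SCHILY.xattr.security.ima"

# Constructed sample signature: 0x03 is EVM_IMA_XATTR_DIGSIG, the type byte that
# precedes a real IMA signature; the remaining bytes are arbitrary filler.
FAKE_IMA_SIG = b"\x03\x02\x04\xde\xad\xbe\xef\x10\x20"


def build_layer(files, encoding="utf-8"):
    """Build an in-memory PAX layer tar. `files` maps path -> (content, ima_sig or None)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT,
                      encoding=encoding) as tar:
        for path, (content, sig) in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            if sig is not None:
                # xattr values are binary; surrogateescape round-trips them losslessly
                info.pax_headers = {IMA_XATTR: sig.decode(encoding, "surrogateescape")}
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def ima_signatures(layer_bytes, encoding="utf-8"):
    """Return {path: security.ima bytes or None} for every regular file in the layer."""
    result = {}
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:",
                      encoding=encoding) as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            raw = member.pax_headers.get(IMA_XATTR)
            result[member.name] = (raw.encode(encoding, "surrogateescape")
                                   if raw is not None else None)
    return result


def missing_ima(layer_bytes, must_be_signed):
    """Paths in `must_be_signed` whose copy in the layer has no signature-typed security.ima."""
    sigs = ima_signatures(layer_bytes)
    return sorted(p for p in must_be_signed if not sigs.get(p) or sigs[p][0] != 0x03)


if __name__ == "__main__":
    layer = build_layer({"myapp": (b"#!/bin/sh\necho hi\n", FAKE_IMA_SIG),
                         "unsigned.sh": (b"echo no\n", None)})
    print("files lacking security.ima:", missing_ima(layer, ["myapp", "unsigned.sh"]))
```

Run it against a layer exported from the built image (for example via `podman save` or `buildah push` to a directory transport) to see whether the xattr dropped during the COPY or later during export.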

Labels

  - Good First Issue: This issue would be a good issue for a first time contributor to undertake.
  - kind/bug: Categorizes issue or PR as related to a bug.
  - locked - please file new issue/PR