From c24f465bab71580dcce1042da8fb97e7951ea993 Mon Sep 17 00:00:00 2001
From: Jed Lejosne <jed@redhat.com>
Date: Mon, 24 Jan 2022 16:10:20 -0500
Subject: [PATCH 1/4] xattr: add cap_sys_ptrace to supported capabilities

Signed-off-by: Jed Lejosne <jed@redhat.com>
---
 pkg/xattr/xattr.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkg/xattr/xattr.go b/pkg/xattr/xattr.go
index 74915e2..e51d004 100644
--- a/pkg/xattr/xattr.go
+++ b/pkg/xattr/xattr.go
@@ -14,6 +14,7 @@ const (
 var cap_empty_bitmask = []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
 var supported_capabilities = map[string][]byte{
 	"cap_net_bind_service": {1, 0, 0, 2, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+	"cap_sys_ptrace":       {1, 0, 0, 2, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
 }
 
 func AddCapabilities(pax map[string]string, capabilities []string) error {

From 00e8cd4e3171bff3ad90b1adb8bc8b1f2905e62b Mon Sep 17 00:00:00 2001
From: Roman Mohr <rmohr@redhat.com>
Date: Wed, 26 Jan 2022 15:51:34 +0100
Subject: [PATCH 2/4] bump bazel version

Signed-off-by: Roman Mohr <rmohr@redhat.com>
---
 .bazelversion | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.bazelversion b/.bazelversion
index fd2a018..fae6e3d 100644
--- a/.bazelversion
+++ b/.bazelversion
@@ -1 +1 @@
-3.1.0
+4.2.1

From 137e8582817ac7288e6ec54389d9735615948e71 Mon Sep 17 00:00:00 2001
From: Roman Mohr <rmohr@redhat.com>
Date: Wed, 26 Jan 2022 15:52:01 +0100
Subject: [PATCH 3/4] Add cap_chown xattr support

Signed-off-by: Roman Mohr <rmohr@redhat.com>
---
 pkg/xattr/xattr.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkg/xattr/xattr.go b/pkg/xattr/xattr.go
index e51d004..bea3adc 100644
--- a/pkg/xattr/xattr.go
+++ b/pkg/xattr/xattr.go
@@ -13,6 +13,7 @@ const (
 
 var cap_empty_bitmask = []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
 var supported_capabilities = map[string][]byte{
+	"cap_chown":            {1, 0, 0, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
 	"cap_net_bind_service": {1, 0, 0, 2, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
 	"cap_sys_ptrace":       {1, 0, 0, 2, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
 }
@@ -38,7 +39,7 @@ func SetSELinuxLabel(pax map[string]string, label string) error {
 	if label == "" {
 		return fmt.Errorf("label must not be empty, but got '%s'", label)
 	}
-	pax[selinux_header] = fmt.Sprintf("%s\x00",label)
+	pax[selinux_header] = fmt.Sprintf("%s\x00", label)
 	return nil
 }
 

From 139e43610ee1319a310c21c07fd040abe7b75dc8 Mon Sep 17 00:00:00 2001
From: Roman Mohr <rmohr@redhat.com>
Date: Wed, 26 Jan 2022 15:52:41 +0100
Subject: [PATCH 4/4] Add xattr unit tests

Signed-off-by: Roman Mohr <rmohr@redhat.com>
---
 cmd/xattr.go                     |   2 +-
 pkg/xattr/testdata/regenerate.sh |  17 ++++++++++++
 pkg/xattr/testdata/xattr.tar     | Bin 10240 -> 10240 bytes
 pkg/xattr/xattr_test.go          |  44 ++++++++++++++++++++++++++++++-
 4 files changed, 61 insertions(+), 2 deletions(-)
 create mode 100644 pkg/xattr/testdata/regenerate.sh

diff --git a/cmd/xattr.go b/cmd/xattr.go
index fe3e224..0255ad7 100644
--- a/cmd/xattr.go
+++ b/cmd/xattr.go
@@ -55,7 +55,7 @@ func NewXATTRCmd() *cobra.Command {
 			}
 			tarWriter := tar.NewWriter(streamOutput)
 			defer tarWriter.Close()
-			return xattr.Apply(tar.NewReader(streamInput), tarWriter , capabilityMap, labelMap)
+			return xattr.Apply(tar.NewReader(streamInput), tarWriter, capabilityMap, labelMap)
 		},
 	}
 
diff --git a/pkg/xattr/testdata/regenerate.sh b/pkg/xattr/testdata/regenerate.sh
new file mode 100644
index 0000000..84bd164
--- /dev/null
+++ b/pkg/xattr/testdata/regenerate.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+TMPDIR=$(mktemp -d)
+trap 'rm -rf "${TMPDIR}"' EXIT
+
+touch ${TMPDIR}/selinux
+touch ${TMPDIR}/cap_net_bind_service
+touch ${TMPDIR}/cap_chown
+touch ${TMPDIR}/cap_sys_ptrace
+touch ${TMPDIR}/cap_all
+sudo chcon -t user_home_t ${TMPDIR}/selinux
+
+sudo setcap 'cap_net_bind_service=+ep' ${TMPDIR}/cap_net_bind_service
+sudo setcap 'cap_chown=+ep' ${TMPDIR}/cap_chown
+sudo setcap 'cap_sys_ptrace=+ep' ${TMPDIR}/cap_sys_ptrace
+sudo setcap 'cap_net_bind_service,cap_chown,cap_sys_ptrace=+ep' ${TMPDIR}/cap_all
+tar -C ${TMPDIR} --xattrs -cvf xattr.tar .
diff --git a/pkg/xattr/testdata/xattr.tar b/pkg/xattr/testdata/xattr.tar
index 019cac52b425269fe5a226357635826d8a0e5c65..5d61fee707c26781fc4c0d18f628df558fd5f56b 100644
GIT binary patch
literal 10240
zcmeI1&5oNe5P-ea9#(mZJOTLMO{AQ9*-AZB>ZvD0h^tTqh`?;KZ(kFF)(}F17B`jF
zzSw4Bdzi_5HXhIa9v+@$xRH6`d%#M8x^PNCRqN8NAtoFkiUh@s5ljF?kZ=m-2P@ii
zCM^pU=31rB<B!tCi+Q5rM6M901Vcf@!ea|gIOb$V;5<ARQY|E$&-BpfTzVQR;QYsz
z=da&>dWTS{+$&^M=COL!ja{6UhgF$IS^6tZ<t8YX+4{GPRFE&rLgs-=_JLX!5X?S`
z7w-3-o^OBcD(FQW_eii~{5N$as!AvR5u*aknSIp&XyQLlvTZ)F;5B*u9&d0PnCgEL
zc_#m(a36%b-PHP3rWxWt!Cn3%j<Mta)PCrjZ;=05*u(!5;Ro^0#0C88zgW1AcX}sS
zJpl0O;qj@Z)y(Z1Eqhq+c)q2eH#9%Szdq3Ey5W9PSE8zP_)j3${QoCsGROb7^MCbM
zC|-+TuktXGh6mr*tQ<U!{{-tT!JYr#XZD*$-<kgaIR4+{CtE+N`EMcU4TX>KKZ^g9
z3gY;0n9y4D?ED{Xvp?yy%Z=whMgltiPwR#L+3w7L{SDA6?)={}hy6~?e+xlxs6L+m
zgc9cXZ<x?p^NjzgRKYq<H-Wy1eTgUe3b@LDf;!)S+Wn6I)_iVGtgrZc?*Ey-;-`zx
z7ZL!5v?l@3NN>FY0*|IX0JtrnZ4bM>n*SDp-cWly{~5=~@!v3^wPuU|r`+7si(TVC
zrd|Fcf!zK7)NbgVub=--ig!2xtff8tZ^jCAAq8+l26&q#(xrfV9X9bp&$krxhMwd3
WPY`$aKZXTe(^<e-z*%5=3;YG>hE>1-

delta 234
zcmZn&Xb2G0(+^0j@JLNeNi8bYPs%AxnkZNzVPeQ&Xkut!Y-na^Vs6M_U}$J)Y|fxi
zF<Fo?Wiz8B7o(q%g^{s|sj0CZP=%qTfvJfJm$89DVo7Fhs;!|JMApnq&j4tOp|P2<
zF-SHUMHX4_=17I*j4WW=7bZ+j;ZhPeLvw(Uk(nWbf&s_@lNnk6vt^{_<m7X0PE?-H
NvbjKc0$$=bBLElLKKuXx

diff --git a/pkg/xattr/xattr_test.go b/pkg/xattr/xattr_test.go
index 779dab3..158c697 100644
--- a/pkg/xattr/xattr_test.go
+++ b/pkg/xattr/xattr_test.go
@@ -14,7 +14,7 @@ var g *GomegaWithT
 
 func TestSettingSELinuxLabel(t *testing.T) {
 	g = NewGomegaWithT(t)
-	referenceEntry, err := getHeader("blub")
+	referenceEntry, err := getHeader("./selinux")
 	g.Expect(err).ToNot(HaveOccurred())
 
 	generatedEntry := &tar.Header{Name: "blub"}
@@ -43,3 +43,45 @@ func getHeader(name string) (*tar.Header, error) {
 	}
 	return nil, fmt.Errorf("entry %v does not exist", name)
 }
+
+func Test_Capabilities(t *testing.T) {
+	tests := []struct {
+		name         string
+		entry        string
+		capabilities []string
+	}{
+		{
+			name:         "should set cap_chown",
+			entry:        "./cap_chown",
+			capabilities: []string{"cap_chown"},
+		},
+		{
+			name:         "should set cap_net_bind_service",
+			entry:        "./cap_net_bind_service",
+			capabilities: []string{"cap_net_bind_service"},
+		},
+		{
+			name:         "should set cap_sys_ptrace",
+			entry:        "./cap_sys_ptrace",
+			capabilities: []string{"cap_sys_ptrace"},
+		},
+		{
+			name:         "should set all implemented capabilities",
+			entry:        "./cap_all",
+			capabilities: []string{"cap_chown", "cap_net_bind_service", "cap_sys_ptrace"},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g = NewGomegaWithT(t)
+			referenceEntry, err := getHeader(tt.entry)
+			g.Expect(err).ToNot(HaveOccurred())
+
+			generatedEntry := &tar.Header{Name: "blub"}
+
+			g.Expect(enrichEntry(generatedEntry, map[string][]string{"blub": tt.capabilities}, nil)).To(Succeed())
+
+			g.Expect(generatedEntry.PAXRecords[capabilities_header]).To(Equal(referenceEntry.PAXRecords[capabilities_header]))
+		})
+	}
+}