Fix xattr copy failures on SELinux systems

kaovilai · claude · kaovilai · commit 321de6008af4 · 2025-07-17T11:26:30.000-05:00
When copying the buildkit-qemu-emulator binary on systems with SELinux enabled, the copy operation fails with "operation not supported" errors when attempting to copy security.selinux xattrs. This change adds an XAttrErrorHandler to the copy.Copy call that ignores ENOTSUP errors, allowing the copy to succeed on SELinux-enabled systems. Fixes #5544 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Tiger Kaovilai <passawit.kaovilai@gmail.com>
diff --git a/solver/llbsolver/ops/exec_binfmt.go b/solver/llbsolver/ops/exec_binfmt.go
@@ -6,6 +6,7 @@ import (
 	"os/exec"
 	"path/filepath"
 	"strings"
+	"syscall"
 
 	"github.com/containerd/containerd/v2/core/mount"
 	"github.com/containerd/platforms"
@@ -64,6 +65,15 @@ func (m *staticEmulatorMount) Mount() ([]mount.Mount, func() error, error) {
 	if err := copy.Copy(context.TODO(), filepath.Dir(m.path), filepath.Base(m.path), tmpdir, qemuMountName, func(ci *copy.CopyInfo) {
 		m := 0555
 		ci.Mode = &m
+		ci.XAttrErrorHandler = func(dst, src, xattrKey string, err error) error {
+			// Ignore ENOTSUP (operation not supported) errors when copying xattrs
+			// This is needed for systems with SELinux enabled where security.selinux
+			// xattrs cannot be modified
+			if errors.Is(err, syscall.ENOTSUP) {
+				return nil
+			}
+			return err
+		}
 	}, copy.WithChown(uid, gid)); err != nil {
 		return nil, nil, err
 	}
diff --git a/solver/llbsolver/ops/exec_binfmt_test.go b/solver/llbsolver/ops/exec_binfmt_test.go
@@ -0,0 +1,71 @@
+package ops
+
+import (
+	"syscall"
+	"testing"
+
+	"github.com/pkg/errors"
+	"github.com/stretchr/testify/require"
+)
+
+// TestXAttrErrorHandler tests the XAttrErrorHandler logic used in exec_binfmt.go
+func TestXAttrErrorHandler(t *testing.T) {
+	tests := []struct {
+		name        string
+		inputErr    error
+		shouldIgnore bool
+		description string
+	}{
+		{
+			name:        "ENOTSUP error should be ignored",
+			inputErr:    syscall.ENOTSUP,
+			shouldIgnore: true,
+			description: "ENOTSUP errors occur on SELinux systems and should be ignored",
+		},
+		{
+			name:        "errors.Is should work with wrapped ENOTSUP",
+			inputErr:    errors.Wrap(syscall.ENOTSUP, "failed to set xattr"),
+			shouldIgnore: true,
+			description: "Wrapped ENOTSUP errors should also be ignored",
+		},
+		{
+			name:        "EPERM error should not be ignored",
+			inputErr:    syscall.EPERM,
+			shouldIgnore: false,
+			description: "Other permission errors should be propagated",
+		},
+		{
+			name:        "EIO error should not be ignored",
+			inputErr:    syscall.EIO,
+			shouldIgnore: false,
+			description: "I/O errors should be propagated",
+		},
+		{
+			name:        "nil error should return nil",
+			inputErr:    nil,
+			shouldIgnore: true,
+			description: "nil errors should return nil",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// This mimics the XAttrErrorHandler in exec_binfmt.go
+			handler := func(dst, src, xattrKey string, err error) error {
+				if errors.Is(err, syscall.ENOTSUP) {
+					return nil
+				}
+				return err
+			}
+
+			result := handler("dst", "src", "security.selinux", tt.inputErr)
+			
+			if tt.shouldIgnore {
+				require.NoError(t, result, tt.description)
+			} else {
+				require.Error(t, result, tt.description)
+				require.True(t, errors.Is(result, tt.inputErr), "error should be preserved")
+			}
+		})
+	}
+}
