From 8cf071127e670671065d041f2cb678cdc303b9c1 Mon Sep 17 00:00:00 2001
From: Jonathan Lebon <jlebon@redhat.com>
Date: Mon, 13 Feb 2017 11:32:19 -0500
Subject: [PATCH 1/2] unpacker: support root-owned /var & /run files
I'm not sure why we weren't doing this before, but we need to also
support files in /var and /run that are owned by root.
Related: RHBZ#1421781
Closes: #622
Approved by: cgwalters
---
src/libpriv/rpmostree-unpacker.c | 9 +++++----
tests/common/compose/yum/nonrootcap.spec | 4 ++++
tests/vmcheck/test-layering-non-root-caps.sh | 6 +++++-
3 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/src/libpriv/rpmostree-unpacker.c b/src/libpriv/rpmostree-unpacker.c
index 34e133a..98586d9 100644
--- a/src/libpriv/rpmostree-unpacker.c
+++ b/src/libpriv/rpmostree-unpacker.c
@@ -594,11 +594,12 @@ compose_filter_cb (OstreeRepo *repo,
get_rpmfi_override (self, path, &user, &group, NULL);
- /* First, look for non-root paths in /run and /var */
- if ((user != NULL || group != NULL) &&
- (g_str_has_prefix (path, "/run/") || g_str_has_prefix (path, "/var/")))
+ /* convert /run and /var entries to tmpfiles.d */
+ if (g_str_has_prefix (path, "/run/") ||
+ g_str_has_prefix (path, "/var/"))
{
- append_tmpfiles_d (self, path, file_info, user, group);
+ append_tmpfiles_d (self, path, file_info,
+ user ?: "root", group ?: "root");
return OSTREE_REPO_COMMIT_FILTER_SKIP;
}
else if (!error_was_set)
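Review bot: The `user ?: "root", group ?: "root"` fallback treats every NULL left by get_rpmfi_override() as "owned by root", and nothing in the hunk states that NULL can only mean that. If the lookup can also leave them NULL on a miss or failure (its body is outside this hunk, so this is inferred), the entry would be silently written to tmpfiles.d as root:root instead of being reported. A comment above the call should state the contract, e.g. `/* NULL user/group from get_rpmfi_override() means no override, i.e. root-owned */`. With the ownership test removed, every `/run/` and `/var/` path now takes this branch and is skipped from the commit, so it is worth confirming that append_tmpfiles_d() handles every file type it can now receive. compose_filter_cb starts and ends outside the hunk.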
diff --git a/tests/common/compose/yum/nonrootcap.spec b/tests/common/compose/yum/nonrootcap.spec
index 8f9dead..be5959d 100644
--- a/tests/common/compose/yum/nonrootcap.spec
+++ b/tests/common/compose/yum/nonrootcap.spec
@@ -38,6 +38,8 @@ mkdir -p %{buildroot}/usr/bin
install *.sh %{buildroot}/usr/bin
mkdir -p %{buildroot}/var/lib/nonrootcap
mkdir -p %{buildroot}/run/nonrootcap
+mkdir -p %{buildroot}/var/lib/nonrootcap-rootowned
+mkdir -p %{buildroot}/run/nonrootcap-rootowned
%clean
rm -rf %{buildroot}
@@ -53,6 +55,8 @@ rm -rf %{buildroot}
%attr(4775, nrcuser, nrcgroup) %caps(cap_net_bind_service=ep) /usr/bin/nrc-usergroupcaps-setuid.sh
%attr(-, nrcuser, nrcgroup) /var/lib/nonrootcap
%attr(-, nrcuser, nrcgroup) /run/nonrootcap
+/var/lib/nonrootcap-rootowned
+/run/nonrootcap-rootowned
%changelog
* Wed Jan 05 2017 Jonathan Lebon <jlebon@redhat.com> 1.0-1
diff --git a/tests/vmcheck/test-layering-non-root-caps.sh b/tests/vmcheck/test-layering-non-root-caps.sh
index aa9991c..6cba6e2 100755
--- a/tests/vmcheck/test-layering-non-root-caps.sh
+++ b/tests/vmcheck/test-layering-non-root-caps.sh
@@ -51,7 +51,9 @@ if ! vm_has_files /usr/bin/nrc-none.sh \
/usr/bin/nrc-usergroup.sh \
/usr/bin/nrc-usergroupcaps.sh \
/var/lib/nonrootcap \
- /run/nonrootcap; then
+ /run/nonrootcap \
+ /var/lib/nonrootcap-rootowned \
+ /run/nonrootcap-rootowned; then
assert_not_reached "not all files were layered"
fi
echo "ok all files layered"
@@ -96,4 +98,6 @@ check_file /usr/bin/nrc-usergroupcaps-setuid.sh nrcuser nrcgroup "cap_net_bind_s
vm_cmd test -u /usr/bin/nrc-usergroupcaps-setuid.sh
check_file /var/lib/nonrootcap nrcuser nrcgroup
check_file /run/nonrootcap nrcuser nrcgroup
+check_file /var/lib/nonrootcap-rootowned root root
+check_file /run/nonrootcap-rootowned root root
echo "ok correct user/group and fcaps"
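Review bot: The two new `check_file ... root root` assertions verify owner and group only, and both fixtures are directories created with `mkdir -p` in the spec, so the mode of the generated tmpfiles.d entries and any root-owned non-directory entry under /var or /run are not exercised. Since the unpacker now routes all root-owned /var and /run content through tmpfiles.d, a mode check on these two paths would catch an entry that ends up with looser permissions than the package declared. A comment such as `# root-owned entries: owner/group only, mode not verified` would at least record the gap.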
--
2.10.2