From 3b9953903b12eaca76655311bd44533768f6f3da Mon Sep 17 00:00:00 2001
From: Alexander Larsson <alexl@redhat.com>
Date: Mon, 20 Jan 2014 12:26:08 +0100
Subject: [PATCH] archive: Handle capabilities in tar files

If a file has a security.capability set, we push this to the tar file.
This is important to handle in e.g. layer files or when copying files
to containers, as some distros (e.g. Fedora) use capability bits as
a more finegrained version of setuid bits, and thus if the capabilites
are stripped (and setuid is not set) the binaries will fail to work.

Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
---
 archive/archive.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/archive/archive.go b/archive/archive.go
index 206580fa08..8bb0a8ed1c 100644
--- a/archive/archive.go
+++ b/archive/archive.go
@@ -165,6 +165,13 @@ func addTarFile(path, name string, tw *tar.Writer) error {
 			hdr.Devmajor = int64(major(uint64(stat.Rdev)))
 			hdr.Devminor = int64(minor(uint64(stat.Rdev)))
 		}
+
+	}
+
+	capability, _ := Lgetxattr(path, "security.capability")
+	if capability != nil {
+		hdr.Xattrs = make(map[string]string)
+		hdr.Xattrs["security.capability"] = string(capability)
 	}
 
 	if err := tw.WriteHeader(hdr); err != nil {