PORTAGE_XATTR_EXCLUDE: preserve security.capability (bug 548516)

Also, fix BinpkgExtractorAsync tar options to preserve
security.capability attributes.

X-Gentoo-Bug: 548516
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=548516
Acked-by: Brian Dolbec <dolsen@gentoo.org>

2 files changed, 8 insertions, 3 deletions

diff --git a/cnf/make.globals b/cnf/make.globals
index dd99618d0..82d8cc170 100644
--- a/cnf/make.globals
+++ b/cnf/make.globals
@@ -123,9 +123,11 @@ PORTAGE_ELOG_MAILFROM="portage@localhost"
 PORTAGE_GPG_SIGNING_COMMAND="gpg --sign --digest-algo SHA256 --clearsign --yes --default-key \"\${PORTAGE_GPG_KEY}\" --homedir \"\${PORTAGE_GPG_DIR}\" \"\${FILE}\""
 
 # btrfs.* attributes are irrelevant, see bug #527636.
-# Security labels are special, see bug #461868.
+# security.* attributes may be special (see bug 461868), but
+# security.capability is specifically not excluded (bug 548516).
 # system.nfs4_acl attributes are irrelevant, see bug #475496.
-PORTAGE_XATTR_EXCLUDE="btrfs.* security.* system.nfs4_acl"
+PORTAGE_XATTR_EXCLUDE="btrfs.* security.evm security.ima
+	security.selinux system.nfs4_acl"
 
 #            *****************************
 #            **  DO NOT EDIT THIS FILE  **
diff --git a/pym/_emerge/BinpkgExtractorAsync.py b/pym/_emerge/BinpkgExtractorAsync.py
index 6aaa44852..0bf3c74c9 100644
--- a/pym/_emerge/BinpkgExtractorAsync.py
+++ b/pym/_emerge/BinpkgExtractorAsync.py
@@ -23,7 +23,10 @@ class BinpkgExtractorAsync(SpawnProcess):
 			process = subprocess.Popen(["tar", "--help"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
 			output = process.communicate()[0]
 			if b"--xattrs" in output:
-				tar_options = "--xattrs"
+				tar_options = ["--xattrs", "--xattrs-include='*'"]
+				for x in portage.util.shlex_split(self.env.get("PORTAGE_XATTR_EXCLUDE", "")):
+					tar_options.append(portage._shell_quote("--xattrs-exclude=%s" % x))
+				tar_options = " ".join(tar_options)
 
 		decomp_cmd = _decompressors.get(
 			compression_probe(self.pkg_path))