bpo-38893: Ignore EACCES, ENOSYS in copyxattr by tiran · Pull Request #21430 · python/cpython
Open
:func:`shutil.copystat` now ignores :const:`errno.ENOSYS` and
:const:`errno.EACCES` when copying extended file attributes.
:func:`os.listxattr` can fail with ENOSYS on some file systems (e.g. NFS).
An LSM may block :func:`os.setxattr` for security attributes like
``security.selinux``.
Signed-off-by: Christian Heimes <christian@python.org>
I am not sure I'm fond of silently ignoring errors -- that can have security implications since the result might not be as expected.
I'd rather see an approach where the operation (copying specific extended attributes) is not attempted at all in situations or environments where it is not supported or not expected to work. That way after copystat that passed you'd know that things are in expected shape. If you ignore the errors, in case of SELinux labels you will likely still get AVC denials on the host, so the result will be even more confusing.
This missed the boat for inclusion in Python 3.9 which accepts security fixes only as of today.
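One way to address the concern raised in the review while still tolerating the two errno values named in the description, as an added example that is not code from this pull request or from CPython: copy what can be copied, but return every skipped attribute so the caller can enforce policy instead of assuming labels were preserved. The names `copy_xattrs_reporting`, `required`, `api` and `FakeXattrFS` are hypothetical, and the in-memory filesystem is constructed so the block runs without xattr support.

```python
import errno
import os

# The two errno values the PR description proposes to ignore.
TOLERATED = frozenset({errno.ENOSYS, errno.EACCES})


def copy_xattrs_reporting(src, dst, *, required=(), api=os):
    """Copy xattrs; return [(name, errno)] for every attribute skipped.

    name is None when listing itself failed. Attributes in `required`
    (a hypothetical caller policy) are never skipped: the error propagates.
    """
    try:
        names = api.listxattr(src)
    except OSError as exc:
        if exc.errno not in TOLERATED or required:
            raise
        return [(None, exc.errno)]
    skipped = []
    for name in names:
        try:
            api.setxattr(dst, name, api.getxattr(src, name))
        except OSError as exc:
            if exc.errno not in TOLERATED or name in required:
                raise
            skipped.append((name, exc.errno))
    return skipped


class FakeXattrFS:
    """Constructed in-memory stand-in for os.*xattr (runs on any platform)."""

    def __init__(self, attrs, deny=(), list_errno=None):
        self.attrs = {"src": dict(attrs), "dst": {}}
        self.deny, self.list_errno = set(deny), list_errno

    def listxattr(self, path):
        if self.list_errno is not None:
            raise OSError(self.list_errno, os.strerror(self.list_errno))
        return list(self.attrs[path])

    def getxattr(self, path, name):
        return self.attrs[path][name]

    def setxattr(self, path, name, value):
        if name in self.deny:  # models an LSM refusing the write
            raise OSError(errno.EACCES, os.strerror(errno.EACCES))
        self.attrs[path][name] = value
```

On Linux, omitting `api` uses the real `os.listxattr`, `os.getxattr` and `os.setxattr`; a non-empty return value is the signal to log or fail rather than treat the copy as complete.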