getfattr(1) man page says:

    -m pattern, --match=pattern
        Only include attributes with names matching the regular expression pattern. The default value for pattern is "^user\\.", which includes all the attributes in the user namespace. Specify "-" for including all attributes. Refer to attr(5) for a more detailed discussion of namespaces.

getfattr without '-m -' (or '-m ".*"') is called here:
https://gitweb.gentoo.org/proj/portage.git/tree/bin/ebuild-helpers/prepstrip?id=891926ba231380c4aa0768be0aa0ae1ed2bc6ae7#n36

This results in not preserving extended attributes outside of user namespace (e.g. security.capability attribute).
Created attachment 522250: Patch
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=aff97baa3625cabdf71fea9a0256381282040860

commit aff97baa3625cabdf71fea9a0256381282040860
Author:     Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
AuthorDate: 2018-03-04 02:33:44 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2018-03-04 02:40:47 +0000

    prepstrip: Preserve xattr outside of user namespace.

    Pass '-m -' to getfattr for including all extended attributes, because
    getfattr defaults to including only user.* extended attributes.

    Bug: https://bugs.gentoo.org/649524

 bin/ebuild-helpers/prepstrip | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Thanks!
Fixed in portage-2.3.40-r1.
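The following is an added example, not part of the bug thread or of Portage's code: it models the getfattr name selection described in the report and lists which extended attributes a dump-and-restore cycle around a file rewrite would drop. The helper names and the sample attribute list are constructed for illustration.

```python
import os
import re

# Default -m pattern documented in getfattr(1): the user namespace only.
GETFATTR_DEFAULT = r"^user\."


def selected(names, pattern=GETFATTR_DEFAULT):
    """Attribute names a getfattr-style dump includes; '-' selects everything."""
    if pattern == "-":
        return sorted(names)
    rx = re.compile(pattern)
    return sorted(n for n in names if rx.search(n))


def dropped(names, pattern=GETFATTR_DEFAULT):
    """Names lost when a file is rewritten and only the dumped set is restored."""
    return sorted(set(names) - set(selected(names, pattern)))


def audit(path, pattern=GETFATTR_DEFAULT):
    """Apply the same check to the attributes actually present on `path`."""
    try:
        names = os.listxattr(path, follow_symlinks=False)
    except OSError:
        # Filesystem without xattr support, or the path is not readable.
        return []
    return dropped(names, pattern)


# Constructed sample: the attribute names a capability-bearing binary
# might carry on an SELinux-labelled system.
SAMPLE = ["user.comment", "security.capability", "security.selinux"]

if __name__ == "__main__":
    print("default pattern drops:", dropped(SAMPLE))
    print("'-m -' drops:         ", dropped(SAMPLE, "-"))
```

Running `audit()` on an installed binary before and after an upgrade to the fixed Portage version shows whether its file capabilities would have survived stripping.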