pub const CONTAINER_XATTR_ALLOWLIST: &[&str];Expand description
Default xattr allowlist for container filesystems.
When reading from a mounted container filesystem, host xattrs can leak into
the image (e.g., SELinux labels like container_t from overlayfs). This
allowlist specifies which xattrs are safe to preserve.
Currently only security.capability is allowed, as it represents actual
file capabilities that should be preserved. SELinux labels (security.selinux)
are excluded because they come from the build host and will be regenerated
by transform_for_boot() based on the target system’s policy.
See: https://github.com/containers/storage/pull/1608#issuecomment-1600915185