packaging
/
ostree
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

lib/checkout: Add bareuseronly_dirs option 

This is a continuation of https://github.com/ostreedev/ostree/pull/926
for directories instead of files.

See: https://github.com/flatpak/flatpak/issues/845

This option suppresses mode bits outside of `0775` for directory
checkouts.  I think most people should start doing this by default,
and use explicit overrides for e.g. `/tmp` if doing a recommit based
on a checkout.

Closes: #927
Approved by: alexlarsson
This commit is contained in:
Colin Walters 2017-06-13 13:26:33 -04:00 committed by Atomic Bot
parent 6ed824bf00
commit 0635fcbfd9
4 changed files with 27 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/libostree/ostree-repo-checkout.c
View File

@ -751,11 +751,11 @@ checkout_tree_at_recurse (OstreeRepo *self,
{ {
guint32 canonical_mode; guint32 canonical_mode;
/* Silently ignore world-writable directories (plus sticky, suid bits, /* Silently ignore world-writable directories (plus sticky, suid bits,
* etc.) when doing a checkout for bare-user-only repos. This is related * etc.) when doing a checkout for bare-user-only repos, or if requested explicitly.
* to the logic in ostree-repo-commit.c for files. * This is related to the logic in ostree-repo-commit.c for files.
* See also: https://github.com/ostreedev/ostree/pull/909 i.e. 0c4b3a2b6da950fd78e63f9afec602f6188f1ab0 * See also: https://github.com/ostreedev/ostree/pull/909 i.e. 0c4b3a2b6da950fd78e63f9afec602f6188f1ab0
*/ */
if (self->mode == OSTREE_REPO_MODE_BARE_USER_ONLY) if (self->mode == OSTREE_REPO_MODE_BARE_USER_ONLY || options->bareuseronly_dirs)
canonical_mode = (mode & 0775) | S_IFDIR; canonical_mode = (mode & 0775) | S_IFDIR;
else else
canonical_mode = mode; canonical_mode = mode;

3
src/libostree/ostree-repo.h
View File

@ -768,7 +768,8 @@ typedef struct {
gboolean process_whiteouts; gboolean process_whiteouts;
gboolean no_copy_fallback; gboolean no_copy_fallback;
gboolean force_copy; /* Since: 2017.6 */ gboolean force_copy; /* Since: 2017.6 */
gboolean unused_bools[6]; gboolean bareuseronly_dirs; /* Since: 2017.7 */
gboolean unused_bools[5];
const char *subpath; const char *subpath;

6
src/ostree/ot-builtin-checkout.c
View File

@ -43,6 +43,7 @@ static char *opt_from_file;
static gboolean opt_disable_fsync; static gboolean opt_disable_fsync;
static gboolean opt_require_hardlinks; static gboolean opt_require_hardlinks;
static gboolean opt_force_copy; static gboolean opt_force_copy;
static gboolean opt_bareuseronly_dirs;
static gboolean static gboolean
parse_fsync_cb (const char *option_name, parse_fsync_cb (const char *option_name,
@ -73,6 +74,7 @@ static GOptionEntry options[] = {
{ "fsync", 0, 0, G_OPTION_ARG_CALLBACK, parse_fsync_cb, "Specify how to invoke fsync()", "POLICY" }, { "fsync", 0, 0, G_OPTION_ARG_CALLBACK, parse_fsync_cb, "Specify how to invoke fsync()", "POLICY" },
{ "require-hardlinks", 'H', 0, G_OPTION_ARG_NONE, &opt_require_hardlinks, "Do not fall back to full copies if hardlinking fails", NULL }, { "require-hardlinks", 'H', 0, G_OPTION_ARG_NONE, &opt_require_hardlinks, "Do not fall back to full copies if hardlinking fails", NULL },
{ "force-copy", 'C', 0, G_OPTION_ARG_NONE, &opt_force_copy, "Never hardlink (but may reflink if available)", NULL }, { "force-copy", 'C', 0, G_OPTION_ARG_NONE, &opt_force_copy, "Never hardlink (but may reflink if available)", NULL },
{ "bareuseronly-dirs", 'M', 0, G_OPTION_ARG_NONE, &opt_bareuseronly_dirs, "Suppress mode bits outside of 0775 for directories (suid, world writable, etc.)", NULL },
{ NULL } { NULL }
}; };
@ -91,7 +93,8 @@ process_one_checkout (OstreeRepo *repo,
* `ostree_repo_checkout_at` until such time as we have a more * `ostree_repo_checkout_at` until such time as we have a more
* convenient infrastructure for testing C APIs with data. * convenient infrastructure for testing C APIs with data.
*/ */
if (opt_disable_cache || opt_whiteouts || opt_require_hardlinks || opt_union_add || opt_force_copy) if (opt_disable_cache || opt_whiteouts || opt_require_hardlinks ||
opt_union_add || opt_force_copy || opt_bareuseronly_dirs)
{ {
OstreeRepoCheckoutAtOptions options = { 0, }; OstreeRepoCheckoutAtOptions options = { 0, };
@ -119,6 +122,7 @@ process_one_checkout (OstreeRepo *repo,
options.subpath = subpath; options.subpath = subpath;
options.no_copy_fallback = opt_require_hardlinks; options.no_copy_fallback = opt_require_hardlinks;
options.force_copy = opt_force_copy; options.force_copy = opt_force_copy;
options.bareuseronly_dirs = opt_bareuseronly_dirs;
if (!ostree_repo_checkout_at (repo, &options, if (!ostree_repo_checkout_at (repo, &options,
AT_FDCWD, destination, AT_FDCWD, destination,

18
tests/basic-test.sh
View File

@ -19,7 +19,7 @@
set -euo pipefail set -euo pipefail
echo "1..$((68 + ${extra_basic_tests:-0}))" echo "1..$((69 + ${extra_basic_tests:-0}))"
$CMD_PREFIX ostree --version > version.yaml $CMD_PREFIX ostree --version > version.yaml
python -c 'import yaml; yaml.safe_load(open("version.yaml"))' python -c 'import yaml; yaml.safe_load(open("version.yaml"))'
@ -445,6 +445,22 @@ assert_file_has_content checkout-test-union-add/union-add-test 'existing file fo
assert_file_has_content checkout-test-union-add/union-add-test2 'another file for union add testing' assert_file_has_content checkout-test-union-add/union-add-test2 'another file for union add testing'
echo "ok checkout union add" echo "ok checkout union add"
cd ${test_tmpdir}
rm files -rf && mkdir files
mkdir files/worldwritable-dir
chmod a+w files/worldwritable-dir
$CMD_PREFIX ostree --repo=repo commit -b content-with-dir-world-writable --tree=dir=files
rm dir-co -rf
$CMD_PREFIX ostree --repo=repo checkout -U -H -M content-with-dir-world-writable dir-co
assert_file_has_mode dir-co/worldwritable-dir 775
if ! is_bare_user_only_repo repo; then
rm dir-co -rf
$CMD_PREFIX ostree --repo=repo checkout -U -H content-with-dir-world-writable dir-co
assert_file_has_mode dir-co/worldwritable-dir 777
fi
rm dir-co -rf
echo "ok checkout bareuseronly dir"
cd ${test_tmpdir} cd ${test_tmpdir}
rm -rf shadow-repo rm -rf shadow-repo
mkdir shadow-repo mkdir shadow-repo