packaging
/
ostree
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #2569 from WOnder93/finalize-deployment-selinux-policy 

deploy: Try to rebuild policy in new deployment if needed
This commit is contained in:
Colin Walters 2022-03-28 20:55:07 -04:00 committed by GitHub
parent 86741ad18a c58a4fe661
commit fdfb353f19
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 121 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ci/gh-install.sh
View File

@ -69,6 +69,7 @@ case "$ID" in
automake automake
bison bison
build-essential build-essential
bubblewrap
ca-certificates ca-certificates
cpio cpio
debhelper debhelper

120
src/libostree/ostree-sysroot-deploy.c
View File

@ -2830,6 +2830,121 @@ get_var_dfd (OstreeSysroot *self,
return glnx_opendirat (base_dfd, base_path, TRUE, ret_fd, error); return glnx_opendirat (base_dfd, base_path, TRUE, ret_fd, error);
} }
#ifdef HAVE_SELINUX
static void
child_setup_fchdir (gpointer data)
{
int fd = (int) (uintptr_t) data;
int rc __attribute__((unused));
rc = fchdir (fd);
}
/*
* Derived from rpm-ostree's rust/src/bwrap.rs
*/
static gboolean
run_in_deployment (int deployment_dfd,
const gchar * const *child_argv,
gsize child_argc,
gint *exit_status,
gchar **stdout,
GError **error)
{
static const gchar * const COMMON_ARGV[] = {
"/usr/bin/bwrap",
"--dev", "/dev", "--proc", "/proc", "--dir", "/run", "--dir", "/tmp",
"--chdir", "/",
"--die-with-parent",
"--unshare-pid",
"--unshare-uts",
"--unshare-ipc",
"--unshare-cgroup-try",
"--ro-bind", "/sys/block", "/sys/block",
"--ro-bind", "/sys/bus", "/sys/bus",
"--ro-bind", "/sys/class", "/sys/class",
"--ro-bind", "/sys/dev", "/sys/dev",
"--ro-bind", "/sys/devices", "/sys/devices",
"--bind", "usr", "/usr",
"--bind", "etc", "/etc",
"--bind", "var", "/var",
"--symlink", "/usr/lib", "/lib",
"--symlink", "/usr/lib32", "/lib32",
"--symlink", "/usr/lib64", "/lib64",
"--symlink", "/usr/bin", "/bin",
"--symlink", "/usr/sbin", "/sbin",
};
static const gsize COMMON_ARGC = sizeof (COMMON_ARGV) / sizeof (*COMMON_ARGV);
gsize i;
GPtrArray *args = g_ptr_array_sized_new (COMMON_ARGC + child_argc + 1);
g_autofree gchar **args_raw = NULL;
for (i = 0; i < COMMON_ARGC; i++)
g_ptr_array_add (args, (gchar *) COMMON_ARGV[i]);
for (i = 0; i < child_argc; i++)
g_ptr_array_add (args, (gchar *) child_argv[i]);
g_ptr_array_add (args, NULL);
args_raw = (gchar **) g_ptr_array_free (args, FALSE);
return g_spawn_sync (NULL, args_raw, NULL, 0, &child_setup_fchdir,
(gpointer) (uintptr_t) deployment_dfd,
stdout, NULL, exit_status, error);
}
/*
* Run semodule to check if the module content changed after merging /etc
* and rebuild the policy if needed.
*/
static gboolean
sysroot_finalize_selinux_policy (int deployment_dfd, GError **error)
{
struct stat stbuf;
gint exit_status;
g_autofree gchar *stdout = NULL;
if (!glnx_fstatat_allow_noent (deployment_dfd, "etc/selinux/config", &stbuf,
AT_SYMLINK_NOFOLLOW, error))
return FALSE;
/* Skip the SELinux policy refresh if /etc/selinux/config doesn't exist. */
if (errno != 0)
return TRUE;
/*
* Skip the SELinux policy refresh if the --rebuild-if-modules-changed
* flag is not supported by semodule.
*/
static const gchar * const SEMODULE_HELP_ARGV[] = {
"semodule", "--help"
};
static const gsize SEMODULE_HELP_ARGC = sizeof (SEMODULE_HELP_ARGV) / sizeof (*SEMODULE_HELP_ARGV);
if (!run_in_deployment (deployment_dfd, SEMODULE_HELP_ARGV,
SEMODULE_HELP_ARGC, &exit_status, &stdout, error))
return FALSE;
if (!g_spawn_check_exit_status (exit_status, error))
return glnx_prefix_error (error, "failed to run semodule");
if (!strstr(stdout, "--rebuild-if-modules-changed"))
{
ot_journal_print (LOG_INFO, "semodule does not have --rebuild-if-modules-changed");
return TRUE;
}
static const gchar * const SEMODULE_REBUILD_ARGV[] = {
"semodule", "-N", "--rebuild-if-modules-changed"
};
static const gsize SEMODULE_REBUILD_ARGC = sizeof (SEMODULE_REBUILD_ARGV) / sizeof (*SEMODULE_REBUILD_ARGV);
if (!run_in_deployment (deployment_dfd, SEMODULE_REBUILD_ARGV,
SEMODULE_REBUILD_ARGC, &exit_status, NULL, error))
return FALSE;
return g_spawn_check_exit_status (exit_status, error);
}
#endif /* HAVE_SELINUX */
static gboolean static gboolean
sysroot_finalize_deployment (OstreeSysroot *self, sysroot_finalize_deployment (OstreeSysroot *self,
OstreeDeployment *deployment, OstreeDeployment *deployment,
@ -2866,6 +2981,11 @@ sysroot_finalize_deployment (OstreeSysroot *self,
return FALSE; return FALSE;
} }
#ifdef HAVE_SELINUX
if (!sysroot_finalize_selinux_policy(deployment_dfd, error))
return FALSE;
#endif /* HAVE_SELINUX */
const char *osdeploypath = glnx_strjoina ("ostree/deploy/", ostree_deployment_get_osname (deployment)); const char *osdeploypath = glnx_strjoina ("ostree/deploy/", ostree_deployment_get_osname (deployment));
glnx_autofd int os_deploy_dfd = -1; glnx_autofd int os_deploy_dfd = -1;
if (!glnx_opendirat (self->sysroot_fd, osdeploypath, TRUE, &os_deploy_dfd, error)) if (!glnx_opendirat (self->sysroot_fd, osdeploypath, TRUE, &os_deploy_dfd, error))