diff --git a/.gitignore b/.gitignore
index 911dda1..d40d4ca 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/libostree-2017.14.tar.xz
+SOURCES/libostree-2018.1.tar.xz
diff --git a/.ostree.metadata b/.ostree.metadata
index 2052abf..1377786 100644
--- a/.ostree.metadata
+++ b/.ostree.metadata
@@ -1 +1 @@
-bf5c21801eb160bdc1c06c1f63b361eafdd7af57 SOURCES/libostree-2017.14.tar.xz
+6f8cd6291a19068606fabec3e91fd6e59af86b79 SOURCES/libostree-2018.1.tar.xz
diff --git a/SOURCES/0001-deploy-SELinux-relabel-installed-kernel-initramfs-da.patch b/SOURCES/0001-deploy-SELinux-relabel-installed-kernel-initramfs-da.patch
new file mode 100644
index 0000000..00d9292
--- /dev/null
+++ b/SOURCES/0001-deploy-SELinux-relabel-installed-kernel-initramfs-da.patch
@@ -0,0 +1,114 @@
+From 9455cc49a6c53d7d5680031bcd5cb8d64ff9ca7d Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Mon, 5 Feb 2018 17:51:40 +0000
+Subject: [PATCH] deploy: SELinux-relabel installed kernel/initramfs data
+
+When we changed around the kernel location in rpm-ostree, we
+started installing the kernel into `/boot` as `modules_object_t`,
+and the current policy didn't permit that. For maximum compatibility,
+relabel installed kernel/initramfs/dtb as `boot_t`.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1536991
+---
+ src/libostree/ostree-sysroot-deploy.c | 60 ++++++++++++++++++++++++-----------
+ 1 file changed, 41 insertions(+), 19 deletions(-)
+
+diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c
+index 5dc5bde..63ed149 100644
+--- a/src/libostree/ostree-sysroot-deploy.c
++++ b/src/libostree/ostree-sysroot-deploy.c
+@@ -97,20 +97,38 @@ sysroot_flags_to_copy_flags (GLnxFileCopyFlags defaults,
+ * hardlink if we're on the same partition.
+ */
+ static gboolean
+-hardlink_or_copy_at (int src_dfd,
+- const char *src_subpath,
+- int dest_dfd,
+- const char *dest_subpath,
+- OstreeSysrootDebugFlags flags,
+- GCancellable *cancellable,
+- GError **error)
++install_into_boot (OstreeSePolicy *sepolicy,
++ int src_dfd,
++ const char *src_subpath,
++ int dest_dfd,
++ const char *dest_subpath,
++ OstreeSysrootDebugFlags flags,
++ GCancellable *cancellable,
++ GError **error)
+ {
+ if (linkat (src_dfd, src_subpath, dest_dfd, dest_subpath, 0) != 0)
+ {
+ if (G_IN_SET (errno, EMLINK, EXDEV))
+- return glnx_file_copy_at (src_dfd, src_subpath, NULL, dest_dfd, dest_subpath,
+- sysroot_flags_to_copy_flags (0, flags),
+- cancellable, error);
++ {
++ /* Be sure we relabel when copying the kernel, as in current
++ * e.g. Fedora it might be labeled module_object_t or usr_t,
++ * but policy may not allow other processes to read from that
++ * like kdump.
++ * See also https://github.com/fedora-selinux/selinux-policy/commit/747f4e6775d773ab74efae5aa37f3e5e7f0d4aca
++ * This means we also drop xattrs but...I doubt anyone uses
++ * non-SELinux xattrs for the kernel anyways aside from perhaps
++ * IMA but that's its own story.
++ */
++ g_auto(OstreeSepolicyFsCreatecon) fscreatecon = { 0, };
++ const char *boot_path = glnx_strjoina ("/boot/", glnx_basename (dest_subpath));
++ if (!_ostree_sepolicy_preparefscreatecon (&fscreatecon, sepolicy,
++ boot_path, S_IFREG | 0644,
++ error))
++ return FALSE;
++ return glnx_file_copy_at (src_dfd, src_subpath, NULL, dest_dfd, dest_subpath,
++ GLNX_FILE_COPY_NOXATTRS,
++ cancellable, error);
++ }
+ else
+ return glnx_throw_errno_prefix (error, "linkat(%s)", dest_subpath);
+ }
+@@ -1567,6 +1585,11 @@ install_deployment_kernel (OstreeSysroot *sysroot,
+ &deployment_dfd, error))
+ return FALSE;
+
++ /* We need to label the kernels */
++ g_autoptr(OstreeSePolicy) sepolicy = ostree_sepolicy_new_at (deployment_dfd, cancellable, error);
++ if (!sepolicy)
++ return FALSE;
++
+ /* Find the kernel/initramfs in the tree */
+ g_autoptr(OstreeKernelLayout) kernel_layout = NULL;
+ if (!get_kernel_from_tree (deployment_dfd, &kernel_layout,
+@@ -1602,11 +1625,10 @@ install_deployment_kernel (OstreeSysroot *sysroot,
+ return FALSE;
+ if (errno == ENOENT)
+ {
+- if (!hardlink_or_copy_at (kernel_layout->boot_dfd,
+- kernel_layout->kernel_srcpath,
+- bootcsum_dfd, kernel_layout->kernel_namever,
+- sysroot->debug_flags,
+- cancellable, error))
++ if (!install_into_boot (sepolicy, kernel_layout->boot_dfd, kernel_layout->kernel_srcpath,
++ bootcsum_dfd, kernel_layout->kernel_namever,
++ sysroot->debug_flags,
++ cancellable, error))
+ return FALSE;
+ }
+
+@@ -1620,10 +1642,10 @@ install_deployment_kernel (OstreeSysroot *sysroot,
+ return FALSE;
+ if (errno == ENOENT)
+ {
+- if (!hardlink_or_copy_at (kernel_layout->boot_dfd, kernel_layout->initramfs_srcpath,
+- bootcsum_dfd, kernel_layout->initramfs_namever,
+- sysroot->debug_flags,
+- cancellable, error))
++ if (!install_into_boot (sepolicy, kernel_layout->boot_dfd, kernel_layout->initramfs_srcpath,
++ bootcsum_dfd, kernel_layout->initramfs_namever,
++ sysroot->debug_flags,
++ cancellable, error))
+ return FALSE;
+ }
+ }
+--
+2.14.3
+
diff --git a/SOURCES/0001-switchroot-Ensure-sysroot-is-set-to-private-propagat.patch b/SOURCES/0001-switchroot-Ensure-sysroot-is-set-to-private-propagat.patch
new file mode 100644
index 0000000..dbdf748
--- /dev/null
+++ b/SOURCES/0001-switchroot-Ensure-sysroot-is-set-to-private-propagat.patch
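Review bot: The relabel in `install_into_boot` only happens on the copy fallback, so when `linkat` succeeds the kernel/initramfs under /boot keeps whatever context the inode already carries in the deployment tree — a hardlink shares the source's security xattr, so the `modules_object_t` case from the commit message would presumably persist whenever /boot is on the same filesystem as the deployment. If the intent is that the installed files always end up `boot_t`, consider copying under the prepared fscreatecon unconditionally rather than trying the link first, or at least state the hardlink case in the function's header comment. Separately, `flags` is no longer read anywhere in the new body because the `sysroot_flags_to_copy_flags (0, flags)` call became a constant `GLNX_FILE_COPY_NOXATTRS`; either drop the parameter at the two call sites or keep honouring the debug flags with `sysroot_flags_to_copy_flags (GLNX_FILE_COPY_NOXATTRS, flags)`. The tail of `install_into_boot` after the `linkat` error branch lies outside the hunk.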
@@ -0,0 +1,67 @@
+From 2b8d586c5a10e9574acd1ae49a60cbf11cf22830 Mon Sep 17 00:00:00 2001
+From: Colin Walters
+Date: Mon, 29 Jan 2018 13:48:02 +0100
+Subject: [PATCH] switchroot: Ensure /sysroot is set to "private" propagation
+
+Downstream BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1498281
+
+This came up as a problem with `oci-umount` which was trying to ensure some host
+mounts like `/var/lib/containers` don't leak into privileged containers. But
+since our `/sysroot` mount wasn't private we also got a copy there.
+
+We should have done this from the very start - it makes `findmnt` way, way less
+ugly and is just the obviously right thing to do, will possibly create world
+peace etc.
+
+Closes: #1438
+Approved by: rhvgoyal
+---
+ src/switchroot/ostree-prepare-root.c | 11 +++++++++++
+ src/switchroot/ostree-remount.c | 9 +++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/src/switchroot/ostree-prepare-root.c b/src/switchroot/ostree-prepare-root.c
+index 43e15fcc..671a6a26 100644
+--- a/src/switchroot/ostree-prepare-root.c
++++ b/src/switchroot/ostree-prepare-root.c
+@@ -244,6 +244,17 @@ main(int argc, char *argv[])
+ err (EXIT_FAILURE, "failed to MS_MOVE %s to %s", deploy_path, root_mountpoint);
+ }
+
++ /* The /sysroot mount needs to be private to avoid having a mount for e.g. /var/cache
++ * also propagate to /sysroot/ostree/deploy/$stateroot/var/cache
++ *
++ * Now in reality, today this is overridden by systemd: the *actual* way we fix this up
++ * is in ostree-remount.c. But let's do it here to express the semantics we want
++ * at the very start (perhaps down the line systemd will have compile/runtime option
++ * to say that the initramfs environment did everything right from the start).
++ */
++ if (mount ("none", "sysroot", NULL, MS_PRIVATE, NULL) < 0)
++ err (EXIT_FAILURE, "remounting 'sysroot' private");
++
+ if (getpid() == 1)
+ {
+ execl ("/sbin/init", "/sbin/init", NULL);
+diff --git a/src/switchroot/ostree-remount.c b/src/switchroot/ostree-remount.c
+index fe6b6f44..cc2b81b3 100644
+--- a/src/switchroot/ostree-remount.c
++++ b/src/switchroot/ostree-remount.c
+@@ -44,6 +44,15 @@ main(int argc, char *argv[])
+ struct stat stbuf;
+ int i;
+
++ /* The /sysroot mount needs to be private to avoid having a mount for e.g. /var/cache
++ * also propagate to /sysroot/ostree/deploy/$stateroot/var/cache
++ *
++ * Today systemd remounts / (recursively) as shared, so we're undoing that as early
++ * as possible. See also a copy of this in ostree-prepare-root.c.
++ */
++ if (mount ("none", "/sysroot", NULL, MS_REC | MS_PRIVATE, NULL) < 0)
++ perror ("warning: While remounting /sysroot MS_PRIVATE");
++
+ if (path_is_on_readonly_fs ("/"))
+ {
+ /* If / isn't writable, don't do any remounts; we don't want
+--
+2.14.3
+
diff --git a/SPECS/ostree.spec b/SPECS/ostree.spec
index 12e7646..c74c97f 100644
--- a/SPECS/ostree.spec
+++ b/SPECS/ostree.spec
@@ -1,7 +1,7 @@
 Summary: Tool for managing bootable, immutable filesystem trees
 Name: ostree
-Version: 2017.14
-Release: 2%{?dist}
+Version: 2018.1
+Release: 4%{?dist}
 #VCS: git:https://github.com/ostreedev/ostree
 # The source tarball is generated via make -C packaging dist-snapshot
 # which handles git submodules.
@@ -10,6 +10,11 @@ Source1: 91-ostree.preset
 License: LGPLv2+
 URL: https://github.com/ostreedev/ostree
+# https://bugzilla.redhat.com/show_bug.cgi?id=1498281
+Patch0: 0001-switchroot-Ensure-sysroot-is-set-to-private-propagat.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1536991
+Patch1: 0001-deploy-SELinux-relabel-installed-kernel-initramfs-da.patch
+
 # For autosetup
 BuildRequires: git
 # We always run autogen.sh
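Review bot: The two copies of the /sysroot private remount are not equivalent: ostree-prepare-root.c passes `MS_PRIVATE` alone while ostree-remount.c passes `MS_REC | MS_PRIVATE`, so any mount already nested under sysroot when prepare-root runs would keep shared propagation there. Since the ostree-remount.c comment calls the other site "a copy of this", the same semantics are presumably intended; `if (mount ("none", "sysroot", NULL, MS_REC | MS_PRIVATE, NULL) < 0)` would make them agree. The failure handling also differs — prepare-root aborts with `err (EXIT_FAILURE, ...)` while remount only `perror`s — which deserves a one-line comment explaining why a propagation failure must halt boot in the initramfs but is tolerable later. Note also that prepare-root uses the relative path "sysroot", which presumably relies on a working directory established earlier in `main`, outside the hunk.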
@@ -151,8 +156,18 @@ rm -rf $RPM_BUILD_ROOT
 %endif
 %changelog
-* Tue Dec 05 2017 Jonathan Lebon - 2017.14-2
-- Rebuild for 7.4
+* Mon Feb 05 2018 Colin Walters - 2018.1-4
+- Backport patch for SELinux labels of kernels in /boot
+- Resolves: #1536991
+
+* Tue Jan 30 2018 Colin Walters - 2018.1-3
+- Backport patch to fix mount propagation of /sysroot
+- Resolves: #1498281
+
+* Fri Jan 19 2018 Colin Walters - 2018.1-2
+- New upstream version for 7.5.0
+- https://github.com/ostreedev/ostree/releases/tag/v2018.1
+- https://github.com/ostreedev/ostree/releases/tag/v2017.15
 * Tue Dec 05 2017 Jonathan Lebon - 2017.14-1
 - New upstream version for 7.4.4