diff --git a/.gitignore b/.gitignore
index d40d4ca..aca1a0c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/libostree-2018.1.tar.xz
+SOURCES/libostree-2018.5.tar.xz
diff --git a/.ostree.metadata b/.ostree.metadata
index 1377786..53d5555 100644
--- a/.ostree.metadata
+++ b/.ostree.metadata
@@ -1 +1 @@
-6f8cd6291a19068606fabec3e91fd6e59af86b79 SOURCES/libostree-2018.1.tar.xz
+d4358ab204553ee86b1dc185d069c8c2a39f0d84 SOURCES/libostree-2018.5.tar.xz
diff --git a/SOURCES/0001-deploy-SELinux-relabel-installed-kernel-initramfs-da.patch b/SOURCES/0001-deploy-SELinux-relabel-installed-kernel-initramfs-da.patch
deleted file mode 100644
index 00d9292..0000000
--- a/SOURCES/0001-deploy-SELinux-relabel-installed-kernel-initramfs-da.patch
+++ /dev/null
@@ -1,114 +0,0 @@
-From 9455cc49a6c53d7d5680031bcd5cb8d64ff9ca7d Mon Sep 17 00:00:00 2001
-From: rpm-build
-Date: Mon, 5 Feb 2018 17:51:40 +0000
-Subject: [PATCH] deploy: SELinux-relabel installed kernel/initramfs data
-
-When we changed around the kernel location in rpm-ostree, we
-started installing the kernel into `/boot` as `modules_object_t`,
-and the current policy didn't permit that. For maximum compatibility,
-relabel installed kernel/initramfs/dtb as `boot_t`.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1536991
----
- src/libostree/ostree-sysroot-deploy.c | 60 ++++++++++++++++++++++++-----------
- 1 file changed, 41 insertions(+), 19 deletions(-)
-
-diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c
-index 5dc5bde..63ed149 100644
---- a/src/libostree/ostree-sysroot-deploy.c
-+++ b/src/libostree/ostree-sysroot-deploy.c
-@@ -97,20 +97,38 @@ sysroot_flags_to_copy_flags (GLnxFileCopyFlags defaults,
- * hardlink if we're on the same partition.
- */
- static gboolean
--hardlink_or_copy_at (int src_dfd,
-- const char *src_subpath,
-- int dest_dfd,
-- const char *dest_subpath,
-- OstreeSysrootDebugFlags flags,
-- GCancellable *cancellable,
-- GError **error)
-+install_into_boot (OstreeSePolicy *sepolicy,
-+ int src_dfd,
-+ const char *src_subpath,
-+ int dest_dfd,
-+ const char *dest_subpath,
-+ OstreeSysrootDebugFlags flags,
-+ GCancellable *cancellable,
-+ GError **error)
- {
- if (linkat (src_dfd, src_subpath, dest_dfd, dest_subpath, 0) != 0)
- {
- if (G_IN_SET (errno, EMLINK, EXDEV))
-- return glnx_file_copy_at (src_dfd, src_subpath, NULL, dest_dfd, dest_subpath,
-- sysroot_flags_to_copy_flags (0, flags),
-- cancellable, error);
-+ {
-+ /* Be sure we relabel when copying the kernel, as in current
-+ * e.g. Fedora it might be labeled module_object_t or usr_t,
-+ * but policy may not allow other processes to read from that
-+ * like kdump.
-+ * See also https://github.com/fedora-selinux/selinux-policy/commit/747f4e6775d773ab74efae5aa37f3e5e7f0d4aca
-+ * This means we also drop xattrs but...I doubt anyone uses
-+ * non-SELinux xattrs for the kernel anyways aside from perhaps
-+ * IMA but that's its own story.
-+ */
-+ g_auto(OstreeSepolicyFsCreatecon) fscreatecon = { 0, };
-+ const char *boot_path = glnx_strjoina ("/boot/", glnx_basename (dest_subpath));
-+ if (!_ostree_sepolicy_preparefscreatecon (&fscreatecon, sepolicy,
-+ boot_path, S_IFREG | 0644,
-+ error))
-+ return FALSE;
-+ return glnx_file_copy_at (src_dfd, src_subpath, NULL, dest_dfd, dest_subpath,
-+ GLNX_FILE_COPY_NOXATTRS,
-+ cancellable, error);
-+ }
- else
- return glnx_throw_errno_prefix (error, "linkat(%s)", dest_subpath);
- }
-@@ -1567,6 +1585,11 @@ install_deployment_kernel (OstreeSysroot *sysroot,
- &deployment_dfd, error))
- return FALSE;
-
-+ /* We need to label the kernels */
-+ g_autoptr(OstreeSePolicy) sepolicy = ostree_sepolicy_new_at (deployment_dfd, cancellable, error);
-+ if (!sepolicy)
-+ return FALSE;
-+
- /* Find the kernel/initramfs in the tree */
- g_autoptr(OstreeKernelLayout) kernel_layout = NULL;
- if (!get_kernel_from_tree (deployment_dfd, &kernel_layout,
-@@ -1602,11 +1625,10 @@ install_deployment_kernel (OstreeSysroot *sysroot,
- return FALSE;
- if (errno == ENOENT)
- {
-- if (!hardlink_or_copy_at (kernel_layout->boot_dfd,
-- kernel_layout->kernel_srcpath,
-- bootcsum_dfd, kernel_layout->kernel_namever,
-- sysroot->debug_flags,
-- cancellable, error))
-+ if (!install_into_boot (sepolicy, kernel_layout->boot_dfd, kernel_layout->kernel_srcpath,
-+ bootcsum_dfd, kernel_layout->kernel_namever,
-+ sysroot->debug_flags,
-+ cancellable, error))
- return FALSE;
- }
-
-@@ -1620,10 +1642,10 @@ install_deployment_kernel (OstreeSysroot *sysroot,
- return FALSE;
- if (errno == ENOENT)
- {
-- if (!hardlink_or_copy_at (kernel_layout->boot_dfd, kernel_layout->initramfs_srcpath,
-- bootcsum_dfd, kernel_layout->initramfs_namever,
-- sysroot->debug_flags,
-- cancellable, error))
-+ if (!install_into_boot (sepolicy, kernel_layout->boot_dfd, kernel_layout->initramfs_srcpath,
-+ bootcsum_dfd, kernel_layout->initramfs_namever,
-+ sysroot->debug_flags,
-+ cancellable, error))
- return FALSE;
- }
- }
---
-2.14.3
-
diff --git a/SOURCES/0001-switchroot-Ensure-sysroot-is-set-to-private-propagat.patch b/SOURCES/0001-switchroot-Ensure-sysroot-is-set-to-private-propagat.patch
deleted file mode 100644
index dbdf748..0000000
--- a/SOURCES/0001-switchroot-Ensure-sysroot-is-set-to-private-propagat.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 2b8d586c5a10e9574acd1ae49a60cbf11cf22830 Mon Sep 17 00:00:00 2001
-From: Colin Walters
-Date: Mon, 29 Jan 2018 13:48:02 +0100
-Subject: [PATCH] switchroot: Ensure /sysroot is set to "private" propagation
-
-Downstream BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1498281
-
-This came up as a problem with `oci-umount` which was trying to ensure some host
-mounts like `/var/lib/containers` don't leak into privileged containers. But
-since our `/sysroot` mount wasn't private we also got a copy there.
-
-We should have done this from the very start - it makes `findmnt` way, way less
-ugly and is just the obviously right thing to do, will possibly create world
-peace etc.
-
-Closes: #1438
-Approved by: rhvgoyal
----
- src/switchroot/ostree-prepare-root.c | 11 +++++++++++
- src/switchroot/ostree-remount.c | 9 +++++++++
- 2 files changed, 20 insertions(+)
-
-diff --git a/src/switchroot/ostree-prepare-root.c b/src/switchroot/ostree-prepare-root.c
-index 43e15fcc..671a6a26 100644
---- a/src/switchroot/ostree-prepare-root.c
-+++ b/src/switchroot/ostree-prepare-root.c
-@@ -244,6 +244,17 @@ main(int argc, char *argv[])
- err (EXIT_FAILURE, "failed to MS_MOVE %s to %s", deploy_path, root_mountpoint);
- }
-
-+ /* The /sysroot mount needs to be private to avoid having a mount for e.g. /var/cache
-+ * also propagate to /sysroot/ostree/deploy/$stateroot/var/cache
-+ *
-+ * Now in reality, today this is overridden by systemd: the *actual* way we fix this up
-+ * is in ostree-remount.c. But let's do it here to express the semantics we want
-+ * at the very start (perhaps down the line systemd will have compile/runtime option
-+ * to say that the initramfs environment did everything right from the start).
-+ */
-+ if (mount ("none", "sysroot", NULL, MS_PRIVATE, NULL) < 0)
-+ err (EXIT_FAILURE, "remounting 'sysroot' private");
-+
- if (getpid() == 1)
- {
- execl ("/sbin/init", "/sbin/init", NULL);
-diff --git a/src/switchroot/ostree-remount.c b/src/switchroot/ostree-remount.c
-index fe6b6f44..cc2b81b3 100644
---- a/src/switchroot/ostree-remount.c
-+++ b/src/switchroot/ostree-remount.c
-@@ -44,6 +44,15 @@ main(int argc, char *argv[])
- struct stat stbuf;
- int i;
-
-+ /* The /sysroot mount needs to be private to avoid having a mount for e.g. /var/cache
-+ * also propagate to /sysroot/ostree/deploy/$stateroot/var/cache
-+ *
-+ * Today systemd remounts / (recursively) as shared, so we're undoing that as early
-+ * as possible. See also a copy of this in ostree-prepare-root.c.
-+ */
-+ if (mount ("none", "/sysroot", NULL, MS_REC | MS_PRIVATE, NULL) < 0)
-+ perror ("warning: While remounting /sysroot MS_PRIVATE");
-+
- if (path_is_on_readonly_fs ("/"))
- {
- /* If / isn't writable, don't do any remounts; we don't want
---
-2.14.3
-
diff --git a/SOURCES/91-ostree.preset b/SOURCES/91-ostree.preset
deleted file mode 100644
index ad0970b..0000000
--- a/SOURCES/91-ostree.preset
+++ /dev/null
@@ -1 +0,0 @@
-enable ostree-remount.service
diff --git a/SPECS/ostree.spec b/SPECS/ostree.spec
index c74c97f..9b92646 100644
--- a/SPECS/ostree.spec
+++ b/SPECS/ostree.spec
@@ -1,20 +1,14 @@
 Summary: Tool for managing bootable, immutable filesystem trees
 Name: ostree
-Version: 2018.1
-Release: 4%{?dist}
+Version: 2018.5
+Release: 1%{?dist}
 #VCS: git:https://github.com/ostreedev/ostree
 # The source tarball is generated via make -C packaging dist-snapshot
 # which handles git submodules.
 Source0: https://github.com/ostreedev/%{name}/releases/download/v%{version}/libostree-%{version}.tar.xz
-Source1: 91-ostree.preset
 License: LGPLv2+
 URL: https://github.com/ostreedev/ostree
-# https://bugzilla.redhat.com/show_bug.cgi?id=1498281
-Patch0: 0001-switchroot-Ensure-sysroot-is-set-to-private-propagat.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1536991
-Patch1: 0001-deploy-SELinux-relabel-installed-kernel-initramfs-da.patch
-
 # For autosetup
 BuildRequires: git
 # We always run autogen.sh
@@ -103,7 +97,6 @@ make %{?_smp_mflags}
 %install
 make install DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p -c"
 find $RPM_BUILD_ROOT -name '*.la' -delete
-install -D -m 0644 %{SOURCE1} $RPM_BUILD_ROOT/%{_prefix}/lib/systemd/system-preset/91-ostree.preset
 # Right now we aren't doing installed tests here
 rm -f %{buildroot}%{_libexecdir}/libostree/ostree-trivial-httpd
@@ -131,11 +124,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/girepository-1.0/OSTree-1.0.typelib
 %{_mandir}/man*/*.gz
 %{_prefix}/lib/systemd/system-generators/ostree-system-generator
-%{_prefix}/lib/systemd/system-preset/91-ostree.preset
 %exclude %{_sysconfdir}/grub.d/*ostree
 %exclude %{_libexecdir}/libostree/grub2*
-%{_prefix}/lib/ostree/ostree-prepare-root
-%{_prefix}/lib/ostree/ostree-remount
+%{_prefix}/lib/ostree
 %{_prefix}/lib/tmpfiles.d/*
 %{_libexecdir}/libostree/*
@@ -156,6 +147,9 @@ rm -rf $RPM_BUILD_ROOT
 %endif
 %changelog
+* Tue May 29 2018 Jonathan Lebon - 2018.5-1
+- New upstream version for 7.5.2
+
 * Mon Feb 05 2018 Colin Walters - 2018.1-4
 - Backport patch for SELinux labels of kernels in /boot
 - Resolves: #1536991
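Review bot: The new changelog entry `- New upstream version for 7.5.2` does not record why the first hunk drops Patch0 and Patch1 (the /sysroot MS_PRIVATE propagation fix for BZ 1498281 and the boot_t relabel of kernel/initramfs copied into /boot for BZ 1536991) together with `Source1: 91-ostree.preset`, nor how `ostree-remount.service` stays enabled once the preset that enabled it is gone. Presumably both patches landed upstream between 2018.1 and 2018.5, but nothing in this diff shows that, and an unexplained drop is exactly how a mount-propagation or SELinux-labeling regression slips into a rebase; the entry should carry the bug references and the enablement story, e.g. `- Drop patches merged upstream (#1498281, #1536991)` and `- Drop 91-ostree.preset: ostree-remount.service enabled by upstream install (verified)`. Relatedly, replacing the two explicit `%{_prefix}/lib/ostree/...` entries with the bare `%{_prefix}/lib/ostree` directory packages whatever upstream installs there without review; keep the explicit file entries or add a one-line comment stating the directory glob is intentional.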