From 4e3c41be9f7b62e015a5fdea277b6c3a38c7a97f Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Tue, 10 Dec 2019 15:59:20 +0000 Subject: [PATCH] kernel: Append /dev/{u,}random to initrd instead of dracut caps Rather than giving dracut `cap_mknod` which won't work in unprivileged scenarios, append a tiny static pre-generated CPIO blob with `/dev/random` and `/dev/urandom` to the output of dracut. This is a hack until dracut does this itself. But the problem is patches to dracut will take eleven billion years to ship in RHCOS. Closes: https://github.com/coreos/rpm-ostree/issues/1950 --- src/libpriv/dracut-random.cpio.gz | Bin 0 -> 171 bytes src/libpriv/gresources.xml | 2 ++ src/libpriv/rpmostree-kernel.c | 30 ++++++++++++++++++++++++------ 3 files changed, 26 insertions(+), 6 deletions(-) create mode 100644 src/libpriv/dracut-random.cpio.gz diff --git a/src/libpriv/dracut-random.cpio.gz b/src/libpriv/dracut-random.cpio.gz new file mode 100644 index 0000000000000000000000000000000000000000..53104ced8c8b39f3deca955474c3f64f40aa40ac GIT binary patch literal 171 zcmV;c095}UiwFqyuba$#;{Z*4APaA|J+g;ATp|4w!isP}&K}PW__9yp;T026VfPscg3;ly*k8yA*D@0Y=;sVJ4{n?(dKw ZM^7KuAVoz*hEXtN006ZxAr=4x0007mMr{B9 literal 0 HcmV?d00001 diff --git a/src/libpriv/gresources.xml b/src/libpriv/gresources.xml index 371a24cea6..53d57b9cd6 100644 --- a/src/libpriv/gresources.xml +++ b/src/libpriv/gresources.xml @@ -2,5 +2,7 @@ systemctl-wrapper.sh + + dracut-random.cpio.gz diff --git a/src/libpriv/rpmostree-kernel.c b/src/libpriv/rpmostree-kernel.c index a7fffcb674..47092aa820 100644 --- a/src/libpriv/rpmostree-kernel.c +++ b/src/libpriv/rpmostree-kernel.c 
@@ -494,6 +494,7 @@ rpmostree_run_dracut (int rootfs_dfd,
 g_autoptr(RpmOstreeBwrap) bwrap = NULL;
 g_autoptr(GPtrArray) rebuild_argv = NULL;
 g_auto(GLnxTmpfile) tmpf = { 0, };
+ g_autoptr(GBytes) random_cpio_data = NULL;
 
 /* Previously we used to error out if argv or rebuild_from_initramfs were both
 * not set; now we simply use the defaults (which in Fedora today also means
@@ -564,12 +565,6 @@ rpmostree_run_dracut (int rootfs_dfd,
 rpmostree_bwrap_bind_read (bwrap, "usr", "/usr");
 }
 
- /* Need to let dracut create devices like /dev/urandom:
- * https://bugzilla.redhat.com/show_bug.cgi?id=1778940
- * https://bugzilla.redhat.com/show_bug.cgi?id=1401444
- * https://bugzilla.redhat.com/show_bug.cgi?id=1380866 */
- rpmostree_bwrap_append_bwrap_argv (bwrap, "--cap-add", "cap_mknod", NULL);
-
 if (dracut_host_tmpdir)
 rpmostree_bwrap_bind_readwrite (bwrap, dracut_host_tmpdir->path, "/tmp/dracut");
 
@@ -586,6 +581,29 @@ rpmostree_run_dracut (int rootfs_dfd,
 if (!rpmostree_bwrap_run (bwrap, cancellable, error))
 goto out;
 
+ /* For FIPS mode we need /dev/urandom pre-created because the FIPS
+ * standards authors require that randomness is tested in a
+ * *shared library constructor* (instead of first use as would be
+ * the sane thing).
+ * https://bugzilla.redhat.com/show_bug.cgi?id=1778940
+ * https://bugzilla.redhat.com/show_bug.cgi?id=1401444
+ * https://bugzilla.redhat.com/show_bug.cgi?id=1380866
+ * */
+ random_cpio_data = g_resources_lookup_data ("/rpmostree/dracut-random.cpio.gz",
+ G_RESOURCE_LOOKUP_FLAGS_NONE,
+ error);
+ if (!random_cpio_data)
+ return FALSE;
+ gsize random_cpio_data_len = 0;
+ const guint8* random_cpio_data_p = g_bytes_get_data (random_cpio_data, &random_cpio_data_len);
+ if (lseek (tmpf.fd, 0, SEEK_END) < 0)
+ return glnx_throw_errno_prefix (error, "lseek");
+ if (glnx_loop_write (tmpf.fd, random_cpio_data_p, random_cpio_data_len) < 0)
+ {
+ glnx_set_error_from_errno (error);
+ goto out;
+ }
+
 if (rebuild_from_initramfs)
 (void) unlinkat (rootfs_dfd, rebuild_from_initramfs, 0);
 
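Review bot: The new code mixes two error-exit styles in one function: the `g_resources_lookup_data` failure does `return FALSE;` and the `lseek` failure returns directly, while the `glnx_loop_write` failure (and the existing `rpmostree_bwrap_run` check just above) use `goto out`; the two early returns bypass whatever the `out:` label does, which lies outside this hunk, so they should become `goto out` too, e.g. `if (lseek (tmpf.fd, 0, SEEK_END) < 0) { glnx_throw_errno_prefix (error, "lseek"); goto out; }`. The write-failure branch also reports a bare errno where the seek branch carries a prefix; `glnx_throw_errno_prefix (error, "write"); goto out;` would keep the two messages uniform. Because the appended archive is an opaque binary resource compiled into the program, the comment should state what the blob contains (per the commit message, only the `/dev/random` and `/dev/urandom` character-device entries), how it was generated so a maintainer can reproduce and audit it, and that appending it relies on the kernel unpacking concatenated cpio archives from the initramfs image. The `* */` closing the comment block looks unintentional. rpmostree_run_dracut's body, including the `out:` label, continues outside the hunk.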