From 83b385bc598434a77b0a43b1ce36fe4ccdf2b0e8 Mon Sep 17 00:00:00 2001
From: Jonathan Lebon
Date: Wed, 17 Jun 2020 12:21:02 -0400
Subject: [PATCH] libpriv/scripts: Replace crypto-policies lua script
The latest crypto-policies package changed recently to dynamically set the policy at install time so that if FIPS is enabled, the selected backend is `FIPS`: https://src.fedoraproject.org/rpms/crypto-policies/c/9b9c9f7378c3fd375b9a08d5283c530a51a5de34?branch=master This doesn't really make sense for us though since the compose server configuration should be decoupled from the installroot. (More generally, this also affects e.g. `yum install --installroot`). Override the script for now so that we always select the `DEFAULT` policy. We'll discuss with upstream to see what the right solution is there. This also works around the fact that rpm-ostree doesn't yet implement Lua (#749). Related: https://bugzilla.redhat.com/show_bug.cgi?id=1847454 Resolves: https://github.com/coreos/fedora-coreos-tracker/issues/540
---
 src/libpriv/rpmostree-scripts.c | 14 ++++++++++++++
 tests/kolainst/nondestructive/misc.sh | 4 ++++
 2 files changed, 18 insertions(+)
diff --git a/src/libpriv/rpmostree-scripts.c b/src/libpriv/rpmostree-scripts.c
index 4de07b723b..035f21f18e 100644
--- a/src/libpriv/rpmostree-scripts.c
+++ b/src/libpriv/rpmostree-scripts.c
@@ -170,6 +170,20 @@ static const RpmOstreeLuaReplacement lua_replacements[] = {
 "libdir=" LIBDIR "\n"
 "exec iconvconfig -o ${libdir}/gconv/gconv-modules.cache --nostdlib ${libdir}/gconv"
 },
+ /* See https://bugzilla.redhat.com/show_bug.cgi?id=1847454.
+ * Code originally introduced in:
+ * https://src.fedoraproject.org/rpms/crypto-policies/c/9b9c9f7378c3fd375b9a08d5283c530a51a5de34?branch=master
+ * Keying off the installed machines FIPS mode for the installroot doesn't make sense, so
+ * just revert back to baking in the DEFAULT config.
+ */
+ { "crypto-policies.post",
+ "/usr/bin/bash",
+ "cp " DATADIR "/crypto-policies/default-config " SYSCONFDIR "/crypto-policies/config\n"
+ "echo DEFAULT > " SYSCONFDIR "/crypto-policies/state/current\n"
+ "for f in " DATADIR "/crypto-policies/DEFAULT/*; do\n"
+ " ln -sf $f " SYSCONFDIR "/crypto-policies/back-ends/$(basename $f .txt).config\n"
+ "done"
+ },
 /* Just for the tests */
 { "rpmostree-lua-override-test.post",
 "/usr/bin/sh",
diff --git a/tests/kolainst/nondestructive/misc.sh b/tests/kolainst/nondestructive/misc.sh
index 1679f2b492..6b8082229f 100755
--- a/tests/kolainst/nondestructive/misc.sh
+++ b/tests/kolainst/nondestructive/misc.sh
@@ -81,3 +81,7 @@ echo "ok coreos-rootfs seal"
 # Reload as root https://github.com/projectatomic/rpm-ostree/issues/976
 rpm-ostree reload
 echo "ok reload"
+
+# See rpmostree-scripts.c
+grep ^DEFAULT /etc/crypto-policies/config
+echo "ok crypto-policies DEFAULT backend"
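Review bot: The replacement body for `crypto-policies.post` has no error handling, so a failed `cp` or `echo` is masked by the exit status of the last `ln` in the loop, and the installroot can be left with `config`, `state/current` and the `back-ends` links disagreeing about the active policy. Unless the script runner already invokes bash with `-e` (not visible in this hunk), the body should start with `"set -e\n"`. The loop also expands `$f` unquoted and, when the glob matches nothing, links the literal pattern; quoting as `ln -sf "$f" …/back-ends/"$(basename "$f" .txt)".config` and adding `[ -e "$f" ] || continue` would cover both. The comment could also say outright that the image is always composed with DEFAULT whatever the FIPS state, since that is the consequence an operator needs to know. The `lua_replacements[]` array starts and ends outside the hunk.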
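Review bot: The new assertion only inspects `/etc/crypto-policies/config`, while the override script also writes `state/current` and the `back-ends/*.config` symlinks; a regression in either of those would still pass this test. `^DEFAULT` is a prefix match and prints the matched line to the log, so `grep -qx DEFAULT /etc/crypto-policies/config` (assuming the file holds the bare policy name on a line of its own) and the same check on `/etc/crypto-policies/state/current` would be tighter. A `readlink` over `/etc/crypto-policies/back-ends/*.config` asserting that each target lies under `/crypto-policies/DEFAULT/` would cover the loop. Whether a failing `grep` aborts the test depends on the script's `set -e` state, which is outside the hunk.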