From 293b4343209f22e7f369f0f08c80fd35d740665b Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Fri, 18 Oct 2024 08:41:05 -0400 Subject: [PATCH] deploy: Don't copy xattrs for devicetree For the kernel/initramfs that we copy to `/boot` we use an explicit relabeling today, ignoring the source SELinux context. When we added handling for devicetree it reuse the `copy_dir_recurse` we have for `etc` handling, and that copied the source xattrs. Let's ensure that the devicetree is also `boot_t` by *not* copying xattrs and relying on the default labeling. --- src/libostree/ostree-sysroot-deploy.c | 31 +++++++++++++++------------ 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c index d52eecf3de..a105b768e5 100644 --- a/src/libostree/ostree-sysroot-deploy.c +++ b/src/libostree/ostree-sysroot-deploy.c @@ -184,8 +184,8 @@ install_into_boot (OstreeRepo *repo, OstreeSePolicy *sepolicy, int src_dfd, cons /* Copy ownership, mode, and xattrs from source directory to destination */ static gboolean dirfd_copy_attributes_and_xattrs (int src_parent_dfd, const char *src_name, int src_dfd, - int dest_dfd, OstreeSysrootDebugFlags flags, - GCancellable *cancellable, GError **error) + int dest_dfd, GLnxFileCopyFlags flags, GCancellable *cancellable, + GError **error) { g_autoptr (GVariant) xattrs = NULL; @@ -193,7 +193,7 @@ dirfd_copy_attributes_and_xattrs (int src_parent_dfd, const char *src_name, int * right. This will allow other users access if they have ACLs, but * oh well. */ - if (!(flags & OSTREE_SYSROOT_DEBUG_NO_XATTRS)) + if (!(flags & GLNX_FILE_COPY_NOXATTRS)) { if (!glnx_dfd_name_get_all_xattrs (src_parent_dfd, src_name, &xattrs, cancellable, error)) return FALSE; @@ -284,7 +284,8 @@ checksum_dir_recurse (int dfd, const char *path, OtChecksum *checksum, GCancella static gboolean copy_dir_recurse (int src_parent_dfd, int dest_parent_dfd, const char *name, - OstreeSysrootDebugFlags flags, GCancellable *cancellable, GError **error) + GLnxFileCopyFlags copy_flags, OstreeSysrootDebugFlags sysroot_flags, + GCancellable *cancellable, GError **error) { g_auto (GLnxDirFdIterator) src_dfd_iter = { 0, @@ -302,8 +303,8 @@ copy_dir_recurse (int src_parent_dfd, int dest_parent_dfd, const char *name, if (!glnx_opendirat (dest_parent_dfd, name, TRUE, &dest_dfd, error)) return FALSE; - if (!dirfd_copy_attributes_and_xattrs (src_parent_dfd, name, src_dfd_iter.fd, dest_dfd, flags, - cancellable, error)) + if (!dirfd_copy_attributes_and_xattrs (src_parent_dfd, name, src_dfd_iter.fd, dest_dfd, + copy_flags, cancellable, error)) return glnx_prefix_error (error, "Copying attributes of %s", name); while (TRUE) @@ -320,18 +321,18 @@ copy_dir_recurse (int src_parent_dfd, int dest_parent_dfd, const char *name, if (S_ISDIR (child_stbuf.st_mode)) { - if (!copy_dir_recurse (src_dfd_iter.fd, dest_dfd, dent->d_name, flags, cancellable, - error)) + if (!copy_dir_recurse (src_dfd_iter.fd, dest_dfd, dent->d_name, copy_flags, sysroot_flags, + cancellable, error)) return FALSE; } else { if (S_ISLNK (child_stbuf.st_mode) || S_ISREG (child_stbuf.st_mode)) { + GLnxFileCopyFlags final_copy_flags = sysroot_flags_to_copy_flags ( + GLNX_FILE_COPY_OVERWRITE | copy_flags, sysroot_flags); if (!glnx_file_copy_at (src_dfd_iter.fd, dent->d_name, &child_stbuf, dest_dfd, - dent->d_name, - sysroot_flags_to_copy_flags (GLNX_FILE_COPY_OVERWRITE, flags), - cancellable, error)) + dent->d_name, final_copy_flags, cancellable, error)) return glnx_prefix_error (error, "Copying %s", dent->d_name); } else @@ -468,7 +469,7 @@ copy_modified_config_file (int orig_etc_fd, int modified_etc_fd, int new_etc_fd, if (S_ISDIR (modified_stbuf.st_mode)) { - if (!copy_dir_recurse (modified_etc_fd, new_etc_fd, path, flags, cancellable, error)) + if (!copy_dir_recurse (modified_etc_fd, new_etc_fd, path, 0, flags, cancellable, error)) return FALSE; } else if (S_ISLNK (modified_stbuf.st_mode) || S_ISREG (modified_stbuf.st_mode)) @@ -1900,9 +1901,11 @@ install_deployment_kernel (OstreeSysroot *sysroot, int new_bootversion, } else { + // Don't copy xattrs for devicetree; Fedora derives label them modules_t which is + // wrong for when they're installed, we want the default boot_t. if (!copy_dir_recurse (kernel_layout->boot_dfd, bootcsum_dfd, - kernel_layout->devicetree_srcpath, sysroot->debug_flags, - cancellable, error)) + kernel_layout->devicetree_srcpath, GLNX_FILE_COPY_NOXATTRS, + sysroot->debug_flags, cancellable, error)) return FALSE; } }