NAS-132668 / 24.10.2 / Make FIPS not use ReadonlyRootfsManager as due to systemd-sysext … (by themylogin) #15016

Merged
merged 1 commit into from
Nov 22, 2024
Merged
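--- a/debian/debian/preinst
+++ b/debian/debian/preinst
@@ -0,0 +1,5 @@
+#!/bin/sh -ex
+
+mkdir -p /var/lib/ssl
+mv /usr/lib/ssl/fipsmodule.cnf /var/lib/ssl/fipsmodule.cnf
+ln -s /var/lib/ssl/fipsmodule.cnf /usr/lib/ssl/fipsmodule.cnf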
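Review bot: The script is not re-runnable under `set -e`: on a reinstall or upgrade `/usr/lib/ssl/fipsmodule.cnf` is already the symlink created by the `ln -s`, so the `mv` either errors out (aborting the package operation) or, depending on how mv treats a symlink source, replaces the real file in `/var/lib/ssl` with a self-referential link and the module config is lost. Guard the move on the link not existing yet, e.g. `[ -L /usr/lib/ssl/fipsmodule.cnf ] || { mv /usr/lib/ssl/fipsmodule.cnf /var/lib/ssl/fipsmodule.cnf && ln -s /var/lib/ssl/fipsmodule.cnf /usr/lib/ssl/fipsmodule.cnf; }`. The script also assumes the source file is present at preinst time, which holds only if the package shipping it is unpacked first; if that is not already guaranteed by a Pre-Depends, an `[ -e /usr/lib/ssl/fipsmodule.cnf ]` check should precede the move. A `case "$1" in install|upgrade)` block would make the intended maintainer-script phases explicit.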
Empty file modified src/freenas/debian/preinst
100644 → 100755
Empty file.
28 changes: 1 addition & 27 deletions src/middlewared/middlewared/scripts/configure_fips.py
Expand Up @@ -3,7 +3,6 @@
import shutil
import sqlite3
import subprocess
import typing

from middlewared.utils.db import query_config_table

Expand Down Expand Up @@ -38,42 +37,17 @@ def configure_fips(enable_fips: bool) -> None:
modify_openssl_config(enable_fips)


def get_active_be() -> typing.Optional[str]:
cp = subprocess.run(['zfs', 'get', '-o', 'name', '-H', 'name', '/'], capture_output=True, check=False)
if cp.returncode or not (active_be := cp.stdout.decode().strip()):
return None

return active_be


def set_readonly(readonly: bool) -> None:
active_be = get_active_be()
if not active_be or subprocess.run(
['zfs', 'get', '-H', 'truenas:developer', active_be], capture_output=True, check=False
).stdout.decode().split()[-2] == 'on':
# We do not want to do anything here if developer mode is enabled or if we are not able to find active be
# because we are in chroot env in that case
return

subprocess.run(
['zfs', 'set', f'readonly={"on" if readonly else "off"}', os.path.join(active_be, 'usr')],
capture_output=True, check=False
)


def main() -> None:
validate_system_state()
try:
security_settings = query_config_table('system_security')
except (sqlite3.OperationalError, IndexError):
# This is for the case when users are upgrading and in that case table will not exist
# This is for the case when users are upgrading and in that case table will not exist,
# so we should always disable fips as a default because users might not be able to ssh
# into the system
security_settings = {'enable_fips': False}

set_readonly(False)
configure_fips(security_settings['enable_fips'])
set_readonly(True)


if __name__ == '__main__':
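Review bot: With `set_readonly` and `get_active_be` removed, `main` now calls `configure_fips` without touching the readonly flag on the `usr` dataset, and nothing in the file records where the resulting writes are expected to land; if `modify_openssl_config` writes anything under `/usr` other than the `fipsmodule.cnf` path that `debian/preinst` redirects to `/var/lib/ssl`, it will presumably raise an `OSError` that `main` does not handle. A comment above the call would capture the new precondition, e.g. `# /usr is expected to be read-only here (readonly toggling dropped in NAS-132668); fipsmodule.cnf is writable only through the /var/lib/ssl symlink created by debian/preinst`. The bodies of `configure_fips` and `modify_openssl_config` lie outside the hunk, so whether they write other paths cannot be confirmed from here. The first hunk's removal of `import typing` is consistent with dropping its only visible user, `get_active_be`.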