bootloader/zipl: Run in target deployment as container if needed #3104

Merged
merged 4 commits into from
Dec 1, 2023
44 changes: 37 additions & 7 deletions src/libostree/ostree-bootloader-zipl.c
Expand Up @@ -434,10 +434,19 @@ _ostree_bootloader_zipl_post_bls_sync (OstreeBootloader *bootloader, int bootver
if (getuid () != 0)
return TRUE;

/* Note that unlike the grub2-mkconfig backend, we make no attempt to
* chroot().
*/
g_assert (self->sysroot->booted_deployment);
// If we're in a booted deployment, we don't need to spawn a container.
// Also avoid containerizing if there's no deployments to target, which shouldn't
// generally happen.
OstreeDeployment *target_deployment;
if (self->sysroot->booted_deployment || self->sysroot->deployments->len == 0)
{
target_deployment = NULL;
}
else
{
g_assert_cmpint (self->sysroot->deployments->len, >, 0);
target_deployment = self->sysroot->deployments->pdata[0];
}

if (!glnx_fstatat_allow_noent (self->sysroot->sysroot_fd, zipl_requires_execute_path, NULL, 0,
error))
Expand Down Expand Up @@ -467,9 +476,30 @@ _ostree_bootloader_zipl_post_bls_sync (OstreeBootloader *bootloader, int bootver
const char *const zipl_argv[]
= { "zipl", "--secure", (sb_enabled == TRUE) ? "1" : "auto", "-V", NULL };
int estatus;
if (!g_spawn_sync (NULL, (char **)zipl_argv, NULL, G_SPAWN_SEARCH_PATH, NULL, NULL, NULL, NULL,
&estatus, error))
return FALSE;
if (target_deployment != NULL)
{
g_debug ("executing zipl in deployment root");
g_autofree char *deployment_path
= ostree_sysroot_get_deployment_dirpath (self->sysroot, target_deployment);

As i see, this function uses bwrap but doesn't map/bind /boot , so zipl uses its default zipl.conf. This could be also avoided by using --blsdir option.

glnx_autofd int deployment_dfd = -1;
if (!glnx_opendirat (self->sysroot->sysroot_fd, deployment_path, TRUE, &deployment_dfd,
error))
return FALSE;

g_autofree char *sysroot_boot
= g_build_filename (gs_file_get_path_cached (self->sysroot->path), "boot", NULL);
const char *bwrap_args[] = { "--bind", sysroot_boot, "/boot", NULL };
if (!_ostree_sysroot_run_in_deployment (deployment_dfd, bwrap_args, zipl_argv, &estatus, NULL,
error))
return glnx_prefix_error (error, "Failed to invoke zipl");
}
else
{
g_debug ("executing zipl from booted system");
if (!g_spawn_sync (NULL, (char **)zipl_argv, NULL, G_SPAWN_SEARCH_PATH, NULL, NULL, NULL,
NULL, &estatus, error))
return FALSE;
}
if (!g_spawn_check_exit_status (estatus, error))
return FALSE;
if (!glnx_unlinkat (self->sysroot->sysroot_fd, zipl_requires_execute_path, 0, error))
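Review bot: The `if (target_deployment != NULL)` branch leaves an important trust shift undocumented: the `zipl` binary that rewrites the boot record is now taken from the not-yet-booted target deployment's root, with the sysroot's `boot` directory mounted into it via bwrap's `--bind` (read-write, unlike `--ro-bind`), so a comment above the branch should say so, e.g. `// zipl comes from the target deployment, not the booted tree; it gets the sysroot's /boot bound read-write, so deployment content is trusted to the same degree as the running system.` Whether `_ostree_sysroot_run_in_deployment` adds any further isolation beyond that bind is not visible here; it depends on its COMMON_ARGV, only partly shown in the second file. The `g_assert_cmpint (self->sysroot->deployments->len, >, 0)` in the else branch restates a condition the preceding `if` already excludes and can be dropped. The booted-system branch returns the raw spawn error while the container branch prefixes it with `Failed to invoke zipl`; prefixing both keeps diagnostics consistent. `_ostree_bootloader_zipl_post_bls_sync` starts before and continues after this hunk.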
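--- a/src/libostree/ostree-sysroot-deploy.c
+++ b/src/libostree/ostree-sysroot-deploy.c
@@ -3151,7 +3151,6 @@ get_var_dfd (OstreeSysroot *self, int osdeploy_dfd, OstreeDeployment *deployment
 return glnx_opendirat (base_dfd, base_path, TRUE, ret_fd, error);
 }
 
-#ifdef HAVE_SELINUX
 static void
 child_setup_fchdir (gpointer data)
 {
@@ -3164,9 +3163,10 @@ child_setup_fchdir (gpointer data)
 /*
 * Derived from rpm-ostree's rust/src/bwrap.rs
 */
-static gboolean
-run_in_deployment (int deployment_dfd, const gchar *const *child_argv, gint *exit_status,
-gchar **stdout, GError **error)
+gboolean
+_ostree_sysroot_run_in_deployment (int deployment_dfd, const char *const *bwrap_argv,
+const gchar *const *child_argv, gint *exit_status,
+gchar **stdout, GError **error)
 {
 static const gchar *const COMMON_ARGV[] = { "/usr/bin/bwrap",
 "--dev",
@@ -3229,6 +3229,11 @@ run_in_deployment (int deployment_dfd, const gchar *const *child_argv, gint *exi
 
 for (char **it = (char **)COMMON_ARGV; it && *it; it++)
 g_ptr_array_add (args, *it);
+for (char **it = (char **)bwrap_argv; it && *it; it++)
+g_ptr_array_add (args, *it);
+
+// Separate bwrap args from child args
+g_ptr_array_add (args, "--");
 
 for (char **it = (char **)child_argv; it && *it; it++)
 g_ptr_array_add (args, *it);
@@ -3239,6 +3244,7 @@ run_in_deployment (int deployment_dfd, const gchar *const *child_argv, gint *exi
 (gpointer)(uintptr_t)deployment_dfd, stdout, NULL, exit_status, error);
 }
 
+#ifdef HAVE_SELINUX
 /*
 * Run semodule to check if the module content changed after merging /etc
 * and rebuild the policy if needed.
@@ -3264,7 +3270,8 @@ sysroot_finalize_selinux_policy (int deployment_dfd, GError **error)
 * flag is not supported by semodule.
 */
 static const gchar *const SEMODULE_HELP_ARGV[] = { "semodule", "--help", NULL };
-if (!run_in_deployment (deployment_dfd, SEMODULE_HELP_ARGV, &exit_status, &stdout, error))
+if (!_ostree_sysroot_run_in_deployment (deployment_dfd, NULL, SEMODULE_HELP_ARGV, &exit_status,
+&stdout, error))
 return FALSE;
 if (!g_spawn_check_exit_status (exit_status, error))
 return glnx_prefix_error (error, "failed to run semodule");
@@ -3278,7 +3285,8 @@ sysroot_finalize_selinux_policy (int deployment_dfd, GError **error)
 
 ot_journal_print (LOG_INFO, "Refreshing SELinux policy");
 guint64 start_msec = g_get_monotonic_time () / 1000;
-if (!run_in_deployment (deployment_dfd, SEMODULE_REBUILD_ARGV, &exit_status, NULL, error))
+if (!_ostree_sysroot_run_in_deployment (deployment_dfd, NULL, SEMODULE_REBUILD_ARGV, &exit_status,
+NULL, error))
 return FALSE;
 guint64 end_msec = g_get_monotonic_time () / 1000;
 ot_journal_print (LOG_INFO, "Refreshed SELinux policy in %" G_GUINT64_FORMAT " ms",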
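Review bot: `_ostree_sysroot_run_in_deployment` becomes a cross-file entry point in the second hunk but keeps only the `Derived from rpm-ostree's rust/src/bwrap.rs` comment, so the contract of the new `bwrap_argv` parameter is undocumented; the comment (and the matching prototype in ostree-sysroot-private.h) should state that its entries are appended verbatim to the bwrap command line after COMMON_ARGV and before the `--` separator added in the third hunk, that `NULL` is accepted (both SELinux callers pass it), and that nothing is validated, so callers must pass only fixed option strings and never paths derived from untrusted input, since a stray `--bind` there changes what the child can write on the host. The `--` is added even when `bwrap_argv` is `NULL`, which is correct because child_argv always follows, but one clause in the comment would spare the reader from checking. Moving the `#ifdef HAVE_SELINUX` below the function in the fourth hunk also makes `child_setup_fchdir` and this function compile on every configuration, which seems intended so the zipl backend can use it; a short note that the `/usr/bin/bwrap` dependency is therefore no longer SELinux-only would help. The function body runs between and past the hunks shown.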
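--- a/src/libostree/ostree-sysroot-private.h
+++ b/src/libostree/ostree-sysroot-private.h
@@ -150,6 +150,10 @@ gboolean _ostree_sysroot_rmrf_deployment (OstreeSysroot *sysroot, OstreeDeployme
 
 char *_ostree_sysroot_get_runstate_path (OstreeDeployment *deployment, const char *key);
 
+gboolean _ostree_sysroot_run_in_deployment (int deployment_dfd, const char *const *bwrap_argv,
+const gchar *const *child_argv, gint *exit_status,
+gchar **stdout, GError **error);
+
 char *_ostree_sysroot_join_lines (GPtrArray *lines);
 
 gboolean _ostree_sysroot_ensure_boot_fd (OstreeSysroot *self, GError **error);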