diff --git a/Cargo.lock b/Cargo.lock index 1e02228045..19e2ba11d2 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -267,18 +267,6 @@ dependencies = [ "winapi", ] -[[package]] -name = "cjson" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a2b601fb350e2fdbbd2ffb19aef2141fa90864d8fdca83d64466cb9bdb5694a7" -dependencies = [ - "itoa 0.4.7", - "serde", - "serde_derive", - "serde_json", -] - [[package]] name = "clap" version = "3.2.23" @@ -1600,6 +1588,17 @@ dependencies = [ "thiserror", ] +[[package]] +name = "olpc-cjson" +version = "0.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "87dc75cf72208cd853671c1abccc5d5d1e43b1e378dde67340ef933219a8c13c" +dependencies = [ + "serde", + "serde_json", + "unicode-normalization", +] + [[package]] name = "once_cell" version = "1.16.0" @@ -1697,9 +1696,9 @@ dependencies = [ [[package]] name = "ostree-ext" -version = "0.10.2" +version = "0.10.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "97a42fe3d8c03891e75cca54d34850996c3dadcdd3f275f8baa5e8d2150bad93" +checksum = "ef836913a9f14fb36da644f977c82fa59a72097d6185ff0281618aa0419ad6d7" dependencies = [ "anyhow", "async-compression", @@ -1708,7 +1707,6 @@ dependencies = [ "cap-std-ext", "cap-tempfile", "chrono", - "cjson", "clap", "containers-image-proxy", "flate2", @@ -1721,6 +1719,7 @@ dependencies = [ "libc", "libsystemd", "oci-spec", + "olpc-cjson", "once_cell", "openssl", "ostree", diff --git a/configure.ac b/configure.ac index 8557329dbb..b10aaf0780 100644 --- a/configure.ac +++ b/configure.ac @@ -3,7 +3,7 @@ dnl dnl SEE RELEASE.md FOR INSTRUCTIONS ON HOW TO DO A RELEASE. dnl m4_define([year_version], [2022]) -m4_define([release_version], [18]) +m4_define([release_version], [19]) m4_define([package_version], [year_version.release_version]) AC_INIT([rpm-ostree], [package_version], [coreos@lists.fedoraproject.org]) AC_CONFIG_HEADER([config.h]) 
diff --git a/rust/src/isolation.rs b/rust/src/isolation.rs
index bc07c061f2..cfc55672bb 100644
--- a/rust/src/isolation.rs
+++ b/rust/src/isolation.rs
@@ -60,6 +60,7 @@ pub(crate) fn run_systemd_worker_sync(cfg: &UnitConfig) -> Result<()> {
 /// Return a prepared subprocess configuration that will run as an unprivileged user if possible.
 ///
 /// This currently only drops privileges when run under systemd with DynamicUser.
+#[allow(dead_code)]
 pub(crate) fn unprivileged_subprocess(binary: &str) -> Command {
 // TODO: if we detect we're running in a container as uid 0, perhaps at least switch to the
 // "bin" user if we can?
diff --git a/rust/src/sysroot_upgrade.rs b/rust/src/sysroot_upgrade.rs
index f97adf7ba5..b62040e28f 100644
--- a/rust/src/sysroot_upgrade.rs
+++ b/rust/src/sysroot_upgrade.rs
@@ -2,13 +2,9 @@
 // SPDX-License-Identifier: Apache-2.0 OR MIT
-use std::path::PathBuf;
-use std::sync::Arc;
-
 use crate::cxxrsutil::*;
 use crate::ffi::{output_message, ContainerImageState};
 use anyhow::Result;
-use cap_std_ext::cmdext::CapStdExtCommandExt;
 use ostree::glib;
 use ostree::prelude::*;
 use ostree_container::store::{
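Review bot: The `#[allow(dead_code)]` added above `unprivileged_subprocess` in rust/src/isolation.rs carries no explanation, and the attribute implies that the call removed from `default_container_pull_config` in this commit was the last one. A helper whose doc comment says it drops privileges only under systemd with DynamicUser is easy to pick up again later on the assumption that it always isolates the child. Either delete it together with its last caller, or say why it stays, e.g. `// Unused since container pulls use ostree-ext's isolation support; kept for <reason>.` above the attribute. The function body continues outside the hunk, so whether anything else in it is still needed cannot be judged from here.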
@@ -64,20 +60,12 @@ async fn layer_progress_print(mut r: Receiver) {
 fn default_container_pull_config() -> Result {
 let mut cfg = ImageProxyConfig::default();
- ostree_container::merge_default_container_proxy_opts(&mut cfg)?;
- let mut cmd = crate::isolation::unprivileged_subprocess("skopeo");
- // Read the default authfile if it exists and pass it via file descriptor
- // which will ensure it's readable when we drop privileges.
- if let Some(authfile) = cfg.authfile.take() {
- let authbytes = std::fs::read(authfile)?;
- let authfd = crate::utils::impl_sealed_memfd("pullsecret", &authbytes)?;
- let authfd: Arc = Arc::new(authfd.into());
- drop(authbytes);
- let n = 5;
- cmd.take_fd_n(authfd, n);
- cfg.authfile = Some(PathBuf::from(format!("/proc/self/fd/{n}")));
- }
- cfg.skopeo_cmd = Some(cmd);
+ let isolation_systemd = crate::utils::running_in_systemd().then(|| "rpm-ostree");
+ let isolation_default = cap_std_ext::rustix::process::getuid()
+ .is_root()
+ .then(|| "nobody");
+ let isolation_user = isolation_systemd.or(isolation_default);
+ ostree_container::merge_default_container_proxy_opts_with_isolation(&mut cfg, isolation_user)?;
 Ok(cfg)
 }
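Review bot: In `default_container_pull_config`, `isolation_systemd` selects the `rpm-ostree` user whenever `running_in_systemd()` is true, while only the `nobody` fallback is gated on `getuid().is_root()`. If this path can run under systemd with a non-root uid, the proxy would be asked to switch to a user it presumably has no privilege to become; how `merge_default_container_proxy_opts_with_isolation` reacts to that is not visible in this diff. Consider computing `let is_root = cap_std_ext::rustix::process::getuid().is_root();` once and using `(is_root && crate::utils::running_in_systemd()).then(|| "rpm-ostree")` for the systemd case. The removed lines passed the pull secret through a sealed memfd so it stayed readable after the privilege drop, so a comment such as `// authfile access for the isolated user is handled by ostree-ext` (if that is in fact the case) would record why that code could be dropped. The fallback to `nobody` also deserves a short comment, since that account is commonly shared with unrelated processes and gives weaker separation than a dedicated user.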