Skip to content

Commit

Permalink
install: manually label {/etc/fstab,tmpfile.d/bootc-root-ssh.conf}
Browse files Browse the repository at this point in the history
Right now bootc supports an experimental install from a non-selinux
host when using the `BOOTC_SKIP_SELINUX_HOST_CHECK=1` option.

This is nice and works relatively well. However files written
during the install like /etc/fstab or the tmpfiles.dfile
in /etc/tmpfile.d/bootc-root-ssh.conf must be labeled too.

This commit adds a (rather crude) manual way to do this.

Closes containers#362

Signed-off-by: Michael Vogt <[email protected]>
  • Loading branch information
mvo5 committed Mar 14, 2024
1 parent b809bcf commit f5ff122
Show file tree
Hide file tree
Showing 2 changed files with 19 additions and 3 deletions.
5 changes: 4 additions & 1 deletion lib/src/install.rs
Original file line number Diff line number Diff line change
Expand Up @@ -644,8 +644,11 @@ async fn initialize_ostree_root_from_self(
}
f.flush()?;

let fstab_path = Utf8PathBuf::try_from(root.canonicalize("etc/fstab")?)?;
state.lsm_label(&fstab_path, "/etc/fstab".into(), false)?;

if let Some(contents) = state.root_ssh_authorized_keys.as_deref() {
osconfig::inject_root_ssh_authorized_keys(&root, contents)?;
osconfig::inject_root_ssh_authorized_keys(&root, &state, contents)?;
}

let uname = rustix::system::uname();
Expand Down
17 changes: 15 additions & 2 deletions lib/src/install/osconfig.rs
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
use anyhow::Result;
use camino::Utf8Path;
use camino::{Utf8Path, Utf8PathBuf};
use cap_std::fs::Dir;
use cap_std_ext::{cap_std, dirext::CapStdExtDirExt};
use fn_error_context::context;
Expand All @@ -8,7 +8,11 @@ const ETC_TMPFILES: &str = "etc/tmpfiles.d";
const ROOT_SSH_TMPFILE: &str = "bootc-root-ssh.conf";

#[context("Injecting root authorized_keys")]
pub(crate) fn inject_root_ssh_authorized_keys(root: &Dir, contents: &str) -> Result<()> {
pub(crate) fn inject_root_ssh_authorized_keys(
root: &Dir,
state: &crate::install::State,
contents: &str,
) -> Result<()> {
// While not documented right now, this one looks like it does not newline wrap
let b64_encoded = ostree_ext::glib::base64_encode(contents.as_bytes());
// See the example in https://systemd.io/CREDENTIALS/
Expand All @@ -18,6 +22,15 @@ pub(crate) fn inject_root_ssh_authorized_keys(root: &Dir, contents: &str) -> Res
root.create_dir_all(tmpfiles_dir)?;
let target = tmpfiles_dir.join(ROOT_SSH_TMPFILE);
root.atomic_write(&target, &tmpfiles_content)?;

let as_path = Utf8Path::new(ETC_TMPFILES).join(ROOT_SSH_TMPFILE);
let as_root_dir_path = root.canonicalize(&as_path)?;
state.lsm_label(
&Utf8PathBuf::try_from(as_root_dir_path)?,
&Utf8PathBuf::from("/").join(as_path),
false,
)?;

println!("Injected: {target}");
Ok(())
}
Expand Down

0 comments on commit f5ff122

Please sign in to comment.