Add USRETC_AS_ETC commit modifier flag

This labels /usr/etc as if it was /etc, so that it can be moved at runtime to /etc without relabeling. Either directly, or indirectly as e.g. lower in an overlayfs mount. Also available as --usretc-as-etc on ostree commit command line.
ostreedev · Oct 6, 2023 · 9847a08 · 9847a08
1 parent befd844
commit 9847a08
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 1 deletion.
diff --git a/src/libostree/ostree-repo-commit.c b/src/libostree/ostree-repo-commit.c
@@ -3272,8 +3272,13 @@ get_final_xattrs (OstreeRepo *self, OstreeRepoCommitModifier *modifier, const ch
   if (modifier && modifier->sepolicy)
     {
       g_autofree char *label = NULL;
+      const char *path_for_labeling = relpath;
 
-      if (!ostree_sepolicy_get_label (modifier->sepolicy, relpath,
+      if ((modifier->flags & OSTREE_REPO_COMMIT_MODIFIER_FLAGS_USRETC_AS_ETC) != 0
+          && g_str_has_prefix (relpath, "/usr/etc"))
+        path_for_labeling += strlen ("/usr");
+
+      if (!ostree_sepolicy_get_label (modifier->sepolicy, path_for_labeling,
                                       g_file_info_get_attribute_uint32 (file_info, "unix::mode"),
                                       &label, cancellable, error))
         return FALSE;

diff --git a/src/libostree/ostree-repo.h b/src/libostree/ostree-repo.h
@@ -517,6 +517,8 @@ typedef OstreeRepoCommitFilterResult (*OstreeRepoCommitFilter) (OstreeRepo *repo
  * 2017.13
  * @OSTREE_REPO_COMMIT_MODIFIER_FLAGS_DEVINO_CANONICAL: If a devino cache hit is found, skip
  * modifier filters (non-directories only); Since: 2017.14
+ * @OSTREE_REPO_COMMIT_MODIFIER_FLAGS_USRETC_AS_ETC: : For SELinux and other systems, label /usr/etc
+ * as if it was /etc.; Since: 2023.7
  *
  * Flags modifying commit behavior. In bare-user-only mode,
  * @OSTREE_REPO_COMMIT_MODIFIER_FLAGS_CANONICAL_PERMISSIONS and
@@ -532,6 +534,7 @@ typedef enum
   OSTREE_REPO_COMMIT_MODIFIER_FLAGS_ERROR_ON_UNLABELED = (1 << 3),
   OSTREE_REPO_COMMIT_MODIFIER_FLAGS_CONSUME = (1 << 4),
   OSTREE_REPO_COMMIT_MODIFIER_FLAGS_DEVINO_CANONICAL = (1 << 5),
+  OSTREE_REPO_COMMIT_MODIFIER_FLAGS_USRETC_AS_ETC = (1 << 6),
 } OstreeRepoCommitModifierFlags;
 
 /**

diff --git a/src/ostree/ot-builtin-commit.c b/src/ostree/ot-builtin-commit.c
@@ -58,6 +58,7 @@ static gboolean opt_canonical_permissions;
 static gboolean opt_ro_executables;
 static gboolean opt_consume;
 static gboolean opt_devino_canonical;
+static gboolean opt_usretc_as_etc;
 static char *opt_base;
 static char **opt_trees;
 static gint opt_owner_uid = -1;
@@ -138,6 +139,8 @@ static GOptionEntry options[] = {
     "Optimize for commits of trees composed of hardlinks into the repository", NULL },
   { "devino-canonical", 'I', 0, G_OPTION_ARG_NONE, &opt_devino_canonical,
     "Assume hardlinked objects are unmodified.  Implies --link-checkout-speedup", NULL },
+  { "usretc-as-etc", 'I', 0, G_OPTION_ARG_NONE, &opt_usretc_as_etc,
+    "For SELinux and other systems, label /usr/etc as if it was /etc.", NULL },
   { "tar-autocreate-parents", 0, 0, G_OPTION_ARG_NONE, &opt_tar_autocreate_parents,
     "When loading tar archives, automatically create parent directories as needed", NULL },
   { "tar-pathname-filter", 0, 0, G_OPTION_ARG_STRING, &opt_tar_pathname_filter,
@@ -597,6 +600,8 @@ ostree_builtin_commit (int argc, char **argv, OstreeCommandInvocation *invocatio
     flags |= OSTREE_REPO_COMMIT_MODIFIER_FLAGS_SKIP_XATTRS;
   if (opt_consume)
     flags |= OSTREE_REPO_COMMIT_MODIFIER_FLAGS_CONSUME;
+  if (opt_usretc_as_etc)
+    flags |= OSTREE_REPO_COMMIT_MODIFIER_FLAGS_USRETC_AS_ETC;
   if (opt_devino_canonical)
     {
       opt_link_checkout_speedup = TRUE; /* Imply this */