install: manually label {/etc/fstab,tmpfile.d/bootc-root-ssh.conf}
Right now bootc supports an experimental install from a non-selinux
host when using the `BOOTC_SKIP_SELINUX_HOST_CHECK=1` option.

This is nice and works relatively well. However, files written
during the install, like /etc/fstab or the tmpfiles.d file
in /etc/tmpfiles.d/bootc-root-ssh.conf, must be labeled too.

This commit adds a (rather crude) manual way to do this.

Closes containers#362

Signed-off-by: Michael Vogt <[email protected]>
mvo5 committed Mar 14, 2024
1 parent b809bcf commit 23bbc5a
Showing 2 changed files with 26 additions and 3 deletions.
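--- a/lib/src/install.rs
+++ b/lib/src/install.rs
@@ -644,8 +644,18 @@ async fn initialize_ostree_root_from_self(
 }
 f.flush()?;
 
+let fstab_path = Utf8PathBuf::from(rootfs)
+.join(path.as_str())
+.join("etc/fstab");
+state.lsm_label(&fstab_path, "/etc/fstab".into(), false)?;
+
 if let Some(contents) = state.root_ssh_authorized_keys.as_deref() {
-osconfig::inject_root_ssh_authorized_keys(&root, contents)?;
+osconfig::inject_root_ssh_authorized_keys(
+&root,
+&Utf8PathBuf::from(rootfs).join(path.as_str()),
+&state,
+contents,
+)?;
 }
 
 let uname = rustix::system::uname();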
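Review bot: The deployment root `Utf8PathBuf::from(rootfs).join(path.as_str())` is assembled twice in this hunk, once for the `lsm_label` call on `etc/fstab` and again as the second argument to `inject_root_ssh_authorized_keys`, so the path that is labelled and the path handed to osconfig can drift apart on a later edit. Binding it once, `let deployment_root = Utf8PathBuf::from(rootfs).join(path.as_str());`, and then using `deployment_root.join("etc/fstab")` and `&deployment_root` keeps the two in step. The relabel call also needs a short comment saying why it is there (going by the commit message, files written during install get no label when the host has no SELinux) and what the bare `false` selects, since neither is visible from this hunk. A file left unlabelled here would presumably surface only as a denial on first boot of an enforcing target, so a test that installs from a non-SELinux host is worth adding. The body of `initialize_ostree_root_from_self` starts and ends outside the hunk.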
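--- a/lib/src/install/osconfig.rs
+++ b/lib/src/install/osconfig.rs
@@ -1,5 +1,5 @@
 use anyhow::Result;
-use camino::Utf8Path;
+use camino::{Utf8Path, Utf8PathBuf};
 use cap_std::fs::Dir;
 use cap_std_ext::{cap_std, dirext::CapStdExtDirExt};
 use fn_error_context::context;
@@ -8,7 +8,12 @@ const ETC_TMPFILES: &str = "etc/tmpfiles.d";
 const ROOT_SSH_TMPFILE: &str = "bootc-root-ssh.conf";
 
 #[context("Injecting root authorized_keys")]
-pub(crate) fn inject_root_ssh_authorized_keys(root: &Dir, contents: &str) -> Result<()> {
+pub(crate) fn inject_root_ssh_authorized_keys(
+root: &Dir,
+root_path: &Utf8PathBuf,
+state: &crate::install::State,
+contents: &str,
+) -> Result<()> {
 // While not documented right now, this one looks like it does not newline wrap
 let b64_encoded = ostree_ext::glib::base64_encode(contents.as_bytes());
 // See the example in https://systemd.io/CREDENTIALS/
@@ -18,6 +23,14 @@ pub(crate) fn inject_root_ssh_authorized_keys(root: &Dir, contents: &str) -> Res
 root.create_dir_all(tmpfiles_dir)?;
 let target = tmpfiles_dir.join(ROOT_SSH_TMPFILE);
 root.atomic_write(&target, &tmpfiles_content)?;
+
+let as_path = Utf8Path::new(ETC_TMPFILES).join(ROOT_SSH_TMPFILE);
+state.lsm_label(
+&Utf8PathBuf::from("/").join(root_path).join(&as_path),
+&Utf8PathBuf::from("/").join(&as_path),
+false,
+)?;
+
 println!("Injected: {target}");
 Ok(())
 }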
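Review bot: In the last hunk, `inject_root_ssh_authorized_keys` writes the tmpfiles.d snippet through the `root: &Dir` handle but labels it through a separately built string, `Utf8PathBuf::from("/").join(root_path).join(&as_path)`, and nothing in the function ties `root_path` to the directory `root` was opened from. If the two ever disagree, the snippet carrying root's SSH keys stays unlabelled in the target while some other path is relabelled. Because `join` with an absolute `root_path` discards the leading `"/"`, that prefix only takes effect for a relative `root_path`, where it re-anchors the lookup at the host root. I would state the invariant in a doc comment (`/// root_path must be the absolute path that root was opened from`), enforce it with `anyhow::ensure!(root_path.is_absolute(), "root_path must be absolute");`, and take `root_path: &Utf8Path` instead of `&Utf8PathBuf`. `as_path` also looks like a second spelling of `target`, but `tmpfiles_dir` is defined between the hunks, so confirm that before reusing it.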
