libpriv/scripts: use rofiles-fuse on /etc too
We were directly bind mounting the checked out `/usr/etc` onto `/etc` which was exposing us to corruption from scriptlets. Since we already have an rofiles-fuse mount for `/usr`, let's just re-use its `etc/` subdir and bind mount that instead. Closes: #1003 Approved by: cgwalters
This commit is contained in:
parent
f089b8de1f
commit
167fd4c1dd
@ -166,6 +166,12 @@ setup_rofiles_usr (RpmOstreeBwrap *bwrap,
|
|||||||
|
|
||||||
rpmostree_bwrap_append_bwrap_argv (bwrap, "--bind", rofiles_mntpath, "/usr", NULL);
|
rpmostree_bwrap_append_bwrap_argv (bwrap, "--bind", rofiles_mntpath, "/usr", NULL);
|
||||||
|
|
||||||
|
/* also mount /etc from the rofiles mount to allow RPM scripts to change defaults, while
|
||||||
|
* still being protected; note we use bind to ensure symlinks work, see:
|
||||||
|
* https://github.com/projectatomic/rpm-ostree/pull/640 */
|
||||||
|
const char *rofiles_etc_mntpath = glnx_strjoina (rofiles_mntpath, "/etc");
|
||||||
|
rpmostree_bwrap_append_bwrap_argv (bwrap, "--bind", rofiles_etc_mntpath, "/etc", NULL);
|
||||||
|
|
||||||
return TRUE;
|
return TRUE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -255,9 +255,6 @@ run_script_in_bwrap_container (int rootfs_fd,
|
|||||||
/* Scripts can see a /var with compat links like alternatives */
|
/* Scripts can see a /var with compat links like alternatives */
|
||||||
"--ro-bind", "./var", "/var",
|
"--ro-bind", "./var", "/var",
|
||||||
"--tmpfs", "/var/tmp",
|
"--tmpfs", "/var/tmp",
|
||||||
/* Allow RPM scripts to change the /etc defaults; note we use bind
|
|
||||||
* to ensure symlinks work, see https://github.com/projectatomic/rpm-ostree/pull/640 */
|
|
||||||
"--bind", "./usr/etc", "/etc",
|
|
||||||
NULL);
|
NULL);
|
||||||
if (!bwrap)
|
if (!bwrap)
|
||||||
goto out;
|
goto out;
|
||||||
|
@ -168,3 +168,25 @@ fi
|
|||||||
vm_cmd test -f /home/testuser/somedata -a -f /etc/fstab -a -f /tmp/sometmpfile -a -f /var/tmp/sometmpfile
|
vm_cmd test -f /home/testuser/somedata -a -f /etc/fstab -a -f /tmp/sometmpfile -a -f /var/tmp/sometmpfile
|
||||||
# This is the error today, we may improve it later
|
# This is the error today, we may improve it later
|
||||||
assert_file_has_content err.txt 'error: sanitycheck: Executing bwrap(/usr/bin/true)'
|
assert_file_has_content err.txt 'error: sanitycheck: Executing bwrap(/usr/bin/true)'
|
||||||
|
|
||||||
|
vm_build_rpm etc-mutate post "truncate -s 0 /etc/selinux/config"
|
||||||
|
if vm_rpmostree install etc-mutate; then
|
||||||
|
assert_not_reached "successfully installed etc-mutate?"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Ensure this is reset; at least in the Vagrant box with
|
||||||
|
# fedora-atomic:fedora/26/x86_64/atomic-host
|
||||||
|
# Version: 26.131 (2017-09-19 22:29:04)
|
||||||
|
# Commit: 98088cb6ed2a4b3f7e4e7bf6d34f9e137c296bc43640b4c1967631f22fe1802f
|
||||||
|
# it starts out modified - the modification is just deletion of trailing
|
||||||
|
# whitespace.
|
||||||
|
vm_cmd cp /{usr/,}etc/selinux/config
|
||||||
|
vm_build_rpm etc-copy post "cp /etc/selinux/config{,.new}
|
||||||
|
echo '# etc-copy comment' >> /etc/selinux/config.new
|
||||||
|
mv /etc/selinux/config{.new,}"
|
||||||
|
vm_rpmostree install etc-copy
|
||||||
|
root=$(vm_get_deployment_root 0)
|
||||||
|
vm_cmd cat $root/etc/selinux/config > new-config.txt
|
||||||
|
assert_file_has_content new-config.txt etc-copy
|
||||||
|
vm_rpmostree cleanup -p
|
||||||
|
echo "ok etc rofiles"
|
||||||
|
Loading…
Reference in New Issue
Block a user