shaba/ostree
1
0
Fork 0
mirror of https://github.com/ostreedev/ostree.git synced 2025-01-04 09:18:32 +03:00
Code Issues Projects Releases Wiki Activity

Merge pull request #3230 from cgwalters/initfs-epoch-2

Browse Source 
init-fs: Add --epoch=2
This commit is contained in:
Colin Walters 2024-04-12 19:56:35 -04:00 committed by GitHub
commit 99ef9806e2
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 21 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
man/ostree-admin-init-fs.xml
View File

@ -87,7 +87,15 @@ License along with this library. If not, see <https://www.gnu.org/licenses/>.
should only be mounted in the final deployment root. The main exception should only be mounted in the final deployment root. The main exception
is <literal>/boot</literal>, which may need to be mounted in some setups is <literal>/boot</literal>, which may need to be mounted in some setups
before the target root. before the target root.
</para></listitem> </para>
<para>
Epoch 2 is the same as 1, except that the toplevel <literal>ostree</literal>
directory is mode 0700, denying access from unprivileged code. This
is a new recommended best practice as it avoids access to old configuration
files in <literal>/etc</literal> in previous deployments, as well as
potentially old setuid binaries in <literal>/ostree/repo</literal>.
</para>
</listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>

8
src/ostree/ot-admin-builtin-init-fs.c
View File

@ -99,6 +99,14 @@ ot_admin_builtin_init_fs (int argc, char **argv, OstreeCommandInvocation *invoca
return FALSE; return FALSE;
} }
} }
else if (opt_epoch == 2)
{
/* In epoch 2, ostree is 0700 - no access from unprivileged code. See
* https://github.com/ostreedev/ostree/issues/3211
*/
if (!glnx_shutil_mkdir_p_at (root_dfd, "ostree", 0700, cancellable, error))
return FALSE;
}
g_autoptr (GFile) dir = g_file_new_for_path (sysroot_path); g_autoptr (GFile) dir = g_file_new_for_path (sysroot_path);
g_autoptr (OstreeSysroot) sysroot = ostree_sysroot_new (dir); g_autoptr (OstreeSysroot) sysroot = ostree_sysroot_new (dir);

4
tests/admin-test.sh
View File

@ -29,6 +29,10 @@ for flag in --modern --epoch=1; do
assert_not_has_dir sysrootmin/home assert_not_has_dir sysrootmin/home
rm sysrootmin -rf rm sysrootmin -rf
done done
mkdir sysrootmin
${CMD_PREFIX} ostree admin init-fs --epoch=2 sysrootmin
assert_streq "$(stat -c '%f' sysrootmin/ostree)" 41c0
assert_not_has_dir sysrootmin/home
echo "ok init-fs" echo "ok init-fs"
function validate_bootloader() { function validate_bootloader() {