IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Coverity warns when we're checking the return value in most-but-not-all
instances. The code is correct in these instances; we're initializing
the values to defaults. So add a `(void)` cast like we are doing
in many other places.
We shouldn't load anything from the target root filesystem *before*
verifying its integrity if composefs is enabled.
In effect, we want to force composefs users to migrate to
`/usr/lib/ostree/prepare-root.conf` which lives in the initramfs.
(But because we enable sysroot.readonly=true if composefs is enabled
too, they don't actually need to)
Using the repository configuration for configuration of this
program was always a bit hacky.
But actually with composefs, we really must validate
the target root *before* we parse anything in it.
Let's add a config file for `ostree-prepare-root` that can live
in the initramfs, which will already have been verified.
In the future we'll also add configuration for composefs here.
We expect OS builders to drop this in `/usr/lib/ostree/prepare-root.conf`,
but system local configuration can live in `/etc`.
This pushes down the code for parsing the `ostree=` cmdline
in the generator into code that's part of libostree-1.so.
This is prep for using logic shared in libotcore.la.
But in general it's just cleaner to also keep the binary
entrypoint to just be a trampoline into the C library.
This must have always been dead code. We're trying to iterate
towards a place where it's only `ostree-prepare-root.c` which
parses the `ostree=` kernel argument, and canonically sets up
`/run/ostree-booted`.
I just noticed that this was another constant string duplicated
between prepare-root.c and libostree-1.so, and I went to make
it a common `#define` in libotcore.la.
But then I thought "it's ugly to have this directory mixed into
the deployment namespace" because in some theoretical world
it could also be in the ostree commit, which would cause weird
behavior.
I think this is transient state that is better in `/run`, so move
it there.
As I (and others) will be backporting the fix in
de6fddc6ad
pretty far, I want a way for sysadmins and OS builders to
be able to reliably see when their version of ostree has this fix
(Because comparing version numbers isn't portable).
Now that we use androidboot.slot_suffix karg to determine whether we
boot into /ostree/root.a or /ostree/root.b, we can use ostree= karg
simply for parsing the stateroot, although we will still boot into
what's pointed to by /ostree/root.a or /ostree/root.b.
Most of this was used for the old composefs signature model. We
now reuse the core signature code and link to glib, so we don't
need reimplementations of hex strings and reading files.
Avoid having two copies of a regular expression for parsing
the `ostree=` kernel argument. Because the `ostree-system-generator`
binary already has access to the internals because it's implemented
in the shared library, expose the sysroot version internally
and use that.
Motivated by an attempt to change one of these copies but not
the other.
The semantics of this function now keep the key assigned
even if we fail to validate it, which is ugly. Only assign
the key after verifying its length.
Add a helper to compare lengths which includes the found
and expected values. Use it consistently.
The error message "Incorrect" is misleading; one might think
one had the *wrong* key. "Ill-formed" makes it clearer that
we're not parsing it at all.
Given the kernel argument androidboot.slot_suffix= is required in
Android AB updates [1] there is no need to check for ostree= or ostree=aboot
at all in the aboot case. This also ensures if the dependancy on ostree=
is removed, the android-boot technique will work regardless.
[1]: https://source.android.com/docs/core/ota/ab/ab_implement
Passing the private key via a direct command line argument
is just a bad idea because it's highly likely to get logged
or appear in `ps`.
Spotted in review of work for composefs signatures.
- Convert the current enum into a struct, using `OtTristate` and
two member variables (expected signature and digest)
- Factor out a helper function to parse this config
- Clean up the logging by consistently using `composefs:` as a prefix
- Add more assertions to more strictly verify our runtime state
since this is security relevant
There's no additional dependencies, and it's a small amount
of new code.
The riskiest thing is the changes to ostree-prepare-root, but
I believe that things are in a good state now there.
Again, this just enables it at *build time* - it's still
off at runtime by default.
I think this was only ever used in the "static pid1" path which
is now split out into a separate file.
We always expect that e.g. systemd does the switchroot in
the initramfs, so drop this dead code.