diff --git a/man/ostree-prepare-root.xml b/man/ostree-prepare-root.xml index 8726ccf18a..f33df045bf 100644 --- a/man/ostree-prepare-root.xml +++ b/man/ostree-prepare-root.xml @@ -114,8 +114,14 @@ License along with this library. If not, see . A boolean value; the default is false. If this is set to true, then the /sysroot mount point is mounted read-only. - + + + sysroot.etc + A string value; the default is persitent. If this is set to transient, then the /sysroot mount point is mounted transiently i.e. a non-persistent location. + + + systemd @@ -136,4 +142,4 @@ License along with this library. If not, see . - + \ No newline at end of file diff --git a/src/switchroot/ostree-prepare-root.c b/src/switchroot/ostree-prepare-root.c index fe080b4a51..bcedf4c620 100644 --- a/src/switchroot/ostree-prepare-root.c +++ b/src/switchroot/ostree-prepare-root.c @@ -82,6 +82,7 @@ const char *config_roots[] = { "/usr/lib", "/etc" }; #define SYSROOT_KEY "sysroot" #define READONLY_KEY "readonly" +#define ETC_KEY "etc" // Possible values = "persistent" "transient" // The kernel argument we support to configure composefs. #define OT_COMPOSEFS_KARG "ot-composefs" @@ -326,6 +327,29 @@ load_composefs_config (GError **error) return g_steal_pointer (&ret); } +static gboolean +copy_selinux_context (const char *src_path, const char *dst_path, GError **error) +{ + ssize_t bytes_read, real_size; + + if (TEMP_FAILURE_RETRY (bytes_read = lgetxattr (src_path, "security.selinux", NULL, 0)) < 0) + { + if (errno == ENODATA || errno == ENOTSUP) + return TRUE; /* no selinux context, we're done */ + return glnx_throw_errno_prefix (error, "lgetxattr(security.selinux)"); + } + + g_autofree guint8 *buf = g_malloc (bytes_read); + if (TEMP_FAILURE_RETRY (real_size = lgetxattr (src_path, "security.selinux", buf, bytes_read)) + < 0) + return glnx_throw_errno_prefix (error, "lgetxattr(security.selinux)"); + + if (lsetxattr (dst_path, "security.selinux", buf, real_size, 0) < 0) + return glnx_throw_errno_prefix (error, "lsetxattr(security.selinux)"); + + return TRUE; +} + int main (int argc, char *argv[]) { @@ -569,18 +593,70 @@ main (int argc, char *argv[]) } } + g_autofree char *etc_config = NULL; + if (!ot_keyfile_get_value_with_default (config, SYSROOT_KEY, ETC_KEY, "persistent", &etc_config, + &error)) + errx (EXIT_FAILURE, "failed to parse %s.%s: %s", SYSROOT_KEY, ETC_KEY, error->message); + bool etc_transient = false; + if (g_str_equal (etc_config, "persistent")) + etc_transient = false; + else if (g_str_equal (etc_config, "transient")) + etc_transient = true; + else + errx (EXIT_FAILURE, "Invalid %s.%s: %s", SYSROOT_KEY, ETC_KEY, etc_config); + + // In theory these could be distinct, but no reason to try to support it. + if (etc_transient && !sysroot_readonly) + errx (EXIT_FAILURE, "Must specify %s.%s for %s.%s=transient", SYSROOT_KEY, READONLY_KEY, + SYSROOT_KEY, ETC_KEY); + /* Prepare /etc. * No action required if sysroot is writable. Otherwise, a bind-mount for * the deployment needs to be created and remounted as read/write. */ if (sysroot_readonly || using_composefs) { - /* Bind-mount /etc (at deploy path), and remount as writable. */ - if (mount ("etc", TMP_SYSROOT "/etc", NULL, MS_BIND | MS_SILENT, NULL) < 0) - err (EXIT_FAILURE, "failed to prepare /etc bind-mount at /sysroot.tmp/etc"); - if (mount (TMP_SYSROOT "/etc", TMP_SYSROOT "/etc", NULL, MS_BIND | MS_REMOUNT | MS_SILENT, - NULL) - < 0) - err (EXIT_FAILURE, "failed to make writable /etc bind-mount at /sysroot.tmp/etc"); + if (etc_transient) + { + g_autofree char *etc_ovldir + = g_build_filename (OTCORE_RUN_OSTREE_PRIVATE, "etc-transient", NULL); + g_autofree char *upper = g_build_filename (etc_ovldir, "upper", NULL); + g_autofree char *work = g_build_filename (etc_ovldir, "work", NULL); + + if (mkdirat (AT_FDCWD, etc_ovldir, 0700) < 0) + err (EXIT_FAILURE, "Failed to create %s", etc_ovldir); + if (mkdirat (AT_FDCWD, upper, 0755) < 0) + err (EXIT_FAILURE, "Failed to create %s", upper); + if (mkdirat (AT_FDCWD, work, 0755) < 0) + err (EXIT_FAILURE, "Failed to create %s", work); + + g_autofree char *etc_ovl_options = g_strdup_printf ("lowerdir=%s,upperdir=%s,workdir=%s", + TMP_SYSROOT "/usr/etc", upper, work); + if (mount ("overlay", TMP_SYSROOT "/etc", "overlay", MS_SILENT, etc_ovl_options) < 0) + err (EXIT_FAILURE, "failed to mount transient etc overlayfs"); + + g_autoptr (GError) local_error = NULL; + if (!copy_selinux_context (TMP_SYSROOT "/usr/etc", TMP_SYSROOT "/etc", &local_error)) + err (EXIT_FAILURE, "failed to copy /usr/etc selinux label: %s", local_error->message); + + /* We make ovldir read-only to avoid it being relabeled to + * var_run_t when /run is relabeled */ + if (mount (etc_ovldir, etc_ovldir, NULL, MS_BIND | MS_SILENT, NULL) < 0) + err (EXIT_FAILURE, "failed to bind mount (class:readonly) %s", etc_ovldir); + if (mount (etc_ovldir, etc_ovldir, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_SILENT, + NULL) + < 0) + err (EXIT_FAILURE, "failed to bind mount (class:readonly) %s", etc_ovldir); + } + else + { + /* Bind-mount /etc (at deploy path), and remount as writable. */ + if (mount ("etc", TMP_SYSROOT "/etc", NULL, MS_BIND | MS_SILENT, NULL) < 0) + err (EXIT_FAILURE, "failed to prepare /etc bind-mount at /sysroot.tmp/etc"); + if (mount (TMP_SYSROOT "/etc", TMP_SYSROOT "/etc", NULL, MS_BIND | MS_REMOUNT | MS_SILENT, + NULL) + < 0) + err (EXIT_FAILURE, "failed to make writable /etc bind-mount at /sysroot.tmp/etc"); + } } /* Prepare /usr.