Add ostree_sepolicy_new_from_root() helper

This is similar to ostree_sepolicy_new_from_commit, but works on a OstreeRepoFile instead of a commit. We need this so we can load the selinux policy during commit, before there a commit id exists.
ostreedev · Oct 2, 2023 · 86767ac · 86767ac
1 parent 8c25452
commit 86767ac
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 0 deletions.
diff --git a/src/libostree/ostree-sepolicy-private.h b/src/libostree/ostree-sepolicy-private.h
@@ -36,4 +36,7 @@ gboolean _ostree_sepolicy_preparefscreatecon (OstreeSepolicyFsCreatecon *con, Os
 
 GVariant *_ostree_filter_selinux_xattr (GVariant *xattrs);
 
+OstreeSePolicy *ostree_sepolicy_new_from_root (OstreeRepo *repo, OstreeRepoFile *root,
+                                               GCancellable *cancellable, GError **error);
+
 G_END_DECLS
diff --git a/src/libostree/ostree-sepolicy.c b/src/libostree/ostree-sepolicy.c
@@ -310,6 +310,53 @@ ostree_sepolicy_new_from_commit (OstreeRepo *repo, const char *rev, GCancellable
   return ret;
 }
 
+OstreeSePolicy *
+ostree_sepolicy_new_from_root (OstreeRepo *repo, OstreeRepoFile *root, GCancellable *cancellable,
+                               GError **error)
+{
+  GLNX_AUTO_PREFIX_ERROR ("setting sepolicy from root", error);
+  const char policypath[] = "usr/etc/selinux";
+  g_autoptr (GFile) policyroot = g_file_get_child (G_FILE (root), policypath);
+
+  GLnxTmpDir tmpdir = {
+    0,
+  };
+  if (!glnx_mkdtemp ("ostree-commit-sepolicy-XXXXXX", 0700, &tmpdir, error))
+    return FALSE;
+  g_autoptr (GFile) tmpdir_file = g_file_new_for_path (tmpdir.path);
+  if (!glnx_shutil_mkdir_p_at (tmpdir.fd, "usr/etc", 0755, cancellable, error))
+    return FALSE;
+  g_autoptr (GFile) usr_etc = g_file_get_child (tmpdir_file, "usr/etc");
+
+  g_autoptr (GError) tmp_error = NULL;
+  g_autoptr (GFileInfo) file_info
+      = g_file_query_info (policyroot, OSTREE_GIO_FAST_QUERYINFO,
+                           G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS, cancellable, &tmp_error);
+  if (!file_info && !g_error_matches (tmp_error, G_IO_ERROR, G_IO_ERROR_NOT_FOUND))
+    return glnx_prefix_error_null (error, "policy open");
+
+  if (file_info)
+    {
+      if (!ostree_repo_file_ensure_resolved (OSTREE_REPO_FILE (policyroot), error))
+        return glnx_prefix_error_null (error, "policy resolve");
+
+      g_autoptr (GFile) usr_etc_selinux = g_file_get_child (usr_etc, "selinux");
+
+      if (!ostree_repo_checkout_tree (repo, OSTREE_REPO_CHECKOUT_MODE_USER,
+                                      OSTREE_REPO_CHECKOUT_OVERWRITE_NONE, usr_etc_selinux,
+                                      OSTREE_REPO_FILE (policyroot), file_info, cancellable, error))
+        return glnx_prefix_error_null (error, "policy checkout");
+    }
+
+  OstreeSePolicy *ret = ostree_sepolicy_new_at (tmpdir.fd, cancellable, error);
+  if (!ret)
+    return NULL;
+  /* Transfer ownership of tmpdir */
+  ret->tmpdir = tmpdir;
+  tmpdir.initialized = FALSE;
+  return ret;
+}
+
 /* Workaround for http://marc.info/?l=selinux&m=149323809332417&w=2 */
 #ifdef HAVE_SELINUX
 static gboolean