From 9847a083300381b95ac375d0df5417cefada5a84 Mon Sep 17 00:00:00 2001 From: Alexander Larsson Date: Mon, 2 Oct 2023 17:17:25 +0200 Subject: [PATCH] Add USRETC_AS_ETC commit modifier flag This labels /usr/etc as if it was /etc, so that it can be moved at runtime to /etc without relabeling. Either directly, or indirectly as e.g. lower in an overlayfs mount. Also available as --usretc-as-etc on ostree commit command line. --- src/libostree/ostree-repo-commit.c | 7 ++++++- src/libostree/ostree-repo.h | 3 +++ src/ostree/ot-builtin-commit.c | 5 +++++ 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/src/libostree/ostree-repo-commit.c b/src/libostree/ostree-repo-commit.c index c269142e72..ca57804841 100644 --- a/src/libostree/ostree-repo-commit.c +++ b/src/libostree/ostree-repo-commit.c @@ -3272,8 +3272,13 @@ get_final_xattrs (OstreeRepo *self, OstreeRepoCommitModifier *modifier, const ch if (modifier && modifier->sepolicy) { g_autofree char *label = NULL; + const char *path_for_labeling = relpath; - if (!ostree_sepolicy_get_label (modifier->sepolicy, relpath, + if ((modifier->flags & OSTREE_REPO_COMMIT_MODIFIER_FLAGS_USRETC_AS_ETC) != 0 + && g_str_has_prefix (relpath, "/usr/etc")) + path_for_labeling += strlen ("/usr"); + + if (!ostree_sepolicy_get_label (modifier->sepolicy, path_for_labeling, g_file_info_get_attribute_uint32 (file_info, "unix::mode"), &label, cancellable, error)) return FALSE; diff --git a/src/libostree/ostree-repo.h b/src/libostree/ostree-repo.h index 2dea909223..011d532b80 100644 --- a/src/libostree/ostree-repo.h +++ b/src/libostree/ostree-repo.h @@ -517,6 +517,8 @@ typedef OstreeRepoCommitFilterResult (*OstreeRepoCommitFilter) (OstreeRepo *repo * 2017.13 * @OSTREE_REPO_COMMIT_MODIFIER_FLAGS_DEVINO_CANONICAL: If a devino cache hit is found, skip * modifier filters (non-directories only); Since: 2017.14 + * @OSTREE_REPO_COMMIT_MODIFIER_FLAGS_USRETC_AS_ETC: : For SELinux and other systems, label /usr/etc + * as if it was /etc.; Since: 2023.7 * * Flags modifying commit behavior. In bare-user-only mode, * @OSTREE_REPO_COMMIT_MODIFIER_FLAGS_CANONICAL_PERMISSIONS and @@ -532,6 +534,7 @@ typedef enum OSTREE_REPO_COMMIT_MODIFIER_FLAGS_ERROR_ON_UNLABELED = (1 << 3), OSTREE_REPO_COMMIT_MODIFIER_FLAGS_CONSUME = (1 << 4), OSTREE_REPO_COMMIT_MODIFIER_FLAGS_DEVINO_CANONICAL = (1 << 5), + OSTREE_REPO_COMMIT_MODIFIER_FLAGS_USRETC_AS_ETC = (1 << 6), } OstreeRepoCommitModifierFlags; /** diff --git a/src/ostree/ot-builtin-commit.c b/src/ostree/ot-builtin-commit.c index 98aa5f952a..59c184f3e2 100644 --- a/src/ostree/ot-builtin-commit.c +++ b/src/ostree/ot-builtin-commit.c @@ -58,6 +58,7 @@ static gboolean opt_canonical_permissions; static gboolean opt_ro_executables; static gboolean opt_consume; static gboolean opt_devino_canonical; +static gboolean opt_usretc_as_etc; static char *opt_base; static char **opt_trees; static gint opt_owner_uid = -1; @@ -138,6 +139,8 @@ static GOptionEntry options[] = { "Optimize for commits of trees composed of hardlinks into the repository", NULL }, { "devino-canonical", 'I', 0, G_OPTION_ARG_NONE, &opt_devino_canonical, "Assume hardlinked objects are unmodified. Implies --link-checkout-speedup", NULL }, + { "usretc-as-etc", 'I', 0, G_OPTION_ARG_NONE, &opt_usretc_as_etc, + "For SELinux and other systems, label /usr/etc as if it was /etc.", NULL }, { "tar-autocreate-parents", 0, 0, G_OPTION_ARG_NONE, &opt_tar_autocreate_parents, "When loading tar archives, automatically create parent directories as needed", NULL }, { "tar-pathname-filter", 0, 0, G_OPTION_ARG_STRING, &opt_tar_pathname_filter, @@ -597,6 +600,8 @@ ostree_builtin_commit (int argc, char **argv, OstreeCommandInvocation *invocatio flags |= OSTREE_REPO_COMMIT_MODIFIER_FLAGS_SKIP_XATTRS; if (opt_consume) flags |= OSTREE_REPO_COMMIT_MODIFIER_FLAGS_CONSUME; + if (opt_usretc_as_etc) + flags |= OSTREE_REPO_COMMIT_MODIFIER_FLAGS_USRETC_AS_ETC; if (opt_devino_canonical) { opt_link_checkout_speedup = TRUE; /* Imply this */