Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SELinux relabeling during commit causes the wrong content hash to be stored if ACLs or user xattrs are present #3343

Closed
prydom opened this issue Nov 26, 2024 · 2 comments · Fixed by #3346
Closed

SELinux relabeling during commit causes the wrong content hash to be stored if ACLs or user xattrs are present #3343

prydom opened this issue Nov 26, 2024 · 2 comments · Fixed by #3346

Comments

@prydom
Copy link

prydom commented Nov 26, 2024
edited
Loading

Putting a pointer to containers/bootc#920 (comment) here. Please read the initial report there for a minimal reproduction script. The observed behavior was:

  • Failed container pulls via bootc and failing ostree fsck on a bootable base image created from an ostree commit.
  • Successful pulls but subsequent failures of ostree fsck if further container layers added xattrs.

I originally filed in bootc since I thought the bug was in the ostree-ext-rs crate but based on the following analysis I think the issue is in OSTree.

I think I can answer why this happens for the "pure ostree" case, @cgwalters. It seems the root cause has been in https://github.com/ostreedev/ostree for a while and it may just be some coincidental changes in libdnf5, librpm or librepo which caused this to start failing container pulls now.

libglnx will always sort the extended attributes returned from glnx_dfd_name_get_all_xattrs with canonicalize_xattrs(). This ensures we should always get the same content hash as long as the same file contents + uid/gid/perms/xattrs match even if the underlying filesystem returns a different order.

However, during commit the way get_final_xattrs() works is to first delete the security.selinux attribute with _ostree_filter_selinux_xattr() and then append the new label to the end of the gvariant array.

Linux capabilities have been working because "security.capabilities" always comes before "security.selinux". However the existence of any "user.*" attributes means that list will no longer be sorted and therefore the hash calculated at commit time will not match what is stored in the bare repo and what is copied into the encapsulated commit container image.

So, preserving system.* (e.g. ACLs) or trusted.* extended attributes would be bit by this same bug. I have reproduced the same failure to pull the container by adding an ACL.

# Create a new commit with just a single file with an extended attribute
mkdir commit
cd commit
echo "hello world" > test.txt
setfattr -n security.selinux -v "system_u:object_r:etc_runtime_t:s0" test.txt
setfacl -m "u:root:rw-" test.txt
setcap 'cap_net_bind_service=ep' test.txt
getfattr -d -m - -- *
stat test.txt
cd ..
@prydom prydom changed the title SELinux relabling during commit causes the wrong content hash to be stored if ACLs or user xattrs are present SELinux relabeling during commit causes the wrong content hash to be stored if ACLs or user xattrs are present Nov 26, 2024
@cgwalters
Copy link
Member

Thanks for that analysis! Indeed this looks like a basic bug in core ostree, we need to always ensure the xattrs are sorted. (composefs does this)

I recently hit a related bug in #3261 - and so a good first step here would be to change our object writing code and fsck code to enforce this.

cgwalters added a commit to cgwalters/ostree that referenced this issue Nov 27, 2024
@cgwalters
core: Always sort incoming xattrs
2be4c52 
When recomputing selinux attrs during commit, we weren't sorting,
which could cause various issues like fsck failures.

This is a big hammer; change things so we always canonicalize
(i.e. sort) the incoming xattrs when creating a file header.

I think almost all places in the code were already keeping
things sorted, but it's better to ensure correctness first.
If we ever have some performance issue (I'm doubtful) we
could add something like `_ostree_file_header_known_canonicalized`
or so.

Closes: ostreedev#3343

Signed-off-by: Colin Walters <[email protected]>
@cgwalters cgwalters mentioned this issue Nov 27, 2024
Merged
@prydom
Copy link
Author

prydom commented Nov 27, 2024

@cgwalters, based on my recent test of #3346 it looks like we might need an accompanying change to ostree-ext-rs/bootc to ensure xattrs introduced by container layering are also sorted.

I undid my workaround that stripped all the user.* attributes from buildah layered images during that test.

cgwalters added a commit to cgwalters/ostree that referenced this issue Nov 27, 2024
@cgwalters
core: Always sort incoming xattrs
c863558 
When recomputing selinux attrs during commit, we weren't sorting,
which could cause various issues like fsck failures.

This is a big hammer; change things so we always canonicalize
(i.e. sort) the incoming xattrs when creating a file header
and directory metadata.

I think almost all places in the code were already keeping
things sorted, but it's better to ensure correctness first.
If we ever have some performance issue (I'm doubtful) we
could add something like `_ostree_file_header_known_canonicalized`
or so.

Closes: ostreedev#3343

Signed-off-by: Colin Walters <[email protected]>
@prydom prydom mentioned this issue Dec 2, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

core: Always sort incoming xattrs cgwalters/ostree
2 participants
@cgwalters @prydom