deploy: Don't copy xattrs for devicetree

For the kernel/initramfs that we copy to `/boot` we use an explicit relabeling today, ignoring the source SELinux context. When we added handling for devicetree it reuse the `copy_dir_recurse` we have for `etc` handling, and that copied the source xattrs. Let's ensure that the devicetree is also `boot_t` by *not* copying xattrs and relying on the default labeling.
ostreedev · Oct 18, 2024 · 293b434 · 293b434
1 parent f7018d8
commit 293b434
Showing 1 changed file with 17 additions and 14 deletions.
diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c
@@ -184,16 +184,16 @@ install_into_boot (OstreeRepo *repo, OstreeSePolicy *sepolicy, int src_dfd, cons
 /* Copy ownership, mode, and xattrs from source directory to destination */
 static gboolean
 dirfd_copy_attributes_and_xattrs (int src_parent_dfd, const char *src_name, int src_dfd,
-                                  int dest_dfd, OstreeSysrootDebugFlags flags,
-                                  GCancellable *cancellable, GError **error)
+                                  int dest_dfd, GLnxFileCopyFlags flags, GCancellable *cancellable,
+                                  GError **error)
 {
   g_autoptr (GVariant) xattrs = NULL;
 
   /* Clone all xattrs first, so we get the SELinux security context
    * right.  This will allow other users access if they have ACLs, but
    * oh well.
    */
-  if (!(flags & OSTREE_SYSROOT_DEBUG_NO_XATTRS))
+  if (!(flags & GLNX_FILE_COPY_NOXATTRS))
     {
       if (!glnx_dfd_name_get_all_xattrs (src_parent_dfd, src_name, &xattrs, cancellable, error))
         return FALSE;
@@ -284,7 +284,8 @@ checksum_dir_recurse (int dfd, const char *path, OtChecksum *checksum, GCancella
 
 static gboolean
 copy_dir_recurse (int src_parent_dfd, int dest_parent_dfd, const char *name,
-                  OstreeSysrootDebugFlags flags, GCancellable *cancellable, GError **error)
+                  GLnxFileCopyFlags copy_flags, OstreeSysrootDebugFlags sysroot_flags,
+                  GCancellable *cancellable, GError **error)
 {
   g_auto (GLnxDirFdIterator) src_dfd_iter = {
     0,
@@ -302,8 +303,8 @@ copy_dir_recurse (int src_parent_dfd, int dest_parent_dfd, const char *name,
   if (!glnx_opendirat (dest_parent_dfd, name, TRUE, &dest_dfd, error))
     return FALSE;
 
-  if (!dirfd_copy_attributes_and_xattrs (src_parent_dfd, name, src_dfd_iter.fd, dest_dfd, flags,
-                                         cancellable, error))
+  if (!dirfd_copy_attributes_and_xattrs (src_parent_dfd, name, src_dfd_iter.fd, dest_dfd,
+                                         copy_flags, cancellable, error))
     return glnx_prefix_error (error, "Copying attributes of %s", name);
 
   while (TRUE)
@@ -320,18 +321,18 @@ copy_dir_recurse (int src_parent_dfd, int dest_parent_dfd, const char *name,
 
       if (S_ISDIR (child_stbuf.st_mode))
         {
-          if (!copy_dir_recurse (src_dfd_iter.fd, dest_dfd, dent->d_name, flags, cancellable,
-                                 error))
+          if (!copy_dir_recurse (src_dfd_iter.fd, dest_dfd, dent->d_name, copy_flags, sysroot_flags,
+                                 cancellable, error))
             return FALSE;
         }
       else
         {
           if (S_ISLNK (child_stbuf.st_mode) || S_ISREG (child_stbuf.st_mode))
             {
+              GLnxFileCopyFlags final_copy_flags = sysroot_flags_to_copy_flags (
+                  GLNX_FILE_COPY_OVERWRITE | copy_flags, sysroot_flags);
               if (!glnx_file_copy_at (src_dfd_iter.fd, dent->d_name, &child_stbuf, dest_dfd,
-                                      dent->d_name,
-                                      sysroot_flags_to_copy_flags (GLNX_FILE_COPY_OVERWRITE, flags),
-                                      cancellable, error))
+                                      dent->d_name, final_copy_flags, cancellable, error))
                 return glnx_prefix_error (error, "Copying %s", dent->d_name);
             }
           else
@@ -468,7 +469,7 @@ copy_modified_config_file (int orig_etc_fd, int modified_etc_fd, int new_etc_fd,
 
   if (S_ISDIR (modified_stbuf.st_mode))
     {
-      if (!copy_dir_recurse (modified_etc_fd, new_etc_fd, path, flags, cancellable, error))
+      if (!copy_dir_recurse (modified_etc_fd, new_etc_fd, path, 0, flags, cancellable, error))
         return FALSE;
     }
   else if (S_ISLNK (modified_stbuf.st_mode) || S_ISREG (modified_stbuf.st_mode))
@@ -1900,9 +1901,11 @@ install_deployment_kernel (OstreeSysroot *sysroot, int new_bootversion,
         }
       else
         {
+          // Don't copy xattrs for devicetree; Fedora derives label them modules_t which is
+          // wrong for when they're installed, we want the default boot_t.
           if (!copy_dir_recurse (kernel_layout->boot_dfd, bootcsum_dfd,
-                                 kernel_layout->devicetree_srcpath, sysroot->debug_flags,
-                                 cancellable, error))
+                                 kernel_layout->devicetree_srcpath, GLNX_FILE_COPY_NOXATTRS,
+                                 sysroot->debug_flags, cancellable, error))
             return FALSE;
         }
     }