From 21b30476b6bf0b77f2154574cd1591ecaba3e14c Mon Sep 17 00:00:00 2001
From: Ben Cressey
Date: Thu, 9 Jul 2020 20:49:47 +0000
Subject: [PATCH 1/5] selinux-policy: revise policy for tmpfs mounts

We need to allow containers to manage tmpfs mounts, since this is expected by the EBS CSI driver, and is a pretty reasonable thing to want to do. We also need to avoid letting containers manage the tmpfs mount for /etc, since this would offer a way to replace the configuration and service files we generate.

Signed-off-by: Ben Cressey
---
 packages/selinux-policy/fs.cil | 2 +-
 packages/selinux-policy/object.cil | 22 ++++++++++++++--------
 packages/selinux-policy/rules.cil | 20 ++++++++++++++------
 3 files changed, 29 insertions(+), 15 deletions(-)

diff --git a/packages/selinux-policy/fs.cil b/packages/selinux-policy/fs.cil
index e14a2ba3ae0..29a27bed9de 100644
--- a/packages/selinux-policy/fs.cil
+++ b/packages/selinux-policy/fs.cil
@@ -80,7 +80,7 @@
 (filecon "/dev/.*" any ())
 ; Label tmpfs mounts.
-(filecon "/etc" any any)
+(filecon "/etc" any etc)
 (filecon "/etc/.*" any ())
 (filecon "/tmp" any any)
 (filecon "/tmp/.*" any ())
diff --git a/packages/selinux-policy/object.cil b/packages/selinux-policy/object.cil
index a62889ca16b..7a402026df9 100644
--- a/packages/selinux-policy/object.cil
+++ b/packages/selinux-policy/object.cil
@@ -45,6 +45,11 @@
 (roletype object_r any_t)
 (context any (system_u object_r any_t s0))
+; Files for system configuration.
+(type etc_t)
+(roletype object_r etc_t)
+(context etc (system_u object_r etc_t s0))
+
 ; Files that have no label, or perhaps an invalid label.
 (type unlabeled_t)
 (roletype object_r unlabeled_t)
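Review bot: With `/etc` now labeled `etc` but `/etc/.*` still `()`, nothing in fs.cil gives the files under /etc the etc_t type; the whole tree apparently ends up etc_t only because the tmpfs is mounted with a `context=` option in the systemd commit later in this series, and the object.cil hunk that declares the type does not say so. Suggest replacing `; Files for system configuration.` with `; Files for system configuration, generated at runtime on the tmpfs mounted at /etc (the mount's context= option labels the whole tree).` so that the other_s neverallow on dynamic_o can be understood from the policy alone.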
@@ -85,9 +90,9 @@
 (roletype object_r external_t)
 (context external (system_u object_r external_t s0))
-; Ephemeral objects reside on temporary storage.
-(typeattribute ephemeral_o)
-(typeattributeset ephemeral_o (any_t))
+; Dynamic objects are files on temporary storage with special rules.
+(typeattribute dynamic_o)
+(typeattributeset dynamic_o (etc_t))
 ; Protected objects are files on local storage with special rules.
 (typeattribute protected_o)
@@ -100,16 +105,17 @@
 os_t init_exec_t api_exec_t clock_exec_t network_exec_t bus_exec_t runtime_exec_t))
-; Foreign objects reside on storage with a different lifecycle from
-; the rest of the OS, such as EBS volumes and EFS filesystems.
-(typeattribute foreign_o)
-(typeattributeset foreign_o (external_t unlabeled_t))
+; Ephemeral objects reside on storage with a different lifecycle
+; from the rest of the OS, such as tmpfs filesystems, EBS volumes,
+; and EFS filesystems.
+(typeattribute ephemeral_o)
+(typeattributeset ephemeral_o (any_t external_t unlabeled_t))
 ; The set of all objects.
 (typeattribute all_o)
 (typeattributeset all_o (
 os_t init_exec_t api_exec_t clock_exec_t network_exec_t bus_exec_t runtime_exec_t
- any_t unlabeled_t external_t
+ any_t etc_t unlabeled_t external_t
 local_t private_t cache_t lease_t measure_t state_t))
diff --git a/packages/selinux-policy/rules.cil b/packages/selinux-policy/rules.cil
index de7cea5203b..6aefd5c5824 100644
--- a/packages/selinux-policy/rules.cil
+++ b/packages/selinux-policy/rules.cil
@@ -85,11 +85,19 @@
 ; They can also set watches on those objects.
 (allow all_s self (files (mutate watch)))
-; All subjects are allowed to write to and set watches for "foreign"
-; and "ephemeral" objects, such as files in /mnt and /tmp.
-; They can also manage mounts for "foreign" objects.
-(allow all_s ephemeral_o (files (mutate watch)))
-(allow all_s foreign_o (files (mutate watch mount)))
+; All subjects are allowed to write to, set watches for, and manage
+; mounts for "ephemeral" objects, such as files in /mnt and /tmp.
+(allow all_s ephemeral_o (files (mutate watch mount)))
+
+; Trusted subjects are allowed to write to, set watches for, and
+; manage mounts for "dynamic" files in /etc.
+(allow trusted_s dynamic_o (files (mutate watch mount)))
+
+; wicked calls netdog which writes /etc/resolv.conf.
+(allow network_t etc_t (files (mutate)))
+
+; Other subjects cannot modify these "dynamic" files.
+(neverallow other_s dynamic_o (files (mutate watch mount)))
 ; Most subjects are allowed to write to, set watches for, and manage
 ; mounts for "local" files and directories on /local.
@@ -144,7 +152,7 @@
 ; Files that exist elsewhere should not be an entrypoint.
 (neverallow all_s ephemeral_o (files (enter)))
-(neverallow all_s foreign_o (files (enter)))
+(neverallow all_s dynamic_o (files (enter)))
 ; All subjects are allowed to use most actions related to sockets,
 ; networks, and IPC mechanisms.

From b1b3acff7b781ec63b2a1acd8fcf67bf101f6bef Mon Sep 17 00:00:00 2001
From: Ben Cressey
Date: Thu, 9 Jul 2020 21:06:29 +0000
Subject: [PATCH 2/5] systemd: handle mount for /etc

This eliminates the need for a separate preinit program to handle the mount for /etc, and ensures that the filesystem is labeled correctly.
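Review bot: `(allow all_s ephemeral_o (files (mutate watch mount)))` now grants `mount` to every subject on every `any_t` object, whereas before this hunk `mount` was limited to foreign_o (external_t and unlabeled_t); what carries any_t besides /tmp is not visible here, and the fs.cil hunk in this commit labels `/dev/.*` right next to the tmpfs entries, so the comment should name the any_t mount points it is opening up rather than only "/mnt and /tmp". The `(allow network_t etc_t (files (mutate)))` line sits between the trusted_s allow and the other_s neverallow; the policy can only build if network_t is outside other_s, and since this allow omits `watch` and `mount`, network_t is apparently outside trusted_s as well, which a comment such as `; network_t belongs to neither trusted_s nor other_s; it gets only mutate on etc_t.` would make checkable. The second hunk in this file is a rename and needs nothing further.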
Signed-off-by: Ben Cressey --- ...se-absolute-path-for-var-run-symlink.patch | 4 +-- ...separate-timeout-for-system-shutdown.patch | 4 +-- .../9003-repart-always-use-random-UUIDs.patch | 4 +-- ...d-setup-generate-stable-ID-under-Xen.patch | 4 +-- ...5-core-mount-etc-with-specific-label.patch | 29 +++++++++++++++++++ packages/systemd/systemd.spec | 3 ++ 6 files changed, 40 insertions(+), 8 deletions(-) create mode 100644 packages/systemd/9005-core-mount-etc-with-specific-label.patch diff --git a/packages/systemd/9001-use-absolute-path-for-var-run-symlink.patch b/packages/systemd/9001-use-absolute-path-for-var-run-symlink.patch index 794cbaaca1f..7db86c057b3 100644 --- a/packages/systemd/9001-use-absolute-path-for-var-run-symlink.patch +++ b/packages/systemd/9001-use-absolute-path-for-var-run-symlink.patch @@ -1,7 +1,7 @@ -From 04341003db574d474b578a8587c39e365955f4f7 Mon Sep 17 00:00:00 2001 +From 761f4dfb91c5b8d80dafd7a8b7952c09e61bc981 Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Tue, 17 Sep 2019 01:35:51 +0000 -Subject: [PATCH 9001/9004] use absolute path for /var/run symlink +Subject: [PATCH 9001/9005] use absolute path for /var/run symlink Otherwise the symlink may be broken if /var is a bind mount from somewhere else. diff --git a/packages/systemd/9002-core-add-separate-timeout-for-system-shutdown.patch b/packages/systemd/9002-core-add-separate-timeout-for-system-shutdown.patch index 552cbd4427c..c61a4d5009d 100644 --- a/packages/systemd/9002-core-add-separate-timeout-for-system-shutdown.patch +++ b/packages/systemd/9002-core-add-separate-timeout-for-system-shutdown.patch @@ -1,7 +1,7 @@ -From b3ac8393c51d1c2806526f0ef138e87e825783f2 Mon Sep 17 00:00:00 2001 +From adcae5edbf78586335a64744dca2df6449537953 Mon Sep 17 00:00:00 2001 
From: Ben Cressey Date: Tue, 10 Mar 2020 20:30:10 +0000 -Subject: [PATCH 9002/9004] core: add separate timeout for system shutdown +Subject: [PATCH 9002/9005] core: add separate timeout for system shutdown There is an existing setting for this (DefaultTimeoutStopUSec), but changing it has no effect because `reset_arguments()` is called just diff --git a/packages/systemd/9003-repart-always-use-random-UUIDs.patch b/packages/systemd/9003-repart-always-use-random-UUIDs.patch index df41793959d..3ac757d71d0 100644 --- a/packages/systemd/9003-repart-always-use-random-UUIDs.patch +++ b/packages/systemd/9003-repart-always-use-random-UUIDs.patch @@ -1,7 +1,7 @@ -From c867691ea344e8d518dac292e082e832dafa87a0 Mon Sep 17 00:00:00 2001 +From b080e8af77c4484a3fdd40c599454b69e5a193a5 Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Thu, 16 Apr 2020 15:10:41 +0000 -Subject: [PATCH 9003/9004] repart: always use random UUIDs +Subject: [PATCH 9003/9005] repart: always use random UUIDs We would like to avoid adding OpenSSL to the base OS, and for our use case we do not need the UUIDs assigned to disks or partitions to be diff --git a/packages/systemd/9004-machine-id-setup-generate-stable-ID-under-Xen.patch b/packages/systemd/9004-machine-id-setup-generate-stable-ID-under-Xen.patch index e29d9b11c15..dc48b9ad344 100644 --- a/packages/systemd/9004-machine-id-setup-generate-stable-ID-under-Xen.patch +++ b/packages/systemd/9004-machine-id-setup-generate-stable-ID-under-Xen.patch @@ -1,7 +1,7 @@ -From f17dd7d63c9a3424e8b592d3e3afb70209102706 Mon Sep 17 00:00:00 2001 +From 2c7e1e97cd82ed7c20f63d1842cd26de37b53f34 Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Tue, 7 Jul 2020 22:38:20 +0000 -Subject: [PATCH 9004/9004] machine-id-setup: generate stable ID under Xen +Subject: [PATCH 9004/9005] machine-id-setup: generate stable ID under Xen Signed-off-by: Ben Cressey --- 
diff --git a/packages/systemd/9005-core-mount-etc-with-specific-label.patch b/packages/systemd/9005-core-mount-etc-with-specific-label.patch new file mode 100644 index 00000000000..513611c4d3b --- /dev/null +++ b/packages/systemd/9005-core-mount-etc-with-specific-label.patch @@ -0,0 +1,29 @@ +From b84340cd6e390483a22839c7c3d8d8ff39534d11 Mon Sep 17 00:00:00 2001 +From: Ben Cressey +Date: Thu, 9 Jul 2020 20:00:36 +0000 +Subject: [PATCH 9005/9005] core: mount /etc with specific label + +The filesystem is mounted after we load the SELinux policy, so we can +apply the label we need to restrict access. + +Signed-off-by: Ben Cressey +--- + src/core/mount-setup.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c +index 5dfcb61..5cad963 100644 +--- a/src/core/mount-setup.c ++++ b/src/core/mount-setup.c +@@ -74,6 +74,8 @@ static const MountPoint mount_table[] = { + { "tmpfs", "/dev/shm", "tmpfs", "mode=1777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME, + mac_smack_use, MNT_FATAL }, + #endif ++ { "tmpfs", "/etc", "tmpfs", "mode=755,context=system_u:object_r:etc_t:s0", MS_NOSUID|MS_NODEV|MS_NOATIME|MS_NOEXEC, ++ NULL, MNT_FATAL|MNT_IN_CONTAINER }, + { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, + NULL, MNT_FATAL|MNT_IN_CONTAINER }, + { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, +-- +2.21.0 + diff --git a/packages/systemd/systemd.spec b/packages/systemd/systemd.spec index 242689a560e..768273c69db 100644 --- a/packages/systemd/systemd.spec +++ b/packages/systemd/systemd.spec 
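Review bot: The new mount_table entry passes a NULL condition with MNT_FATAL, so if the kernel rejects `context=system_u:object_r:etc_t:s0` (the loaded policy not defining etc_t, or SELinux disabled on the kernel command line, where a `context=` option would presumably not be accepted) PID 1 treats the failed mount as fatal, and nothing in the table says that booting without exactly this policy is unsupported. mount-setup.c already uses `mac_selinux_use` as the condition for its selinuxfs entry; either that condition or a comment such as `/* Bottlerocket: /etc is a tmpfs labeled etc_t; the policy loaded earlier must define that type. */` above the entry would make the dependency explicit. MNT_IN_CONTAINER also applies this mount when this systemd is PID 1 inside a container, which seems intended for Bottlerocket's own systemd but deserves a word in the same comment. The enclosing mount_table array starts and ends outside the hunk.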
@@ -27,6 +27,9 @@ Patch9003: 9003-repart-always-use-random-UUIDs.patch # the dom0 case first, where the UUID is all zeroes and hence not unique. Patch9004: 9004-machine-id-setup-generate-stable-ID-under-Xen.patch +# Local patch to handle mounting /etc with our SELinux label. +Patch9005: 9005-core-mount-etc-with-specific-label.patch + BuildRequires: gperf BuildRequires: intltool BuildRequires: meson From 607fb17faac5f2b5b9354f51c4a4f76971731301 Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Thu, 9 Jul 2020 21:39:42 +0000 Subject: [PATCH 3/5] remove laika Now that systemd handles the /etc mount, we no longer need it. Signed-off-by: Ben Cressey --- GLOSSARY.md | 1 - packages/os/Cargo.toml | 1 - packages/os/os.spec | 11 +-- packages/release/release.spec | 1 - sources/Cargo.lock | 58 ---------------- sources/Cargo.toml | 2 - sources/preinit/laika/Cargo.toml | 16 ----- sources/preinit/laika/README.md | 13 ---- sources/preinit/laika/README.tpl | 9 --- sources/preinit/laika/build.rs | 32 --------- sources/preinit/laika/src/bin/preinit.rs | 88 ------------------------ tools/rpm2img | 2 +- 12 files changed, 2 insertions(+), 232 deletions(-) delete mode 100644 sources/preinit/laika/Cargo.toml delete mode 100644 sources/preinit/laika/README.md delete mode 100644 sources/preinit/laika/README.tpl delete mode 100644 sources/preinit/laika/build.rs delete mode 100644 sources/preinit/laika/src/bin/preinit.rs diff --git a/GLOSSARY.md b/GLOSSARY.md index 546fe145145..060c75f1084 100644 --- a/GLOSSARY.md +++ b/GLOSSARY.md 
@@ -12,7 +12,6 @@ Used for system maintenance and connectivity. * [**host-ctr**](sources/host-ctr): The program started by `host-containers@.service` for each host container. Its job is to start the specified host container on the “host” instance of containerd, which is separate from the “user” instance of containerd used for Kubernetes pods. -* [**laika**](sources/preinit/laika): A crate that builds a binary (`/sbin/preinit`) that's used to mount filesystems before starting init (`systemd`). * [**model**](sources/models): The API system has a data model defined for each variant, and this model is used by other programs to serialize and deserialize requests while maintaining safety around data types. * [**netdog**](sources/api/netdog): A program called by wicked to retrieve and write out network configuration from DHCP. * [**pluto**](sources/api/pluto): A setting generator called by sundog to find networking settings required by Kubernetes. diff --git a/packages/os/Cargo.toml b/packages/os/Cargo.toml index 9c90b87dc54..287ebe6502d 100644 --- a/packages/os/Cargo.toml +++ b/packages/os/Cargo.toml @@ -16,7 +16,6 @@ source-groups = [ "webpki-roots-shim", "logdog", "models", - "preinit", ] [lib] diff --git a/packages/os/os.spec b/packages/os/os.spec index 3ba3e3c1934..a9f77c4232c 100644 --- a/packages/os/os.spec +++ b/packages/os/os.spec @@ -142,11 +142,6 @@ Summary: Bottlerocket log extractor %description -n %{_cross_os}logdog use logdog to extract logs from the Bottlerocket host -%package -n %{_cross_os}preinit -Summary: Bottlerocket pre-init system setup -%description -n %{_cross_os}preinit -%{summary}. - %package -n %{_cross_os}migrations Summary: Thar data store migrations %description -n %{_cross_os}migrations @@ -177,7 +172,6 @@ mkdir bin -p updog \ -p logdog \ -p growpart \ - -p laika \ %{nil} %cargo_build_static --manifest-path %{_builddir}/sources/Cargo.toml \ 
@@ -207,7 +201,7 @@ for p in apiclient ; do done install -d %{buildroot}%{_cross_sbindir} -for p in growpart preinit ; do +for p in growpart ; do install -p -m 0755 ${HOME}/.cache/%{__cargo_target}/release/${p} %{buildroot}%{_cross_sbindir} done @@ -336,7 +330,4 @@ install -p -m 0644 %{S:202} %{buildroot}%{_cross_tmpfilesdir}/thar-be-updates.co %files -n %{_cross_os}logdog %{_cross_bindir}/logdog -%files -n %{_cross_os}preinit -%{_cross_sbindir}/preinit - %changelog diff --git a/packages/release/release.spec b/packages/release/release.spec index 9608c026944..37bc7fdaab1 100644 --- a/packages/release/release.spec +++ b/packages/release/release.spec @@ -60,7 +60,6 @@ Requires: %{_cross_os}migration Requires: %{_cross_os}updog Requires: %{_cross_os}logdog Requires: %{_cross_os}util-linux -Requires: %{_cross_os}preinit Requires: %{_cross_os}wicked Requires: %{_cross_os}os diff --git a/sources/Cargo.lock b/sources/Cargo.lock index e16751883de..de8d297941e 100644 --- a/sources/Cargo.lock +++ b/sources/Cargo.lock @@ -792,25 +792,6 @@ dependencies = [ "synstructure 0.12.3 (registry+https://github.com/rust-lang/crates.io-index)", ] -[[package]] -name = "errno" -version = "0.2.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -dependencies = [ - "errno-dragonfly 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)", - "libc 0.2.70 (registry+https://github.com/rust-lang/crates.io-index)", - "winapi 0.3.8 (registry+https://github.com/rust-lang/crates.io-index)", -] - -[[package]] -name = "errno-dragonfly" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -dependencies = [ - "gcc 0.3.55 (registry+https://github.com/rust-lang/crates.io-index)", - "libc 0.2.70 (registry+https://github.com/rust-lang/crates.io-index)", -] - [[package]] name = "error-chain" version = "0.12.2" 
@@ -990,11 +971,6 @@ dependencies = [ "byteorder 1.3.4 (registry+https://github.com/rust-lang/crates.io-index)", ] -[[package]] -name = "gcc" -version = "0.3.55" -source = "registry+https://github.com/rust-lang/crates.io-index" - [[package]] name = "generic-array" version = "0.12.3" @@ -1293,16 +1269,6 @@ dependencies = [ "winapi-build 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)", ] -[[package]] -name = "laika" -version = "0.1.0" -dependencies = [ - "cargo-readme 3.2.0 (registry+https://github.com/rust-lang/crates.io-index)", - "filetime 0.2.9 (registry+https://github.com/rust-lang/crates.io-index)", - "snafu 0.6.8 (registry+https://github.com/rust-lang/crates.io-index)", - "sys-mount 1.2.1 (registry+https://github.com/rust-lang/crates.io-index)", -] - [[package]] name = "language-tags" version = "0.2.2" @@ -1351,15 +1317,6 @@ dependencies = [ "tempfile 3.1.0 (registry+https://github.com/rust-lang/crates.io-index)", ] -[[package]] -name = "loopdev" -version = "0.2.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -dependencies = [ - "errno 0.2.5 (registry+https://github.com/rust-lang/crates.io-index)", - "libc 0.2.70 (registry+https://github.com/rust-lang/crates.io-index)", -] - [[package]] name = "lru-cache" version = "0.1.2" @@ -2500,16 +2457,6 @@ dependencies = [ "unicode-xid 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)", ] -[[package]] -name = "sys-mount" -version = "1.2.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -dependencies = [ - "bitflags 1.2.1 (registry+https://github.com/rust-lang/crates.io-index)", - "libc 0.2.70 (registry+https://github.com/rust-lang/crates.io-index)", - "loopdev 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)", -] - [[package]] name = "tar" version = "0.4.26" 
@@ -3139,8 +3086,6 @@ dependencies = [ "checksum enum-as-inner 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)" = "bc4bfcfacb61d231109d1d55202c1f33263319668b168843e02ad4652725ec9c" "checksum envy 0.4.1 (registry+https://github.com/rust-lang/crates.io-index)" = "f938a4abd5b75fe3737902dbc2e79ca142cc1526827a9e40b829a086758531a9" "checksum err-derive 0.2.3 (registry+https://github.com/rust-lang/crates.io-index)" = "82f46c91bbed409ee74495549acbfcc7fae856e712e1df15afe75d0775eedc6c" -"checksum errno 0.2.5 (registry+https://github.com/rust-lang/crates.io-index)" = "b480f641ccf0faf324e20c1d3e53d81b7484c698b42ea677f6907ae4db195371" -"checksum errno-dragonfly 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)" = "14ca354e36190500e1e1fb267c647932382b54053c50b14970856c0b00a35067" "checksum error-chain 0.12.2 (registry+https://github.com/rust-lang/crates.io-index)" = "d371106cc88ffdfb1eabd7111e432da544f16f3e2d7bf1dfe8bf575f1df045cd" "checksum failure 0.1.7 (registry+https://github.com/rust-lang/crates.io-index)" = "b8529c2421efa3066a5cbd8063d2244603824daccb6936b079010bb2aa89464b" "checksum failure_derive 0.1.7 (registry+https://github.com/rust-lang/crates.io-index)" = "030a733c8287d6213886dd487564ff5c8f6aae10278b3588ed177f9d18f8d231" 
@@ -3162,7 +3107,6 @@ dependencies = [ "checksum futures-task 0.3.4 (registry+https://github.com/rust-lang/crates.io-index)" = "7b0a34e53cf6cdcd0178aa573aed466b646eb3db769570841fda0c7ede375a27" "checksum futures-util 0.3.4 (registry+https://github.com/rust-lang/crates.io-index)" = "22766cf25d64306bedf0384da004d05c9974ab104fcc4528f1236181c18004c5" "checksum fxhash 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "c31b6d751ae2c7f11320402d34e41349dd1016f8d5d45e48c4312bc8625af50c" -"checksum gcc 0.3.55 (registry+https://github.com/rust-lang/crates.io-index)" = "8f5f3913fa0bfe7ee1fd8248b6b9f42a5af4b9d65ec2dd2c3c26132b950ecfc2" "checksum generic-array 0.12.3 (registry+https://github.com/rust-lang/crates.io-index)" = "c68f0274ae0e023facc3c97b2e00f076be70e254bc851d972503b328db79b2ec" "checksum getrandom 0.1.14 (registry+https://github.com/rust-lang/crates.io-index)" = "7abc8dd8451921606d809ba32e95b6111925cd2906060d2dcc29c070220503eb" "checksum glob 0.2.11 (registry+https://github.com/rust-lang/crates.io-index)" = "8be18de09a56b60ed0edf84bc9df007e30040691af7acd1c41874faac5895bfb" 
@@ -3197,7 +3141,6 @@ dependencies = [ "checksum linked-hash-map 0.5.2 (registry+https://github.com/rust-lang/crates.io-index)" = "ae91b68aebc4ddb91978b11a1b02ddd8602a05ec19002801c5666000e05e0f83" "checksum lock_api 0.3.3 (registry+https://github.com/rust-lang/crates.io-index)" = "79b2de95ecb4691949fea4716ca53cdbcfccb2c612e19644a8bad05edcf9f47b" "checksum log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)" = "14b6052be84e6b71ab17edffc2eeabf5c2c3ae1fdb464aae35ac50c67a44e1f7" -"checksum loopdev 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "ac9e35cfb6646d67059f2ca8913a90e6c60633053c103df423975297f33d6fcc" "checksum lru-cache 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)" = "31e24f1ad8321ca0e8a1e0ac13f23cb668e6f5466c2c57319f6a5cf1cc8e3b1c" "checksum lz4 1.23.1 (registry+https://github.com/rust-lang/crates.io-index)" = "43c94a9f09a60017f373020cc93d4291db4cd92b0db64ff25927f27d09dc23d5" "checksum lz4-sys 1.8.3 (registry+https://github.com/rust-lang/crates.io-index)" = "20ab022822e9331c58d373acdd6b98085bace058ac6837b8266f213a2fccdafe" 
@@ -3304,7 +3247,6 @@ dependencies = [ "checksum syn 1.0.17 (registry+https://github.com/rust-lang/crates.io-index)" = "0df0eb663f387145cab623dea85b09c2c5b4b0aef44e945d928e682fce71bb03" "checksum syn-mid 0.5.0 (registry+https://github.com/rust-lang/crates.io-index)" = "7be3539f6c128a931cf19dcee741c1af532c7fd387baa739c03dd2e96479338a" "checksum synstructure 0.12.3 (registry+https://github.com/rust-lang/crates.io-index)" = "67656ea1dc1b41b1451851562ea232ec2e5a80242139f7e679ceccfb5d61f545" -"checksum sys-mount 1.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "62f5703caf67c45ad3450104001b4620a605e9def0cef13dde3c9add23f73cee" "checksum tar 0.4.26 (registry+https://github.com/rust-lang/crates.io-index)" = "b3196bfbffbba3e57481b6ea32249fbaf590396a52505a2615adbb79d9d826d3" "checksum tempdir 0.3.7 (registry+https://github.com/rust-lang/crates.io-index)" = "15f2b5fb00ccdf689e0149d1b1b3c03fead81c2b37735d812fa8bddbbf41b6d8" "checksum tempfile 3.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "7a6e24d9338a0a5be79593e2fa15a648add6138caa803e2d5bc782c371732ca9" diff --git a/sources/Cargo.toml b/sources/Cargo.toml index 75b15038968..e5f08ab54ac 100644 --- a/sources/Cargo.toml +++ b/sources/Cargo.toml @@ -31,8 +31,6 @@ members = [ "parse-datetime", - "preinit/laika", - "updater/block-party", "updater/signpost", "updater/update_metadata", diff --git a/sources/preinit/laika/Cargo.toml b/sources/preinit/laika/Cargo.toml deleted file mode 100644 index 5b7eb37b4a5..00000000000 --- a/sources/preinit/laika/Cargo.toml +++ /dev/null @@ -1,16 +0,0 @@ -[package] -name = "laika" -version = "0.1.0" -authors = ["Erikson Tung "] -license = "Apache-2.0 OR MIT" -edition = "2018" -publish = false -build = "build.rs" - -[dependencies] -sys-mount = "1.2.1" -filetime = "0.2.7" -snafu = "0.6.0" - -[build-dependencies] -cargo-readme = "3.1" diff --git a/sources/preinit/laika/README.md b/sources/preinit/laika/README.md deleted file mode 100644 index 0e444e55815..00000000000 
--- a/sources/preinit/laika/README.md +++ /dev/null @@ -1,13 +0,0 @@ -# laika - -Current version: 0.1.0 - -## Introduction - -laika is a preinit agent that mounts the necessary filesystems for setting up Bottlerocket. - -After the filesystems are mounted, laika then invokes the init process. - -## Colophon - -This text was generated from `README.tpl` using [cargo-readme](https://crates.io/crates/cargo-readme), and includes the rustdoc from `src/bin/preinit.rs`. \ No newline at end of file diff --git a/sources/preinit/laika/README.tpl b/sources/preinit/laika/README.tpl deleted file mode 100644 index 691067a5259..00000000000 --- a/sources/preinit/laika/README.tpl +++ /dev/null @@ -1,9 +0,0 @@ -# {{crate}} - -Current version: {{version}} - -{{readme}} - -## Colophon - -This text was generated from `README.tpl` using [cargo-readme](https://crates.io/crates/cargo-readme), and includes the rustdoc from `src/bin/preinit.rs`. diff --git a/sources/preinit/laika/build.rs b/sources/preinit/laika/build.rs deleted file mode 100644 index 33e3980d303..00000000000 --- a/sources/preinit/laika/build.rs +++ /dev/null @@ -1,32 +0,0 @@ -// Automatically generate README.md from rustdoc. - -use std::env; -use std::fs::File; -use std::io::Write; -use std::path::PathBuf; - -fn main() { - // Check for environment variable "SKIP_README". If it is set, - // skip README generation - if env::var_os("SKIP_README").is_some() { - return; - } - - let mut source = File::open("src/bin/preinit.rs").unwrap(); - let mut template = File::open("README.tpl").unwrap(); - - let content = cargo_readme::generate_readme( - &PathBuf::from("."), // root - &mut source, // source - Some(&mut template), // template - // The "add x" arguments don't apply when using a template. - true, // add title - false, // add badges - false, // add license - true, // indent headings - ) - .unwrap(); - - let mut readme = File::create("README.md").unwrap(); - readme.write_all(content.as_bytes()).unwrap(); -} 
diff --git a/sources/preinit/laika/src/bin/preinit.rs b/sources/preinit/laika/src/bin/preinit.rs deleted file mode 100644 index 0ca0a9cc6f1..00000000000 --- a/sources/preinit/laika/src/bin/preinit.rs +++ /dev/null 
@@ -1,88 +0,0 @@ -/*! -# Introduction - -laika is a preinit agent that mounts the necessary filesystems for setting up Bottlerocket. - -After the filesystems are mounted, laika then invokes the init process. -*/ - -#![deny(rust_2018_idioms)] - -use filetime::FileTime; -use snafu::{IntoError, ResultExt}; -use std::os::unix::process::CommandExt; -use std::process::Command; -use sys_mount::{Mount, MountFlags}; - -type Result = std::result::Result; - -mod error { - use snafu::Snafu; - - /// Potential errors during pre-init process. - #[derive(Debug, Snafu)] - #[snafu(visibility = "pub(super)")] - pub(super) enum LaikaError { - #[snafu(display("Failed to mount {} to {} : {}", device, target, source))] - MountFailed { - device: String, - target: String, - source: std::io::Error, - }, - - #[snafu(display("Failed to create directory {}: {}", directory, source))] - CreateDirectoryFailed { - directory: String, - source: std::io::Error, - }, - - #[snafu(display("Failed to set timestamp for {} to {}: {}", path, time, source))] - ModifyFileTime { - path: String, - time: filetime::FileTime, - source: std::io::Error, - }, - - #[snafu(display("Failed to execute {}: {}", path, source))] - InitExecFailed { - path: String, - source: std::io::Error, - }, - } -} - -fn main() -> Result<()> { - // Mount flag consts - const NOATIME: MountFlags = MountFlags::NOATIME; - const NOSUID: MountFlags = MountFlags::NOSUID; - const NODEV: MountFlags = MountFlags::NODEV; - const NOEXEC: MountFlags = MountFlags::NOEXEC; - - // Try and mount tmpfs directories - for target in vec![("/etc", NOATIME | NOSUID | NODEV | NOEXEC)] { - Mount::new("tmpfs", target.0, "tmpfs", target.1, Some("mode=0755")).context( - error::MountFailed { - device: "tmpfs", - target: target.0, - }, - )?; - } - - let unix_epoch = FileTime::zero(); - - // Set the file modification times to the unix epoch time to ensure that systemd - // detects these directories as 'outdated/uninitialized' and performs all the - // initialization it 
needs to do at boot time (e.g. systemd-tmpfiles) - for dir in vec!["/etc"] { - filetime::set_file_mtime(dir, unix_epoch).context(error::ModifyFileTime { - path: dir, - time: unix_epoch, - })?; - } - - // Start the init process - let err = Command::new("/sbin/init").exec(); - - // If the exec call succeeded, it should not have returned. - Err(error::InitExecFailed { path: "/sbin/init" }.into_error(err)) -} diff --git a/tools/rpm2img b/tools/rpm2img index 4e391c2b281..d02795bcc21 100755 --- a/tools/rpm2img +++ b/tools/rpm2img @@ -161,7 +161,7 @@ set default="0" set timeout="0" menuentry "Bottlerocket OS ${VERSION_ID}" { - linux (\$root)/vmlinuz root=/dev/dm-0 rootwait ro init=/sbin/preinit \\ + linux (\$root)/vmlinuz root=/dev/dm-0 rootwait ro \\ console=tty0 console=ttyS0 random.trust_cpu=on selinux=1 enforcing=1 \\ systemd.log_target=journal-or-kmsg systemd.log_color=0 net.ifnames=0 \\ biosdevname=0 dm_verity.max_bios=-1 dm_verity.dev_wait=1 \\ From ea01afc2ac823d2641df871effe36e2b5f52c801 Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Thu, 9 Jul 2020 23:40:59 +0000 Subject: [PATCH 4/5] release: mount tmpfs on /etc/cni This allows CNI plugin containers to write the configuration that containerd uses, even if they are not running with a privileged label. Signed-off-by: Ben Cressey --- packages/release/etc-cni.mount | 14 ++++++++++++++ packages/release/release.spec | 6 +++++- 2 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 packages/release/etc-cni.mount diff --git a/packages/release/etc-cni.mount b/packages/release/etc-cni.mount new file mode 100644 index 00000000000..1f3b0fdb406 --- /dev/null +++ b/packages/release/etc-cni.mount @@ -0,0 +1,14 @@ +[Unit] +Description=CNI Configuration Directory (/etc/cni) +DefaultDependencies=no +Conflicts=umount.target +Before=local-fs.target umount.target + +[Mount] +What=tmpfs +Where=/etc/cni +Type=tmpfs +Options=nosuid,nodev,noexec,noatime + +[Install] +WantedBy=local-fs.target 
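Review bot: The etc-cni.mount unit mounts tmpfs on /etc/cni without a `context=` option, so the new filesystem does not carry the etc_t label that the tmpfs on /etc gets elsewhere in this series; its label is whatever the policy's default for tmpfs is, presumably any_t judging from the `/tmp` filecon in the first commit, and with that label every subject in all_s, not only CNI plugin containers, can write to, watch and mount over the directory containerd reads its CNI configuration from. If that breadth is intended (the commit message only mentions CNI containers without a privileged label), a comment in the [Mount] section saying so would keep the next reader from "fixing" it by adding `context=`; if it is not, a dedicated type would let the policy scope the write access. Either way, carrying the label explicitly in `Options=` would stop the result from depending on the tmpfs default.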
diff --git a/packages/release/release.spec b/packages/release/release.spec index 37bc7fdaab1..437f21c26fa 100644 --- a/packages/release/release.spec +++ b/packages/release/release.spec @@ -22,6 +22,7 @@ Source1008: opt.mount Source1009: usr-src-kernels.mount.in Source1010: var-lib-bottlerocket.mount Source1011: usr-share-licenses.mount.in +Source1012: etc-cni.mount BuildArch: noarch Requires: %{_cross_os}acpid @@ -92,7 +93,9 @@ ID=bottlerocket EOF install -d %{buildroot}%{_cross_unitdir} -install -p -m 0644 %{S:1002} %{S:1006} %{S:1007} %{S:1008} %{S:1010} %{buildroot}%{_cross_unitdir} +install -p -m 0644 \ + %{S:1002} %{S:1006} %{S:1007} %{S:1008} %{S:1010} %{S:1012} \ + %{buildroot}%{_cross_unitdir} # Mounting on usr/src/kernels requires using the real path: %{_cross_usrsrc}/kernels KERNELPATH=$(systemd-escape --path %{_cross_usrsrc}/kernels) sed -e 's|PREFIX|%{_cross_prefix}|' %{S:1009} > ${KERNELPATH}.mount @@ -117,6 +120,7 @@ install -p -m 0644 %{S:200} %{buildroot}%{_cross_templatedir}/motd %{_cross_unitdir}/prepare-local.service %{_cross_unitdir}/var.mount %{_cross_unitdir}/opt.mount +%{_cross_unitdir}/etc-cni.mount %{_cross_unitdir}/*-kernels.mount %{_cross_unitdir}/*-licenses.mount %{_cross_unitdir}/var-lib-bottlerocket.mount From 102d29d0ee856e1b655077fabaa0ea3c55e3c5ed Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Fri, 10 Jul 2020 05:10:36 +0000 Subject: [PATCH 5/5] selinux-policy: enable transitions via cache_t When starting a container with a command that resides in a different layer, `runc` might see the lower label (`cache_t`) rather than the upper one (`local_t`). Either type is a valid entrypoint into the container domain. Signed-off-by: Ben Cressey --- packages/selinux-policy/rules.cil | 2 ++ 1 file changed, 2 insertions(+) diff --git a/packages/selinux-policy/rules.cil b/packages/selinux-policy/rules.cil index 6aefd5c5824..bcc04d81dda 100644 --- a/packages/selinux-policy/rules.cil +++ b/packages/selinux-policy/rules.cil 
@@ -58,8 +58,10 @@
 ; Unlike the above transitions, this depends on correct labeling for
 ; objects on local storage.
 (typetransition runtime_t local_t process container_t)
+(typetransition runtime_t cache_t process container_t)
 (allow runtime_t container_s (processes (transform)))
 (allow container_s local_t (file (entrypoint)))
+(allow container_s cache_t (file (entrypoint)))
 ; Allow containers to communicate with runtimes via pipes.
 (allow container_s runtime_t (files (mutate)))
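Review bot: The comment above these lines still says the transition "depends on correct labeling for objects on local storage" and names only local_t; the reason a second entrypoint type is accepted lives only in the commit message. Suggest extending it with `; cache_t is also accepted because runc may see the lower overlay layer's label rather than local_t.` so the rule can be audited in place. Since any file labeled cache_t is now a valid entrypoint into container_t, the comment should also record which subjects may write cache_t objects, which this hunk does not show.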