fix CSI drivers and kaniko

GLOSSARY.md

@@ -12,7 +12,6 @@
   Used for system maintenance and connectivity.
 * [**host-ctr**](sources/host-ctr): The program started by `[email protected]` for each host container.
   Its job is to start the specified host container on the “host” instance of containerd, which is separate from the “user” instance of containerd used for Kubernetes pods.
-* [**laika**](sources/preinit/laika): A crate that builds a binary (`/sbin/preinit`) that's used to mount filesystems before starting init (`systemd`).
 * [**model**](sources/models): The API system has a data model defined for each variant, and this model is used by other programs to serialize and deserialize requests while maintaining safety around data types.
 * [**netdog**](sources/api/netdog): A program called by wicked to retrieve and write out network configuration from DHCP.
 * [**pluto**](sources/api/pluto): A setting generator called by sundog to find networking settings required by Kubernetes.

packages/os/Cargo.toml

@@ -16,7 +16,6 @@ source-groups = [
     "webpki-roots-shim",
     "logdog",
     "models",
-    "preinit",
 ]
 
 [lib]

packages/os/os.spec

@@ -142,11 +142,6 @@ Summary: Bottlerocket log extractor
 %description -n %{_cross_os}logdog
 use logdog to extract logs from the Bottlerocket host
 
-%package -n %{_cross_os}preinit
-Summary: Bottlerocket pre-init system setup
-%description -n %{_cross_os}preinit
-%{summary}.
-
 %package -n %{_cross_os}migrations
 Summary: Thar data store migrations
 %description -n %{_cross_os}migrations
@@ -177,7 +172,6 @@ mkdir bin
     -p updog \
     -p logdog \
     -p growpart \
-    -p laika \
     %{nil}
 
 %cargo_build_static --manifest-path %{_builddir}/sources/Cargo.toml \
@@ -207,7 +201,7 @@ for p in apiclient ; do
 done
 
 install -d %{buildroot}%{_cross_sbindir}
-for p in growpart preinit ; do
+for p in growpart ; do
   install -p -m 0755 ${HOME}/.cache/%{__cargo_target}/release/${p} %{buildroot}%{_cross_sbindir}
 done
 
@@ -336,7 +330,4 @@ install -p -m 0644 %{S:202} %{buildroot}%{_cross_tmpfilesdir}/thar-be-updates.co
 %files -n %{_cross_os}logdog
 %{_cross_bindir}/logdog
 
-%files -n %{_cross_os}preinit
-%{_cross_sbindir}/preinit
-
 %changelog

packages/release/etc-cni.mount

@@ -0,0 +1,14 @@
+[Unit]
+Description=CNI Configuration Directory (/etc/cni)
+DefaultDependencies=no
+Conflicts=umount.target
+Before=local-fs.target umount.target
+
+[Mount]
+What=tmpfs
+Where=/etc/cni
+Type=tmpfs
+Options=nosuid,nodev,noexec,noatime
+
+[Install]
+WantedBy=local-fs.target

packages/release/release.spec

@@ -22,6 +22,7 @@ Source1008: opt.mount
 Source1009: usr-src-kernels.mount.in
 Source1010: var-lib-bottlerocket.mount
 Source1011: usr-share-licenses.mount.in
+Source1012: etc-cni.mount
 
 BuildArch: noarch
 Requires: %{_cross_os}acpid
@@ -60,7 +61,6 @@ Requires: %{_cross_os}migration
 Requires: %{_cross_os}updog
 Requires: %{_cross_os}logdog
 Requires: %{_cross_os}util-linux
-Requires: %{_cross_os}preinit
 Requires: %{_cross_os}wicked
 Requires: %{_cross_os}os
 
@@ -93,7 +93,9 @@ ID=bottlerocket
 EOF
 
 install -d %{buildroot}%{_cross_unitdir}
-install -p -m 0644 %{S:1002} %{S:1006} %{S:1007} %{S:1008} %{S:1010} %{buildroot}%{_cross_unitdir}
+install -p -m 0644 \
+  %{S:1002} %{S:1006} %{S:1007} %{S:1008} %{S:1010} %{S:1012} \
+  %{buildroot}%{_cross_unitdir}
 # Mounting on usr/src/kernels requires using the real path: %{_cross_usrsrc}/kernels
 KERNELPATH=$(systemd-escape --path %{_cross_usrsrc}/kernels)
 sed -e 's|PREFIX|%{_cross_prefix}|' %{S:1009} > ${KERNELPATH}.mount
@@ -118,6 +120,7 @@ install -p -m 0644 %{S:200} %{buildroot}%{_cross_templatedir}/motd
 %{_cross_unitdir}/prepare-local.service
 %{_cross_unitdir}/var.mount
 %{_cross_unitdir}/opt.mount
+%{_cross_unitdir}/etc-cni.mount
 %{_cross_unitdir}/*-kernels.mount
 %{_cross_unitdir}/*-licenses.mount
 %{_cross_unitdir}/var-lib-bottlerocket.mount

packages/selinux-policy/fs.cil

@@ -80,7 +80,7 @@
 (filecon "/dev/.*" any ())
 
 ; Label tmpfs mounts.
-(filecon "/etc" any any)
+(filecon "/etc" any etc)
 (filecon "/etc/.*" any ())
 (filecon "/tmp" any any)
 (filecon "/tmp/.*" any ())

packages/selinux-policy/object.cil

@@ -45,6 +45,11 @@
 (roletype object_r any_t)
 (context any (system_u object_r any_t s0))
 
+; Files for system configuration.
+(type etc_t)
+(roletype object_r etc_t)
+(context etc (system_u object_r etc_t s0))
+
 ; Files that have no label, or perhaps an invalid label.
 (type unlabeled_t)
 (roletype object_r unlabeled_t)
@@ -85,9 +90,9 @@
 (roletype object_r external_t)
 (context external (system_u object_r external_t s0))
 
-; Ephemeral objects reside on temporary storage.
-(typeattribute ephemeral_o)
-(typeattributeset ephemeral_o (any_t))
+; Dynamic objects are files on temporary storage with special rules.
+(typeattribute dynamic_o)
+(typeattributeset dynamic_o (etc_t))
 
 ; Protected objects are files on local storage with special rules.
 (typeattribute protected_o)
@@ -100,16 +105,17 @@
   os_t init_exec_t api_exec_t clock_exec_t
   network_exec_t bus_exec_t runtime_exec_t))
 
-; Foreign objects reside on storage with a different lifecycle from
-; the rest of the OS, such as EBS volumes and EFS filesystems.
-(typeattribute foreign_o)
-(typeattributeset foreign_o (external_t unlabeled_t))
+; Ephemeral objects reside on storage with a different lifecycle
+; from the rest of the OS, such as tmpfs filesystems, EBS volumes,
+; and EFS filesystems.
+(typeattribute ephemeral_o)
+(typeattributeset ephemeral_o (any_t external_t unlabeled_t))
 
 ; The set of all objects.
 (typeattribute all_o)
 (typeattributeset all_o (
   os_t init_exec_t api_exec_t clock_exec_t
   network_exec_t bus_exec_t runtime_exec_t
-  any_t unlabeled_t external_t
+  any_t etc_t unlabeled_t external_t
   local_t private_t cache_t
   lease_t measure_t state_t))

packages/selinux-policy/rules.cil

@@ -58,8 +58,10 @@
 ; Unlike the above transitions, this depends on correct labeling for
 ; objects on local storage.
 (typetransition runtime_t local_t process container_t)
+(typetransition runtime_t cache_t process container_t)
 (allow runtime_t container_s (processes (transform)))
 (allow container_s local_t (file (entrypoint)))
+(allow container_s cache_t (file (entrypoint)))
 
 ; Allow containers to communicate with runtimes via pipes.
 (allow container_s runtime_t (files (mutate)))
@@ -85,11 +87,19 @@
 ; They can also set watches on those objects.
 (allow all_s self (files (mutate watch)))
 
-; All subjects are allowed to write to and set watches for "foreign"
-; and "ephemeral" objects, such as files in /mnt and /tmp.
-; They can also manage mounts for "foreign" objects.
-(allow all_s ephemeral_o (files (mutate watch)))
-(allow all_s foreign_o (files (mutate watch mount)))
+; All subjects are allowed to write to, set watches for, and manage
+; mounts for "ephemeral" objects, such as files in /mnt and /tmp.
+(allow all_s ephemeral_o (files (mutate watch mount)))
+
+; Trusted subjects are allowed to write to, set watches for, and
+; manage mounts for "dynamic" files in /etc.
+(allow trusted_s dynamic_o (files (mutate watch mount)))
+
+; wicked calls netdog which writes /etc/resolv.conf.
+(allow network_t etc_t (files (mutate)))
+
+; Other subjects cannot modify these "dynamic" files.
+(neverallow other_s dynamic_o (files (mutate watch mount)))
 
 ; Most subjects are allowed to write to, set watches for, and manage
 ; mounts for "local" files and directories on /local.
@@ -144,7 +154,7 @@
 
 ; Files that exist elsewhere should not be an entrypoint.
 (neverallow all_s ephemeral_o (files (enter)))
-(neverallow all_s foreign_o (files (enter)))
+(neverallow all_s dynamic_o (files (enter)))
 
 ; All subjects are allowed to use most actions related to sockets,
 ; networks, and IPC mechanisms.

packages/systemd/9001-use-absolute-path-for-var-run-symlink.patch

@@ -1,7 +1,7 @@
-From 04341003db574d474b578a8587c39e365955f4f7 Mon Sep 17 00:00:00 2001
+From 761f4dfb91c5b8d80dafd7a8b7952c09e61bc981 Mon Sep 17 00:00:00 2001
 From: Ben Cressey <[email protected]>
 Date: Tue, 17 Sep 2019 01:35:51 +0000
-Subject: [PATCH 9001/9004] use absolute path for /var/run symlink
+Subject: [PATCH 9001/9005] use absolute path for /var/run symlink
 
 Otherwise the symlink may be broken if /var is a bind mount from
 somewhere else.

packages/systemd/9002-core-add-separate-timeout-for-system-shutdown.patch

@@ -1,7 +1,7 @@
-From b3ac8393c51d1c2806526f0ef138e87e825783f2 Mon Sep 17 00:00:00 2001
+From adcae5edbf78586335a64744dca2df6449537953 Mon Sep 17 00:00:00 2001
 From: Ben Cressey <[email protected]>
 Date: Tue, 10 Mar 2020 20:30:10 +0000
-Subject: [PATCH 9002/9004] core: add separate timeout for system shutdown
+Subject: [PATCH 9002/9005] core: add separate timeout for system shutdown
 
 There is an existing setting for this (DefaultTimeoutStopUSec), but
 changing it has no effect because `reset_arguments()` is called just

packages/systemd/9003-repart-always-use-random-UUIDs.patch

@@ -1,7 +1,7 @@
-From c867691ea344e8d518dac292e082e832dafa87a0 Mon Sep 17 00:00:00 2001
+From b080e8af77c4484a3fdd40c599454b69e5a193a5 Mon Sep 17 00:00:00 2001
 From: Ben Cressey <[email protected]>
 Date: Thu, 16 Apr 2020 15:10:41 +0000
-Subject: [PATCH 9003/9004] repart: always use random UUIDs
+Subject: [PATCH 9003/9005] repart: always use random UUIDs
 
 We would like to avoid adding OpenSSL to the base OS, and for our use
 case we do not need the UUIDs assigned to disks or partitions to be

packages/systemd/9004-machine-id-setup-generate-stable-ID-under-Xen.patch

@@ -1,7 +1,7 @@
-From f17dd7d63c9a3424e8b592d3e3afb70209102706 Mon Sep 17 00:00:00 2001
+From 2c7e1e97cd82ed7c20f63d1842cd26de37b53f34 Mon Sep 17 00:00:00 2001
 From: Ben Cressey <[email protected]>
 Date: Tue, 7 Jul 2020 22:38:20 +0000
-Subject: [PATCH 9004/9004] machine-id-setup: generate stable ID under Xen
+Subject: [PATCH 9004/9005] machine-id-setup: generate stable ID under Xen
 
 Signed-off-by: Ben Cressey <[email protected]>
 ---

packages/systemd/9005-core-mount-etc-with-specific-label.patch

@@ -0,0 +1,29 @@
+From b84340cd6e390483a22839c7c3d8d8ff39534d11 Mon Sep 17 00:00:00 2001
+From: Ben Cressey <[email protected]>
+Date: Thu, 9 Jul 2020 20:00:36 +0000
+Subject: [PATCH 9005/9005] core: mount /etc with specific label
+
+The filesystem is mounted after we load the SELinux policy, so we can
+apply the label we need to restrict access.
+
+Signed-off-by: Ben Cressey <[email protected]>
+---
+ src/core/mount-setup.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
+index 5dfcb61..5cad963 100644
+--- a/src/core/mount-setup.c
++++ b/src/core/mount-setup.c
+@@ -74,6 +74,8 @@ static const MountPoint mount_table[] = {
+         { "tmpfs",       "/dev/shm",                  "tmpfs",      "mode=1777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+           mac_smack_use, MNT_FATAL                  },
+ #endif
++        { "tmpfs",       "/etc",                      "tmpfs",      "mode=755,context=system_u:object_r:etc_t:s0", MS_NOSUID|MS_NODEV|MS_NOATIME|MS_NOEXEC,
++          NULL,          MNT_FATAL|MNT_IN_CONTAINER },
+         { "tmpfs",       "/dev/shm",                  "tmpfs",      "mode=1777",               MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+           NULL,          MNT_FATAL|MNT_IN_CONTAINER },
+         { "devpts",      "/dev/pts",                  "devpts",     "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
+-- 
+2.21.0
+

packages/systemd/systemd.spec

@@ -27,6 +27,9 @@ Patch9003: 9003-repart-always-use-random-UUIDs.patch
 # the dom0 case first, where the UUID is all zeroes and hence not unique.
 Patch9004: 9004-machine-id-setup-generate-stable-ID-under-Xen.patch
 
+# Local patch to handle mounting /etc with our SELinux label.
+Patch9005: 9005-core-mount-etc-with-specific-label.patch
+
 BuildRequires: gperf
 BuildRequires: intltool
 BuildRequires: meson