rpms/rpm-ostree
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import OL rpm-ostree-2024.3-4.el9_4

Browse Source
This commit is contained in:
eabdullin 2024-06-13 12:31:30 +00:00
parent 4dcd5a37f9
commit 6b5f5ec343
2 changed files with 97 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

91
SOURCES/0004-core-also-wrap-kernel-install-for-scriptlets.patch Normal file
View File

@ -0,0 +1,91 @@
From 6714c34bae041c036277ddb509af2b4135b759d5 Mon Sep 17 00:00:00 2001
From: Jonathan Lebon <jonathan@jlebon.com>
Date: Tue, 7 May 2024 10:05:03 -0400
Subject: [PATCH 1/1] core: also wrap `kernel-install` for scriptlets
It's confusing right now how specifically for the kernel, one has to use
this obscure `rpm-ostree cliwrap install-to-root /` command to make it
work. Let's just always enable it: in the client-side layering case, we
don't run kernel scriptlets anyway so the wrapper is unused, and in the
container case, this will allow users to not have to enable cliwrap and
have it leak into their derived image.
I guess in theory, this should also allow us to *stop* ignoring kernel
scriptlets and rely on this instead, though let's leave that for a
separate investigation.
Closes: #4949
---
rust/src/core.rs | 18 +++++++++++++++++-
src/libpriv/kernel-install-wrapper.sh | 9 +++++++++
2 files changed, 26 insertions(+), 1 deletion(-)
create mode 100644 src/libpriv/kernel-install-wrapper.sh
diff --git a/rust/src/core.rs b/rust/src/core.rs
index 8cd1ee03..ec24ed99 100644
--- a/rust/src/core.rs
+++ b/rust/src/core.rs
@@ -44,6 +44,8 @@ const USERADD_PATH: &str = "usr/sbin/useradd";
const USERADD_WRAPPER: &[u8] = include_bytes!("../../src/libpriv/useradd-wrapper.sh");
const USERMOD_PATH: &str = "usr/sbin/usermod";
const USERMOD_WRAPPER: &[u8] = include_bytes!("../../src/libpriv/usermod-wrapper.sh");
+const KERNEL_INSTALL_PATH: &str = "usr/bin/kernel-install";
+const KERNEL_INSTALL_WRAPPER: &[u8] = include_bytes!("../../src/libpriv/kernel-install-wrapper.sh");
const RPMOSTREE_CORE_STAGED_RPMS_DIR: &str = "rpm-ostree/staged-rpms";
@@ -143,6 +145,7 @@ impl FilesystemScriptPrep {
(SYSTEMCTL_PATH, SYSTEMCTL_WRAPPER),
(USERADD_PATH, USERADD_WRAPPER),
(USERMOD_PATH, USERMOD_WRAPPER),
+ (KERNEL_INSTALL_PATH, KERNEL_INSTALL_WRAPPER),
];
fn saved_name(name: &str) -> String {
@@ -436,7 +439,7 @@ mod test {
// Replaced usermod.
{
let original_usermod = "original usermod";
- d.atomic_write_with_perms(super::USERMOD_PATH, original_usermod, mode)?;
+ d.atomic_write_with_perms(super::USERMOD_PATH, original_usermod, mode.clone())?;
let contents = d.read_to_string(super::USERMOD_PATH)?;
assert_eq!(contents, original_usermod);
let mut g = super::prepare_filesystem_script_prep(d.as_raw_fd())?;
@@ -446,6 +449,19 @@ mod test {
let contents = d.read_to_string(super::USERMOD_PATH)?;
assert_eq!(contents, original_usermod);
}
+ // Replaced kernel-install.
+ {
+ let original_kernel_install = "original kernel_install";
+ d.atomic_write_with_perms(super::KERNEL_INSTALL_PATH, original_kernel_install, mode)?;
+ let contents = d.read_to_string(super::KERNEL_INSTALL_PATH)?;
+ assert_eq!(contents, original_kernel_install);
+ let mut g = super::prepare_filesystem_script_prep(d.as_raw_fd())?;
+ let contents = d.read_to_string(super::KERNEL_INSTALL_PATH)?;
+ assert_eq!(contents.as_bytes(), super::KERNEL_INSTALL_WRAPPER);
+ g.undo()?;
+ let contents = d.read_to_string(super::KERNEL_INSTALL_PATH)?;
+ assert_eq!(contents, original_kernel_install);
+ }
Ok(())
}
diff --git a/src/libpriv/kernel-install-wrapper.sh b/src/libpriv/kernel-install-wrapper.sh
new file mode 100644
index 00000000..4cfb605b
--- /dev/null
+++ b/src/libpriv/kernel-install-wrapper.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/bash
+# Used in the container layering path to make kernel replacements Just Work
+# without having to enable cliwrap first. If cliwrap is enabled, then this will
+# technically override the cliwrap wrapper, but the script is exactly the same.
+# This wrapper is technically also installed when doing client-side layering,
+# but we already ignore kernel scriptlets there anyway.
+# See also https://github.com/coreos/rpm-ostree/issues/4949
+
+exec /usr/bin/rpm-ostree cliwrap kernel-install "$@"
--
2.45.0

7
SPECS/rpm-ostree.spec
View File

@ -4,7 +4,7 @@
Summary: Hybrid image/package system Summary: Hybrid image/package system
Name: rpm-ostree Name: rpm-ostree
Version: 2024.3 Version: 2024.3
Release: 3%{?dist} Release: 4%{?dist}
License: LGPLv2+ License: LGPLv2+
URL: https://github.com/coreos/rpm-ostree URL: https://github.com/coreos/rpm-ostree
# This tarball is generated via "cd packaging && make -f Makefile.dist-packaging dist-snapshot" # This tarball is generated via "cd packaging && make -f Makefile.dist-packaging dist-snapshot"
@ -15,6 +15,7 @@ Patch0: 0001-cliwrap-rpm-mark-eval-E-as-safe.patch
Patch1: 0001-passwd-create-etc-g-shadow-with-mode-0.patch Patch1: 0001-passwd-create-etc-g-shadow-with-mode-0.patch
Patch2: 0002-unit-chmod-etc-g-shadow-to-0000.patch Patch2: 0002-unit-chmod-etc-g-shadow-to-0000.patch
Patch3: 0003-shadow-Adjust-all-deployments.patch Patch3: 0003-shadow-Adjust-all-deployments.patch
Patch4: 0004-core-also-wrap-kernel-install-for-scriptlets.patch
ExclusiveArch: %{rust_arches} ExclusiveArch: %{rust_arches}
@ -249,6 +250,10 @@ fi
%files devel -f files.devel %files devel -f files.devel
%changelog %changelog
* Fri May 10 2024 Joseph Marrero <jmarrero@fedoraproject.org> - 2024.3-4
- Backport https://github.com/coreos/rpm-ostree/pull/4950
Resolves: #RHEL-36085
* Tue Apr 16 2024 Joseph Marrero <jmarrero@fedoraproject.org> - 2024.3-3 * Tue Apr 16 2024 Joseph Marrero <jmarrero@fedoraproject.org> - 2024.3-3
- Backport https://github.com/coreos/rpm-ostree/security/advisories/GHSA-2m76-cwhg-7wv6 - Backport https://github.com/coreos/rpm-ostree/security/advisories/GHSA-2m76-cwhg-7wv6
Resolves: #RHEL-31852 Resolves: #RHEL-31852