From 24cdbc9b9871a5e8a327818099d97cfcaba4567e Mon Sep 17 00:00:00 2001 From: Elaine Zhao Date: Mon, 30 Sep 2024 18:47:22 +0000 Subject: [PATCH 01/10] add verity to EMU API --- toolkit/tools/osmodifierapi/os.go | 2 + .../tools/pkg/osmodifierlib/modifierutils.go | 39 +++++++++++++++++++ .../pkg/osmodifierlib/modifydefaultgrub.go | 4 -- 3 files changed, 41 insertions(+), 4 deletions(-) diff --git a/toolkit/tools/osmodifierapi/os.go b/toolkit/tools/osmodifierapi/os.go index 43fda9ef566..1f07603a910 100644 --- a/toolkit/tools/osmodifierapi/os.go +++ b/toolkit/tools/osmodifierapi/os.go @@ -17,6 +17,8 @@ type OS struct { SELinux imagecustomizerapi.SELinux `yaml:"selinux"` Users []imagecustomizerapi.User `yaml:"users"` Overlays *[]Overlay `yaml:"overlays"` + Verity *imagecustomizerapi.Verity `yaml:"verity"` + RootHash string `yaml:"rootHash"` } func (s *OS) IsValid() error { diff --git a/toolkit/tools/pkg/osmodifierlib/modifierutils.go b/toolkit/tools/pkg/osmodifierlib/modifierutils.go index 64a83a9f007..f4bff8da6a8 100644 --- a/toolkit/tools/pkg/osmodifierlib/modifierutils.go +++ b/toolkit/tools/pkg/osmodifierlib/modifierutils.go @@ -61,6 +61,45 @@ func doModifications(baseConfigPath string, osConfig *osmodifierapi.OS) error { } } + if osConfig.Verity != nil { + + bootCustomizer, err := imagecustomizerlib.NewBootCustomizer(dummyChroot) + if err != nil { + return err + } + + err = updateDefaultGrubForVerity(osConfig.RootHash, osConfig.Verity, bootCustomizer) + if err != nil { + return err + } + + err = bootCustomizer.WriteToFile(dummyChroot) + if err != nil { + return err + } + } + + return nil +} + +func updateDefaultGrubForVerity(roothash string, verity *imagecustomizerapi.Verity, bootCustomizer *imagecustomizerlib.BootCustomizer) error { + + var err error + + newArgs := []string{ + "rd.systemd.verity=1", + fmt.Sprintf("roothash=%s", roothash), + fmt.Sprintf("systemd.verity_root_data=%s", verity.DataPartition), + fmt.Sprintf("systemd.verity_root_hash=%s", verity.HashPartition), + fmt.Sprintf("systemd.verity_root_options=%s", verity.CorruptionOption), + } + + err = bootCustomizer.UpdateKernelCommandLineArgs("GRUB_CMDLINE_LINUX", []string{"rd.systemd.verity", "roothash", + "systemd.verity_root_data", "systemd.verity_root_hash", "systemd.verity_root_options"}, newArgs) + if err != nil { + return err + } + return nil } diff --git a/toolkit/tools/pkg/osmodifierlib/modifydefaultgrub.go b/toolkit/tools/pkg/osmodifierlib/modifydefaultgrub.go index 9d835ec12ab..d000bc644e3 100644 --- a/toolkit/tools/pkg/osmodifierlib/modifydefaultgrub.go +++ b/toolkit/tools/pkg/osmodifierlib/modifydefaultgrub.go @@ -14,12 +14,8 @@ import ( var grubArgs = []string{ "rd.overlayfs", - "roothash", "root", "rd.systemd.verity", - "systemd.verity_root_data", - "systemd.verity_root_hash", - "systemd.verity_root_options", "selinux", "enforcing", } From 6a428d6894fa2f6a7b4da59b69ecbb01940f73e0 Mon Sep 17 00:00:00 2001 From: Elaine Zhao Date: Tue, 1 Oct 2024 20:13:27 +0000 Subject: [PATCH 02/10] updates --- toolkit/tools/osmodifierapi/os.go | 2 +- .../tools/pkg/imagecustomizerlib/customizeverity.go | 4 ++-- toolkit/tools/pkg/osmodifierlib/modifierutils.go | 11 ++++++++--- 3 files changed, 11 insertions(+), 6 deletions(-) diff --git a/toolkit/tools/osmodifierapi/os.go b/toolkit/tools/osmodifierapi/os.go index 1f07603a910..b3c4fd8382d 100644 --- a/toolkit/tools/osmodifierapi/os.go +++ b/toolkit/tools/osmodifierapi/os.go @@ -18,7 +18,7 @@ type OS struct { Users []imagecustomizerapi.User `yaml:"users"` Overlays *[]Overlay `yaml:"overlays"` Verity *imagecustomizerapi.Verity `yaml:"verity"` - RootHash string `yaml:"rootHash"` + RootHash string `yaml:"roothash"` } func (s *OS) IsValid() error { diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizeverity.go b/toolkit/tools/pkg/imagecustomizerlib/customizeverity.go index aefcc1e1c69..b37fdb1afc5 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/customizeverity.go +++ b/toolkit/tools/pkg/imagecustomizerlib/customizeverity.go @@ -113,7 +113,7 @@ func updateGrubConfigForVerity(dataPartitionIdType imagecustomizerapi.IdType, da return err } - formattedCorruptionOption, err := systemdFormatCorruptionOption(corruptionOption) + formattedCorruptionOption, err := SystemdFormatCorruptionOption(corruptionOption) if err != nil { return err } @@ -218,7 +218,7 @@ func systemdFormatPartitionId(idType imagecustomizerapi.IdType, id string) (stri } } -func systemdFormatCorruptionOption(corruptionOption imagecustomizerapi.CorruptionOption) (string, error) { +func SystemdFormatCorruptionOption(corruptionOption imagecustomizerapi.CorruptionOption) (string, error) { switch corruptionOption { case imagecustomizerapi.CorruptionOptionDefault, imagecustomizerapi.CorruptionOptionIoError: return "", nil diff --git a/toolkit/tools/pkg/osmodifierlib/modifierutils.go b/toolkit/tools/pkg/osmodifierlib/modifierutils.go index f4bff8da6a8..e38599c7fee 100644 --- a/toolkit/tools/pkg/osmodifierlib/modifierutils.go +++ b/toolkit/tools/pkg/osmodifierlib/modifierutils.go @@ -86,12 +86,17 @@ func updateDefaultGrubForVerity(roothash string, verity *imagecustomizerapi.Veri var err error + formattedCorruptionOption, err := imagecustomizerlib.SystemdFormatCorruptionOption(verity.CorruptionOption) + if err != nil { + return err + } + newArgs := []string{ "rd.systemd.verity=1", fmt.Sprintf("roothash=%s", roothash), - fmt.Sprintf("systemd.verity_root_data=%s", verity.DataPartition), - fmt.Sprintf("systemd.verity_root_hash=%s", verity.HashPartition), - fmt.Sprintf("systemd.verity_root_options=%s", verity.CorruptionOption), + fmt.Sprintf("systemd.verity_root_data=%s", verity.DataPartition.Id), + fmt.Sprintf("systemd.verity_root_hash=%s", verity.HashPartition.Id), + fmt.Sprintf("systemd.verity_root_options=%s", formattedCorruptionOption), } err = bootCustomizer.UpdateKernelCommandLineArgs("GRUB_CMDLINE_LINUX", []string{"rd.systemd.verity", "roothash", From a5e4489bb7107b9ee93510bd7131643dcf0a3189 Mon Sep 17 00:00:00 2001 From: Elaine Zhao Date: Wed, 2 Oct 2024 00:06:01 +0000 Subject: [PATCH 03/10] remove roothash from emu api --- toolkit/tools/osmodifierapi/os.go | 8 +++++++- toolkit/tools/pkg/osmodifierlib/modifierutils.go | 7 +++---- toolkit/tools/pkg/osmodifierlib/modifydefaultgrub.go | 3 +-- 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/toolkit/tools/osmodifierapi/os.go b/toolkit/tools/osmodifierapi/os.go index b3c4fd8382d..089a033f362 100644 --- a/toolkit/tools/osmodifierapi/os.go +++ b/toolkit/tools/osmodifierapi/os.go @@ -18,7 +18,6 @@ type OS struct { Users []imagecustomizerapi.User `yaml:"users"` Overlays *[]Overlay `yaml:"overlays"` Verity *imagecustomizerapi.Verity `yaml:"verity"` - RootHash string `yaml:"roothash"` } func (s *OS) IsValid() error { @@ -67,5 +66,12 @@ func (s *OS) IsValid() error { } } + if s.Verity != nil { + err = s.Verity.IsValid() + if err != nil { + return fmt.Errorf("invalid verity:\n%w", err) + } + } + return nil } diff --git a/toolkit/tools/pkg/osmodifierlib/modifierutils.go b/toolkit/tools/pkg/osmodifierlib/modifierutils.go index e38599c7fee..f585e8218dd 100644 --- a/toolkit/tools/pkg/osmodifierlib/modifierutils.go +++ b/toolkit/tools/pkg/osmodifierlib/modifierutils.go @@ -68,7 +68,7 @@ func doModifications(baseConfigPath string, osConfig *osmodifierapi.OS) error { return err } - err = updateDefaultGrubForVerity(osConfig.RootHash, osConfig.Verity, bootCustomizer) + err = updateDefaultGrubForVerity(osConfig.Verity, bootCustomizer) if err != nil { return err } @@ -82,7 +82,7 @@ func doModifications(baseConfigPath string, osConfig *osmodifierapi.OS) error { return nil } -func updateDefaultGrubForVerity(roothash string, verity *imagecustomizerapi.Verity, bootCustomizer *imagecustomizerlib.BootCustomizer) error { +func updateDefaultGrubForVerity(verity *imagecustomizerapi.Verity, bootCustomizer *imagecustomizerlib.BootCustomizer) error { var err error @@ -93,13 +93,12 @@ func updateDefaultGrubForVerity(roothash string, verity *imagecustomizerapi.Veri newArgs := []string{ "rd.systemd.verity=1", - fmt.Sprintf("roothash=%s", roothash), fmt.Sprintf("systemd.verity_root_data=%s", verity.DataPartition.Id), fmt.Sprintf("systemd.verity_root_hash=%s", verity.HashPartition.Id), fmt.Sprintf("systemd.verity_root_options=%s", formattedCorruptionOption), } - err = bootCustomizer.UpdateKernelCommandLineArgs("GRUB_CMDLINE_LINUX", []string{"rd.systemd.verity", "roothash", + err = bootCustomizer.UpdateKernelCommandLineArgs("GRUB_CMDLINE_LINUX", []string{"rd.systemd.verity", "systemd.verity_root_data", "systemd.verity_root_hash", "systemd.verity_root_options"}, newArgs) if err != nil { return err diff --git a/toolkit/tools/pkg/osmodifierlib/modifydefaultgrub.go b/toolkit/tools/pkg/osmodifierlib/modifydefaultgrub.go index d000bc644e3..4a760b45dee 100644 --- a/toolkit/tools/pkg/osmodifierlib/modifydefaultgrub.go +++ b/toolkit/tools/pkg/osmodifierlib/modifydefaultgrub.go @@ -15,7 +15,7 @@ import ( var grubArgs = []string{ "rd.overlayfs", "root", - "rd.systemd.verity", + "roothash", "selinux", "enforcing", } @@ -88,6 +88,5 @@ func extractValuesFromGrubConfig(imageChroot safechroot.ChrootInterface) ([]stri } } } - return values, rootDevice, nil } From dc5b2a173be03aa662c5c6c7acc3c58e356d0efa Mon Sep 17 00:00:00 2001 From: Elaine Zhao Date: Wed, 2 Oct 2024 00:29:34 +0000 Subject: [PATCH 04/10] remove verity check --- toolkit/tools/osmodifierapi/os.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/toolkit/tools/osmodifierapi/os.go b/toolkit/tools/osmodifierapi/os.go index 089a033f362..58ecec48368 100644 --- a/toolkit/tools/osmodifierapi/os.go +++ b/toolkit/tools/osmodifierapi/os.go @@ -66,12 +66,12 @@ func (s *OS) IsValid() error { } } - if s.Verity != nil { - err = s.Verity.IsValid() - if err != nil { - return fmt.Errorf("invalid verity:\n%w", err) - } - } + // if s.Verity != nil { + // err = s.Verity.IsValid() + // if err != nil { + // return fmt.Errorf("invalid verity:\n%w", err) + // } + // } return nil } From 92f7141fc2ce1f29f8f1067c5cd76b6da0b156d3 Mon Sep 17 00:00:00 2001 From: Elaine Zhao Date: Fri, 18 Oct 2024 22:46:59 +0000 Subject: [PATCH 05/10] add rootdevice to emu api --- toolkit/tools/osmodifierapi/os.go | 18 ++++++------------ .../tools/pkg/osmodifierlib/modifierutils.go | 18 ++++++++++++++++++ 2 files changed, 24 insertions(+), 12 deletions(-) diff --git a/toolkit/tools/osmodifierapi/os.go b/toolkit/tools/osmodifierapi/os.go index 58ecec48368..d164d140d76 100644 --- a/toolkit/tools/osmodifierapi/os.go +++ b/toolkit/tools/osmodifierapi/os.go @@ -13,11 +13,12 @@ import ( // OS defines how each system present on the image is supposed to be configured. type OS struct { - Hostname string `yaml:"hostname"` - SELinux imagecustomizerapi.SELinux `yaml:"selinux"` - Users []imagecustomizerapi.User `yaml:"users"` - Overlays *[]Overlay `yaml:"overlays"` - Verity *imagecustomizerapi.Verity `yaml:"verity"` + Hostname string `yaml:"hostname"` + SELinux imagecustomizerapi.SELinux `yaml:"selinux"` + Users []imagecustomizerapi.User `yaml:"users"` + Overlays *[]Overlay `yaml:"overlays"` + Verity *imagecustomizerapi.Verity `yaml:"verity"` + RootDevice string `yaml:"rootDevice"` } func (s *OS) IsValid() error { @@ -66,12 +67,5 @@ func (s *OS) IsValid() error { } } - // if s.Verity != nil { - // err = s.Verity.IsValid() - // if err != nil { - // return fmt.Errorf("invalid verity:\n%w", err) - // } - // } - return nil } diff --git a/toolkit/tools/pkg/osmodifierlib/modifierutils.go b/toolkit/tools/pkg/osmodifierlib/modifierutils.go index f585e8218dd..9b3e77c6361 100644 --- a/toolkit/tools/pkg/osmodifierlib/modifierutils.go +++ b/toolkit/tools/pkg/osmodifierlib/modifierutils.go @@ -79,6 +79,24 @@ func doModifications(baseConfigPath string, osConfig *osmodifierapi.OS) error { } } + if osConfig.RootDevice != "" { + + bootCustomizer, err := imagecustomizerlib.NewBootCustomizer(dummyChroot) + if err != nil { + return err + } + + err = bootCustomizer.SetRootDevice(osConfig.RootDevice) + if err != nil { + return err + } + + err = bootCustomizer.WriteToFile(dummyChroot) + if err != nil { + return err + } + } + return nil } From 7555cc3c6a687bab2b015c00c030cbb36ac5ba83 Mon Sep 17 00:00:00 2001 From: Elaine Zhao Date: Wed, 30 Oct 2024 23:44:40 +0000 Subject: [PATCH 06/10] exp --- toolkit/tools/pkg/osmodifierlib/modifierutils.go | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/toolkit/tools/pkg/osmodifierlib/modifierutils.go b/toolkit/tools/pkg/osmodifierlib/modifierutils.go index 9afe97b54df..0d787584e28 100644 --- a/toolkit/tools/pkg/osmodifierlib/modifierutils.go +++ b/toolkit/tools/pkg/osmodifierlib/modifierutils.go @@ -175,15 +175,5 @@ func handleSELinux(selinuxMode imagecustomizerapi.SELinuxMode, bootCustomizer *i return err } - err = imagecustomizerlib.UpdateSELinuxModeInConfigFile(selinuxMode, dummyChroot) - if err != nil { - return err - } - - err = imagecustomizerlib.SelinuxSetFiles(selinuxMode, dummyChroot) - if err != nil { - return err - } - return nil } From d78451ef36c5c1b31a11a995c22ad9f023ca6eb1 Mon Sep 17 00:00:00 2001 From: Elaine Zhao Date: Thu, 31 Oct 2024 18:21:14 +0000 Subject: [PATCH 07/10] add enforcing=0 for permissive mode --- .../imagegen/installutils/installutils.go | 3 +++ .../pkg/imagecustomizerlib/bootcustomizer.go | 15 +++++++++++++ .../pkg/imagecustomizerlib/grubcfgutils.go | 22 +++++++++++++++++++ .../tools/pkg/osmodifierlib/modifierutils.go | 2 +- 4 files changed, 41 insertions(+), 1 deletion(-) diff --git a/toolkit/tools/imagegen/installutils/installutils.go b/toolkit/tools/imagegen/installutils/installutils.go index 319d24cd931..3435df374ac 100644 --- a/toolkit/tools/imagegen/installutils/installutils.go +++ b/toolkit/tools/imagegen/installutils/installutils.go @@ -55,6 +55,9 @@ const ( // CmdlineSELinuxEnforcingArg is the arg required for forcing SELinux to be in enforcing mode. CmdlineSELinuxEnforcingArg = "enforcing=1" + // CmdlineSELinuxPermissiveArg is the arg required for SELinux to be in permissive mode. + CmdlineSELinuxPermissiveArg = "enforcing=0" + // CmdlineSELinuxSettings is the kernel command-line args for enabling SELinux. CmdlineSELinuxSettings = CmdlineSELinuxSecurityArg + " " + CmdlineSELinuxEnabledArg diff --git a/toolkit/tools/pkg/imagecustomizerlib/bootcustomizer.go b/toolkit/tools/pkg/imagecustomizerlib/bootcustomizer.go index ab7d4ed8b77..ccdf2c7d1b8 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/bootcustomizer.go +++ b/toolkit/tools/pkg/imagecustomizerlib/bootcustomizer.go @@ -136,6 +136,21 @@ func (b *BootCustomizer) UpdateSELinuxCommandLine(selinuxMode imagecustomizerapi return nil } +// Update the image's SELinux kernel command-line args. +func (b *BootCustomizer) UpdateSELinuxCommandLineWithEnforcingArg(selinuxMode imagecustomizerapi.SELinuxMode) error { + newSELinuxArgs, err := selinuxModeToArgsWithEnforcingArg(selinuxMode) + if err != nil { + return err + } + + err = b.UpdateKernelCommandLineArgs(defaultGrubFileVarNameCmdlineForSELinux, selinuxArgNames, newSELinuxArgs) + if err != nil { + return err + } + + return nil +} + func (b *BootCustomizer) UpdateKernelCommandLineArgs(defaultGrubFileVarName defaultGrubFileVarName, argsToRemove []string, newArgs []string, ) error { diff --git a/toolkit/tools/pkg/imagecustomizerlib/grubcfgutils.go b/toolkit/tools/pkg/imagecustomizerlib/grubcfgutils.go index d02b8ac6c4a..d7b2c316d8e 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/grubcfgutils.go +++ b/toolkit/tools/pkg/imagecustomizerlib/grubcfgutils.go @@ -591,6 +591,28 @@ func selinuxModeToArgs(selinuxMode imagecustomizerapi.SELinuxMode) ([]string, er return newSELinuxArgs, nil } +// Converts an SELinux mode into the list of required command-line args for that mode (with enforcing mode). +func selinuxModeToArgsWithEnforcingArg(selinuxMode imagecustomizerapi.SELinuxMode) ([]string, error) { + newSELinuxArgs := []string(nil) + switch selinuxMode { + case imagecustomizerapi.SELinuxModeDisabled: + newSELinuxArgs = []string{installutils.CmdlineSELinuxDisabledArg} + + case imagecustomizerapi.SELinuxModeForceEnforcing: + newSELinuxArgs = []string{installutils.CmdlineSELinuxSecurityArg, installutils.CmdlineSELinuxEnabledArg, + installutils.CmdlineSELinuxEnforcingArg} + + case imagecustomizerapi.SELinuxModePermissive, imagecustomizerapi.SELinuxModeEnforcing: + newSELinuxArgs = []string{installutils.CmdlineSELinuxSecurityArg, installutils.CmdlineSELinuxEnabledArg, + installutils.CmdlineSELinuxPermissiveArg} + + default: + return nil, fmt.Errorf("unknown SELinux mode (%s)", selinuxMode) + } + + return newSELinuxArgs, nil +} + // Update the SELinux kernel command-line args. func updateSELinuxCommandLineHelperAll(grub2Config string, selinuxMode imagecustomizerapi.SELinuxMode, allowMultiple bool, requireKernelOpts bool) (string, error) { newSELinuxArgs, err := selinuxModeToArgs(selinuxMode) diff --git a/toolkit/tools/pkg/osmodifierlib/modifierutils.go b/toolkit/tools/pkg/osmodifierlib/modifierutils.go index 0d787584e28..fe7f05ebfe1 100644 --- a/toolkit/tools/pkg/osmodifierlib/modifierutils.go +++ b/toolkit/tools/pkg/osmodifierlib/modifierutils.go @@ -170,7 +170,7 @@ func handleSELinux(selinuxMode imagecustomizerapi.SELinuxMode, bootCustomizer *i logger.Log.Infof("Configuring SELinux mode") - err = bootCustomizer.UpdateSELinuxCommandLine(selinuxMode) + err = bootCustomizer.UpdateSELinuxCommandLineWithEnforcingArg(selinuxMode) if err != nil { return err } From a074e697b10aba2a6c04e9f86781fcd4b6abd27e Mon Sep 17 00:00:00 2001 From: Elaine Zhao Date: Thu, 31 Oct 2024 18:24:26 +0000 Subject: [PATCH 08/10] add enforcing=0 for permissive mode --- toolkit/tools/pkg/imagecustomizerlib/grubcfgutils.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/toolkit/tools/pkg/imagecustomizerlib/grubcfgutils.go b/toolkit/tools/pkg/imagecustomizerlib/grubcfgutils.go index d7b2c316d8e..2c2cddc198a 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/grubcfgutils.go +++ b/toolkit/tools/pkg/imagecustomizerlib/grubcfgutils.go @@ -604,7 +604,7 @@ func selinuxModeToArgsWithEnforcingArg(selinuxMode imagecustomizerapi.SELinuxMod case imagecustomizerapi.SELinuxModePermissive, imagecustomizerapi.SELinuxModeEnforcing: newSELinuxArgs = []string{installutils.CmdlineSELinuxSecurityArg, installutils.CmdlineSELinuxEnabledArg, - installutils.CmdlineSELinuxPermissiveArg} + installutils.CmdlineSELinuxPermissiveArg} default: return nil, fmt.Errorf("unknown SELinux mode (%s)", selinuxMode) From 4be5716a9ab28e7e37823aaf7ca77aeb6e869ce8 Mon Sep 17 00:00:00 2001 From: Elaine Zhao Date: Wed, 13 Nov 2024 00:15:04 +0000 Subject: [PATCH 09/10] update --- toolkit/tools/imagegen/installutils/installutils.go | 2 +- toolkit/tools/internal/safechroot/chrootinterface.go | 1 - toolkit/tools/internal/safechroot/dummychroot.go | 4 ---- toolkit/tools/internal/safechroot/safechroot.go | 6 +++--- toolkit/tools/pkg/imagecustomizerlib/customizeos.go | 2 +- toolkit/tools/pkg/imagecustomizerlib/customizeselinux.go | 4 ++-- toolkit/tools/pkg/imagecustomizerlib/partitionutils.go | 2 +- toolkit/tools/pkg/osmodifierlib/modifierutils.go | 1 + 8 files changed, 9 insertions(+), 13 deletions(-) diff --git a/toolkit/tools/imagegen/installutils/installutils.go b/toolkit/tools/imagegen/installutils/installutils.go index 2151cf59fea..300411e1335 100644 --- a/toolkit/tools/imagegen/installutils/installutils.go +++ b/toolkit/tools/imagegen/installutils/installutils.go @@ -55,7 +55,7 @@ const ( // CmdlineSELinuxEnforcingArg is the arg required for forcing SELinux to be in enforcing mode. CmdlineSELinuxEnforcingArg = "enforcing=1" - // CmdlineSELinuxPermissiveArg is the arg required for SELinux to be in permissive mode. + // CmdlineSELinuxPermissiveArg is the arg for SELinux to be in force-permissive mode. CmdlineSELinuxPermissiveArg = "enforcing=0" // CmdlineSELinuxSettings is the kernel command-line args for enabling SELinux. diff --git a/toolkit/tools/internal/safechroot/chrootinterface.go b/toolkit/tools/internal/safechroot/chrootinterface.go index 046ed5b7f09..1cfe566b899 100644 --- a/toolkit/tools/internal/safechroot/chrootinterface.go +++ b/toolkit/tools/internal/safechroot/chrootinterface.go @@ -8,5 +8,4 @@ type ChrootInterface interface { Run(toRun func() error) error UnsafeRun(toRun func() error) error AddFiles(filesToCopy ...FileToCopy) error - GetMountPoints() []*MountPoint } diff --git a/toolkit/tools/internal/safechroot/dummychroot.go b/toolkit/tools/internal/safechroot/dummychroot.go index 52f984edb0f..f094472e1f5 100644 --- a/toolkit/tools/internal/safechroot/dummychroot.go +++ b/toolkit/tools/internal/safechroot/dummychroot.go @@ -23,7 +23,3 @@ func (d *DummyChroot) UnsafeRun(toRun func() error) (err error) { func (d *DummyChroot) AddFiles(filesToCopy ...FileToCopy) (err error) { return AddFilesToDestination(d.RootDir(), filesToCopy...) } - -func (d *DummyChroot) GetMountPoints() []*MountPoint { - return []*MountPoint{} -} diff --git a/toolkit/tools/internal/safechroot/safechroot.go b/toolkit/tools/internal/safechroot/safechroot.go index 72c409df33e..5d7e117586e 100644 --- a/toolkit/tools/internal/safechroot/safechroot.go +++ b/toolkit/tools/internal/safechroot/safechroot.go @@ -764,9 +764,9 @@ func extractWorkerTar(chroot string, workerTar string) (err error) { // GetMountPoints gets a copy of the list of mounts the Chroot was initialized with. func (c *Chroot) GetMountPoints() []*MountPoint { - // Create a copy of the list so that the caller can't mess with the list. - mountPoints := append([]*MountPoint(nil), c.mountPoints...) - return mountPoints + // Create a copy of the list so that the caller can't mess with the list. + mountPoints := append([]*MountPoint(nil), c.mountPoints...) + return mountPoints } // stopGPGComponents stops gpg-agent and keyboxd if they are running inside the chroot. diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizeos.go b/toolkit/tools/pkg/imagecustomizerlib/customizeos.go index 189a90fdf38..37ca4c745a9 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/customizeos.go +++ b/toolkit/tools/pkg/imagecustomizerlib/customizeos.go @@ -102,7 +102,7 @@ func doOsCustomizations(buildDir string, baseConfigPath string, config *imagecus return err } - err = SelinuxSetFiles(selinuxMode, imageChroot) + err = selinuxSetFiles(selinuxMode, imageChroot) if err != nil { return err } diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizeselinux.go b/toolkit/tools/pkg/imagecustomizerlib/customizeselinux.go index 7120d981066..5c0fa488707 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/customizeselinux.go +++ b/toolkit/tools/pkg/imagecustomizerlib/customizeselinux.go @@ -95,7 +95,7 @@ func UpdateSELinuxModeInConfigFile(selinuxMode imagecustomizerapi.SELinuxMode, i return nil } -func SelinuxSetFiles(selinuxMode imagecustomizerapi.SELinuxMode, imageChroot safechroot.ChrootInterface) error { +func selinuxSetFiles(selinuxMode imagecustomizerapi.SELinuxMode, imageChroot *safechroot.Chroot) error { if selinuxMode == imagecustomizerapi.SELinuxModeDisabled { // SELinux is disabled in the kernel command line. // So, no need to call setfiles. @@ -117,4 +117,4 @@ func SelinuxSetFiles(selinuxMode imagecustomizerapi.SELinuxMode, imageChroot saf } return nil -} +} \ No newline at end of file diff --git a/toolkit/tools/pkg/imagecustomizerlib/partitionutils.go b/toolkit/tools/pkg/imagecustomizerlib/partitionutils.go index 811f25e992d..a4a27886de3 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/partitionutils.go +++ b/toolkit/tools/pkg/imagecustomizerlib/partitionutils.go @@ -429,7 +429,7 @@ func getImageBootTypeHelper(diskPartitions []diskutils.PartitionInfo) (imagecust } } -func getNonSpecialChrootMountPoints(imageChroot safechroot.ChrootInterface) []*safechroot.MountPoint { +func getNonSpecialChrootMountPoints(imageChroot *safechroot.Chroot) []*safechroot.MountPoint { return sliceutils.FindMatches(imageChroot.GetMountPoints(), func(mountPoint *safechroot.MountPoint) bool { switch mountPoint.GetTarget() { diff --git a/toolkit/tools/pkg/osmodifierlib/modifierutils.go b/toolkit/tools/pkg/osmodifierlib/modifierutils.go index fe7f05ebfe1..7db837fa428 100644 --- a/toolkit/tools/pkg/osmodifierlib/modifierutils.go +++ b/toolkit/tools/pkg/osmodifierlib/modifierutils.go @@ -175,5 +175,6 @@ func handleSELinux(selinuxMode imagecustomizerapi.SELinuxMode, bootCustomizer *i return err } + // No need to set SELinux labels here as in trident there is reset labels at the end return nil } From b0208045c6c172fd4c0204d7aed028544fb18cb7 Mon Sep 17 00:00:00 2001 From: Elaine Zhao Date: Wed, 13 Nov 2024 21:50:28 +0000 Subject: [PATCH 10/10] fix --- toolkit/tools/internal/safechroot/safechroot.go | 6 +++--- toolkit/tools/osmodifierapi/os.go | 5 +++++ toolkit/tools/pkg/imagecustomizerlib/customizeselinux.go | 2 +- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/toolkit/tools/internal/safechroot/safechroot.go b/toolkit/tools/internal/safechroot/safechroot.go index 5d7e117586e..72c409df33e 100644 --- a/toolkit/tools/internal/safechroot/safechroot.go +++ b/toolkit/tools/internal/safechroot/safechroot.go @@ -764,9 +764,9 @@ func extractWorkerTar(chroot string, workerTar string) (err error) { // GetMountPoints gets a copy of the list of mounts the Chroot was initialized with. func (c *Chroot) GetMountPoints() []*MountPoint { - // Create a copy of the list so that the caller can't mess with the list. - mountPoints := append([]*MountPoint(nil), c.mountPoints...) - return mountPoints + // Create a copy of the list so that the caller can't mess with the list. + mountPoints := append([]*MountPoint(nil), c.mountPoints...) + return mountPoints } // stopGPGComponents stops gpg-agent and keyboxd if they are running inside the chroot. diff --git a/toolkit/tools/osmodifierapi/os.go b/toolkit/tools/osmodifierapi/os.go index d164d140d76..9e19b5c1967 100644 --- a/toolkit/tools/osmodifierapi/os.go +++ b/toolkit/tools/osmodifierapi/os.go @@ -67,5 +67,10 @@ func (s *OS) IsValid() error { } } + err = s.Verity.IsValid() + if err != nil { + return fmt.Errorf("invalid verity:\n%w", err) + } + return nil } diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizeselinux.go b/toolkit/tools/pkg/imagecustomizerlib/customizeselinux.go index 5c0fa488707..69a175cec94 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/customizeselinux.go +++ b/toolkit/tools/pkg/imagecustomizerlib/customizeselinux.go @@ -117,4 +117,4 @@ func selinuxSetFiles(selinuxMode imagecustomizerapi.SELinuxMode, imageChroot *sa } return nil -} \ No newline at end of file +}