From 3fbf7844d5707bde48df663a8c21ef2b498f5a5d Mon Sep 17 00:00:00 2001 From: HuijingHei Date: Fri, 27 Oct 2023 10:12:57 +0800 Subject: [PATCH] sysusers: add a treefile option in rpm-ostree to turn off `nss-altfiles` support and the `passwd / group` files migration to `/usr/lib` --- docs/treefile.md | 5 +++++ rpmostree-cxxrs.cxx | 10 ++++++++++ rpmostree-cxxrs.h | 1 + rust/src/lib.rs | 1 + rust/src/treefile.rs | 7 +++++++ src/libpriv/rpmostree-postprocess.cxx | 19 ++++++++++++------- 6 files changed, 36 insertions(+), 7 deletions(-) diff --git a/docs/treefile.md b/docs/treefile.md index 8a8979410b..719cdc268c 100644 --- a/docs/treefile.md +++ b/docs/treefile.md @@ -36,6 +36,11 @@ It supports the following parameters: * `selinux`: boolean, optional: Defaults to `true`. If `false`, then no SELinux labeling will be performed on the server side. + * `sysusers`: boolean, optional: Defaults to `false`. + Enable generation of systemd `sysusers.d` entries. + If `true`, this turns off `altfiles` and disable the `passwd` / `group` + files migration to `/usr/lib`. + * `ima`: boolean, optional: Defaults to `false`. Propagate any IMA signatures in input RPMs into the final OSTree commit. diff --git a/rpmostree-cxxrs.cxx b/rpmostree-cxxrs.cxx index 4dd46f6923..1e4bb1baa1 100644 --- a/rpmostree-cxxrs.cxx +++ b/rpmostree-cxxrs.cxx @@ -1749,6 +1749,7 @@ struct Treefile final : public ::rust::Opaque bool get_recommends () const noexcept; bool get_selinux () const noexcept; ::std::uint32_t get_selinux_label_version () const noexcept; + bool get_sysusers () const noexcept; ::rust::String get_gpg_key () const noexcept; ::rust::String get_automatic_version_suffix () const noexcept; bool get_container () const noexcept; 
@@ -2592,6 +2593,9 @@ extern "C" ::std::uint32_t rpmostreecxx$cxxbridge1$Treefile$get_selinux_label_version ( ::rpmostreecxx::Treefile const &self) noexcept; + bool + rpmostreecxx$cxxbridge1$Treefile$get_sysusers (::rpmostreecxx::Treefile const &self) noexcept; + void rpmostreecxx$cxxbridge1$Treefile$get_gpg_key (::rpmostreecxx::Treefile const &self, ::rust::String *return$) noexcept; @@ -5143,6 +5147,12 @@ Treefile::get_selinux_label_version () const noexcept return rpmostreecxx$cxxbridge1$Treefile$get_selinux_label_version (*this); } +bool +Treefile::get_sysusers () const noexcept +{ + return rpmostreecxx$cxxbridge1$Treefile$get_sysusers (*this); +} + ::rust::String Treefile::get_gpg_key () const noexcept { diff --git a/rpmostree-cxxrs.h b/rpmostree-cxxrs.h index ce564475a4..ab3af95e94 100644 --- a/rpmostree-cxxrs.h +++ b/rpmostree-cxxrs.h @@ -1531,6 +1531,7 @@ struct Treefile final : public ::rust::Opaque bool get_recommends () const noexcept; bool get_selinux () const noexcept; ::std::uint32_t get_selinux_label_version () const noexcept; + bool get_sysusers () const noexcept; ::rust::String get_gpg_key () const noexcept; ::rust::String get_automatic_version_suffix () const noexcept; bool get_container () const noexcept; diff --git a/rust/src/lib.rs b/rust/src/lib.rs index b18cd89122..55b552e110 100644 --- a/rust/src/lib.rs +++ b/rust/src/lib.rs @@ -608,6 +608,7 @@ pub mod ffi { fn get_recommends(&self) -> bool; fn get_selinux(&self) -> bool; fn get_selinux_label_version(&self) -> u32; + fn get_sysusers(&self) -> bool; fn get_gpg_key(&self) -> String; fn get_automatic_version_suffix(&self) -> String; fn get_container(&self) -> bool; diff --git a/rust/src/treefile.rs b/rust/src/treefile.rs index 7528b9b0d3..9113acce5b 100644 --- a/rust/src/treefile.rs +++ b/rust/src/treefile.rs @@ -417,6 +417,7 @@ fn treefile_merge(dest: &mut TreeComposeConfig, src: &mut TreeComposeConfig) { rojig, selinux, selinux_label_version, + sysusers, ima, gpg_key, include, 
@@ -1337,6 +1338,10 @@ impl Treefile {
 self.parsed.base.selinux_label_version.unwrap_or_default()
 }
+ pub(crate) fn get_sysusers(&self) -> bool {
+ self.parsed.base.sysusers.unwrap_or(false)
+ }
+
 pub(crate) fn get_gpg_key(&self) -> String {
 self.parsed.base.gpg_key.clone().unwrap_or_default()
 }
@@ -2484,6 +2489,8 @@ pub(crate) struct BaseComposeConfigFields {
 #[serde(skip_serializing_if = "Option::is_none")]
 pub(crate) selinux_label_version: Option,
 #[serde(skip_serializing_if = "Option::is_none")]
+ pub(crate) sysusers: Option,
+ #[serde(skip_serializing_if = "Option::is_none")]
 pub(crate) ima: Option,
 #[serde(skip_serializing_if = "Option::is_none")]
 pub(crate) gpg_key: Option,
diff --git a/src/libpriv/rpmostree-postprocess.cxx b/src/libpriv/rpmostree-postprocess.cxx
index 0b0b33d4ce..383921772c 100644
--- a/src/libpriv/rpmostree-postprocess.cxx
+++ b/src/libpriv/rpmostree-postprocess.cxx
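Review bot: `get_sysusers` spells its default as `unwrap_or(false)` while the neighbouring getters in this hunk (`get_selinux_label_version`, `get_gpg_key`) use `unwrap_or_default()`; since `bool::default()` is `false`, `self.parsed.base.sysusers.unwrap_or_default()` keeps the impl block consistent. Behaviour is identical either way, so this is a style point only; the `impl Treefile` block itself starts and ends outside this hunk.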
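Review bot: The new `sysusers` field in `BaseComposeConfigFields` has no doc comment, and its name implies sysusers.d generation while the only effect visible anywhere in this patch is skipping the passwd/group migration and the nss-altfiles setup in postprocess. A `///` comment describing what the flag actually does today, e.g. `/// When true, leave passwd/group in /usr/etc and skip the nss-altfiles migration; accounts are expected to come from sysusers.d fragments.`, would keep the treefile schema honest until generation exists. The struct definition continues outside this hunk.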
@@ -406,16 +406,21 @@ postprocess_final (int rootfs_dfd, rpmostreecxx::Treefile &treefile, gboolean un
 auto container = treefile.get_container ();
- g_print ("Migrating /usr/etc/passwd to /usr/lib/\n");
- ROSCXX_TRY (migrate_passwd_except_root (rootfs_dfd), error);
+ bool sysusers = treefile.get_sysusers ();
- rust::Vec preserve_groups_set = treefile.get_etc_group_members ();
+ if (!sysusers)
+ {
+ g_print ("Migrating /usr/etc/passwd to /usr/lib/\n");
+ ROSCXX_TRY (migrate_passwd_except_root (rootfs_dfd), error);
+
+ rust::Vec preserve_groups_set = treefile.get_etc_group_members ();
- g_print ("Migrating /usr/etc/group to /usr/lib/\n");
- ROSCXX_TRY (migrate_group_except_root (rootfs_dfd, preserve_groups_set), error);
+ g_print ("Migrating /usr/etc/group to /usr/lib/\n");
+ ROSCXX_TRY (migrate_group_except_root (rootfs_dfd, preserve_groups_set), error);
- /* NSS configuration to look at the new files */
- ROSCXX_TRY (composepost_nsswitch_altfiles (rootfs_dfd), error);
+ /* NSS configuration to look at the new files */
+ ROSCXX_TRY (composepost_nsswitch_altfiles (rootfs_dfd), error);
+ }
 if (selinux)
 {
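Review bot: An `etc-group-members` list in the treefile is silently ignored whenever `sysusers` is true, because the new `if (!sysusers)` branch is now the only place `treefile.get_etc_group_members ()` is consulted; that combination should be rejected where the treefile is validated, or at minimum reported here rather than dropped. The skipped calls are also what move package-created accounts out of the deployment's `/usr/etc` (hence, presumably, out of the client's writable `/etc`) and point NSS at them via `composepost_nsswitch_altfiles`, and nothing in this patch's six files generates the sysusers.d fragments that would recreate those accounts on upgraded hosts, so the dependency deserves a comment on the `if (!sysusers)` line, e.g. `/* sysusers mode: passwd/group stay in /usr/etc; packages must ship sysusers.d fragments */`. Adding `else g_print ("Skipping passwd/group migration and nss-altfiles setup (sysusers enabled)\n");` would keep compose logs explicit about which mode ran. postprocess_final begins and ends outside this hunk.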