image: add new ContainerBuildable flag to OSTreeDiskImage

One objective for bifrost images is that it should be possible to run osbuild inside a container. This can interfere with the selinux policies of the buildroot. Inside the container everything is labeled `system_u:object_r:container_files_t`. Labeling /usr/bin/osbuild as `osbuild_exec_t` is not possible in the general case because the host may not have `osbuild-selinux` installed that contains this type. The workaround is that the container labels osbuild itself as `install_exec_t`. This works fine however there is a selinux denial warning when the `{,u}mount` binary is called because the transition from `install_t`->`mount_t` is not allowed. The warning is "harmless" because `install_t` has enough privs to allow the `{,u}mount` binaries to work. To silence this warning we can label `{,u}mount` in the buildroot as `install_exec_t` directly. This commit allows to control this now via the `ContainerBuildable` flag that can be set on `manifest.Build` to enable this behavior.
osbuild · Dec 7, 2023 · dea1af4 · dea1af4
1 parent 4362ad0
commit dea1af4
Show file tree

Hide file tree

Showing 5 changed files with 176 additions and 1 deletion.
diff --git a/pkg/image/export_test.go b/pkg/image/export_test.go
@@ -0,0 +1,15 @@
+package image
+
+import (
+	"github.com/osbuild/images/pkg/manifest"
+	"github.com/osbuild/images/pkg/rpmmd"
+	"github.com/osbuild/images/pkg/runner"
+)
+
+func MockManifestNewBuild(new func(m *manifest.Manifest, runner runner.Runner, repos []rpmmd.RepoConfig) *manifest.Build) (restore func()) {
+	saved := manifestNewBuild
+	manifestNewBuild = new
+	return func() {
+		manifestNewBuild = saved
+	}
+}
diff --git a/pkg/image/ostree_disk.go b/pkg/image/ostree_disk.go
@@ -53,6 +53,10 @@ type OSTreeDiskImage struct {
 	// Lock the root account in the deployment unless the user defined root
 	// user options in the build configuration.
 	LockRoot bool
+
+	// Container buildable tweaks the buildroot to be container friendly,
+	// i.e. to not rely on an installed osbuild-selinux
+	ContainerBuildable bool
 }
 
 func NewOSTreeDiskImageFromCommit(commit ostree.SourceSpec) *OSTreeDiskImage {
@@ -102,11 +106,15 @@ func baseRawOstreeImage(img *OSTreeDiskImage, m *manifest.Manifest, buildPipelin
 	return manifest.NewRawOStreeImage(buildPipeline, osPipeline, img.Platform)
 }
 
+// replaced in testing
+var manifestNewBuild = manifest.NewBuild
+
 func (img *OSTreeDiskImage) InstantiateManifest(m *manifest.Manifest,
 	repos []rpmmd.RepoConfig,
 	runner runner.Runner,
 	rng *rand.Rand) (*artifact.Artifact, error) {
-	buildPipeline := manifest.NewBuild(m, runner, repos)
+	buildPipeline := manifestNewBuild(m, runner, repos)
+	buildPipeline.ContainerBuildable = img.ContainerBuildable
 	buildPipeline.Checkpoint()
 
 	// don't support compressing non-raw images

diff --git a/pkg/image/ostree_disk_test.go b/pkg/image/ostree_disk_test.go
@@ -0,0 +1,59 @@
+package image_test
+
+import (
+	"math/rand"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/osbuild/images/internal/workload"
+	"github.com/osbuild/images/pkg/container"
+	"github.com/osbuild/images/pkg/image"
+	"github.com/osbuild/images/pkg/manifest"
+	"github.com/osbuild/images/pkg/platform"
+	"github.com/osbuild/images/pkg/rpmmd"
+	"github.com/osbuild/images/pkg/runner"
+)
+
+func TestOSTreeDiskImageManifestSetsContainerBuildable(t *testing.T) {
+	rng := rand.New(rand.NewSource(0)) // nolint:gosec
+
+	repos := []rpmmd.RepoConfig{}
+	r := &runner.Fedora{Version: 39}
+
+	ref := "ostree/1/1/0"
+	containerSource := container.SourceSpec{
+		Source: "source-spec",
+		Name:   "name",
+	}
+
+	var buildPipeline *manifest.Build
+	restore := image.MockManifestNewBuild(func(m *manifest.Manifest, r runner.Runner, repos []rpmmd.RepoConfig) *manifest.Build {
+		buildPipeline = manifest.NewBuild(m, r, repos)
+		return buildPipeline
+	})
+	defer restore()
+
+	for _, containerBuildable := range []bool{true, false} {
+		mf := manifest.New()
+		img := image.NewOSTreeDiskImageFromContainer(containerSource, ref)
+		require.NotNil(t, img)
+		img.Platform = &platform.X86{
+			BasePlatform: platform.BasePlatform{
+				ImageFormat: platform.FORMAT_QCOW2,
+			},
+			BIOS:       true,
+			UEFIVendor: "fedora",
+		}
+		img.Workload = &workload.BaseWorkload{}
+		img.OSName = "osname"
+		img.ContainerBuildable = containerBuildable
+
+		_, err := img.InstantiateManifest(&mf, repos, r, rng)
+		require.Nil(t, err)
+		require.NotNil(t, img)
+		require.NotNil(t, buildPipeline)
+
+		require.Equal(t, buildPipeline.ContainerBuildable, containerBuildable)
+	}
+}
diff --git a/pkg/manifest/build.go b/pkg/manifest/build.go
@@ -22,6 +22,11 @@ type Build struct {
 	dependents   []Pipeline
 	repos        []rpmmd.RepoConfig
 	packageSpecs []rpmmd.PackageSpec
+
+	// TODO: make private?
+	// Container buildable tweaks the buildroot to be container friendly,
+	// i.e. to not rely on an installed osbuild-selinux
+	ContainerBuildable bool
 }
 
 // NewBuild creates a new build pipeline from the repositories in repos
@@ -109,6 +114,10 @@ func (p *Build) getSELinuxLabels() map[string]string {
 		switch pkg.Name {
 		case "coreutils":
 			labels["/usr/bin/cp"] = "system_u:object_r:install_exec_t:s0"
+			if p.ContainerBuildable {
+				labels["/usr/bin/mount"] = "system_u:object_r:install_exec_t:s0"
+				labels["/usr/bin/umount"] = "system_u:object_r:install_exec_t:s0"
+			}
 		case "tar":
 			labels["/usr/bin/tar"] = "system_u:object_r:install_exec_t:s0"
 		}

diff --git a/pkg/manifest/build_test.go b/pkg/manifest/build_test.go
@@ -0,0 +1,84 @@
+package manifest
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/osbuild/images/pkg/rpmmd"
+	"github.com/osbuild/images/pkg/runner"
+)
+
+func TestBuildContainerBuildableNo(t *testing.T) {
+	repos := []rpmmd.RepoConfig{}
+	mf := New()
+	runner := &runner.Fedora{Version: 39}
+
+	build := NewBuild(&mf, runner, repos)
+	require.NotNil(t, build)
+
+	for _, tc := range []struct {
+		packageSpec           []rpmmd.PackageSpec
+		containerBuildable    bool
+		expectedSELinuxLabels map[string]string
+	}{
+		// no pkgs means no selinux labels (container build or not)
+		{
+			[]rpmmd.PackageSpec{},
+			false,
+			map[string]string{},
+		},
+		{
+			[]rpmmd.PackageSpec{},
+			true,
+			map[string]string{},
+		},
+		{
+			[]rpmmd.PackageSpec{{Name: "coreutils"}},
+			false,
+			map[string]string{
+				"/usr/bin/cp": "system_u:object_r:install_exec_t:s0",
+			},
+		},
+		{
+			[]rpmmd.PackageSpec{{Name: "tar"}},
+			false,
+			map[string]string{
+				"/usr/bin/tar": "system_u:object_r:install_exec_t:s0",
+			},
+		},
+		{
+			[]rpmmd.PackageSpec{{Name: "coreutils"}, {Name: "tar"}},
+			false,
+			map[string]string{
+				"/usr/bin/cp":  "system_u:object_r:install_exec_t:s0",
+				"/usr/bin/tar": "system_u:object_r:install_exec_t:s0",
+			},
+		},
+		{
+			[]rpmmd.PackageSpec{{Name: "coreutils"}},
+			true,
+			map[string]string{
+				"/usr/bin/cp":     "system_u:object_r:install_exec_t:s0",
+				"/usr/bin/mount":  "system_u:object_r:install_exec_t:s0",
+				"/usr/bin/umount": "system_u:object_r:install_exec_t:s0",
+			},
+		},
+		{
+			[]rpmmd.PackageSpec{{Name: "coreutils"}, {Name: "tar"}},
+			true,
+			map[string]string{
+				"/usr/bin/cp":     "system_u:object_r:install_exec_t:s0",
+				"/usr/bin/mount":  "system_u:object_r:install_exec_t:s0",
+				"/usr/bin/umount": "system_u:object_r:install_exec_t:s0",
+				"/usr/bin/tar":    "system_u:object_r:install_exec_t:s0",
+			},
+		},
+	} {
+		build.packageSpecs = tc.packageSpec
+		build.ContainerBuildable = tc.containerBuildable
+
+		labels := build.getSELinuxLabels()
+		require.Equal(t, labels, tc.expectedSELinuxLabels)
+	}
+}