Merge pull request #38 from cgwalters/install-fixes

Install fixes

Author: cgwalters

lib/src/cli.rs

@@ -113,18 +113,21 @@ pub(crate) enum Opt {
 pub(crate) async fn ensure_self_unshared_mount_namespace() -> Result<()> {
     let uid = cap_std_ext::rustix::process::getuid();
     if !uid.is_root() {
+        tracing::debug!("Not root, assuming no need to unshare");
         return Ok(());
     }
     let recurse_env = "_ostree_unshared";
     let ns_pid1 = std::fs::read_link("/proc/1/ns/mnt").context("Reading /proc/1/ns/mnt")?;
     let ns_self = std::fs::read_link("/proc/self/ns/mnt").context("Reading /proc/self/ns/mnt")?;
     // If we already appear to be in a mount namespace, or we're already pid1, we're done
     if ns_pid1 != ns_self {
+        tracing::debug!("Already in a mount namespace");
         return Ok(());
     }
     if std::env::var_os(recurse_env).is_some() {
         let am_pid1 = cap_std_ext::rustix::process::getpid().is_init();
         if am_pid1 {
+            tracing::debug!("We are pid 1");
             return Ok(());
         } else {
             anyhow::bail!("Failed to unshare mount namespace");

lib/src/install.rs

@@ -642,10 +642,12 @@ pub(crate) async fn install(opts: InstallOpts) -> Result<()> {
 
     // Let's ensure we have a tmpfs on /tmp, because we need that to write the SELinux label
     // (it won't work on the default overlayfs)
-    Task::new("Creating tmpfs on /tmp", "mount")
-        .quiet()
-        .args(["-t", "tmpfs", "tmpfs", "/tmp"])
-        .run()?;
+    if nix::sys::statfs::statfs("/tmp")?.filesystem_type() != nix::sys::statfs::TMPFS_MAGIC {
+        Task::new("Creating tmpfs on /tmp", "mount")
+            .quiet()
+            .args(["-t", "tmpfs", "tmpfs", "/tmp"])
+            .run()?;
+    }
 
     // Now, deal with SELinux state.
     let srcdata = gather_source_data()?;
@@ -655,6 +657,13 @@ pub(crate) async fn install(opts: InstallOpts) -> Result<()> {
         let host_selinux = crate::lsm::selinux_enabled()?;
         tracing::debug!("Target has SELinux, host={host_selinux}");
         if host_selinux {
+            // /sys/fs/selinuxfs is not normally mounted, so we do that now.
+            // Because SELinux enablement status is cached process-wide and was very likely
+            // already queried by something else (e.g. glib's constructor), we would also need
+            // to re-exec.  But, selinux_ensure_install does that unconditionally right now too,
+            // so let's just fall through to that.
+            crate::lsm::container_setup_selinux()?;
+            // This will re-execute the current process (once).
             crate::lsm::selinux_ensure_install()?;
         } else if opts.disable_selinux {
             override_disable_selinux = true;
@@ -668,13 +677,6 @@ pub(crate) async fn install(opts: InstallOpts) -> Result<()> {
         tracing::debug!("Target does not enable SELinux");
     }
 
-    // Because SELinux enablement status is cached process-wide and was very likely
-    // already queried by something else (e.g. glib's constructor), we need to mount
-    // selinuxfs now if needed, then re-exec *again*.
-    if srcdata.selinux && !override_disable_selinux {
-        crate::lsm::container_setup_selinux()?;
-    }
-
     // Create our global (read-only) state which gets wrapped in an Arc
     // so we can pass it to worker threads too. Right now this just
     // combines our command line options along with some bind mounts from the host.

lib/src/lsm.rs

@@ -29,6 +29,8 @@ pub(crate) fn selinux_ensure_install() -> Result<()> {
         if p.exists() {
             tracing::debug!("Removing temporary file");
             std::fs::remove_file(p).context("Removing {p:?}")?;
+        } else {
+            tracing::debug!("Assuming we now have a privileged (e.g. install_t) label");
         }
         return Ok(());
     }
@@ -50,6 +52,7 @@ pub(crate) fn selinux_ensure_install() -> Result<()> {
     let mut cmd = Command::new(&tmpf);
     cmd.env(guardenv, tmpf);
     cmd.args(std::env::args_os().skip(1));
+    tracing::debug!("Re-executing");
     Err(anyhow::Error::msg(cmd.exec()).context("execve"))
 }
 
@@ -60,14 +63,14 @@ pub(crate) fn container_setup_selinux() -> Result<()> {
     let path = Utf8Path::new(SELINUXFS);
     if !path.join("enforce").exists() {
         if !path.exists() {
+            tracing::debug!("Creating {path}");
             std::fs::create_dir(path)?;
         }
         Task::new("Mounting selinuxfs", "mount")
             .args(["selinuxfs", "-t", "selinuxfs", path.as_str()])
             .run()?;
     }
-
-    selinux_ensure_install()
+    Ok(())
 }
 
 fn selinux_label_for_path(target: &str) -> Result<String> {

lib/src/reexec.rs

@@ -8,6 +8,7 @@ use fn_error_context::context;
 #[context("Reexec self")]
 pub(crate) fn reexec_with_guardenv(k: &str, prefix_args: &[&str]) -> Result<()> {
     if std::env::var_os(k).is_some() {
+        tracing::trace!("Skipping re-exec due to env var {k}");
         return Ok(());
     }
     let self_exe = std::fs::read_link("/proc/self/exe")?;
@@ -22,5 +23,6 @@ pub(crate) fn reexec_with_guardenv(k: &str, prefix_args: &[&str]) -> Result<()>
     };
     cmd.env(k, "1");
     cmd.args(std::env::args_os().skip(1));
+    tracing::debug!("Re-executing current process for {k}");
     Err(cmd.exec().into())
 }