install: Only switch to loopback after re-exec

I noticed we were leaking a loopback device, and the reason is
because the "re-exec self for selinux" dance.

We should really try to move that re-exec way earlier because
it's a big hazard for stuff like this right now.

This is a simple fix though that just moves the switch to
allocating the loopback device until after we've done the install
prep (including that re-exec).

Signed-off-by: Colin Walters <[email protected]>

Author: cgwalters

lib/src/install.rs

@@ -1088,27 +1088,35 @@ pub(crate) async fn install_to_disk(opts: InstallToDiskOpts) -> Result<()> {
         .device
         .metadata()
         .with_context(|| format!("Querying {}", &block_opts.device))?;
-    let mut loopback = None;
     if opts.via_loopback {
         if !target_blockdev_meta.file_type().is_file() {
             anyhow::bail!(
                 "Not a regular file (to be used via loopback): {}",
                 block_opts.device
             );
         }
-        let loopback_dev = crate::blockdev::LoopbackDevice::new(block_opts.device.as_std_path())?;
-        block_opts.device = loopback_dev.path().into();
-        loopback = Some(loopback_dev);
     } else if !target_blockdev_meta.file_type().is_block_device() {
         anyhow::bail!("Not a block device: {}", block_opts.device);
     }
     let state = prepare_install(opts.config_opts, opts.source_opts, opts.target_opts).await?;
 
     // This is all blocking stuff
-    let mut rootfs = {
+    let (mut rootfs, loopback) = {
+        let loopback_dev = if opts.via_loopback {
+            let loopback_dev =
+                crate::blockdev::LoopbackDevice::new(block_opts.device.as_std_path())?;
+            block_opts.device = loopback_dev.path().into();
+            Some(loopback_dev)
+        } else {
+            None
+        };
+
         let state = state.clone();
-        tokio::task::spawn_blocking(move || baseline::install_create_rootfs(&state, block_opts))
-            .await??
+        let rootfs = tokio::task::spawn_blocking(move || {
+            baseline::install_create_rootfs(&state, block_opts)
+        })
+        .await??;
+        (rootfs, loopback_dev)
     };
 
     install_to_filesystem_impl(&state, &mut rootfs).await?;