From 39e1399d4decd855278022b80f1956d9b4c7175b Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Fri, 5 Sep 2025 10:21:48 -0400
Subject: [PATCH 1/3] tree-wide: Set argv0 = bootc when doing a re-exec

We have multiple places which are re-executing the current binary; one of those writes a temp file. Ensure that `argv0` in the new binary is `bootc` which means it should be used as e.g. a syslog identifier.

Signed-off-by: Colin Walters
---
 crates/lib/src/cli.rs | 5 ++---
 crates/lib/src/install.rs | 2 +-
 crates/lib/src/lsm.rs | 1 +
 crates/utils/src/lib.rs | 3 +++
 crates/utils/src/reexec.rs | 1 +
 5 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/crates/lib/src/cli.rs b/crates/lib/src/cli.rs
index 6d4ab88a5..fade8d5a4 100644
--- a/crates/lib/src/cli.rs
+++ b/crates/lib/src/cli.rs
@@ -1215,9 +1215,8 @@ async fn usroverlay() -> Result<()> {
 pub fn global_init() -> Result<()> {
 // In some cases we re-exec with a temporary binary,
 // so ensure that the syslog identifier is set.
- let name = "bootc";
- ostree::glib::set_prgname(name.into());
- if let Err(e) = rustix::thread::set_name(&CString::new(name).unwrap()) {
+ ostree::glib::set_prgname(bootc_utils::NAME.into());
+ if let Err(e) = rustix::thread::set_name(&CString::new(bootc_utils::NAME).unwrap()) {
 // This shouldn't ever happen
 eprintln!("failed to set name: {e}");
 }
diff --git a/crates/lib/src/install.rs b/crates/lib/src/install.rs
index 156270dd2..cdb682ff8 100644
--- a/crates/lib/src/install.rs
+++ b/crates/lib/src/install.rs
@@ -918,7 +918,7 @@ pub(crate) fn exec_in_host_mountns(args: &[std::ffi::OsString]) -> Result<()> {
 tracing::debug!("Using supermin workaround");
 rustix::process::chroot("/root").context("chroot")?;
 }
- Err(Command::new(cmd).args(args).exec()).context("exec")?
+ Err(Command::new(cmd).args(args).arg0(bootc_utils::NAME).exec()).context("exec")?
 }

 pub(crate) struct RootSetup {
diff --git a/crates/lib/src/lsm.rs b/crates/lib/src/lsm.rs
index fd5e222f1..817857ad4 100644
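Review bot: In `exec_in_host_mountns` the added `.arg0(bootc_utils::NAME)` is applied to whatever `cmd` is, and `cmd` is bound outside this hunk. If it can ever name a program other than the bootc binary, that program starts with argv[0] set to `bootc`, which mislabels it in process listings and in any log or audit record keyed on argv[0], and can change behaviour for multi-call binaries that dispatch on argv[0]. I would either drop the override at this call site or apply it only when the target is known to be bootc, and if that invariant does hold, state it next to the call: `// cmd is always our own binary here, so forcing argv0 = NAME is safe`. The lsm.rs and reexec.rs call sites appear to re-run the current executable, so the same concern does not apply there.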
--- a/crates/lib/src/lsm.rs
+++ b/crates/lib/src/lsm.rs
@@ -110,6 +110,7 @@ pub(crate) fn selinux_ensure_install() -> Result {
 cmd.env(guardenv, tmpf);
 cmd.env(bootc_utils::reexec::ORIG, srcpath);
 cmd.args(std::env::args_os().skip(1));
+ cmd.arg0(bootc_utils::NAME);
 cmd.log_debug();
 Err(anyhow::Error::msg(cmd.exec()).context("execve"))
 }
diff --git a/crates/utils/src/lib.rs b/crates/utils/src/lib.rs
index b6d3adb1a..bd9948daa 100644
--- a/crates/utils/src/lib.rs
+++ b/crates/utils/src/lib.rs
@@ -17,6 +17,9 @@ pub mod reexec;
 mod result_ext;
 pub use result_ext::*;

+/// The name of our binary
+pub const NAME: &str = "bootc";
+
 /// Intended for use in `main`, calls an inner function and
 /// handles errors by printing them.
 pub fn run_main(f: F)
diff --git a/crates/utils/src/reexec.rs b/crates/utils/src/reexec.rs
index 033d6caf0..7dd6e5941 100644
--- a/crates/utils/src/reexec.rs
+++ b/crates/utils/src/reexec.rs
@@ -36,6 +36,7 @@ pub fn reexec_with_guardenv(k: &str, prefix_args: &[&str]) -> Result<()> {
 };
 cmd.env(k, "1");
 cmd.args(std::env::args_os().skip(1));
+ cmd.arg0(crate::NAME);
 tracing::debug!("Re-executing current process for {k}");
 Err(cmd.exec().into())
 }

From bbc4be3b737593bbf6a627cf229dd66ae959c3a0 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Fri, 5 Sep 2025 10:56:27 -0400
Subject: [PATCH 2/3] cli: Downgrade install_t warning

This is expected the *first* time.

Signed-off-by: Colin Walters
---
 crates/lib/src/cli.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crates/lib/src/cli.rs b/crates/lib/src/cli.rs
index fade8d5a4..12b576f05 100644
--- a/crates/lib/src/cli.rs
+++ b/crates/lib/src/cli.rs
@@ -910,7 +910,7 @@ fn prepare_for_write() -> Result<()> {
 crate::cli::require_root(false)?;
 ensure_self_unshared_mount_namespace()?;
 if crate::lsm::selinux_enabled()? && !crate::lsm::selinux_ensure_install()? {
- tracing::warn!("Do not have install_t capabilities");
+ tracing::debug!("Do not have install_t capabilities");
 }
 ENTERED.store(true, Ordering::SeqCst);
 Ok(())

From 8768d70d37eed8901aa2db346fbd586e06618784 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Fri, 5 Sep 2025 10:21:01 -0400
Subject: [PATCH 3/3] tracing: Log to journal if root

The intention was to always log to the systemd journal, even if we're spawned directly on the CLI outside of a unit.

Signed-off-by: Colin Walters
---
 crates/utils/src/tracing_util.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crates/utils/src/tracing_util.rs b/crates/utils/src/tracing_util.rs
index 38fd561ad..0f9f4ed94 100644
--- a/crates/utils/src/tracing_util.rs
+++ b/crates/utils/src/tracing_util.rs
@@ -4,9 +4,9 @@ use tracing_subscriber::prelude::*;

 /// Initialize tracing with the default configuration.
 pub fn initialize_tracing() {
- // Always try to use journald subscriber if we're running under systemd
+ // Always try to use journald subscriber if we're running as root;
 // This ensures key messages (info, warn, error) go to the journal
- let journald_layer = if let Ok(()) = std::env::var("JOURNAL_STREAM").map(|_| ()) {
+ let journald_layer = if rustix::process::getuid().is_root() {
 tracing_journald::layer()
 .ok()
 .map(|layer| layer.with_filter(tracing_subscriber::filter::LevelFilter::INFO))
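Review bot: In `prepare_for_write` the demotion to `tracing::debug!` applies to every call, not only to the first pass that the commit message describes as expected. If `selinux_ensure_install()` can also return false after the re-exec, the process carries on without install_t and nothing at the default level records it; the journald layer in tracing_util.rs is filtered at INFO, so the message would not reach the journal either. Consider keeping `warn` for the post-re-exec case, or at minimum document the expectation above the call: `// false is expected before the SELinux re-exec has happened`. The function's signature is only in the hunk header and its closing brace is outside the hunk.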
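Review bot: In `initialize_tracing` the new `rustix::process::getuid().is_root()` test replaces the `JOURNAL_STREAM` check rather than extending it, so a non-root invocation started under systemd no longer gets the journald layer. If that loss is not intended, keep both conditions: `let journald_layer = if rustix::process::getuid().is_root() || std::env::var_os("JOURNAL_STREAM").is_some() {`. Note also that uid 0 inside a container or user namespace takes this branch; the existing `.ok()` on `tracing_journald::layer()` appears to cover an unreachable journal socket, and the comment should say so, e.g. `// layer() fails when no journal socket is reachable; we then log to the other layers only`. The `if` expression continues past the end of the hunk.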