From 18c0709e557f0936b9e9a8fa9af3d6524f95aed7 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Apr 27 2021 18:51:48 +0000
Subject: Backport patch for https://pagure.io/fedora-infrastructure/issue/9909
---
diff --git a/0001-bwrap-Fix-selftest-to-be-truly-immutable.patch b/0001-bwrap-Fix-selftest-to-be-truly-immutable.patch
new file mode 100644
index 0000000..c342b1c
--- /dev/null
+++ b/0001-bwrap-Fix-selftest-to-be-truly-immutable.patch
@@ -0,0 +1,39 @@
+From 8758b0faa27420e915e7e9ba815258207e02a82a Mon Sep 17 00:00:00 2001
+From: Colin Walters
+Date: Tue, 20 Apr 2021 08:09:57 -0400
+Subject: [PATCH] bwrap: Fix selftest to be truly immutable
+
+We should never have any effect on the host system, so let's
+use the more direct APIs which allow us to use the immutable
+flag, don't mount `/var` etc.
+
+Crucially this also avoids us running through the tempetc
+guard which would try to rename `usr/etc` which can trigger
+on an ostree based host.
+
+Closes: https://github.com/coreos/rpm-ostree/issues/2771
+---
+ rust/src/bwrap.rs | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/rust/src/bwrap.rs b/rust/src/bwrap.rs
+index 939f0525..282b4f1b 100644
+--- a/rust/src/bwrap.rs
++++ b/rust/src/bwrap.rs
+@@ -475,7 +475,11 @@ pub(crate) fn bubblewrap_run_sync(
+ /// Validate that bubblewrap works at all. This will flush out any incorrect
+ /// setups such being inside an outer container that disallows `CLONE_NEWUSER` etc.
+ pub(crate) fn bubblewrap_selftest() -> CxxResult<()> {
+- let fd = openat::Dir::open("/")?;
+- let _ = bubblewrap_run_sync(fd.as_raw_fd(), &vec!["true".to_string()], false, true)?;
++ let fd = &openat::Dir::open("/")?;
++ let mut bwrap = Bubblewrap::new_with_mutability(fd, BubblewrapMutability::Immutable)?;
++ bwrap.append_child_argv(&["true"]);
++ let cancellable = &gio::Cancellable::new();
++ let cancellable = Some(cancellable);
++ bwrap.run_inner(cancellable)?;
+ Ok(())
+ }
+--
+2.30.2
+
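Review bot: The requirement that the selftest never modifies the host is recorded only in the commit message, so nothing in `bubblewrap_selftest` itself stops a later refactor from routing it back through `bubblewrap_run_sync`, which per the description runs the tempetc guard and can rename `usr/etc`. I would add above the `Bubblewrap::new_with_mutability` call: `// Must stay side-effect free on the host: build an immutable Bubblewrap directly instead of calling bubblewrap_run_sync(), whose tempetc guard may rename usr/etc.` As a style point, the two `let cancellable` bindings can be folded into the call, `bwrap.run_inner(Some(&gio::Cancellable::new()))?;`, assuming `run_inner` takes `Option<&gio::Cancellable>` as the shadowed binding suggests.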
diff --git a/rpm-ostree.spec b/rpm-ostree.spec index 95e405c..0c012c3 100644 --- a/rpm-ostree.spec +++ b/rpm-ostree.spec @@ -4,12 +4,13 @@ Summary: Hybrid image/package system Name: rpm-ostree Version: 2021.4 -Release: 1%{?dist} +Release: 2%{?dist} License: LGPLv2+ URL: https://github.com/coreos/rpm-ostree # This tarball is generated via "cd packaging && make -f Makefile.dist-packaging dist-snapshot" # in the upstream git. It also contains vendored Rust sources. Source0: https://github.com/coreos/rpm-ostree/releases/download/v%{version}/rpm-ostree-%{version}.tar.xz +Patch0: 0001-bwrap-Fix-selftest-to-be-truly-immutable.patch ExclusiveArch: %{rust_arches} @@ -210,6 +211,9 @@ $PYTHON autofiles.py > files.devel \ %files devel -f files.devel %changelog +* Tue Apr 27 2021 Colin Walters - 2021.4-2 +- Backport patch for https://pagure.io/fedora-infrastructure/issue/9909 + * Mon Apr 12 2021 Jonathan Lebon - 2021.4-1 - https://github.com/coreos/rpm-ostree/releases/tag/v2021.4