meta-lxatac-software: distro: tacos: make /srv on the rootfs read-only #208

Merged: 1 commit merged into linux-automation:scarthgap from srv-ro on Nov 18, 2024

Conversation

@hnez (Member) commented Nov 12, 2024

We do not want any service to write to /srv (in the root filesystem) before the /srv partition is set up and mounted.
Because if /srv is not empty systemd-gpt-auto-generator will not generate a mount unit for it.

Every now and then however some service changes and writes to /srv/ before the partition is set up by the first boot.
Most recently podman (see #206 for the fix).

This is why we have added the following to the task that led to tracking down #206:

050.600 First boot sometimes writes to /srv

[ ] lgo: Mark /srv as not-writeable in the root-fs, so that it can only be written once the /srv-partition has been mounted.

This PR implements that.


TODO before merging:

  • Make sure the permissions are actually applied

@hnez (Member, Author) commented Nov 12, 2024

This PR does indeed make /srv readonly

root@lxatac-00011:~# mount --mkdir /dev/mmcblk1p1 /tmp/other
root@lxatac-00011:~# cd /tmp/other/
root@lxatac-00011:/tmp/other# ls -ahl | grep srv
dr-xr-xr-x  2 root root 4.0K Nov 12 14:27 srv

But that does not stop software running as root from creating files there, as they have CAP_DAC_OVERRIDE:

CAP_DAC_OVERRIDE
Bypass file read, write, and execute permission checks.
(DAC is an abbreviation of "discretionary access control".)

root@lxatac-00011:/tmp/other# touch srv/dac
root@lxatac-00011:/tmp/other# ls srv/dac
srv/dac

Having /srv read-only on paper is still a nice gesture though.

@hnez hnez marked this pull request as ready for review November 12, 2024 14:35
@jluebbe (Member) commented Nov 12, 2024

Why not use the immutable attribute (chattr -i /srv) instead? You could call it from a ROOTFS_POSTPROCESS_COMMAND. Hopefully pseudo supports it. :)

@hnez (Member, Author) commented Nov 13, 2024

> Why not use the immutable attribute (chattr -i /srv) instead? You could call it from a ROOTFS_POSTPROCESS_COMMAND. Hopefully pseudo supports it. :)

Hm … I would prefer if meta-lxatac became less complex and less "special" over time. Fiddling with filesystem attributes is quite special in my opinion (I would not suspect them when something were to behave strangely on a system and look somewhere else first).

We do have a labgrid test that triggers when the /srv partition is not mounted in the fully booted system, so it is not like we will not notice the issue occurring when it comes back.
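The two checks discussed in this thread, as an added example that is not code from the PR or from meta-lxatac: whether a mount point directory on the rootfs is empty (the condition systemd-gpt-auto-generator needs before it generates a mount unit), and whether a 0500 mode actually denies a write to the calling process or is bypassed by CAP_DAC_OVERRIDE. It probes a temporary directory instead of the real /srv; the function names are my own. The capability check reads the CapEff mask from /proc/self/status, so it distinguishes "running as root" from "actually holding CAP_DAC_OVERRIDE" (a container may drop the latter).

```python
"""Added example (not code from the meta-lxatac PR): what protects a
mount point directory on the rootfs, checked against a temporary dir.

Two facts from the PR discussion are exercised here:
  * systemd-gpt-auto-generator only mounts /srv if the directory on the
    rootfs is empty, so nothing may leave files behind there;
  * chmod 0500 does not stop a process that holds CAP_DAC_OVERRIDE,
    because that capability bypasses DAC permission checks.
"""
import os
import stat
import tempfile

CAP_DAC_OVERRIDE = 1  # capability number from <linux/capability.h>


def has_cap_dac_override() -> bool:
    """True if CAP_DAC_OVERRIDE is in this process's effective set.

    Parsed from the CapEff line of /proc/self/status (Linux). Elsewhere
    fall back to "euid == 0", the usual but not guaranteed equivalent.
    """
    try:
        with open("/proc/self/status") as status:
            for line in status:
                if line.startswith("CapEff:"):
                    cap_eff = int(line.split()[1], 16)
                    return bool(cap_eff & (1 << CAP_DAC_OVERRIDE))
    except OSError:
        pass
    return os.geteuid() == 0


def is_empty_mountpoint(path: str) -> bool:
    """The generator's precondition: the directory exists and has no entries."""
    return os.path.isdir(path) and not os.listdir(path)


def write_blocked_by_dac(path: str) -> bool:
    """Try to create a file inside `path`; True if DAC denied the write.

    A probe file that does get created is removed again so the directory
    stays empty (on a real rootfs a leftover would defeat the auto-mount).
    """
    probe = os.path.join(path, ".dac-probe")
    try:
        fd = os.open(probe, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except PermissionError:
        return True
    os.close(fd)
    os.unlink(probe)
    return False


def probe_in_tempdir(mode: int = 0o500) -> dict:
    """Create a directory with `mode` (0500 is what the PR ends up using)
    and report what the current process can do with it."""
    with tempfile.TemporaryDirectory() as tmp:
        srv = os.path.join(tmp, "srv")
        os.mkdir(srv, mode)
        os.chmod(srv, mode)  # mkdir applies the umask; force the exact mode
        result = {
            "mode": stat.S_IMODE(os.stat(srv).st_mode),
            "empty": is_empty_mountpoint(srv),
            "write_blocked": write_blocked_by_dac(srv),
            "cap_dac_override": has_cap_dac_override(),
        }
        os.chmod(srv, 0o700)  # let TemporaryDirectory remove it again
    return result


if __name__ == "__main__":
    r = probe_in_tempdir()
    print(f"mode={r['mode']:04o} empty={r['empty']} "
          f"write_blocked={r['write_blocked']} "
          f"cap_dac_override={r['cap_dac_override']}")
```

Run it once as an ordinary user and once under sudo: the mode is 0500 both times, but `write_blocked` flips from True to False as soon as the process holds CAP_DAC_OVERRIDE, which is exactly the "nice gesture" limitation described above. The immutable attribute raised in the thread is enforced by the filesystem rather than by the DAC check, so it stops a root process too and can only be cleared by a process with CAP_LINUX_IMMUTABLE; note that it is set with `chattr +i` and cleared with `chattr -i`, and it needs a filesystem that supports the flag (ext4 does).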

@hnez (Member, Author) commented Nov 15, 2024

> Perhaps use 0000 to make it clearer that nobody is supposed to use this directory (except as a mount point)?

It looks like 0000 triggers some special behavior that results in the permissions not being applied at all:

leonard@fulladder /tmp> wget "https://github-runner.pengutronix.de/artifacts/forrest-build-18HnwViPU6t38cwc/lxatac-core-bundle-base-lxatac.raucb"
leonard@fulladder /tmp> sudo mount --mkdir lxatac-core-bundle-base-lxatac.raucb /tmp/sqfs
leonard@fulladder /tmp> sudo mount --mkdir /tmp/sqfs/lxatac-core-image-base-lxatac.rootfs.ext4 /tmp/ext4
leonard@fulladder /tmp> ls -ahl /tmp/ext4/
…
drwxr-xr-x  3 root root 4,0K  9. Mar 2018  opt/
dr-xr-xr-x  2 root root 4,0K  9. Mar 2018  proc/
drwx------  2 root root 4,0K  9. Mar 2018  root/
drwxr-xr-x  2 root root 4,0K  9. Mar 2018  run/
lrwxrwxrwx  1 root root    8  9. Mar 2018  sbin -> usr/sbin/
drwxr-xr-x  2 root root 4,0K  9. Mar 2018  srv/
dr-xr-xr-x  2 root root 4,0K  9. Mar 2018  sys/
-rw-r--r--  1 root root    0  9. Mar 2018  system-update
…

@hnez (Member, Author) commented Nov 15, 2024

> It looks like 0000 triggers some special behavior that results in the permissions not being applied at all

I think I found the cause.

The mode field is parsed as octal number:

https://github.com/yoctoproject/poky/blob/ddfb5cd61911c58a3188c91385c7c60e6aa43ed5/meta/lib/oe/package.py#L379-L383

(Returning the integer 0 in our case)

And whenever it is used it is first checked if it is true-ish:

https://github.com/yoctoproject/poky/blob/ddfb5cd61911c58a3188c91385c7c60e6aa43ed5/meta/lib/oe/package.py#L425-L429

(Which it is not in our case)

The intent behind the check is to allow a mode of - (in that case mode is None) that keeps the permissions as-is, but duck typing makes the actual behavior more interesting once again.
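The duck-typing problem described above, as an added example that is not poky's code: a stripped-down re-implementation of how an fs-perms table entry is parsed and applied, with the truthiness check beside an explicit `is not None` check. The function names are my own, and the eight-column line layout (`<path> <mode> <uid> <gid> <walk> <fmode> <fuid> <fgid>`) is what the fs-perms.txt files shipped with poky look like; the real parsing and `chmod` logic lives in meta/lib/oe/package.py at the two ranges linked in the comment.

```python
"""Added example, not poky's code: why a mode of 0000 in an fs-perms
table is silently ignored when the mode is checked with `if mode:`.

'-' in the mode column means "leave as is" and is parsed to None; any
other value is parsed as an octal number. 0000 therefore becomes the
integer 0, which is as false-y as None and falls through the same check.
"""
import os
import stat
import tempfile
from typing import Callable, Optional


def parse_mode(field: str) -> Optional[int]:
    """'-' -> None (do not touch); everything else is an octal mode."""
    if field == "-":
        return None
    return int(field, 8)


def parse_fs_perms_line(line: str) -> Optional[dict]:
    """Parse one fs-perms.txt entry; comments and blank lines give None.

    Assumed layout: <path> <mode> <uid> <gid> <walk> <fmode> <fuid> <fgid>
    (plus the three-field `<path> link <target>` form).
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    if len(fields) == 3 and fields[1] == "link":
        return {"path": fields[0], "link": fields[2]}
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields in fs-perms entry: {line!r}")
    path, mode, uid, gid, walk, fmode, fuid, fgid = fields
    opt = lambda v: None if v == "-" else v  # noqa: E731
    return {
        "path": path,
        "mode": parse_mode(mode),
        "uid": opt(uid),
        "gid": opt(gid),
        "walk": walk.lower() == "true",
        "fmode": parse_mode(fmode),
        "fuid": opt(fuid),
        "fgid": opt(fgid),
    }


def apply_mode_buggy(path: str, mode: Optional[int]) -> bool:
    """The truthiness check: 0 and None are treated alike, so 0000 is skipped."""
    if mode and not os.path.islink(path):
        os.chmod(path, mode)
        return True
    return False


def apply_mode_fixed(path: str, mode: Optional[int]) -> bool:
    """Explicit None check: only '-' is skipped, 0000 is a real mode."""
    if mode is not None and not os.path.islink(path):
        os.chmod(path, mode)
        return True
    return False


def demo(mode_field: str, apply: Callable[[str, Optional[int]], bool]) -> tuple:
    """Make a 0755 directory, apply `mode_field` with `apply`,
    return (was_applied, resulting_mode)."""
    with tempfile.TemporaryDirectory() as tmp:
        srv = os.path.join(tmp, "srv")
        os.mkdir(srv, 0o755)
        os.chmod(srv, 0o755)  # ignore the umask so the starting point is known
        applied = apply(srv, parse_mode(mode_field))
        result = stat.S_IMODE(os.stat(srv).st_mode)
        os.chmod(srv, 0o755)  # so TemporaryDirectory can remove it
    return applied, result


if __name__ == "__main__":
    for field in ("-", "0000", "0500"):
        print(field, "buggy:", demo(field, apply_mode_buggy),
              "fixed:", demo(field, apply_mode_fixed))
```

With the buggy check `0000` and `-` behave identically (nothing applied, directory stays 0755), which is the `drwxr-xr-x srv/` seen in the listing above; with the explicit None check `0000` is applied and `-` is still left alone. The 0500 workaround chosen in the PR sidesteps the problem because 0o500 is a non-zero integer.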

We do not want any service to write to /srv (in the root filesystem)
before the /srv partition is set up and mounted.

Indicate this intent by reducing permissions for the directory.

This will however not stop processes running as root from writing there
anyways due to CAP_DAC_OVERRIDE.

Signed-off-by: Leonard Göhrs <l.goehrs@pengutronix.de>
@hnez (Member, Author) commented Nov 18, 2024

I've set the mode to 0500 now as a workaround. Since root does not care anyways this should not make a difference in practice.

@hnez hnez merged commit be482c6 into linux-automation:scarthgap Nov 18, 2024
3 of 4 checks passed
@hnez hnez deleted the srv-ro branch November 18, 2024 08:52