Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ostree-ext: Update parser to honor composefs=verity #1175

Merged
merged 1 commit into from
Mar 6, 2025
Merged

ostree-ext: Update parser to honor composefs=verity #1175

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 24 additions & 6 deletions ostree-ext/src/ostree_prepareroot.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ use std::str::FromStr;
use anyhow::{Context, Result};
use camino::Utf8Path;
use cap_std_ext::dirext::CapStdExtDirExt;
use fn_error_context::context;
use ocidir::cap_std::fs::Dir;
use ostree::glib::object::Cast;
use ostree::prelude::FileExt;
Expand All @@ -21,7 +22,8 @@ use crate::utils::ResultExt;
/// The relative path to ostree-prepare-root's config.
pub const CONF_PATH: &str = "ostree/prepare-root.conf";

pub(crate) fn load_config(root: &ostree::RepoFile) -> Result<Option<glib::KeyFile>> {
/// Load the ostree prepare-root config from the given ostree repository.
pub fn load_config(root: &ostree::RepoFile) -> Result<Option<glib::KeyFile>> {
let cancellable = gio::Cancellable::NONE;
let kf = glib::KeyFile::new();
for path in ["etc", "usr/lib"].into_iter().map(Utf8Path::new) {
Expand Down Expand Up @@ -66,18 +68,22 @@ pub fn require_config_from_root(root: &Dir) -> Result<glib::KeyFile> {

/// Query whether the target root has the `root.transient` key
/// which sets up a transient overlayfs.
pub(crate) fn overlayfs_root_enabled(root: &ostree::RepoFile) -> Result<bool> {
pub fn overlayfs_root_enabled(root: &ostree::RepoFile) -> Result<bool> {
if let Some(config) = load_config(root)? {
overlayfs_enabled_in_config(&config)
} else {
Ok(false)
}
}

#[derive(Debug, PartialEq, Eq)]
enum Tristate {
/// An option which can be enabled, disabled, or possibly enabled.
#[derive(Debug, PartialEq, Eq, Clone)]
pub enum Tristate {
/// Enabled
Enabled,
/// Disabled
Disabled,
/// Maybe
Maybe,
}

Expand Down Expand Up @@ -111,9 +117,14 @@ impl Tristate {
}
}

/// The state of a composefs for ostree
#[derive(Debug, PartialEq, Eq)]
enum ComposefsState {
pub enum ComposefsState {
/// The composefs must be signed and use fsverity
Signed,
/// The composefs must use fsverity
Verity,
/// The composefs may or may not be enabled.
Tristate(Tristate),
}

Expand All @@ -126,9 +137,11 @@ impl Default for ComposefsState {
impl FromStr for ComposefsState {
type Err = anyhow::Error;

#[context("Parsing composefs.enabled value {s}")]
fn from_str(s: &str) -> Result<Self> {
let r = match s {
"signed" => Self::Signed,
"verity" => Self::Verity,
o => Self::Tristate(Tristate::from_str(o)?),
};
Ok(r)
Expand All @@ -138,10 +151,15 @@ impl FromStr for ComposefsState {
impl ComposefsState {
pub(crate) fn maybe_enabled(&self) -> bool {
match self {
ComposefsState::Signed => true,
ComposefsState::Signed | ComposefsState::Verity => true,
ComposefsState::Tristate(t) => t.maybe_enabled(),
}
}

/// This configuration requires fsverity on the target filesystem.
pub fn requires_fsverity(&self) -> bool {
matches!(self, ComposefsState::Signed | ComposefsState::Verity)
}
}

/// Query whether the config uses an overlayfs model (composefs or plain overlayfs).
Expand Down