Use chroot to label previously binded mountpoints

This prevents errors with non chrooted setfiles calls
in which fail due to policy divergences between host and
target.

For that purpose a new option to chroot utility has
been included to allow chroot without setting the default
bind mounts for /dev/, /sys and /proc.

Signed-off-by: David Cassany <[email protected]>

Author: davidcassany

pkg/elemental/elemental.go

@@ -670,7 +670,6 @@ func SelinuxRelabel(c types.Config, rootDir string, extraPaths ...string) error
 // ApplySELinuxLabels relables with setfiles the given root in a chroot env. Additionaly after the first
 // chrooted call it runs a non chrooted call to relabel any mountpoint used within the chroot.
 func ApplySELinuxLabels(c types.Config, rootDir string, bind map[string]string) (err error) {
-	var out []byte
 	extraPaths := []string{}
 
 	for _, v := range bind {
@@ -685,14 +684,32 @@ func ApplySELinuxLabels(c types.Config, rootDir string, bind map[string]string)
 	contextsFile := filepath.Join(rootDir, cnst.SELinuxTargetedContextFile)
 	existsCon, _ := utils.Exists(c.Fs, contextsFile)
 
-	if existsCon && c.Runner.CommandExists("setfiles") {
-		args := []string{"-r", rootDir, "-i", "-F", contextsFile}
-		for _, path := range append([]string{"/dev", "/proc", "/sys"}, extraPaths...) {
-			args = append(args, filepath.Join(rootDir, path))
+	if !existsCon || !c.Runner.CommandExists("setfiles") {
+		return nil
+	}
+
+	// Now we call setfiles to label the directories and mountpoints that were bind mounted
+	// inside the previous chrooted call. Since /dev is likely to be an empty folder in that context
+	// we create a /dev/null device as setfiles will complain without it.
+	devnull := filepath.Join(rootDir, "/dev/null")
+	if ok, _ := utils.Exists(c.Fs, devnull); !ok {
+		_, err = c.Runner.Run("mknod", "-m", "666", devnull, "c", "1", "3")
+		if err != nil {
+			return err
 		}
-		out, err = c.Runner.Run("setfiles", args...)
-		c.Logger.Debugf("SELinux setfiles output: %s", string(out))
+		defer func() {
+			_ = c.Fs.RemoveAll(devnull)
+		}()
+	}
+
+	var restoreOut []byte
+	args := append([]string{"-i", "-F", cnst.SELinuxTargetedContextFile, "/dev", "/proc", "/sys"}, extraPaths...)
+	restoreLabels := func() error {
+		restoreOut, err = c.Runner.Run("setfiles", args...)
+		return err
 	}
+	err = utils.ChrootedCallback(&c, rootDir, map[string]string{}, restoreLabels, utils.NoDefaultBinds())
+	c.Logger.Debugf("SELinux setfiles output: %s", string(restoreOut))
 
 	return err
 }

pkg/utils/chroot.go

@@ -28,6 +28,14 @@ import (
 	"github.com/rancher/elemental-toolkit/v2/pkg/types"
 )
 
+type ChrootOpt func(ch *Chroot)
+
+func NoDefaultBinds() ChrootOpt {
+	return func(ch *Chroot) {
+		ch.defaultMounts = []string{}
+	}
+}
+
 // Chroot represents the struct that will allow us to run commands inside a given chroot
 type Chroot struct {
 	path          string
@@ -37,19 +45,23 @@ type Chroot struct {
 	config        *types.Config
 }
 
-func NewChroot(path string, config *types.Config) *Chroot {
-	return &Chroot{
+func NewChroot(path string, config *types.Config, opts ...ChrootOpt) *Chroot {
+	ch := &Chroot{
 		path:          path,
 		defaultMounts: []string{"/dev", "/dev/pts", "/proc", "/sys"},
 		extraMounts:   map[string]string{},
 		activeMounts:  []string{},
 		config:        config,
 	}
+	for _, opt := range opts {
+		opt(ch)
+	}
+	return ch
 }
 
 // ChrootedCallback runs the given callback in a chroot environment
-func ChrootedCallback(cfg *types.Config, path string, bindMounts map[string]string, callback func() error) error {
-	chroot := NewChroot(path, cfg)
+func ChrootedCallback(cfg *types.Config, path string, bindMounts map[string]string, callback func() error, opts ...ChrootOpt) error {
+	chroot := NewChroot(path, cfg, opts...)
 	if bindMounts == nil {
 		bindMounts = map[string]string{}
 	}