
(RHEL-16952) UKI addons - followups #246

Merged: 8 commits, Mar 15, 2024

Conversation

@msekletar msekletar commented Mar 13, 2024

This set of changes reworks how we handle the random seed on the ESP and hence should address the following SELinux AVC.

time->Wed Mar 13 18:25:53 2024
type=PROCTITLE msg=audit(1710350753.193:1464): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D72616E646F6D2D736565640073617665
type=SYSCALL msg=audit(1710350753.193:1464): arch=c00000b7 syscall=56 success=no exit=-13 a0=6 a1=aaaae7593e10 a2=88102 a3=0 items=0 ppid=1 pid=65277 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-random-" exe="/usr/lib/systemd/systemd-random-seed" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1710350753.193:1464): avc:  denied  { read write } for  pid=65277 comm="systemd-random-" name="random-seed" dev="vda1" ino=124 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0
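To read the three records above as one event, here is an added decoder (example code for this page, not systemd or SELinux tooling). The audit lines are copied from the description; the arch/syscall table and the open(2) flag values are assumptions limited to what these records need (arch c00000b7 is taken to be AUDIT_ARCH_AARCH64, where syscall 56 is openat, with asm-generic flag values).

```python
"""Decode the audit records quoted in the PR description."""
import errno
import re

# Copied from the PR description (one event: PROCTITLE + SYSCALL + AVC).
AUDIT_LINES = [
    'type=PROCTITLE msg=audit(1710350753.193:1464): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D72616E646F6D2D736565640073617665',
    'type=SYSCALL msg=audit(1710350753.193:1464): arch=c00000b7 syscall=56 success=no exit=-13 a0=6 a1=aaaae7593e10 a2=88102 a3=0 items=0 ppid=1 pid=65277 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-random-" exe="/usr/lib/systemd/systemd-random-seed" subj=system_u:system_r:init_t:s0 key=(null)',
    'type=AVC msg=audit(1710350753.193:1464): avc:  denied  { read write } for  pid=65277 comm="systemd-random-" name="random-seed" dev="vda1" ino=124 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0',
]

# Assumption: only the aarch64 entry this event needs.
SYSCALLS = {"c00000b7": {56: "openat"}}
# asm-generic/fcntl.h values (aarch64 uses the generic layout).
OPEN_FLAGS = [
    (0x1, "O_WRONLY"), (0x2, "O_RDWR"), (0x40, "O_CREAT"), (0x80, "O_EXCL"),
    (0x100, "O_NOCTTY"), (0x200, "O_TRUNC"), (0x400, "O_APPEND"),
    (0x8000, "O_LARGEFILE"), (0x10000, "O_DIRECTORY"), (0x20000, "O_NOFOLLOW"),
    (0x80000, "O_CLOEXEC"),
]


def parse_record(line):
    """Split one audit record into key=value fields; an AVC permission set
    such as "{ read write }" is returned under "perms"."""
    rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    m = re.search(r"\{ ([^}]*) \}", line)
    if m:
        rec["perms"] = m.group(1).split()
    return rec


def decode_proctitle(hexstr):
    """proctitle is the NUL-separated argv of the process, hex encoded."""
    return [p.decode() for p in bytes.fromhex(hexstr).split(b"\0")]


def decode_open_flags(hexval):
    """a0..a3 are printed as bare hex; for openat, a2 is the flags word."""
    value = int(hexval, 16)
    names = [name for bit, name in OPEN_FLAGS if value & bit]
    if not value & 0x3:
        names.insert(0, "O_RDONLY")
    return names


def explain(lines):
    """Correlate the records of one event (same msg=audit(ts:serial)) and
    return who was denied what, on which object, during which call."""
    recs = {r["type"]: r for r in map(parse_record, lines)}
    if len({r["msg"] for r in recs.values()}) != 1:
        raise ValueError("records belong to different audit events")
    sc, avc, pt = recs["SYSCALL"], recs["AVC"], recs["PROCTITLE"]
    syscall = SYSCALLS.get(sc["arch"], {}).get(int(sc["syscall"]), "?")
    exit_code = int(sc["exit"])
    return {
        "argv": decode_proctitle(pt["proctitle"]),
        "syscall": syscall,
        "dirfd": int(sc["a0"], 16),  # openat's first argument
        "flags": decode_open_flags(sc["a2"]) if syscall == "openat" else [],
        "errno": exit_code,
        "errno_name": errno.errorcode.get(-exit_code, "?"),
        "source": avc["scontext"].split(":")[2],  # domain of the process
        "target": avc["tcontext"].split(":")[2],  # type of the file
        "tclass": avc["tclass"],
        "perms": avc["perms"],
        "enforcing": avc["permissive"] == "0",
    }


def summarize(lines):
    """One-line human summary of explain()."""
    r = explain(lines)
    return (f'{r["source"]} denied {"/".join(r["perms"])} on {r["tclass"]} '
            f'labelled {r["target"]} in {r["syscall"]}(dirfd={r["dirfd"]}, '
            f'{"|".join(r["flags"])}) -> {r["errno_name"]}; '
            f'argv={r["argv"]}; enforcing={r["enforcing"]}')


if __name__ == "__main__":
    print(summarize(AUDIT_LINES))
```

Read this way, the event says: the systemd-random-seed binary (domain init_t, enforcing mode, invoked as "systemd-random-seed save") was refused read/write on a file labelled dosfs_t, i.e. on the vfat ESP, while calling openat(O_RDWR|O_NOCTTY|O_LARGEFILE|O_CLOEXEC) relative to an already open directory fd (a0=6), and got EACCES. The PR's answer, per the commit message for 29d487a below, is to stop touching the ESP from systemd-random-seed altogether and leave the seed refresh to bootctl in its own service, rather than widening policy for init_t on dosfs_t.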

This doesn't really fix anything, but in general we should put stronger
emphasis on operating via dir fds rather than paths (in particular
when writing files as opposed to consuming them).

No real change in behaviour.

(cherry picked from commit 6b97b26)

Related: RHEL-16952
…lace

Let's do a careful, focussed sync at the right places instead of a
blanket sync at the end. After all we want to run this on every boot
soon.

(cherry picked from commit 60315d5)

Related: RHEL-16952
Let's not regress in entropy in any case.

This does what f913c78 also does.

(cherry picked from commit 114172f)

Related: RHEL-16952
We use this pattern all the time in order to thwart extension attacks;
add a helper to make it shorter.

(cherry picked from commit a16c65f)

Related: RHEL-16952
The ESP is simply not mounted early enough for this. We want the
regular random seed handling to run as early as we possibly can, but we
don't want to delay it until the ESP is actually mounted.

Hence, let's remove this from random-seed.c here. A follow-up commit
will then add this back in, in a separate service which just calls
"bootctl random-seed".

Effectively reverts: f913c78

Fixes: #25769
(cherry picked from commit 29d487a)

Related: RHEL-16952
(cherry picked from commit 5019b0c)

Related: RHEL-16952
…-random-seed.service

This renames systemd-boot-system-token.service to
systemd-boot-random-seed.service and conditions it less strictly.

Previously, the job of the service was to write a "system token" EFI
variable if it was missing. It called "bootctl --graceful random-seed"
for that. With this change we condition it more liberally: instead of
calling it only when the "system token" EFI variable isn't set, we call
it whenever a boot loader interface compatible boot loader is used. This
means, previously it was invoked on the first boot only: now it is
invoked at every boot.

This doesn't change the command that is invoked. That's because
previously already the "bootctl --graceful random-seed" did two things:
set the system token if not set yet *and* refresh the random seed in the
ESP. Previously we put the focus on the former, now we shift the focus to
the latter.

With this simple change we can replace the logic
f913c78 added, but from a service that
can run much later and doesn't keep the ESP pinned.

(cherry picked from commit 921fc45)

Related: RHEL-16952
Let's break a huge function in two. No code change, just some
refactoring.

(cherry picked from commit 54978e3)

Related: RHEL-16952
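The four commit messages on dir fds (6b97b26), focused syncs around the move into place (60315d5), hashing the old seed with the new one (114172f) and the helper that hashes a buffer together with its size (a16c65f) describe one procedure. The following is an added example of that procedure in Python (illustration for this page, not bootctl's code). SEED_SIZE, the 8-byte little-endian length prefix, the temp-file name and the exact hash layout are assumptions made for the example.

```python
"""Refresh a stored random seed without losing entropy, then install it
through a directory fd with targeted fsyncs (added example, not bootctl)."""
import hashlib
import os
import tempfile
from typing import Optional

SEED_SIZE = 32  # assumption: one SHA-256 digest per seed


def sha256_process_bytes_and_size(h, data: bytes) -> None:
    """Feed `data` into the running hash `h` prefixed by its length, so the
    boundary between consecutive fields is itself part of the hashed input.
    The 8-byte little-endian prefix is this example's choice."""
    h.update(len(data).to_bytes(8, "little"))
    h.update(data)


def naive_hash(*parts: bytes) -> bytes:
    """Plain concatenation: every split of the same byte string collides."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


def framed_hash(*parts: bytes) -> bytes:
    """Length-prefixed fields: (a, b) and (a', b') hash differently unless
    they are the same pair, even when a||b == a'||b'."""
    h = hashlib.sha256()
    for p in parts:
        sha256_process_bytes_and_size(h, p)
    return h.digest()


def derive_new_seed(old_seed: bytes, fresh: bytes) -> bytes:
    """New seed = H(old seed, fresh randomness). Weak `fresh` cannot erase
    the entropy already in `old_seed`; a missing old seed is hashed as an
    empty field rather than silently skipped."""
    return framed_hash(old_seed, fresh)[:SEED_SIZE]


def read_seed_at(dir_fd: int, name: str) -> bytes:
    """Read `name` relative to `dir_fd`; an absent file is an empty seed."""
    try:
        fd = os.open(name, os.O_RDONLY | os.O_CLOEXEC, dir_fd=dir_fd)
    except FileNotFoundError:
        return b""
    try:
        chunks = []
        while True:
            chunk = os.read(fd, 4096)
            if not chunk:
                return b"".join(chunks)
            chunks.append(chunk)
    finally:
        os.close(fd)


def write_seed_at(dir_fd: int, name: str, seed: bytes) -> None:
    """Write a sibling temp file, fsync it, rename it over `name`, then
    fsync the directory so the rename itself is durable. Every step is
    relative to `dir_fd`; no path is re-resolved between steps."""
    tmp = f".{name}.tmp"  # assumption: temp name used by this example
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_CLOEXEC,
                 0o600, dir_fd=dir_fd)
    try:
        view = memoryview(seed)
        while view:  # os.write may be partial; loop until all bytes are out
            view = view[os.write(fd, view):]
        os.fsync(fd)
    finally:
        os.close(fd)
    os.rename(tmp, name, src_dir_fd=dir_fd, dst_dir_fd=dir_fd)
    os.fsync(dir_fd)


def refresh_seed_file(dir_fd: int, name: str = "random-seed",
                      fresh: Optional[bytes] = None) -> bytes:
    """One refresh cycle: read old seed, mix in fresh randomness, install."""
    if fresh is None:
        fresh = os.urandom(SEED_SIZE)
    new_seed = derive_new_seed(read_seed_at(dir_fd, name), fresh)
    write_seed_at(dir_fd, name, new_seed)
    return new_seed


def demo(fresh: bytes = b"\x01" * SEED_SIZE):
    """Two refreshes against a scratch directory with a fixed `fresh` input;
    returns (seed after 1st refresh, seed after 2nd, directory listing)."""
    with tempfile.TemporaryDirectory() as d:
        dir_fd = os.open(d, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)
        try:
            first = refresh_seed_file(dir_fd, fresh=fresh)
            second = refresh_seed_file(dir_fd, fresh=fresh)
            names = sorted(os.listdir(d))
        finally:
            os.close(dir_fd)
    return first, second, names


if __name__ == "__main__":
    print(naive_hash(b"ab", b"c") == naive_hash(b"a", b"bc"))    # True
    print(framed_hash(b"ab", b"c") == framed_hash(b"a", b"bc"))  # False
    print(demo()[2])                                             # ['random-seed']
```

The two hash helpers make the "extension" point concrete: naive_hash(b"ab", b"c") and naive_hash(b"a", b"bc") are the same digest, framed_hash keeps them apart. demo() runs the refresh twice with identical fresh input and still produces two different seeds, because the second derivation consumes the first seed; only the final file name is left in the directory, since the temp file was renamed over it.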
github-actions bot added the pr/needs-ci and pr/needs-review labels Mar 13, 2024

github-actions bot commented Mar 13, 2024

Commit validation

Tracker - RHEL-16952

The following commits meet all requirements

commit upstream
c68e752 - bootctl: rework random seed logic to use open_mkdir_at() and openat() systemd/systemd@6b97b26
a5c4d8d - bootctl: properly sync fs before/after moving random seed file into pl… systemd/systemd@60315d5
dd57ee6 - bootctl: when updating EFI random seed file, hash old seed with new on… systemd/systemd@114172f
b19c6d6 - sha256: add helper than hashes a buffer and its size systemd/systemd@a16c65f
27758fc - random-seed: don't refresh EFI random seed from random-seed.c anymore systemd/systemd@29d487a
51c9811 - bootctl: downgrade graceful messages to LOG_NOTICE systemd/systemd@5019b0c
cac22d5 - units: rename/rework systemd-boot-system-token.service → systemd-boot-… systemd/systemd@921fc45
b906606 - bootctl: split out setting of system token into function of its own systemd/systemd@54978e3

Tracker validation

Success

🟢 Tracker RHEL-16952 has set desired product: rhel-9.4.0
🟢 Tracker RHEL-16952 has set desired component: systemd
🟢 Tracker RHEL-16952 has been approved


Pull Request validation

Success

🟡 CI - Waived
🟢 Review - Reviewed by a member
🟢 Approval - Changes were approved


Auto Merge

Success

🟢 Pull Request is not marked as draft and it's not blocked by dont-merge label
🟢 Pull Request meet requirements, title has correct form
🟢 Pull Request meet requirements, mergeable is true
🟠 Pull Request meet requirements, mergeable_state is unstable
🟢 Pull Request has correct target branch main
🟢 Pull Request was merged

@jamacku jamacku added this to the RHEL-9.4.0 milestone Mar 13, 2024
@jamacku (Member) commented Mar 14, 2024

@mrc0mmand Any ideas why CI is failing? Thank you

systemd:fuzz+san / fuzz-link-parser_99-default.link_address,undefined time out (After 60 seconds)
1090/1409 systemd:fuzz+san / fuzz-link-parser_99-default.link_address,undefined                   TIMEOUT         60.28s   killed by signal 15 SIGTERM
>>> UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1 MALLOC_PERTURB_=161 /usr/bin/env /home/runner/work/systemd-rhel9/systemd-rhel9/build/fuzz-link-parser:address,undefined /home/runner/work/systemd-rhel9/systemd-rhel9/test/fuzz/fuzz-link-parser/99-default.link
――――――――――――――――――――――――――――――――――――― ✀  ―――――――――――――――――――――――――――――――――――――
Listing only the last 100 lines from a long log.

――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
systemd:fuzz+san / fuzz-netdev-parser_directives.netdev_address,undefined time out (After 60 seconds)
1091/1409 systemd:fuzz+san / fuzz-netdev-parser_directives.netdev_address,undefined               TIMEOUT         61.92s   killed by signal 15 SIGTERM
>>> UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1 MALLOC_PERTURB_=20 /usr/bin/env /home/runner/work/systemd-rhel9/systemd-rhel9/build/fuzz-netdev-parser:address,undefined /home/runner/work/systemd-rhel9/systemd-rhel9/build/test/fuzz/fuzz-netdev-parser_directives.netdev
――――――――――――――――――――――――――――――――――――― ✀  ―――――――――――――――――――――――――――――――――――――
Listing only the last 100 lines from a long log.

 ――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
systemd:fuzz+san / fuzz-netdev-parser_21-vlan.netdev_address,undefined time out (After 60 seconds)
1092/1409 systemd:fuzz+san / fuzz-netdev-parser_21-vlan.netdev_address,undefined                  TIMEOUT         63.40s   killed by signal 15 SIGTERM
>>> UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1 MALLOC_PERTURB_=193 /usr/bin/env /home/runner/work/systemd-rhel9/systemd-rhel9/build/fuzz-netdev-parser:address,undefined /home/runner/work/systemd-rhel9/systemd-rhel9/test/fuzz/fuzz-netdev-parser/21-vlan.netdev
――――――――――――――――――――――――――――――――――――― ✀  ―――――――――――――――――――――――――――――――――――――
Listing only the last 100 lines from a long log.

Maybe timeout is too short?

@mrc0mmand (Member) commented

That's actions/runner-images#9491, feel free to ignore it here.

@jamacku jamacku requested a review from dtardon March 14, 2024 13:36
github-actions bot removed the pr/needs-ci label Mar 14, 2024
@dtardon (Member) left a comment

LGTM

github-actions bot removed the pr/needs-review label Mar 15, 2024
github-actions bot merged commit 6fb21c2 into redhat-plumbers:main Mar 15, 2024
27 of 29 checks passed