selinux stuff

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>

Author: krnowak

build_library/board_options.sh

@@ -14,23 +14,6 @@ ARCH=$(get_board_arch ${BOARD})
 # What cross-build are we targeting?
 . "${BOARD_ROOT}/etc/portage/make.conf" || die
 
-# check if any of the given use flags are enabled for a pkg
-pkg_use_enabled() {
-  local pkg="${1}"; shift
-
-  # for every flag argument, turn it into a regexp that matches it as
-  # either '+${flag}' or '(+${flag})'
-  local -a grep_args=()
-  local flag
-  for flag; do
-      grep_args+=( -e '^(\?+'"${flag}"')\?$' )
-  done
-  local -i rv=0
-
-  equery-"${BOARD}" --quiet uses --forced-masked "${pkg}" | grep --quiet "${grep_args[@]}" || rv=$?
-  return ${rv}
-}
-
 # Usage: pkg_version [installed|binary|ebuild] some-pkg/name
 # Prints: some-pkg/name-1.2.3
 # Note: returns 0 even if the package was not found.

build_library/build_image_util.sh

@@ -19,6 +19,7 @@ fi
 BUILD_DIR="${FLAGS_output_root}/${BOARD}/${IMAGE_SUBDIR}"
 OUTSIDE_OUTPUT_DIR="../build/images/${BOARD}/${IMAGE_SUBDIR}"
 
+source "${BUILD_LIBRARY_DIR}/pkg_util.sh" || exit 1
 source "${BUILD_LIBRARY_DIR}/reports_util.sh" || exit 1
 source "${BUILD_LIBRARY_DIR}/sbsign_util.sh" || exit 1
 
@@ -683,7 +684,7 @@ EOF
   fi
 
   # Build the selinux policy
-  if pkg_use_enabled coreos-base/coreos selinux; then
+  if is_selinux_enabled "${BOARD}"; then
     info "Building selinux mcs policy"
     sudo chroot "${root_fs_dir}" bash -s <<'EOF'
 cd /usr/share/selinux/mcs
@@ -723,7 +724,7 @@ EOF
   # SELinux: Label the root filesystem for using 'file_contexts'.
   # The labeling has to be done before moving /etc to /usr/share/flatcar/etc to prevent wrong labels for these files and as
   # the relabeling on boot would cause upcopies in the overlay.
-  if pkg_use_enabled coreos-base/coreos selinux; then
+  if is_selinux_enabled "${BOARD}"; then
     # -D - set or update any directory SHA1 digests
     # -E - treat conflicting specifications as errors
     # -F - force reset of context to match file_context

build_library/pkg_util.sh

@@ -0,0 +1,30 @@
+# Copyright (c) 2025 The Flatcar Maintainers. All rights reserved.
+# Use of this source code is governed by the Apache 2.0 license.
+
+# check if any of the given use flags are enabled for a pkg
+pkg_use_enabled() {
+  local board=${1}; shift
+  local pkg=${1}; shift
+
+  # for every flag argument, turn it into a regexp that matches it as
+  # either '+${flag}' or '(+${flag})'
+  local -a grep_args=()
+  local flag
+  for flag; do
+    grep_args+=( -e '^(\?+'"${flag}"')\?$' )
+  done
+  local -i rv=0
+  local equery='equery'
+  if [[ -n ${board} ]]; then
+    equery+="-${board}"
+  fi
+
+  "${equery}" --quiet uses --forced-masked "${pkg}" | grep --quiet "${grep_args[@]}" || rv=$?
+  return ${rv}
+}
+
+is_selinux_enabled() {
+  local board=${1}; shift
+
+  pkg_use_enabled "${board}" coreos-base/coreos selinux
+}

build_library/prod_image_util.sh

@@ -3,6 +3,8 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
+source "${BUILD_LIBRARY_DIR}/pkg_util.sh" || exit 1
+
 # Lookup the current version of a binary package, downloading it if needed.
 # Usage: get_binary_pkg some-pkg/name
 # Prints: some-pkg/name-1.2.3
@@ -214,6 +216,14 @@ create_prod_tar() {
 create_prod_sysexts() {
   local image_name="$1"
   local image_sysext_base="${image_name%.bin}_sysext.squashfs"
+  local -a extra_args
+
+  local selinux=''
+  if is_selinux_enabled "${BOARD}"; then
+    selinux=x
+  fi
+
+  local sysext
   for sysext in "${EXTRA_SYSEXTS[@]}"; do
     local name pkgs useflags arches
     IFS="|" read -r name pkgs useflags arches <<< "$sysext"
@@ -222,9 +232,13 @@ create_prod_sysexts() {
     local arch_array=(${arches//,/ })
     local useflags_array=(${useflags//,/ })
 
+    extra_args=()
     local mangle_script="${BUILD_LIBRARY_DIR}/sysext_mangle_${name}"
-    if [[ ! -x "${mangle_script}" ]]; then
-      mangle_script=
+    if [[ -x "${mangle_script}" ]]; then
+      extra_args+=( --manglefs_script="${mangle_script}" )
+    fi
+    if [[ -n ${selinux} ]]; then
+      extra_args+=( --selinux )
     fi
 
     if [[ -n "$arches" ]]; then
@@ -240,8 +254,8 @@ create_prod_sysexts() {
     fi
 
     sudo rm -f "${BUILD_DIR}/${name}.raw" \
-	"${BUILD_DIR}/flatcar-test-update-${name}.gz" \
-	"${BUILD_DIR}/${name}_*"
+        "${BUILD_DIR}/flatcar-test-update-${name}.gz" \
+        "${BUILD_DIR}/${name}_*"
     # we use -E to pass the USE flags, but also MODULES_SIGN variables
     #
     # The --install_root_basename="${name}-extra-sysext-rootfs" flag
@@ -252,8 +266,8 @@ create_prod_sysexts() {
         --squashfs_base="${BUILD_DIR}/${image_sysext_base}" \
         --image_builddir="${BUILD_DIR}" \
         --install_root_basename="${name}-extra-sysext-rootfs" \
-        ${mangle_script:+--manglefs_script=${mangle_script}} \
         --forbidden_packages='sec-policy/selinux-.*;selinux policy packages must be in base image' \
+        "${extra_args[@]}" \
         "${name}" "${pkg_array[@]}"
     delta_generator \
       -private_key "/usr/share/update_engine/update-payload-key.key.pem" \

build_library/sysext_prod_builder

@@ -16,6 +16,7 @@ assert_inside_chroot
 switch_to_strict_mode
 
 . "${BUILD_LIBRARY_DIR}/build_image_util.sh" || exit 1
+. "${BUILD_LIBRARY_DIR}/pkg_util.sh" || exit 1
 
 # Create a sysext from a package and install it to the OS image.
 # Conventions:
@@ -54,6 +55,13 @@ create_prod_sysext() {
     msg="${msg}, FS mangle script 'sysext_mangle_${name}'"
   fi
 
+  if is_selinux_enabled "${BOARD}"; then
+    build_sysext_opts+=(
+      --selinux
+      --forbidden_packages='sec-policy/selinux-.*;selinux policy packages must be in base image'
+    )
+  fi
+
   info "${msg}."
 
   # Pass the build ID extracted from root FS to build_sysext. This prevents common.sh
@@ -63,13 +71,20 @@ create_prod_sysext() {
   # The --install_root_basename="${name}-base-sysext-rootfs" flag is
   # important - it sets the name of a rootfs directory, which is used
   # to determine the package target in coreos/base/profile.bashrc
+  echo sudo "FLATCAR_BUILD_ID=$FLATCAR_BUILD_ID" "${SCRIPTS_DIR}/build_sysext" \
+            --board="${BOARD}" \
+            --image_builddir="${workdir}/sysext-build" \
+            --squashfs_base="${base_sysext}" \
+            --generate_pkginfo \
+            --install_root_basename="${name}-base-sysext-rootfs" \
+            "${build_sysext_opts[@]}" \
+            "${name}" "${grp_pkg[@]}"
   sudo "FLATCAR_BUILD_ID=$FLATCAR_BUILD_ID" "${SCRIPTS_DIR}/build_sysext" \
             --board="${BOARD}" \
             --image_builddir="${workdir}/sysext-build" \
             --squashfs_base="${base_sysext}" \
             --generate_pkginfo \
             --install_root_basename="${name}-base-sysext-rootfs" \
-            --forbidden_packages='sec-policy/selinux-.*;selinux policy packages must be in base image' \
             "${build_sysext_opts[@]}" \
             "${name}" "${grp_pkg[@]}"
 

build_library/vm_image_util.sh

@@ -5,6 +5,8 @@
 # Format options. Each variable uses the form IMG_<type>_<opt>.
 # Default values use the format IMG_DEFAULT_<opt>.
 
+. "${BUILD_LIBRARY_DIR}/pkg_util.sh" || exit 1
+
 VALID_IMG_TYPES=(
     akamai
     ami
@@ -582,6 +584,9 @@ install_oem_sysext() {
         --install_root_basename="${VM_IMG_TYPE}-oem-sysext-rootfs"
         --forbidden_packages='sec-policy/selinux-.*;selinux policy packages must be in base image' \
     )
+    if is_selinux_enabled "${BOARD}"; then
+        build_sysext_flags+=( --selinux )
+    fi
     local overlay_path mangle_fs
     overlay_path=$(portageq get_repo_path / coreos-overlay)
     mangle_fs="${overlay_path}/${metapkg}/files/manglefs.sh"

build_sysext

@@ -45,6 +45,8 @@ DEFINE_string install_root_basename "${default_install_root_basename}" \
   "Name of a root directory where packages will be installed. ${default_install_root_basename@Q} by default."
 DEFINE_string forbidden_packages "" \
   "Comma-separated list of pairs describing packages that are forbidden in the sysext. Every pair consist of regexp and message, separated with semicolon. The regexp is for matching a package name (<category>/<name>-<version>::<repo>), and message is printed if the regexp matched a package name. Be careful to not include commas in the regexp or message."
+DEFINE_boolean selinux "${FLAGS_FALSE}" \
+  "Relabel the files in sysext using policies installed in the base squashfs image."
 
 FLAGS_HELP="USAGE: build_sysext [flags] <sysext_name> <binary_package> [<binary_package> ...]
 
@@ -154,6 +156,8 @@ cleanup() {
     "${THE_INSTALL_ROOT}"
     "${BUILD_DIR}/workdir"
     "${BUILD_DIR}/img-rootfs"
+    "${BUILD_DIR}/selinux-root"
+    "${BUILD_DIR}/selinux-root-workdir"
   )
   umount "${dirs[@]}" 2>/dev/null || true
   rm -rf "${dirs[@]}" || true
@@ -253,6 +257,13 @@ export SOURCE_DATE_EPOCH=$(stat -c '%Y' "${BUILD_DIR}/fs-root/usr/lib/os-release
 # Unmount in order to get rid of the overlay, but keep fs-root for
 # now, so we can use selinux file contexts.
 umount "${THE_INSTALL_ROOT}"
+if [[ ${FLAGS_selinux} = "${FLAGS_TRUE}" ]]; then
+    mkdir "${BUILD_DIR}/selinux-root"
+    mkdir "${BUILD_DIR}/selinux-root-workdir"
+    mount -t overlay overlay -o lowerdir="${BUILD_DIR}/fs-root${pkginfo_lowerdirs}",upperdir="${BUILD_DIR}/selinux-root",workdir="${BUILD_DIR}/selinux-root-workdir" "${BUILD_DIR}/selinux-root"
+else
+    umount "${BUILD_DIR}/fs-root"
+fi
 
 if [[ "$FLAGS_generate_pkginfo" = "${FLAGS_TRUE}" ]] ; then
   info "  Creating pkginfo squashfs '${BUILD_DIR}/${SYSEXTNAME}_pkginfo.raw'"
@@ -266,27 +277,29 @@ info "Writing ${SYSEXTNAME}_packages.txt"
 ROOT="${THE_INSTALL_ROOT}" PORTAGE_CONFIGROOT="${THE_INSTALL_ROOT}" \
       equery --no-color list --format '$cpv::$repo' '*' > "${BUILD_DIR}/${SYSEXTNAME}_packages.txt"
 
-# Check if there are forbidden packages
-mapfile -t pairs <<<"${FLAGS_forbidden_packages//,/$'\n'}"
-declare -A re_msg_pairs=()
-for pair in "${pairs[@]}"; do
-    re=${pair%%;*}
-    msg=${pair#.;}
-    re_msg_pairs["${re}"]="${msg}"
-done
+if [[ -n ${FLAGS_forbidden_packages} ]]; then
+    # Check if there are forbidden packages
+    mapfile -t pairs <<<"${FLAGS_forbidden_packages//,/$'\n'}"
+    declare -A re_msg_pairs=()
+    for pair in "${pairs[@]}"; do
+        re=${pair%%;*}
+        msg=${pair#.;}
+        re_msg_pairs["${re}"]="${msg}"
+    done
 
-mapfile -t pkgs <"${BUILD_DIR}/${SYSEXTNAME}_packages.txt"
-has_forbidden_pkg=
-for pkg in "${pkgs[@]}"; do
-    for re in "${!re_msg_pairs[@]}"; do
-        if [[ ${pkg} =~ ${re} ]]; then
-            has_forbidden_pkg=x
-            error "Forbidden package ${pkg}: ${msg}"
-        fi
+    mapfile -t pkgs <"${BUILD_DIR}/${SYSEXTNAME}_packages.txt"
+    has_forbidden_pkg=
+    for pkg in "${pkgs[@]}"; do
+        for re in "${!re_msg_pairs[@]}"; do
+            if [[ ${pkg} =~ ${re} ]]; then
+                has_forbidden_pkg=x
+                error "Forbidden package ${pkg}: ${msg}"
+            fi
+        done
     done
-done
-if [[ -n ${has_forbidden_pkg} ]]; then
-    die "Forbidden packages encountered"
+    if [[ -n ${has_forbidden_pkg} ]]; then
+        die "Forbidden packages encountered"
+    fi
 fi
 
 if [[ "${FLAGS_strip_binaries}" = "${FLAGS_TRUE}" ]]; then
@@ -337,9 +350,21 @@ if [[ -n "${invalid_files}" ]]; then
   die "Invalid file ownership: ${invalid_files}"
 fi
 
-info "Relabeling sysext contents"
-setfiles -D -E -F -r "${THE_INSTALL_ROOT}" -v -T 0 "${BUILD_DIR}/fs-root/usr/share/flatcar/etc/selinux/mcs/contexts/files/file_contexts" "${THE_INSTALL_ROOT}"
-umount "${BUILD_DIR}/fs-root"
+if [[ ${FLAGS_selinux} = "${FLAGS_TRUE}" ]]; then
+    info "Build temporary selinux modules"
+    chroot "${BUILD_DIR}/selinux-root" bash -s <<'EOF'
+cd /usr/share/selinux/mcs
+set -x
+semodule -s mcs -n -i *.pp
+EOF
+
+    info "Relabeling sysext contents"
+    spec_file="${BUILD_DIR}/selinux-root/etc/selinux/mcs/contexts/files/file_contexts"
+    setfiles -D -E -F -r "${THE_INSTALL_ROOT}" -v -T 0 "${spec_file}" "${THE_INSTALL_ROOT}"
+    ls -laRZ "${THE_INSTALL_ROOT}"
+    umount "${BUILD_DIR}/selinux-root"
+    umount "${BUILD_DIR}/fs-root"
+fi
 
 info "Creating squashfs image"
 mksquashfs "${THE_INSTALL_ROOT}" "${BUILD_DIR}/${SYSEXTNAME}.raw" \