[gnome-continuous-yocto/gnomeostree-3.28-rocko: 6947/8267] externalsrc: place copy of git index into /tmp and do not use copyfile2
- From: Emmanuele Bassi <ebassi src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnome-continuous-yocto/gnomeostree-3.28-rocko: 6947/8267] externalsrc: place copy of git index into /tmp and do not use copyfile2
- Date: Sun, 17 Dec 2017 05:33:34 +0000 (UTC)
commit babc9c4d0dc1c2da1bf7758f12caeceee99f0218
Author: Enrico Scholz <enrico scholz sigma-chemnitz de>
Date: Mon Jul 24 13:14:02 2017 +0200
externalsrc: place copy of git index into /tmp and do not use copyfile2
Using shutil.copy2() to copy .git/index to a temporary file tries to
copy SELinux attributes which might fail for confined users in SELinux
environments.
E.g. our builders are running in docker containers and modification of
sources (including updates of .git/index) is done outside. Trying to
copy .git/index fails with
| $ python3 -c 'import shutil; shutil.copy2("index", "a")'
| ...
| PermissionError: [Errno 13] Permission denied: 'a'
and an AVC like
| denied { relabelto } for pid=18043 comm="python3" name="a" dev="dm-29" ino=1067553
scontext=system_u:system_r:container_t:s0:c39,c558 tcontext=unconfined_u:object_r:build_file_t:s0 tclass=file
permissive=0
is created. This can not be solved by adapting the SELinux policy because
this is a very deep constraint violation:
| constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-) or (t1 ==
can_change_object_identity -Fail-) ); Constraint DENIED
|
| Possible cause is the source user (system_u) and target user (unconfined_u) are different.
I do not see much sense in using 'shutil.copy2()' here; 'shutil.copyfile()'
seems to be a better choice (target file is created in a secure way by
tempfile.NamedTemporaryFile()).
By placing the tempfile into /tmp we avoid potential problems related to
git's 'core.sharedRepository'. As a (positive) side effect, the source
tree will not be modified anymore (at least by this part of code) which
prevented mounting it read-only from somewhere else.
(From OE-Core rev: 3c3c8ecc61dfed68987750d79b5482ab2f6fa02f)
Signed-off-by: Enrico Scholz <enrico scholz sigma-chemnitz de>
Signed-off-by: Ross Burton <ross burton intel com>
Signed-off-by: Richard Purdie <richard purdie linuxfoundation org>
meta/classes/externalsrc.bbclass | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
---
diff --git a/meta/classes/externalsrc.bbclass b/meta/classes/externalsrc.bbclass
index 529be49..9aabb42 100644
--- a/meta/classes/externalsrc.bbclass
+++ b/meta/classes/externalsrc.bbclass
@@ -189,9 +189,9 @@ def srctree_hash_files(d, srcdir=None):
ret = " "
if os.path.exists(git_dir):
- with tempfile.NamedTemporaryFile(dir=git_dir, prefix='oe-devtool-index') as tmp_index:
+ with tempfile.NamedTemporaryFile(prefix='oe-devtool-index') as tmp_index:
# Clone index
- shutil.copy2(os.path.join(git_dir, 'index'), tmp_index.name)
+ shutil.copyfile(os.path.join(git_dir, 'index'), tmp_index.name)
# Update our custom index
env = os.environ.copy()
env['GIT_INDEX_FILE'] = tmp_index.name
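Review bot: on the new tempfile.NamedTemporaryFile(prefix='oe-devtool-index') line, dropping dir=git_dir puts the index copy in Python's default temporary directory, which follows TMPDIR and is /tmp only when nothing overrides it, so the code does not guarantee the /tmp placement the commit message describes. Either pass dir="/tmp" explicitly or word the rationale as "outside the source tree". The "# Clone index" comment is also the place to record that shutil.copyfile() is used on purpose so that no file metadata is copied along with the contents; without that note a later cleanup could switch back to copy2() and reintroduce the relabel failure.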