build_image: correctly label var for rootfs.

${rootfs}/var is a bind-mount from stateful/var_overlay. setfiles
will skip directories on a different device.

This change umounts ${rootfs}/var so setfiles can correctly label
var in rootfs, instead of skipping var.
At boot time, /var is mounted from the encrypted stateful partition
and labelled as cros_var. But besides the var in the encrypted stateful
partition, the original var in rootfs also needs to be correctly
labelled.

BUG=b:116072767
TEST=boot, umount /var; ls -Zd /var

Change-Id: If54e441ac786e5c3c648833ea76bf20211151f8f
Reviewed-on: https://chromium-review.googlesource.com/1270324
Commit-Ready: Qijiang Fan <fqj@google.com>
Tested-by: Qijiang Fan <fqj@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
diff --git a/build_library/base_image_util.sh b/build_library/base_image_util.sh
index c326148..f61677c 100755
--- a/build_library/base_image_util.sh
+++ b/build_library/base_image_util.sh
@@ -402,7 +402,7 @@
     create_dev_install_lists "${root_fs_dir}"
   fi
 
-  restore_fs_contexts "${BOARD_ROOT}" "${root_fs_dir}"
+  restore_fs_contexts "${BOARD_ROOT}" "${root_fs_dir}" "${stateful_fs_dir}"
 
   # Zero rootfs free space to make it more compressible so auto-update
   # payloads become smaller.
diff --git a/build_library/dev_image_util.sh b/build_library/dev_image_util.sh
index 90535db..e6ade66 100755
--- a/build_library/dev_image_util.sh
+++ b/build_library/dev_image_util.sh
@@ -129,7 +129,7 @@
 
   setup_etc_shadow "${root_fs_dir}"
 
-  restore_fs_contexts "${BOARD_ROOT}" "${root_fs_dir}"
+  restore_fs_contexts "${BOARD_ROOT}" "${root_fs_dir}" "${stateful_fs_dir}"
 
   info "Developer image built and stored at ${image_name}"
 
diff --git a/build_library/selinux_util.sh b/build_library/selinux_util.sh
index 1201914..2a0d85c 100644
--- a/build_library/selinux_util.sh
+++ b/build_library/selinux_util.sh
@@ -5,19 +5,25 @@
 restore_fs_contexts() {
   local board_root="$1"
   local rootfs="$2"
+  local stateful="$3"
 
   # Restore the extended attributes of necessary files.
   local selinux_config="${board_root}/etc/selinux/config"
-  if [[ -e "${selinux_config}" ]]; then
-    info "Restoring SELinux file context."
-    local selinux_type="$(source "${selinux_config}" && echo "${SELINUXTYPE}")"
-    local file_contexts="${board_root}/etc/selinux/${selinux_type}/contexts/files/file_contexts"
-    # If the selinux_config file exists, file_contexts must also.
-    if ! [[ -e "${file_contexts}" ]]; then
-      local err_msg="The SELinux config file exists at ${selinux_config}, "
-      err_msg+="but an SELinux context file not found at ${file_contexts}."
-      die_notrace "${err_msg}"
-    fi
-    sudo /sbin/setfiles -m -r "${rootfs}" "${file_contexts}" "${rootfs}"
+  if [[ ! -e "${selinux_config}" ]]; then
+    return
   fi
+  info "Restoring SELinux file context."
+  local selinux_type="$(source "${selinux_config}" && echo "${SELINUXTYPE}")"
+  local file_contexts="${board_root}/etc/selinux/${selinux_type}/contexts/files/file_contexts"
+  # If the selinux_config file exists, file_contexts must also.
+  if [[ ! -e "${file_contexts}" ]]; then
+    local err_msg="The SELinux config file exists at ${selinux_config}, "
+    err_msg+="but an SELinux context file not found at ${file_contexts}."
+    die_notrace "${err_msg}"
+  fi
+  # Umount var so setfiles can write xattr for real var under rootfs instead
+  # of skipping it.
+  sudo umount "${rootfs}/var"
+  sudo /sbin/setfiles -m -r "${rootfs}" "${file_contexts}" "${rootfs}"
+  sudo mount --bind "${stateful}/var_overlay" "${rootfs}/var"
 }
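Review bot: In restore_fs_contexts the new `sudo umount "${rootfs}/var"` is unchecked, and the function's exit status is now that of the trailing `mount --bind`, so a failed umount or a failed setfiles can pass unnoticed unless the callers run under errexit, which is not visible here. A failed umount recreates the case the commit message describes: setfiles skips var and the rootfs var keeps whatever label it had, with no build error. `stateful` is also used without a check, so a call that omits the third argument would bind `/var_overlay` from the build host onto `${rootfs}/var`. The fence below checks the argument, stops on a failed umount, restores the bind mount even when setfiles fails, and returns the setfiles status.

```shell
restore_fs_contexts() {
  # … unchanged: argument locals, selinux_config and file_contexts checks …
  [[ -n "${stateful}" ]] ||
    die_notrace "restore_fs_contexts: stateful dir not given."
  # setfiles skips ${rootfs}/var while the bind mount is in place, so a failed
  # umount must stop the build rather than leave var unlabelled.
  sudo umount "${rootfs}/var" ||
    die_notrace "Could not umount ${rootfs}/var before labelling."
  local rc=0
  sudo /sbin/setfiles -m -r "${rootfs}" "${file_contexts}" "${rootfs}" || rc=$?
  # Put the overlay back even when setfiles failed, then report that failure.
  sudo mount --bind "${stateful}/var_overlay" "${rootfs}/var" ||
    die_notrace "Could not re-bind ${stateful}/var_overlay on ${rootfs}/var."
  return "${rc}"
}
```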
diff --git a/build_library/test_image_util.sh b/build_library/test_image_util.sh
index babfef3..de8344c 100755
--- a/build_library/test_image_util.sh
+++ b/build_library/test_image_util.sh
@@ -40,7 +40,7 @@
   # Re-run ldconfig to fix /etc/ld.so.cache.
   run_ldconfig "${root_fs_dir}"
 
-  restore_fs_contexts "${BOARD_ROOT}" "${root_fs_dir}"
+  restore_fs_contexts "${BOARD_ROOT}" "${root_fs_dir}" "${stateful_fs_dir}"
 
   unmount_image
   trap - EXIT