diff --git a/crates/lib/src/bootc_composefs/boot.rs b/crates/lib/src/bootc_composefs/boot.rs
index ff443ccb6..ce1ecd576 100644
--- a/crates/lib/src/bootc_composefs/boot.rs
+++ b/crates/lib/src/bootc_composefs/boot.rs
@@ -25,7 +25,7 @@ use ostree_ext::composefs_boot::{
 os_release::OsReleaseInfo, uki,
 };
 use ostree_ext::composefs_oci::image::create_filesystem as create_composefs_filesystem;
-use rustix::path::Arg;
+use rustix::{mount::MountFlags, path::Arg};
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
@@ -155,6 +155,12 @@ pub fn get_esp_partition(device: &str) -> Result<(String, Option)> {
 Ok((esp.node.clone(), esp.uuid.clone()))
 }
+/// Mount the ESP from the provided device
+pub fn mount_esp(device: &str) -> Result {
+ let flags = MountFlags::NOEXEC | MountFlags::NOSUID;
+ TempMount::mount_dev(device, "vfat", flags, Some(c"fmask=0177,dmask=0077"))
+}
+
 pub fn get_sysroot_parent_dev() -> Result {
 let sysroot = Utf8PathBuf::from("/sysroot");
@@ -418,7 +424,7 @@ pub(crate) fn setup_composefs_bls_boot(
 ),
 Bootloader::Systemd => {
- let efi_mount = TempMount::mount_dev(&esp_device).context("Mounting ESP")?;
+ let efi_mount = mount_esp(&esp_device).context("Mounting ESP")?;
 let mounted_efi = Utf8PathBuf::from(efi_mount.dir.path().as_str()?);
 let efi_linux_dir = mounted_efi.join(EFI_LINUX);
@@ -857,7 +863,7 @@ pub(crate) fn setup_composefs_uki_boot(
 }
 };
- let esp_mount = TempMount::mount_dev(&esp_device).context("Mounting ESP")?;
+ let esp_mount = mount_esp(&esp_device).context("Mounting ESP")?;
 let mut boot_label = String::new();
diff --git a/crates/lib/src/bootc_composefs/finalize.rs b/crates/lib/src/bootc_composefs/finalize.rs
index e09e21350..7a0ac6399 100644
--- a/crates/lib/src/bootc_composefs/finalize.rs
+++ b/crates/lib/src/bootc_composefs/finalize.rs
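Review bot: In `mount_esp` (boot.rs, the hunk at -155) the flag set stops at `NOEXEC | NOSUID`; adding `MountFlags::NODEV` would complete the usual hardening triple for a filesystem that firmware and other operating systems can write to: `let flags = MountFlags::NOEXEC | MountFlags::NOSUID | MountFlags::NODEV;`. FAT has no device nodes, so this is defence in depth rather than a behaviour change. The doc comment could also record what the options do, for example `/// Mounts the ESP as vfat, noexec and nosuid; fmask=0177/dmask=0077 give files 0600 and directories 0700.` The type is now fixed to "vfat", so a device that is not FAT fails at this call, which looks intended but is not stated.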
@@ -1,6 +1,8 @@
 use std::path::Path;
-use crate::bootc_composefs::boot::{get_esp_partition, get_sysroot_parent_dev, BootType};
+use crate::bootc_composefs::boot::{
+ get_esp_partition, get_sysroot_parent_dev, mount_esp, BootType,
+};
 use crate::bootc_composefs::rollback::{rename_exchange_bls_entries, rename_exchange_user_cfg};
 use crate::spec::Bootloader;
 use crate::{
@@ -85,7 +87,7 @@ pub(crate) async fn composefs_backend_finalize() -> Result<()> {
 // NOTE: Assumption here that ESP will always be present
 let (esp_part, ..) = get_esp_partition(&sysroot_parent)?;
- let esp_mount = TempMount::mount_dev(&esp_part)?;
+ let esp_mount = mount_esp(&esp_part)?;
 let boot_dir = Dir::open_ambient_dir("/sysroot/boot", ambient_authority())
 .context("Opening sysroot/boot")?;
diff --git a/crates/lib/src/bootc_composefs/status.rs b/crates/lib/src/bootc_composefs/status.rs
index cec3667d7..9f9dafd2d 100644
--- a/crates/lib/src/bootc_composefs/status.rs
+++ b/crates/lib/src/bootc_composefs/status.rs
@@ -2,11 +2,10 @@ use std::{io::Read, sync::OnceLock};
 use anyhow::{Context, Result};
 use bootc_kernel_cmdline::utf8::Cmdline;
-use bootc_mount::tempmount::TempMount;
 use fn_error_context::context;
 use crate::{
- bootc_composefs::boot::{get_esp_partition, get_sysroot_parent_dev, BootType},
+ bootc_composefs::boot::{get_esp_partition, get_sysroot_parent_dev, mount_esp, BootType},
 composefs_consts::{COMPOSEFS_CMDLINE, TYPE1_ENT_PATH, USER_CFG},
 parsers::{
 bls_config::{parse_bls_config, BLSConfig, BLSConfigType},
@@ -349,7 +348,7 @@ pub(crate) async fn composefs_deployment_status() -> Result {
 let parent = get_sysroot_parent_dev()?;
 let (esp_part, ..) = get_esp_partition(&parent)?;
- let esp_mount = TempMount::mount_dev(&esp_part)?;
+ let esp_mount = mount_esp(&esp_part)?;
 let dir = esp_mount.fd.try_clone().context("Cloning fd")?;
 let guard = Some(esp_mount);
diff --git a/crates/lib/src/bootloader.rs b/crates/lib/src/bootloader.rs
index 459289db9..33c8c1a4c 100644
--- a/crates/lib/src/bootloader.rs
+++ b/crates/lib/src/bootloader.rs
@@ -9,8 +9,7 @@ use bootc_blockdev::{Partition, PartitionTable};
 use bootc_mount as mount;
 #[cfg(any(feature = "composefs-backend", feature = "install-to-disk"))]
-use bootc_mount::tempmount::TempMount;
-
+use crate::bootc_composefs::boot::mount_esp;
 use crate::utils;
 /// The name of the mountpoint for efi (as a subdirectory of /boot, or at the toplevel)
@@ -90,7 +89,7 @@ pub(crate) fn install_systemd_boot(
 .find(|p| p.parttype.as_str() == ESP_GUID)
 .ok_or_else(|| anyhow::anyhow!("ESP partition not found"))?;
- let esp_mount = TempMount::mount_dev(&esp_part.node).context("Mounting ESP")?;
+ let esp_mount = mount_esp(&esp_part.node).context("Mounting ESP")?;
 let esp_path = Utf8Path::from_path(esp_mount.dir.path())
 .ok_or_else(|| anyhow::anyhow!("Failed to convert ESP mount path to UTF-8"))?;
diff --git a/crates/mount/src/tempmount.rs b/crates/mount/src/tempmount.rs
index 56a3a6493..d8e6d0a1d 100644
--- a/crates/mount/src/tempmount.rs
+++ b/crates/mount/src/tempmount.rs
@@ -5,7 +5,7 @@ use anyhow::{Context, Result};
 use camino::Utf8Path;
 use cap_std_ext::cap_std::{ambient_authority, fs::Dir};
 use fn_error_context::context;
-use rustix::mount::{move_mount, unmount, MoveMountFlags, UnmountFlags};
+use rustix::mount::{move_mount, unmount, MountFlags, MoveMountFlags, UnmountFlags};
 pub struct TempMount {
 pub dir: tempfile::TempDir,
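Review bot: In the bootloader.rs import hunk, the `#[cfg(any(feature = "composefs-backend", feature = "install-to-disk"))]` attribute that used to gate the `TempMount` import now gates `use crate::bootc_composefs::boot::mount_esp;`. If the `bootc_composefs` module is itself compiled only under `composefs-backend` (not visible in this diff), a build with only `install-to-disk` enabled would no longer resolve this import, while the old import from `bootc_mount` worked under either feature. It would help to confirm the module is built in both configurations and to note that next to the attribute, e.g. `// bootc_composefs::boot must be available under either feature`.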
@@ -15,13 +15,18 @@ pub struct TempMount {
 impl TempMount {
 /// Mount device/partition on a tempdir which will be automatically unmounted on drop
 #[context("Mounting {dev}")]
- pub fn mount_dev(dev: &str) -> Result {
+ pub fn mount_dev(
+ dev: &str,
+ fstype: &str,
+ flags: MountFlags,
+ data: Option<&std::ffi::CStr>,
+ ) -> Result {
 let tempdir = tempfile::TempDir::new()?;
 let utf8path = Utf8Path::from_path(tempdir.path())
 .ok_or(anyhow::anyhow!("Failed to convert path to UTF-8 Path"))?;
- crate::mount(dev, utf8path)?;
+ rustix::mount::mount(dev, utf8path.as_std_path(), fstype, flags, data)?;
 let fd = Dir::open_ambient_dir(tempdir.path(), ambient_authority())
 .with_context(|| format!("Opening {:?}", tempdir.path()));
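Review bot: The doc comment on `mount_dev` still describes only the device, although the public signature gains `fstype`, `flags` and `data`, and `data` is handed to `rustix::mount::mount` as given. The doc should say that the filesystem type must now be named by the caller (the replaced `crate::mount(dev, utf8path)` call took none), that `flags` should be the most restrictive set the caller can work with, and that `data` is the filesystem-specific option string. Any caller outside this diff that still uses the one-argument form will stop compiling. The body of `mount_dev` continues past the end of the hunk.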