Merge 73128be into e85be49

mkosi.images/minimal-0/mkosi.conf

@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Config]
+Dependencies=minimal-base
+
+[Distribution]
+CacheOnly=always
+
+[Output]
+Format=portable
+SplitArtifacts=yes
+
+[Content]
+BaseTrees=%O/minimal-base
+Environment=SYSTEMD_REPART_OVERRIDE_FSTYPE=squashfs
+Bootable=no
+
+BuildSources=
+Packages=
+BuildPackages=
+VolatilePackages=
+
+[Host]
+Incremental=no

mkosi.images/minimal-0/mkosi.extra/opt/some_file

@@ -0,0 +1 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later

mkosi.images/minimal-0/mkosi.extra/usr/lib/systemd/system/minimal-app0.service

@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Service]
+ExecStartPre=cat /usr/lib/os-release
+ExecStart=sleep 120

mkosi.images/minimal-0/mkosi.postinst

@@ -0,0 +1,11 @@
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+
+mkdir -p "$BUILDROOT/var/lib/app1"
+
+cat >>"$BUILDROOT/usr/lib/os-release" <<EOF
+MARKER=1
+PORTABLE_PREFIXES=app0 minimal minimal-app0
+EOF
+cp "$BUILDROOT/usr/lib/systemd/system/minimal-app0.service" "$BUILDROOT/usr/lib/systemd/system/minimal-app0-foo.service"

mkosi.images/minimal-1/mkosi.conf

@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Config]
+Dependencies=minimal-base
+
+[Distribution]
+CacheOnly=always
+
+[Output]
+Format=portable
+SplitArtifacts=yes
+
+[Content]
+BaseTrees=%O/minimal-base
+Environment=SYSTEMD_REPART_OVERRIDE_FSTYPE=squashfs
+Bootable=no
+
+BuildSources=
+Packages=
+BuildPackages=
+VolatilePackages=
+
+[Host]
+Incremental=no

mkosi.images/minimal-1/mkosi.extra/opt/some_file

@@ -0,0 +1 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later

mkosi.images/minimal-1/mkosi.extra/usr/lib/systemd/system/minimal-app0.service

@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Service]
+ExecStartPre=cat /usr/lib/os-release
+ExecStart=sleep 120

mkosi.images/minimal-1/mkosi.postinst

@@ -0,0 +1,11 @@
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+
+mkdir -p "$BUILDROOT/var/lib/app1"
+
+cat >>"$BUILDROOT/usr/lib/os-release" <<EOF
+MARKER=2
+PORTABLE_PREFIXES=app0 minimal minimal-app0
+EOF
+cp "$BUILDROOT/usr/lib/systemd/system/minimal-app0.service" "$BUILDROOT/usr/lib/systemd/system/minimal-app0-bar.service"

mkosi.images/minimal-base/mkosi.conf

@@ -0,0 +1,22 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Output]
+ImageId=minimal-base
+Format=directory
+ImageId=minimal-base
+
+[Content]
+Bootable=no
+@Locale=C.UTF-8
+WithDocs=no
+
+BuildSources=
+Packages=
+BuildPackages=
+VolatilePackages=
+
+Packages=
+        bash
+        coreutils
+        grep
+        util-linux

mkosi.images/minimal-base/mkosi.conf.d/10-arch.conf

@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=arch
+
+[Content]
+Packages=
+        inetutils
+        iproute
+        openbsd-netcat

mkosi.images/minimal-base/mkosi.conf.d/10-centos-fedora.conf

@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|centos
+Distribution=|fedora
+
+[Content]
+Packages=
+        hostname
+        iproute
+        iproute-tc
+        netcat

mkosi.images/minimal-base/mkosi.conf.d/10-debian-ubuntu-opensuse.conf

@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|debian
+Distribution=|ubuntu
+
+[Content]
+Packages=
+        hostname
+        iproute2
+        mount
+        netcat-openbsd

mkosi.images/minimal-base/mkosi.conf.d/10-opensuse.conf

@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=opensuse
+
+[Content]
+Packages=
+        hostname
+        iproute2
+        netcat-openbsd
+        patterns-base-minimal_base

mkosi.images/minimal-base/mkosi.extra/etc/os-release

@@ -0,0 +1 @@
+../usr/lib/os-release

mkosi.images/minimal-base/mkosi.extra/etc/resolv.conf

@@ -0,0 +1,3 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# This is a stub resolv.conf intended as a mountpoint for the host's resolv.conf

mkosi.images/system/mkosi.conf

@@ -1,12 +1,23 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
+[Config]
+Dependencies=
+        minimal-0
+        minimal-1
+
 [Output]
 @Format=directory
 
 [Content]
 Autologin=yes
 ExtraTrees=
         %D/mkosi.crt:/usr/lib/verity.d/mkosi.crt # sysext verification key
+        %O/minimal-0.root-%a.raw:/usr/share/minimal_0.raw
+        %O/minimal-0.root-%a-verity.raw:/usr/share/minimal_0.verity
+        %O/minimal-0.root-%a-verity-sig.raw:/usr/share/minimal_0.verity.sig
+        %O/minimal-1.root-%a.raw:/usr/share/minimal_1.raw
+        %O/minimal-1.root-%a-verity.raw:/usr/share/minimal_1.verity
+        %O/minimal-1.root-%a-verity-sig.raw:/usr/share/minimal_1.verity.sig
 
 Packages=
         acl

mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf

@@ -6,3 +6,4 @@ Distribution=centos
 [Content]
 Packages=
         rpmautospec-rpm-macros
+        kernel-modules # For squashfs

mkosi.images/system/mkosi.postinst.chroot

@@ -73,3 +73,7 @@ if command -v sbsign &>/dev/null; then
     ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi"
     ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi"
 fi
+
+for f in "$BUILDROOT"/usr/share/*.verity.sig; do
+    jq --join-output '.rootHash' "$f" >"${f%.verity.sig}.roothash"
+done

test/meson.build

@@ -338,6 +338,9 @@ integration_test_wrapper = find_program('integration-test-wrapper.py')
 integration_tests = {
         '01': 'TEST-01-BASIC',
         '02': 'TEST-02-UNITTESTS',
+        '29': 'TEST-29-PORTABLE',
+        '43': 'TEST-43-PRIVATEUSER-UNPRIV',
+        '50': 'TEST-50-DISSECT',
 }
 foreach test_number, dirname : integration_tests
         test_params = {

test/test-functions

@@ -783,109 +783,6 @@ EOF
         mksquashfs "$initdir" "$oldinitdir/usr/share/minimal_1.raw" -noappend
         veritysetup format "$oldinitdir/usr/share/minimal_1.raw" "$oldinitdir/usr/share/minimal_1.verity" | \
             grep '^Root hash:' | cut -f2 | tr -d '\n' >"$oldinitdir/usr/share/minimal_1.roothash"
-
-        # Rolling distros like Arch do not set VERSION_ID
-        local version_id=""
-        if grep -q "^VERSION_ID=" "$os_release"; then
-            version_id="$(grep "^VERSION_ID=" "$os_release")"
-        fi
-
-        export initdir="$TESTDIR/app0"
-        mkdir -p "$initdir/usr/lib/extension-release.d" "$initdir/usr/lib/systemd/system" "$initdir/opt"
-        grep "^ID=" "$os_release" >"$initdir/usr/lib/extension-release.d/extension-release.app0"
-        echo "${version_id}" >>"$initdir/usr/lib/extension-release.d/extension-release.app0"
-        ( echo "${version_id}"
-          echo "SYSEXT_IMAGE_ID=app" ) >>"$initdir/usr/lib/extension-release.d/extension-release.app0"
-        cat >"$initdir/usr/lib/systemd/system/app0.service" <<EOF
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/opt/script0.sh
-TemporaryFileSystem=/var/lib
-StateDirectory=app0
-RuntimeDirectory=app0
-EOF
-        cat >"$initdir/opt/script0.sh" <<EOF
-#!/bin/bash
-set -e
-test -e /usr/lib/os-release
-echo bar >\${STATE_DIRECTORY}/foo
-cat /usr/lib/extension-release.d/extension-release.app0
-EOF
-        chmod +x "$initdir/opt/script0.sh"
-        echo MARKER=1 >"$initdir/usr/lib/systemd/system/some_file"
-        mksquashfs "$initdir" "$oldinitdir/usr/share/app0.raw" -noappend
-
-        export initdir="$TESTDIR/conf0"
-        mkdir -p "$initdir/etc/extension-release.d" "$initdir/etc/systemd/system" "$initdir/opt"
-        grep "^ID=" "$os_release" >"$initdir/etc/extension-release.d/extension-release.conf0"
-        echo "${version_id}" >>"$initdir/etc/extension-release.d/extension-release.conf0"
-        ( echo "${version_id}"
-          echo "CONFEXT_IMAGE_ID=app" ) >>"$initdir/etc/extension-release.d/extension-release.conf0"
-        echo MARKER_1 >"$initdir/etc/systemd/system/some_file"
-        mksquashfs "$initdir" "$oldinitdir/usr/share/conf0.raw" -noappend
-
-        export initdir="$TESTDIR/app1"
-        mkdir -p "$initdir/usr/lib/extension-release.d" "$initdir/usr/lib/systemd/system" "$initdir/opt"
-        grep "^ID=" "$os_release" >"$initdir/usr/lib/extension-release.d/extension-release.app2"
-        ( echo "${version_id}"
-          echo "SYSEXT_SCOPE=portable"
-          echo "SYSEXT_IMAGE_ID=app"
-          echo "SYSEXT_IMAGE_VERSION=1"
-          echo "PORTABLE_PREFIXES=app1" ) >>"$initdir/usr/lib/extension-release.d/extension-release.app2"
-        setfattr -n user.extension-release.strict -v false "$initdir/usr/lib/extension-release.d/extension-release.app2"
-        cat >"$initdir/usr/lib/systemd/system/app1.service" <<EOF
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/opt/script1.sh
-StateDirectory=app1
-RuntimeDirectory=app1
-EOF
-        cat >"$initdir/opt/script1.sh" <<EOF
-#!/bin/bash
-set -e
-test -e /usr/lib/os-release
-echo baz >\${STATE_DIRECTORY}/foo
-cat /usr/lib/extension-release.d/extension-release.app2
-EOF
-        chmod +x "$initdir/opt/script1.sh"
-        echo MARKER=1 >"$initdir/usr/lib/systemd/system/other_file"
-        mksquashfs "$initdir" "$oldinitdir/usr/share/app1.raw" -noappend
-
-        export initdir="$TESTDIR/app-nodistro"
-        mkdir -p "$initdir/usr/lib/extension-release.d" "$initdir/usr/lib/systemd/system"
-        ( echo "ID=_any"
-          echo "ARCHITECTURE=_any" ) >"$initdir/usr/lib/extension-release.d/extension-release.app-nodistro"
-        echo MARKER=1 >"$initdir/usr/lib/systemd/system/some_file"
-        mksquashfs "$initdir" "$oldinitdir/usr/share/app-nodistro.raw" -noappend
-
-        export initdir="$TESTDIR/service-scoped-test"
-        mkdir -p "$initdir/etc/extension-release.d" "$initdir/etc/systemd/system"
-        ( echo "ID=_any"
-          echo "ARCHITECTURE=_any" ) >"$initdir/etc/extension-release.d/extension-release.service-scoped-test"
-        echo MARKER_CONFEXT_123 >"$initdir/etc/systemd/system/some_file"
-        mksquashfs "$initdir" "$oldinitdir/etc/service-scoped-test.raw" -noappend
-
-        # We need to create a dedicated sysext image to test the reload mechanism. If we share an image to install the
-        # 'foo.service' it will be loaded from another test run, which will impact the targeted test.
-        export initdir="$TESTDIR/app-reload"
-        mkdir -p "$initdir/usr/lib/extension-release.d" "$initdir/usr/lib/systemd/system"
-        ( echo "ID=_any"
-          echo "ARCHITECTURE=_any"
-          echo "EXTENSION_RELOAD_MANAGER=1" ) >"$initdir/usr/lib/extension-release.d/extension-release.app-reload"
-        mkdir -p "$initdir/usr/lib/systemd/system/multi-user.target.d"
-        cat >"${initdir}/usr/lib/systemd/system/foo.service" <<EOF
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=echo foo
-
-[Install]
-WantedBy=multi-user.target
-EOF
-        { echo "[Unit]"; echo "Upholds=foo.service"; } > "$initdir/usr/lib/systemd/system/multi-user.target.d/10-foo-service.conf"
-        mksquashfs "$initdir" "$oldinitdir/usr/share/app-reload.raw" -noappend
     )
 }