-
Notifications
You must be signed in to change notification settings - Fork 293
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
repo: Add an API to init OstreeSePolicy
from commit directly
#2447
Conversation
Using `--selinux-policy-from-base` is very convenient but wrong here because it means that each derived commit also has the whole base filesystem tree, which greatly obscures its logical content. Instead, we get the base when we dynamically union things at the end. As noted the API we really want here is ostreedev/ostree#2447 but it will take a bit for ostree to release with it. And even once it does, we need to do some other changes to switch over to parsing the tarball directly too.
92770f7
to
41a8d6a
Compare
GCancellable *cancellable, | ||
GError **error) | ||
{ | ||
GLNX_AUTO_PREFIX_ERROR ("setting sepolicy from commit", error); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
strjoina
hack to include commit hash?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've been trying to be more careful about adding checksums into error messages, because we now have several codepaths that log the checksum twice just inside ostree, and if the caller does it too the error message can become hard to read.
41a8d6a
to
8907e13
Compare
8907e13
to
88375f7
Compare
Hooray for useful CI coverage, I had missed that we supported passing refs and not just commits into this API. |
Re-surfacing a comment I made somewhere else, I think |
Sure, done |
Came up in review ostreedev#2447 (comment)
88375f7
to
138ae85
Compare
Using `--selinux-policy-from-base` is very convenient but wrong here because it means that each derived commit also has the whole base filesystem tree, which greatly obscures its logical content. Instead, we get the base when we dynamically union things at the end. As noted the API we really want here is ostreedev/ostree#2447 but it will take a bit for ostree to release with it. And even once it does, we need to do some other changes to switch over to parsing the tarball directly too.
src/libostree/ostree-sepolicy.c
Outdated
GLNX_AUTO_PREFIX_ERROR ("setting sepolicy from commit", error); | ||
g_autoptr(GFile) root = NULL; | ||
g_autofree char *commit = NULL; | ||
if (!ostree_repo_read_commit (repo, commit, &root, &commit, cancellable, error)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if (!ostree_repo_read_commit (repo, commit, &root, &commit, cancellable, error)) | |
if (!ostree_repo_read_commit (repo, rev, &root, &commit, cancellable, error)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
This is part of `OstreeCommitModifier`, but I'm not using that in some of the ostree-ext Rust code. It just makes more sense as a direct policy API, where it should have been in the first place. There's already support for setting a policy object on a commit modifier, so that's all the old API needs to do now.
Came up in review ostreedev#2447 (comment)
138ae85
to
ddc0d54
Compare
This is part of
OstreeCommitModifier
, but I'm not usingthat in some of the ostree-ext Rust code.
It just makes more sense as a direct policy API, where it should
have been in the first place. There's already support for
setting a policy object on a commit modifier, so that's all the
old API needs to do now.