Merge remote-tracking branch 'origin/pr/437'

* origin/pr/437: Clean up network/network-manager-prepare-conf-dir Set correct SELinux contexts on /rw Avoid reinitializing /home if a transient I/O error happens
QubesOS · Aug 7, 2023 · d416b29 · d416b29
2 parents 7909ba2 + 3f0cabb
commit d416b29
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 15 deletions.
diff --git a/init/functions b/init/functions
@@ -178,19 +178,29 @@ initialize_home() {
     home_root="$1"
     mode="$2"
 
-    if [ -z "$home_root" ] ; then
+    case $home_root in
+    (/*)
+        ;;
+    ('')
         echo "initialize_home() needs a target home root directory, such as /rw/home, as first parameter" >&2
         return 64
-    fi
+        ;;
+    (*)
+        echo 'initialize_home target root home directory must be an absolute path' >&2
+        return 64
+        ;;
+    esac
 
     if [ "$mode" != "unconditionally" ] && [ "$mode" != "ifneeded" ] ; then
         echo "initialize_home() second parameter must be 'unconditionally' or 'ifneeded'" >&2
         return 64
     fi
 
+    if test -d /sys/fs/selinux; then enable_selinux="Z"; else enable_selinux=''; fi
+
     if ! [ -d "$home_root" ] ; then
         echo "initialize_home: populating $home_root" >&2
-        mkdir -p "$home_root"
+        mkdir "-${enable_selinux}m0755" -- "$home_root" || return 73
     fi
 
     # Chown home if users' UIDs have changed - can be the case on template switch.
@@ -202,8 +212,14 @@ initialize_home() {
         homedirwithouthome=${homedir#/home/}
         if ! test -d "$home_root/$homedirwithouthome" || [ "$mode" = "unconditionally" ] ; then
             echo "initialize_home: populating $mode $home_root/$homedirwithouthome from /etc/skel" >&2
-            mkdir -p "$home_root/$homedirwithouthome"
-            if test -d /sys/fs/selinux; then enable_selinux="Z"; else enable_selinux=''; fi
+            if [ "$mode" = unconditionally ]; then
+                mkdir "-p${enable_selinux}" -- "$home_root/$homedirwithouthome" || return 73
+            else
+                case $homedirwithouthome in
+                (*/*) mkdir "-p${enable_selinux}" -- "$home_root/${homedirwithouthome%/*}";;
+                esac
+                mkdir "${enable_selinux+-Z}" -- "$home_root/$homedirwithouthome" || return 73
+            fi
             cp "-af$enable_selinux" -T /etc/skel "$home_root/$homedirwithouthome"
             echo "initialize_home: adjusting permissions $mode on $home_root/$homedirwithouthome" >&2
             chown -R "$uid" "$home_root/$homedirwithouthome" &

diff --git a/init/setup-rw.sh b/init/setup-rw.sh
@@ -13,11 +13,17 @@ if mountpoint -q /rw ; then
         echo "Private device size management: resize2fs $dev failed:" >&2
         echo "$content" >&2
     fi
+    if [ -d /sys/fs/selinux ]; then
+        enable_selinux=-Z
+        chcon -t system_u:object_r:root_t:s0 /rw
+    else
+        enable_selinux=
+    fi
 
     if ! [ -d /rw/config ] ; then
         echo "Virgin boot of the VM: populating /rw/config" >&2
 
-        mkdir -p /rw/config
+        mkdir /rw/config || exit
         touch /rw/config/rc.local
         cat > /rw/config/rc.local <<EOF
 #!/bin/sh
@@ -55,15 +61,19 @@ EOF
 # file is used only if the VM has any PCI device assigned. Modules will be
 # automatically re-loaded after resume.
 EOF
+        if [ -n "$enable_selinux" ] && [ -d /rw/usrlocal ]; then
+            restorecon -RF /rw/config
+        fi
     fi
 
     if ! [ -d /rw/usrlocal ] ; then
+        if [ -n "$enable_selinux" ]; then restorecon -RF /rw; touch /rw/.autorelabel; fi
         if [ -d /usr/local.orig ] ; then
             echo "Virgin boot of the VM: populating /rw/usrlocal from /usr/local.orig" >&2
-            cp -af /usr/local.orig /rw/usrlocal
+            cp ${enable_selinux:+-Z} -af -- /usr/local.orig /rw/usrlocal
         else
             echo "Virgin boot of the VM: creating /rw/usrlocal" >&2
-            mkdir -p /rw/usrlocal
+            mkdir ${enable_selinux:+-Z} -- /rw/usrlocal
         fi
     fi
 

diff --git a/network/network-manager-prepare-conf-dir b/network/network-manager-prepare-conf-dir
@@ -4,20 +4,21 @@
 # shellcheck source=init/functions
 . /usr/lib/qubes/init/functions
 
+if test -d /sys/fs/selinux; then enable_selinux=Z; else enable_selinux=''; fi
 NM_CONFIG_DIR=/etc/NetworkManager/system-connections
-if [ -d $NM_CONFIG_DIR ] && [ ! -h $NM_CONFIG_DIR ]; then
-    mkdir -p /rw/config/NM-system-connections
-    mv $NM_CONFIG_DIR/* /rw/config/NM-system-connections/ 2> /dev/null || true
-    rmdir $NM_CONFIG_DIR
-    ln -s /rw/config/NM-system-connections $NM_CONFIG_DIR
+if [ -d "$NM_CONFIG_DIR" ] && [ ! -h "$NM_CONFIG_DIR" ]; then
+    mkdir "-p$enable_selinux" /rw/config/NM-system-connections
+    mv ${enable_selinux:+-Z} "$NM_CONFIG_DIR"/* /rw/config/NM-system-connections/ 2> /dev/null || true
+    rmdir "$NM_CONFIG_DIR"
+    ln -s /rw/config/NM-system-connections "$NM_CONFIG_DIR"
 fi
 
 # Do not manage xen-provided network devices
 unmanaged_devices=mac:fe:ff:ff:ff:ff:ff
 #for mac in `xenstore-ls device/vif | grep mac | cut -d= -f2 | tr -d '" '`; do
 #    unmanaged_devices="$unmanaged_devices;mac:$mac"
 #done
-sed -r -i -e "s/^#?unmanaged-devices=.*/unmanaged-devices=$unmanaged_devices/" /etc/NetworkManager/NetworkManager.conf
-sed -r -i -e "s/^#?plugins=.*/plugins=keyfile/" /etc/NetworkManager/NetworkManager.conf
+sed -E -i -e "s/^#?unmanaged-devices=.*/unmanaged-devices=$unmanaged_devices/
+s/^#?plugins=.*/plugins=keyfile/" /etc/NetworkManager/NetworkManager.conf
 
 exit 0