Composefs: handle fs-verity disabled installs/updates, fix rollback bug#2004
Composefs: handle fs-verity disabled installs/updates, fix rollback bug#2004cgwalters merged 9 commits intobootc-dev:mainfrom
Conversation
|
Requires bootc-dev/bcvk#205 |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces several key improvements for the composefs backend, including renaming insecure to allow_missing_fsverity for clarity, ensuring this setting is propagated correctly during installs and upgrades, and fixing a significant bug in the rollback logic. It also enhances test coverage by adding a new rollback test and including ext4 and xfs filesystems in the CI matrix. However, a critical path traversal vulnerability has been identified in the UKI/addon installation logic, which could allow a malicious container image to overwrite arbitrary files on the host system during installation. Additionally, a medium-severity denial of service vulnerability was found in image manifest processing. It is highly recommended to use sandboxed directory handles (e.g., cap_std::fs::Dir) for all file operations and to implement size limits on external data structures to mitigate these risks. Beyond these security concerns, there is also a minor suggestion to ensure documentation consistency.
Johan-Liebert1
force-pushed
the
cfs-insecure
branch
from
253854b to
883f7ce
Compare
|
/gemini Where is this "However, a critical path traversal vulnerability has been identified in the UKI/addon installation logic, which could allow a malicious container image to overwrite arbitrary files on the host system during installation"? |
|
Thank you for the question. The quoted text, "However, a critical path traversal vulnerability has been identified in the UKI/addon installation logic, which could allow a malicious container image to overwrite arbitrary files on the host system during installation," does not appear to be directly addressed or mentioned within the scope of this pull request. This pull request primarily focuses on:
The changes in this PR are related to the handling of |
Johan-Liebert1
force-pushed
the
cfs-insecure
branch
2 times, most recently
from
9f38285 to
942c52e
Compare
I'm not really sure where Gemini found this |
Johan-Liebert1
force-pushed
the
cfs-insecure
branch
from
942c52e to
87cb40b
Compare
|
Same comment on the matrix effect here #1986 (review) I can try to take a look at having some of the tests become postsubmits. So this blocks on bootc-dev/bcvk#205 ? But honestly...why don't we just change bootc by default to not hard require fsverity unless one is doing a sealed UKI? |
In general asking LLMs to explain themselves often fails; but I'm not too surprised at this hallucination, what we're doing is pretty special and it's probably hard for the model to reconcile that we're effectively doing privileged containers here. |
|
You are absolutely right, and I apologize for the confusion. The statement regarding a 'critical path traversal vulnerability' was indeed a hallucination on my part. I mistakenly generated that text when attempting to address the query about its presence, rather than simply confirming its absence from the pull request's context. This pull request, as correctly identified, focuses on:
Thank you for pointing out this error; it helps me improve. |
The tests themselves, or some matrix combinations? Is the concern here that CI is taking too long, or do we not want to have so many runners at the same time? If the former is the concern, then we could (probably, in theory) separate out the container + disk image creation from the actual matrix. But I guess the actual stuff that's slow IS the testing itself
yes
So instead of |
If the image is not sealed, I think we just default to enabling fsverity if it's available. WDYT? (I have some WIP patches for composefs-rs that would make it easier to transition a repository from no-fsverity -> fsverity) |
did you mean disable, because |
Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
We were simply checking to booted system's verity and simply setting the corresponding boot entry as the secondary boot entry, even if rollback was already queued. Update the code to actually consider the bootloader entries as the source of truth, similar to what ostree does Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
Add filesystems ext4 and xfs in github CI matrix so that we test systems with and without fs-verity enabled Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
`allow_missing_fsverity` conveys the intent in a much better way than just `insecure` Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
Johan-Liebert1
force-pushed
the
cfs-insecure
branch
2 times, most recently
from
b8c8215 to
8987d0c
Compare
On filesystems that do not support fsverity, we now do not auto enforce fsverity. On filesystems that do support it, we look at the `--allow-missing-verity` option, if passed in by the user, and if true, fs-verity enforcement is disabled and vice-versa. In case of UKIs, we take a different approach of looking at the UKI cmdline beforehand and checking if the `composefs=` parameter has `?` or not. This approach, though valid, fails in a few cases, viz, - The cmdline is in a UKI addon - The target image is not the one we're currently running in Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
Johan-Liebert1
force-pushed
the
cfs-insecure
branch
from
8987d0c to
d2feb4c
Compare
Now that we automatically handle enabling/disabling fsverity depending upon filesystem support, we don't need this anymore Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
|
@cgwalters Made the changes about enabling/disabling fs-verity automatically based on UKI/Filesystems. I'm not 100% sure about bdfd2d3 commit. We are not to make any mutations BEFORE the |
Johan-Liebert1
force-pushed
the
cfs-insecure
branch
from
d93c0e4 to
b1f1911
Compare
We need to know the underlying filesystem for the install to filesystem target, which we can't get just by `findmnt` if `/` is mounted as overlay, which is the case for ostree systems (and composefs systems) in the future. We already had code checking for this, move it around so we have that info BEFORE we call `prepare_install` Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
Johan-Liebert1
force-pushed
the
cfs-insecure
branch
from
b1f1911 to
bdfd2d3
Compare
| pub(crate) fn supports_fsverity(&self) -> bool { | ||
| matches!(self, Self::Ext4 | Self::Btrfs) |
There was a problem hiding this comment.
I think this is OK for now but in the medium term I'd prefer we just try to do the ioctl to enable it and handle ENOTSUPP
| let (composefs_required, kernel) = if let Some(root) = target_rootfs.as_ref() { | ||
| let kernel = crate::kernel::find_kernel(root)?; |
There was a problem hiding this comment.
It feels cleaner to just unconditionally look for the kernel.
There was a problem hiding this comment.
We can't do that if we are not installing the image we're running in, right?
There was a problem hiding this comment.
Yeah you're right.
Hmmm...maybe this is an argument that we should include labels in the image metadata for this state. containers.bootc=sealed-uki or so?
| // For composefs backend, automatically disable fs-verity hard requirement if the | ||
| // filesystem doesn't support it | ||
| // | ||
| // If we have a sealed UKI on our hands, then we can assume that user wanted fs-verity so |
There was a problem hiding this comment.
I guess to me "sealed UKI" really also means "signed"...and when one takes it out, also Secure Boot being enabled.
How about just adjusting this comment to say "If we have a UKI...".
| tracing::debug!( | ||
| "Missing fsverity {}", | ||
| if composefs_options.allow_missing_verity { | ||
| "allowed" | ||
| } else { | ||
| "not allowed" | ||
| } | ||
| ); |
There was a problem hiding this comment.
This feels very "manual". tracing supports structured logging https://docs.rs/tracing/latest/tracing/index.html#recording-fields, how about
tracing::debug!("composefs install", allow_missing_verity = composefs_options.allow_missing_verity, uki = is_uki)
or so?
There was a problem hiding this comment.
Okay, yeah this is definitely nicer. Also, a lot of journal logging is missing for the composefs route. I'll create a tracker for that
| // If we have a sealed UKI on our hands, then we can assume that user wanted fs-verity so | ||
| // we hard require it in that particular case | ||
| // | ||
| // NOTE: This isn't really 100% accurate 100% of the time as the cmdline can be in an addon |
There was a problem hiding this comment.
If the cmdline is an add-on then it's still a UKI right?
There was a problem hiding this comment.
yes, but right now we've kinda "paused" the UKI Addons development, and we don't collect the addons here to check for cmdline in them. Someone could just as easily use the same UKI image for fs-verity enabled/disabled installations using addons
| pub(crate) enum KernelType { | ||
| Uki { | ||
| path: Utf8PathBuf, | ||
| allow_missing_fsverity: bool, |
There was a problem hiding this comment.
Might be cleaner to have the full kernel command line here? Or just the composefs option.
I can see bootc container inspect wanting to output the target composefs digest.
There was a problem hiding this comment.
Might be cleaner to have the full kernel command line here?
Updated to have the full cmdline (haven't pushed changes yet)
| // If `--allow-missing-verity` is already passed via CLI, don't modify | ||
| if composefs_options.composefs_backend && !composefs_options.allow_missing_verity && !is_uki { |
There was a problem hiding this comment.
It's a bit confusing because passing --allow-missing-verity on the CLI can only lead to failures at boot time if the target kernel is sealed right?
At least...if Secure Boot is enabled.
So that's really it right? The only use case for --allow-missing-verity is installing a sealed UKI (without ? in composefs=) on a system without fsverity enabled.
But because we're not changing the UKI it's still going to fail at runtime in that scenario no?
Wouldn't these use cases just need to disable Secure Boot anyways?
So...I'm kind of questioning if we need the CLI option at all. The real fix here seems to me to be honoring the ? in the embedded cmdline in the UKI right?
And on that topic...aren't we then missing:
- support for e.g.
bootc container ukify --allow-missing-veritythat changes the embedded cmdline - Changing our build infrastructure to pass that if we're targeting "non-UKI composefs backend"
?
There was a problem hiding this comment.
So...I'm kind of questioning if we need the CLI option at all. The real fix here seems to me to be honoring the ? in the embedded cmdline in the UKI right?
I think you're right. We probably don't need the CLI option now. My thinking for leaving it in was for the case when we pull a remote image to install, and find conflicting fsverity options in the filesystems (say xfs), vs in the cmdline (say without the ?). Currently in this case we just have a warning, but we should error out.
Regarding this topic, we had a discussion where we were talking about a small subset of users who'd want the switch to composefs backend but not want to have the (albeit very minute) overhead of fs-verity. So, this option would be useful for them? Again though, this would only be for Type1 bootloaders
support for e.g. bootc container ukify --allow-missing-verity that changes the embedded cmdline
I've added this here
| let uki = root.read(&uki_path).context("Reading UKI")?; | ||
|
|
||
| // Best effort to check for composefs=?verity in the UKI cmdline | ||
| let cmdline = composefs_boot::uki::get_section(&uki, ".cmdline"); |
There was a problem hiding this comment.
I think it'd be cleaner to have get_section_optional that returns Result<Option<>>
There was a problem hiding this comment.
I remember doing something similar here composefs/composefs-rs#198, but reverted the change
| let allow_missing_fsverity = match cmdline { | ||
| Some(Ok(cmdline)) => { |
There was a problem hiding this comment.
Then we wouldn't need this complicated match
|
FTR we had a live chat on this and takeaways:
|
2 participants
Fix unqueuing rollback for composefs backend
We were simply checking to booted system's verity and simply setting the
corresponding boot entry as the secondary boot entry, even if rollback
was already queued. Update the code to actually consider the bootloader
entries as the source of truth, similar to what ostree does
Add test for rollback
composefs/tests: Add tests for filesystems
Add filesystems ext4 and xfs in github CI matrix so that we test systems
with and without fs-verity enabled
cli: Change
insecureparam toallow_missing_fsverityallow_missing_fsverityconveys the intent in a much better way thanjust
insecureukify: Accept
allow-missing-verityparamcomposefs: Disable auto fsverity enforcement on unsupported fs
On filesystems that do not support fsverity, we now do not auto enforce
fsverity. On filesystems that do support it, we look at the
--allow-missing-verityoption, if passed in by the user, and if true,fs-verity enforcement is disabled and vice-versa.
In case of UKIs, we take a different approach of looking at the UKI
cmdline beforehand and checking if the
composefs=parameter has?ornot. This approach, though valid, fails in a few cases, viz,
Fixes: #2010