[oe-commits] [openembedded-core] 05/13: externalsrc: place copy of git index into /tmp and do not use copyfile2

git at git.openembedded.org git at git.openembedded.org
Tue Jul 25 14:59:52 UTC 2017


This is an automated email from the git hooks/post-receive script.

rpurdie pushed a commit to branch master
in repository openembedded-core.

commit 3c3c8ecc61dfed68987750d79b5482ab2f6fa02f
Author: Enrico Scholz <enrico.scholz at sigma-chemnitz.de>
AuthorDate: Mon Jul 24 13:14:02 2017 +0200

    externalsrc: place copy of git index into /tmp and do not use copyfile2
    
    Using shutil.copy2() to copy .git/index to a temporary file tries to
    copy SELinux attributes which might fail for confined users in SELinux
    environments.
    
    E.g. our builders are running in docker containers and modification of
    sources (including updates of .git/index) is done outside.  Trying to
    copy .git/index fails with
    
    | $ python3 -c 'import shutil; shutil.copy2("index", "a")'
    | ...
    | PermissionError: [Errno 13] Permission denied: 'a'
    
    and an AVC like
    
    | denied  { relabelto } for  pid=18043 comm="python3" name="a" dev="dm-29" ino=1067553 scontext=system_u:system_r:container_t:s0:c39,c558 tcontext=unconfined_u:object_r:build_file_t:s0 tclass=file permissive=0
    
    is created.  This cannot be solved by adapting the SELinux policy because
    this is a very deep constraint violation:
    
    | constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
    |
    | Possible cause is the source user (system_u) and target user (unconfined_u) are different.
    
    I do not see much sense in using 'shutil.copy2()' here; 'shutil.copyfile()'
    seems to be a better choice (the target file is created in a secure way by
    tempfile.NamedTemporaryFile()).
    
    By placing the tempfile into /tmp we avoid potential problems related to
    git's 'core.sharedRepository'.  As a (positive) side effect, the source
    tree will not be modified anymore (at least by this part of the code), which
    previously prevented mounting it read-only from somewhere else.
    
    Signed-off-by: Enrico Scholz <enrico.scholz at sigma-chemnitz.de>
    Signed-off-by: Ross Burton <ross.burton at intel.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
---
 meta/classes/externalsrc.bbclass | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/classes/externalsrc.bbclass b/meta/classes/externalsrc.bbclass
index 529be49..9aabb42 100644
--- a/meta/classes/externalsrc.bbclass
+++ b/meta/classes/externalsrc.bbclass
@@ -189,9 +189,9 @@ def srctree_hash_files(d, srcdir=None):
 
     ret = " "
     if os.path.exists(git_dir):
-        with tempfile.NamedTemporaryFile(dir=git_dir, prefix='oe-devtool-index') as tmp_index:
+        with tempfile.NamedTemporaryFile(prefix='oe-devtool-index') as tmp_index:
             # Clone index
-            shutil.copy2(os.path.join(git_dir, 'index'), tmp_index.name)
+            shutil.copyfile(os.path.join(git_dir, 'index'), tmp_index.name)
             # Update our custom index
             env = os.environ.copy()
             env['GIT_INDEX_FILE'] = tmp_index.name
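Review bot: the `+ shutil.copyfile(os.path.join(git_dir, 'index'), tmp_index.name)` line reopens by path a file that tmp_index already holds open (created 0600 with O_EXCL by NamedTemporaryFile), so the copy goes through a second lookup of a name in a shared temporary directory instead of through the descriptor that was created safely. Consider writing through the handle instead, e.g. `with open(os.path.join(git_dir, 'index'), 'rb') as src:` / `shutil.copyfileobj(src, tmp_index)` / `tmp_index.flush()`, which also makes the flush before git reads GIT_INDEX_FILE explicit rather than relying on copyfile closing its own handle. Also, dropping `dir=git_dir` places the file in tempfile.gettempdir(), which honours TMPDIR/TEMP/TMP, not literally /tmp as the subject says; a one-line comment on the `+ with tempfile.NamedTemporaryFile(prefix='oe-devtool-index')` line noting that, and that copyfile is used deliberately to avoid replaying mode bits, timestamps and xattrs (the SELinux label in particular), would keep a future cleanup from reintroducing copy2.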

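The pattern the commit describes, cloning .git/index into a private temporary file, pointing git at it via GIT_INDEX_FILE and leaving the source tree untouched, as an added example (not code from openembedded-core or from the commit author). It also shows the concrete difference between shutil.copyfile() and shutil.copy2() that the message relies on: copy2() calls copystat(), which replays mode bits, timestamps and extended attributes (where security.selinux lives), while copyfile() moves only the bytes. The function names private_index_copy, git_env_for, compare_copy_modes and demo are assumptions made for the example, the stand-in .git directory and its index bytes are constructed inline, and no git binary is invoked.

```python
"""Private copy of a git index in the temp directory, without touching the
source tree; plus a comparison of copyfile() vs copy2() side effects.
Added example; names and sample data are constructed for illustration."""
import contextlib
import os
import shutil
import stat
import tempfile


@contextlib.contextmanager
def private_index_copy(git_dir):
    """Yield the path of a private copy of <git_dir>/index.

    The copy lives in tempfile.gettempdir() (honours TMPDIR), is created
    mode 0600 with O_EXCL by NamedTemporaryFile, and only the bytes are
    copied: no permission bits, timestamps or xattrs such as
    security.selinux, so no relabel is ever attempted.  The bytes go
    through the descriptor NamedTemporaryFile already holds rather than a
    second open-by-name.  The file is unlinked when the block exits.
    """
    src_path = os.path.join(git_dir, "index")
    with tempfile.NamedTemporaryFile(prefix="oe-devtool-index") as tmp_index:
        with open(src_path, "rb") as src:
            shutil.copyfileobj(src, tmp_index)  # data only, via held fd
        tmp_index.flush()                       # visible to git before use
        yield tmp_index.name


def git_env_for(index_path):
    """Environment that makes git use the private index (GIT_INDEX_FILE is
    the real git variable for this; the repository's own index is untouched)."""
    env = os.environ.copy()
    env["GIT_INDEX_FILE"] = index_path
    return env


def compare_copy_modes(src_path):
    """Return (mode of copyfile-style clone, mode after copy2) for src_path.

    copy2() -> copystat() chmod()s the destination to the source's bits (and
    copies xattrs); that is the step that trips the SELinux relabel check.
    The copyfile-style clone keeps NamedTemporaryFile's 0600 regardless."""
    with private_index_copy(os.path.dirname(src_path)) as clone:
        mode_copyfile = stat.S_IMODE(os.stat(clone).st_mode)
    fd, copy2_path = tempfile.mkstemp(prefix="oe-devtool-index-copy2")
    os.close(fd)
    try:
        shutil.copy2(src_path, copy2_path)
        mode_copy2 = stat.S_IMODE(os.stat(copy2_path).st_mode)
    finally:
        os.unlink(copy2_path)
    return mode_copyfile, mode_copy2


def demo():
    """Run the pattern against a constructed stand-in for a .git directory
    (the index content is sample bytes, not a real git index)."""
    sample = b"DIRC" + b"\x00" * 60            # constructed sample bytes
    with tempfile.TemporaryDirectory() as fake_git_dir:
        src = os.path.join(fake_git_dir, "index")
        with open(src, "wb") as f:
            f.write(sample)
        os.chmod(src, 0o644)                   # world-readable source index
        with private_index_copy(fake_git_dir) as clone:
            with open(clone, "rb") as f:
                same_bytes = f.read() == sample
            in_tmpdir = os.path.dirname(clone) == tempfile.gettempdir()
            env_ok = git_env_for(clone)["GIT_INDEX_FILE"] == clone
            clone_path = clone
        removed = not os.path.exists(clone_path)
        with open(src, "rb") as f:
            source_untouched = f.read() == sample
        mode_copyfile, mode_copy2 = compare_copy_modes(src)
        return {
            "same_bytes": same_bytes,
            "in_tmpdir": in_tmpdir,
            "env_ok": env_ok,
            "removed": removed,
            "source_untouched": source_untouched,
            "mode_copyfile": mode_copyfile,   # 0o600 from NamedTemporaryFile
            "mode_copy2": mode_copy2,         # 0o644 replayed from the source
        }


if __name__ == "__main__":
    print(demo())
```

With a real repository, the value yielded by private_index_copy() is what goes into GIT_INDEX_FILE for the subsequent `git add -A` / `git write-tree` style calls; the repository directory itself can then be mounted read-only, which is the side effect the commit message points out.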