public inbox for isar-users@googlegroups.com
* [PATCH] meta: ext4-img: copy and keep attributes, always copy with sudo
@ 2017-07-18 14:30 Henning Schild
  2017-07-22 22:17 ` Baurzhan Ismagulov
  0 siblings, 1 reply; 5+ messages in thread
From: Henning Schild @ 2017-07-18 14:30 UTC (permalink / raw)
  To: isar-users; +Cc: Henning Schild

Some security enhancing packages can cause our initrd to be not readable
by a normal user. So we need to copy with sudo.
Also regular cp would destroy ownership and other attributes of files,
possibly creating problems in the future.

Signed-off-by: Henning Schild <henning.schild@siemens.com>
---
 meta/classes/ext4-img.bbclass | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/classes/ext4-img.bbclass b/meta/classes/ext4-img.bbclass
index 5652757..7492f96 100644
--- a/meta/classes/ext4-img.bbclass
+++ b/meta/classes/ext4-img.bbclass
@@ -21,16 +21,16 @@ do_ext4_image() {
 
     mkdir -p ${WORKDIR}/mnt
     sudo mount -o loop ${EXT4_IMAGE_FILE} ${WORKDIR}/mnt
-    sudo cp -r ${S}/* ${WORKDIR}/mnt
+    sudo cp -a ${S}/* ${WORKDIR}/mnt
     sudo umount ${WORKDIR}/mnt
     rm -r ${WORKDIR}/mnt
 
     if [ -n "${KERNEL_IMAGE}" ]; then
-        cp ${S}/boot/${KERNEL_IMAGE} ${DEPLOY_DIR_IMAGE}
+        sudo cp -a ${S}/boot/${KERNEL_IMAGE} ${DEPLOY_DIR_IMAGE}
     fi
 
     if [ -n "${INITRD_IMAGE}" ]; then
-        cp ${S}/boot/${INITRD_IMAGE} ${DEPLOY_DIR_IMAGE}
+        sudo cp -a ${S}/boot/${INITRD_IMAGE} ${DEPLOY_DIR_IMAGE}
     fi
 }
 
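Review bot: the two `sudo cp -a` lines that copy into ${DEPLOY_DIR_IMAGE} preserve the source's owner and mode, so an initrd that a normal user cannot read in ${S}/boot is just as unreadable in the deploy directory, and any later step that reads the deployed kernel or initrd without sudo will fail there instead. Because -a also implies no-dereference, a ${S}/boot/${KERNEL_IMAGE} or ${INITRD_IMAGE} that is a symlink gets copied as a link rather than as the image. Suggest keeping -a for the copy into ${WORKDIR}/mnt, where preserving rootfs ownership is the goal, and for the deploy copies either following the copy with an explicit chown/chmod to the build user or stating in the commit message that deploy artifacts are meant to stay root-only. Separately, in the first copy `${S}/*` is unquoted and the glob skips dot-files at the top level of ${S}; `"${S}"/.` would cover both.
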
-- 
2.13.0



* Re: [PATCH] meta: ext4-img: copy and keep attributes, always copy with sudo
  2017-07-18 14:30 [PATCH] meta: ext4-img: copy and keep attributes, always copy with sudo Henning Schild
@ 2017-07-22 22:17 ` Baurzhan Ismagulov
  2017-07-24  7:46   ` Henning Schild
  0 siblings, 1 reply; 5+ messages in thread
From: Baurzhan Ismagulov @ 2017-07-22 22:17 UTC (permalink / raw)
  To: isar-users

On Tue, Jul 18, 2017 at 04:30:56PM +0200, Henning Schild wrote:
> Some security enhancing packages can cause our initrd to be not readable
> by a normal user.

Could you describe which packages cause it?

With kind regards,
Baurzhan.


* Re: [PATCH] meta: ext4-img: copy and keep attributes, always copy with sudo
  2017-07-22 22:17 ` Baurzhan Ismagulov
@ 2017-07-24  7:46   ` Henning Schild
  2017-07-24 21:48     ` Baurzhan Ismagulov
  0 siblings, 1 reply; 5+ messages in thread
From: Henning Schild @ 2017-07-24  7:46 UTC (permalink / raw)
  To: Baurzhan Ismagulov; +Cc: isar-users

On Sun, 23 Jul 2017 00:17:39 +0200,
Baurzhan Ismagulov <ibr@radix50.net> wrote:

> On Tue, Jul 18, 2017 at 04:30:56PM +0200, Henning Schild wrote:
> > Some security enhancing packages can cause our initrd to be not
> > readable by a normal user.  
> 
> Could you describe which packages cause it?

I have got a long list of packages that someone installed, the list
contains apparmor and cryptsetup. They might be the ones to blame; the
others do not look suspicious, but I did investigate further.

Henning

> With kind regards,
> Baurzhan.
> 



* Re: [PATCH] meta: ext4-img: copy and keep attributes, always copy with sudo
  2017-07-24  7:46   ` Henning Schild
@ 2017-07-24 21:48     ` Baurzhan Ismagulov
  2017-07-25  9:23       ` Henning Schild
  0 siblings, 1 reply; 5+ messages in thread
From: Baurzhan Ismagulov @ 2017-07-24 21:48 UTC (permalink / raw)
  To: isar-users

On Mon, Jul 24, 2017 at 09:46:33AM +0200, Henning Schild wrote:
> I have got a long list of packages that someone installed, the list
> contains apparmor and cryptsetup.

Could you please forward me the list? If that is the default configuration of
those packages, we might add them to the test.

With kind regards,
Baurzhan.


* Re: [PATCH] meta: ext4-img: copy and keep attributes, always copy with sudo
  2017-07-24 21:48     ` Baurzhan Ismagulov
@ 2017-07-25  9:23       ` Henning Schild
  0 siblings, 0 replies; 5+ messages in thread
From: Henning Schild @ 2017-07-25  9:23 UTC (permalink / raw)
  To: Baurzhan Ismagulov; +Cc: isar-users

On Mon, 24 Jul 2017 23:48:17 +0200,
Baurzhan Ismagulov <ibr@radix50.net> wrote:

> On Mon, Jul 24, 2017 at 09:46:33AM +0200, Henning Schild wrote:
> > I have got a long list of packages that someone installed, the list
> > contains apparmor and cryptsetup.  
>
> Could you please forward me the list? If that is the default
> configuration of those packages, we might add them to the test.

This list triggers the problem.

IMAGE_PREINSTALL += "acl adduser apparmor apt attr babeltrace
base-files base-passwd bash bridge-utils busybox bzip2 cdebconf
console-setup coreutils cpio cron cryptsetup dash dbus debconf
debian-archive-keyring debianutils debootstrap dh-python dhcpcd5
diffutils dns-root-data dnsmasq dpkg dropbear e2fsprogs ebtables
elfutils ethtool expat file findutils fuse gcc-6 gdb gettext gnupg2
grep grub2 gzip hostname init-system-helpers initramfs-tools iproute2
iptables kbd keyutils kmod less libcap2 libgcrypt20
liblocale-gettext-perl libtasn1-6 libtext-charwidth-perl
libtext-iconv-perl libtext-wrapi18n-perl libxml2 linux-base lsb lsof
ltrace lvm2 mawk mime-support netbase netcat openssl os-prober p11-kit
parted patch pciutils perl procps python2.7 python3.5 rename rsync sed
sensible-utils setserial sgml-base shared-mime-info sqlite3
squashfs-tools strace systemd tar tcpdump trace-cmd tzdata ucf usbutils
util-linux vim wget xauth xdg-user-dirs xml-core xz-utils"

I tried to shrink it to blame a single package. So far I have tried
apparmor, cryptsetup and linux-base. But they all do not trigger it if
installed individually.
At least you can reproduce the problem now.

Henning
 
> With kind regards,
> Baurzhan.
> 

