From 8e41ec58a7e03a0b0ddd4d47ecb74bbd64238bfa Mon Sep 17 00:00:00 2001
From: Achilleas Koutsou
Date: Wed, 21 Aug 2024 12:38:13 +0200
Subject: [PATCH] stages/update-crypto-policies: use Chroot context

Recently [1], the update-crypto-policies script added a check to verify that the FIPS policy was automounted by reading the /proc/self/mountinfo. The script will fail if the proc filesystem isn't available. Use the new Chroot context to set up the environment for the command.

[1] https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/04ceadccfc07e5946b08157d06ca5c0d5a229d92
---
 stages/org.osbuild.update-crypto-policies | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/stages/org.osbuild.update-crypto-policies b/stages/org.osbuild.update-crypto-policies
index 035bb7af..1b786b17 100755
--- a/stages/org.osbuild.update-crypto-policies
+++ b/stages/org.osbuild.update-crypto-policies
@@ -3,15 +3,21 @@ import subprocess
 import sys
 
 from osbuild import api
+from osbuild.util.chroot import Chroot
 
 
 def main(tree, options):
     policy = options["policy"]
 
-    cmd = ["/usr/sbin/chroot", tree,
-           "/usr/bin/update-crypto-policies", "--set", policy]
+    with Chroot(tree):
+        # update-crypto-polciies uses /proc/self/mountinfo to find and verify that fips paths have been mounted to their
+        # expected locations by searching for the following path suffixes:
+        # /crypto-policies/default-fips-config
+        # /crypto-policies/back-ends/FIPS
+        cmd = ["/usr/sbin/chroot", tree,
+               "/usr/bin/update-crypto-policies", "--set", policy]
 
-    subprocess.run(cmd, check=True)
+        subprocess.run(cmd, check=True)
 
     return 0
 
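Review bot: The comment added under `with Chroot(tree):` misspells the tool (`update-crypto-polciies`) and describes what the script checks without saying why the context manager is now required, which is the actual reason for the change; I would fix the spelling and open the comment with `# Chroot(tree) provides /proc inside the tree: update-crypto-policies reads /proc/self/mountinfo to verify that the FIPS paths below are mounted` so the dependency between the `with` block and the command is visible to the next reader. The body still builds the command with a hand-written `/usr/sbin/chroot` and `tree` prefix inside the context; if `Chroot` exposes a run helper (not verifiable from this patch), calling it instead would remove the duplicated root argument and keep the chroot invocation in one place. Passing `policy` as its own argv element with no shell keeps the user-supplied option out of any command-string parsing, and `check=True` makes a rejected or unknown policy name fail the stage rather than silently leaving the tree on its default policy, which is the behaviour you want for a FIPS-affecting setting.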