particle-os/debian-forge
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

stages/update-crypto-policies: use Chroot context

Browse source 
Recently [1], the update-crypto-policies script added a check to verify
that the FIPS policy was automounted by reading the
/proc/self/mountinfo.  The script will fail if the proc filesystem isn't
available.

Use the new Chroot context to set up the environment for the command.

[1] 04ceadccfc
This commit is contained in:
Achilleas Koutsou 2024-08-21 12:38:13 +02:00 committed by Tomáš Hozza
parent 9edda1d163
commit 8e41ec58a7
1 changed files with 9 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

12
stages/org.osbuild.update-crypto-policies
View file

@ -3,15 +3,21 @@ import subprocess
import sys import sys
from osbuild import api from osbuild import api
from osbuild.util.chroot import Chroot
def main(tree, options): def main(tree, options):
policy = options["policy"] policy = options["policy"]
cmd = ["/usr/sbin/chroot", tree, with Chroot(tree):
"/usr/bin/update-crypto-policies", "--set", policy] # update-crypto-polciies uses /proc/self/mountinfo to find and verify that fips paths have been mounted to their
# expected locations by searching for the following path suffixes:
# /crypto-policies/default-fips-config
# /crypto-policies/back-ends/FIPS
cmd = ["/usr/sbin/chroot", tree,
"/usr/bin/update-crypto-policies", "--set", policy]
subprocess.run(cmd, check=True) subprocess.run(cmd, check=True)
return 0 return 0