No description

Find a file

Christian Kellner 3c556c3386 selinux: allow nnp and nosuid transitions Allow osbuild_t to no_new_privs (nnp) and nosuid domain transition into setfiles_mac_t and install_t. nnp is a inheritable per-thread flag (PR_SET_NO_NEW_PRIVS, see prctl(2)), whereby a promise is made by execve(2) to not grant any new privileges that could not have been done without the execv call. This is on contrast to what can be done via SELinux rules, i.e. in our case `setfiles_mac_t` and `install_t` can set arbitrary SELinux labels, but `osbuild_t` itself can not; but `osbuild_t` enables the transitioning of `setfiles_mac_t` for the `setfiles` binary via execve(2) from a process with `osbuild_t`. Related, the nosuid mount flag, prevents the suid, sgid bits to be interpreted and thus are in the same spirit as nnp, i.e. no new privs during execve(2). Thus SELinux domain transitions stand in contrast with nnp and nosuid transitions, and have therefore been de-coupled. See also the corresponding kernel patch at [1] for more information. bubblewrap (bwrap) in contrast to `systemd-nspawn` always sets the nnp flag, as well as the nosuid option for all bind-mounts. Since we no use bwrap to contain processes we need to allow the nnp and nosuid transitions from `osbuild_t` to `setfiles_mac_t` and `install_t`. [1] https://patchwork.kernel.org/patch/9841441/		2020-08-10 14:05:24 +02:00
.github/workflows	ci: schedule coverity only for osbuild/osbuild	2020-07-07 08:26:53 +02:00
assemblers	assemblers: add btrfs support to qemu and rawfs	2020-08-04 10:49:37 +02:00
docs	cli: drop --build-env argument	2020-05-07 19:52:33 +02:00
osbuild	osbuild: require output_directory	2020-08-07 20:39:14 +02:00
runners	runners: use osbuild.api.setup_stdio	2020-07-27 12:50:38 +01:00
samples	stages/noop: fix the schema to allow any props	2020-07-16 19:02:25 +02:00
schemas	schema/osbuild1.json: convert to draft4 standard	2020-05-12 22:00:38 +02:00
schutzbot	🤖 schutzbot: Bring over updates from o-c	2020-08-06 00:16:39 +02:00
selinux	selinux: allow nnp and nosuid transitions	2020-08-10 14:05:24 +02:00
sources	sources/files: do not pass floats to --max-time	2020-06-25 21:25:17 +02:00
stages	stages: drop script stage	2020-07-24 18:06:39 +02:00
test	test: bump filesystem size to 1G	2020-08-04 10:49:37 +02:00
tools	tools/mpp-depsolve: support excluding packages	2020-06-15 13:44:01 +02:00
.editorconfig	editorconfig: add one matching current style	2019-12-13 18:15:08 +01:00
.gitignore	test: add coverity targets to the Makefile	2020-06-24 10:01:24 +02:00
.pylintrc	pylint: increase max attributes to 10	2020-07-21 13:25:04 +02:00
.travis.yml	ci: move test_boot to github-actions	2020-05-13 22:00:27 +02:00
LICENSE	Revert "Fill in the license template"	2019-11-18 12:23:10 +01:00
Makefile	test: use a dummy pipeline when testing assemblers	2020-07-21 10:25:47 +02:00
NEWS.md	NEWS.md: update for osbuild version 19	2020-07-30 22:17:32 +02:00
osbuild.spec	19	2020-07-30 22:17:32 +02:00
README.md	buildroot: use `bwrap` to contain stages	2020-07-21 14:20:32 +02:00
requirements.txt	osbuild: add meta module for metadata information	2020-05-06 15:42:23 +02:00
setup.py	19	2020-07-30 22:17:32 +02:00

README.md

OSBuild

Build-Pipelines for Operating System Artifacts

OSBuild is a pipeline-based build system for operating system artifacts. It defines a universal pipeline description and a build system to execute them, producing artifacts like operating system images, working towards an image build pipeline that is more comprehensible, reproducible, and extendable.

See the osbuild(1) man-page for details on how to run osbuild, the definition of the pipeline description, and more.

Project

Website: https://www.osbuild.org
Bug Tracker: https://github.com/osbuild/osbuild/issues

Requirements

The requirements for this project are:

bubblewrap >= 0.4.0
python >= 3.7

Additionally, the built-in stages require:

bash >= 5.0
coreutils >= 8.31
curl >= 7.68
qemu-img >= 4.2.0
rpm >= 4.15
tar >= 1.32
util-linux >= 235

At build-time, the following software is required:

python-docutils >= 0.13
pkg-config >= 0.29

Build

The standard python package system is used. Consult upstream documentation for detailed help. In most situations the following commands are sufficient to build and install from source:

python setup.py build
python setup.py install --skip-build --root=/

The man-pages require python-docutils and can be built via:

rst2man docs/<input-file>.rst <output-file>

Repository:

web: https://github.com/osbuild/osbuild
https: https://github.com/osbuild/osbuild.git
ssh: git@github.com:osbuild/osbuild.git

License:

Apache-2.0
See LICENSE file for details.