From 05c5daaee85008f09e06368f33ac9b3e612eea4b Mon Sep 17 00:00:00 2001
From: xumia
Date: Wed, 13 May 2020 00:52:42 +0000
Subject: [PATCH 1/9] Support rw files whitelist for Sonic Secure Boot
---
 build_image.sh | 1 +
 files/Aboot/boot0.j2 | 3 ++
 files/image_config/secureboot/whitelist | 32 ++++++++++++++++++++
 files/initramfs-tools/union-mount.j2 | 39 +++++++++++++++++++++++++
 4 files changed, 75 insertions(+)
 create mode 100644 files/image_config/secureboot/whitelist
diff --git a/build_image.sh b/build_image.sh
index cd8c26da1225..9af7616158aa 100755
--- a/build_image.sh
+++ b/build_image.sh
@@ -133,6 +133,7 @@ elif [ "$IMAGE_TYPE" = "aboot" ]; then
 sed -i -e "s/%%IMAGE_VERSION%%/$IMAGE_VERSION/g" files/Aboot/boot0
 pushd files/Aboot && zip -g $OLDPWD/$OUTPUT_ABOOT_IMAGE boot0; popd
 pushd files/Aboot && zip -g $OLDPWD/$ABOOT_BOOT_IMAGE boot0; popd
+ pushd files/image_config/secureboot && zip -g $OLDPWD/$OUTPUT_ABOOT_IMAGE whitelist; popd
 echo "$IMAGE_VERSION" >> .imagehash
 zip -g $OUTPUT_ABOOT_IMAGE .imagehash
 zip -g $ABOOT_BOOT_IMAGE .imagehash
diff --git a/files/Aboot/boot0.j2 b/files/Aboot/boot0.j2
index 6460db61c8e3..3103983c8b8b 100644
--- a/files/Aboot/boot0.j2
+++ b/files/Aboot/boot0.j2
@@ -395,6 +395,9 @@ write_boot_configs() {
 fi
 fi
+ # setting secure_boot_enable=true when secure boot enabled
+ [ -f /bin/securebootctl ] && securebootctl secureboot -display | grep -i "Secure Boot enable" -q && echo "secure_boot_enable=true" >> /tmp/append
+
 mkdir -p "$image_path"
 cat /tmp/append > $cmdline_image
 [ -s ${target_path}/machine.conf ] || write_machine_config
diff --git a/files/image_config/secureboot/whitelist b/files/image_config/secureboot/whitelist
new file mode 100644
index 000000000000..198aa9400fde
--- /dev/null
+++ b/files/image_config/secureboot/whitelist
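Review bot: `whitelist` is zipped only into `$OLDPWD/$OUTPUT_ABOOT_IMAGE`, while the two lines above add `boot0` to both `$OUTPUT_ABOOT_IMAGE` and `$ABOOT_BOOT_IMAGE`. If the boot image is also expected to run union-mount's rw cleanup under secure boot it would be missing the policy file; either add the matching `pushd files/image_config/secureboot && zip -g $OLDPWD/$ABOOT_BOOT_IMAGE whitelist; popd` or state in a comment that the boot image intentionally carries no whitelist. The `.imagehash` lines below only record `$IMAGE_VERSION`, so whether the whitelist content is covered by the image integrity check is not visible from this hunk. The enclosing `elif` branch continues outside the hunk.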
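Review bot: The kernel flag is derived from a substring match, `grep -i "Secure Boot enable" -q`, on the output of `securebootctl secureboot -display`; if that output also contains the phrase when the feature is off (a line like `Secure Boot enable: no`, constructed example), `secure_boot_enable=true` would be appended on a non-secure system and the rw cleanup would run there. Anchoring the match to the exact enabled wording and documenting the expected output format in the comment would make this robust; the later hunks in this series that change the value to `y` keep the same match. When `/bin/securebootctl` is absent nothing is appended, so the initramfs side treats a missing flag as secure boot disabled — worth stating, e.g. `# no securebootctl => flag absent => rw cleanup is skipped in union-mount`. write_boot_configs continues outside the hunk.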
@@ -0,0 +1,32 @@
+# It is the patterns of the relative paths in /host/image-{hash}/rw folder.
+# The patterns will not be used if the Sonic Secure Boot feature is not enabled.
+# The files that are not in the whitelist will be removed when the Sonic System cold reboot.
+
+home/.*
+var/core/.*
+var/log/.*
+etc/group
+etc/gshadow
+etc/hostname
+etc/hosts
+etc/machine-id
+etc/network/interfaces
+etc/nsswitch.conf
+etc/pam.d/common-auth-sonic
+etc/pam.d/sshd
+etc/pam.d/login
+etc/passwd
+etc/rsyslog.conf
+etc/shadow
+etc/sonic/acl.json
+etc/sonic/config_db.json
+etc/sonic/minigraph.xml
+etc/sonic/snmp.yml
+etc/sonic/updategraph.conf
+etc/ssh/ssh_host_rsa_key.pub
+etc/ssh/ssh_host_rsa_key
+etc/subgid
+etc/subuid
+etc/tacplus_nss.conf
+etc/tacplus_user
+lib/systemd/system/serial-getty@.service
diff --git a/files/initramfs-tools/union-mount.j2 b/files/initramfs-tools/union-mount.j2
index 5e33e1760874..78c5ce2f36c9 100644
--- a/files/initramfs-tools/union-mount.j2
+++ b/files/initramfs-tools/union-mount.j2
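Review bot: `lib/systemd/system/serial-getty@.service` is the one entry that keeps a boot-time executed artifact (a unit file systemd reads as root) in the rw layer, so a modified copy there survives the cold-reboot cleanup that this feature exists to perform; a comment on why the unit itself must persist, and whether a drop-in under `etc/systemd/system/` would suffice, would help the next reviewer. The entries are consumed as regular expressions by union-mount (`grep -q "$pattern"`), so `.` in names such as `etc/rsyslog.conf` is a wildcard and `home/.*` also matches every nested directory; the header comment should say the lines are regexes, not literal paths.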
@@ -39,10 +39,49 @@ set_tmpfs_log_partition_size()
 [ $maxsize -le $varlogsize ] && varlogsize=$maxsize
 }
+whitelist_rw_folder()
+{
+ image_dir=$1
+ whitelist_file=${rootmnt}/host/$image_dir/whitelist
+
+ # Return if the whitelist file does not exist
+ if ! test -f "${whitelist_file}"; then
+ return
+ fi
+
+ # Return if the secure_boot_enable option is not set
+ if cat /proc/cmdline | grep -v -q "secure_boot_enable=true"; then
+ return
+ fi
+
+ whitelist_log=${rootmnt}/host/$image_dir/whitelist.log
+ rw_dir=${rootmnt}/host/$image_dir/rw
+ whitelist=$(cat ${rootmnt}/host/$image_dir/whitelist | grep -v "^\s*#" | awk '{$1=$1};1')
+ set -o noglob
+ find ${rw_dir} -type f |
+ while IFS= read -r file; do
+ found="false"
+ for line in $whitelist; do
+ pattern="^${rw_dir}/${line}\$"
+ if echo "$file" | grep -q "$pattern"; then
+ found="true"
+ break
+ fi
+ done
+ if [ $found = "false" ]; then
+ echo $file >> ${whitelist_log}
+ rm -f $file
+ fi
+ done
+ set +o noglob
+}
+
 ## Mount the overlay file system: rw layer over squashfs
 image_dir=$(cat /proc/cmdline | sed -e 's/.*loop=\(\S*\)\/.*/\1/')
 mkdir -p ${rootmnt}/host/$image_dir/rw
 mkdir -p ${rootmnt}/host/$image_dir/work
+## Whitelist rw folder
+whitelist_rw_folder "$image_dir"
 mount -n -o lowerdir=${rootmnt},upperdir=${rootmnt}/host/$image_dir/rw,workdir=${rootmnt}/host/$image_dir/work -t overlay root-overlay ${rootmnt}
 ## Check if the root block device is still there
 [ -b ${ROOT} ] || mdev -s
From 09f568a44b67c52b9464fec02a3c3bc63349e2d5 Mon Sep 17 00:00:00 2001
From: xumia
Date: Wed, 13 May 2020 06:17:44 +0000
Subject: [PATCH 2/9] Improve the performance
---
 build_image.sh | 2 +-
 files/Aboot/boot0.j2 | 2 +-
 .../{whitelist => whitelist_paths.conf} | 0
 files/initramfs-tools/union-mount.j2 | 35 +++++++------------
 4 files changed, 14 insertions(+), 25 deletions(-)
 rename files/image_config/secureboot/{whitelist => whitelist_paths.conf} (100%)
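Review bot: `for line in $whitelist` word-splits the patterns on any whitespace, and `echo $file >> ${whitelist_log}` and `rm -f $file` are unquoted, so a name containing a space is logged and removed as several wrong paths while the real file stays; `set -o noglob` only prevents glob expansion. Quote them, `echo "$file" >> "${whitelist_log}"` and `rm -f -- "$file"`, and read the whitelist line by line instead of splitting one string. The test `if cat /proc/cmdline | grep -v -q ...` only does what is intended because /proc/cmdline is a single line; `if ! grep -q "secure_boot_enable=true" /proc/cmdline; then` says what is meant and drops the `cat`. The function and the call site are both within the hunk.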
diff --git a/build_image.sh b/build_image.sh
index 9af7616158aa..6807c7917562 100755
--- a/build_image.sh
+++ b/build_image.sh
@@ -133,7 +133,7 @@ elif [ "$IMAGE_TYPE" = "aboot" ]; then
 sed -i -e "s/%%IMAGE_VERSION%%/$IMAGE_VERSION/g" files/Aboot/boot0
 pushd files/Aboot && zip -g $OLDPWD/$OUTPUT_ABOOT_IMAGE boot0; popd
 pushd files/Aboot && zip -g $OLDPWD/$ABOOT_BOOT_IMAGE boot0; popd
- pushd files/image_config/secureboot && zip -g $OLDPWD/$OUTPUT_ABOOT_IMAGE whitelist; popd
+ pushd files/image_config/secureboot && zip -g $OLDPWD/$OUTPUT_ABOOT_IMAGE whitelist_paths.conf; popd
 echo "$IMAGE_VERSION" >> .imagehash
 zip -g $OUTPUT_ABOOT_IMAGE .imagehash
 zip -g $ABOOT_BOOT_IMAGE .imagehash
diff --git a/files/Aboot/boot0.j2 b/files/Aboot/boot0.j2
index 3103983c8b8b..22c507cd912c 100644
--- a/files/Aboot/boot0.j2
+++ b/files/Aboot/boot0.j2
@@ -396,7 +396,7 @@ write_boot_configs() {
 fi
 # setting secure_boot_enable=true when secure boot enabled
- [ -f /bin/securebootctl ] && securebootctl secureboot -display | grep -i "Secure Boot enable" -q && echo "secure_boot_enable=true" >> /tmp/append
+ [ -f /bin/securebootctl ] && securebootctl secureboot -display | grep -i "Secure Boot enable" -q && echo "secure_boot_enable=y" >> /tmp/append
 mkdir -p "$image_path"
 cat /tmp/append > $cmdline_image
diff --git a/files/image_config/secureboot/whitelist b/files/image_config/secureboot/whitelist_paths.conf
similarity index 100%
rename from files/image_config/secureboot/whitelist
rename to files/image_config/secureboot/whitelist_paths.conf
diff --git a/files/initramfs-tools/union-mount.j2 b/files/initramfs-tools/union-mount.j2
index 78c5ce2f36c9..3488196cce5b 100644
--- a/files/initramfs-tools/union-mount.j2
+++ b/files/initramfs-tools/union-mount.j2
@@ -42,38 +42,27 @@ set_tmpfs_log_partition_size()
 whitelist_rw_folder()
 {
 image_dir=$1
- whitelist_file=${rootmnt}/host/$image_dir/whitelist
-
+ whitelist_file=${rootmnt}/host/$image_dir/whitelist_paths.conf
+
 # Return if the whitelist file does not exist
 if ! test -f "${whitelist_file}"; then
 return
 fi
-
+
 # Return if the secure_boot_enable option is not set
 if cat /proc/cmdline | grep -v -q "secure_boot_enable=true"; then
 return
 fi
-
- whitelist_log=${rootmnt}/host/$image_dir/whitelist.log
+
 rw_dir=${rootmnt}/host/$image_dir/rw
- whitelist=$(cat ${rootmnt}/host/$image_dir/whitelist | grep -v "^\s*#" | awk '{$1=$1};1')
- set -o noglob
- find ${rw_dir} -type f |
- while IFS= read -r file; do
- found="false"
- for line in $whitelist; do
- pattern="^${rw_dir}/${line}\$"
- if echo "$file" | grep -q "$pattern"; then
- found="true"
- break
- fi
- done
- if [ $found = "false" ]; then
- echo $file >> ${whitelist_log}
- rm -f $file
- fi
- done
- set +o noglob
+
+ # Set the grep pattern file
+ whitelist_pattern_file=${rootmnt}/host/$image_dir/whitelist_paths.pattern
+ grep -v "^\s*#" ${whitelist_file} | awk -v rw_dir="$rw_dir" '{print rw_dir"/"$0"$"}' > $whitelist_pattern_file
+
+ # Find the files in the rw folder, and remove the files not in the whitelist
+ find ${rw_dir} -type f | grep -v -f $whitelist_pattern_file | xargs /bin/rm -f
+ rm -f $whitelist_pattern_file
 }
 ## Mount the overlay file system: rw layer over squashfs
From 1619d51840d8884ba8c3fb0e6b7d8b6e249bd4f2 Mon Sep 17 00:00:00 2001
From: xumia
Date: Wed, 13 May 2020 06:29:10 +0000
Subject: [PATCH 3/9] fix bug
---
 files/initramfs-tools/union-mount.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/files/initramfs-tools/union-mount.j2 b/files/initramfs-tools/union-mount.j2
index 3488196cce5b..1d0b09d064b7 100644
--- a/files/initramfs-tools/union-mount.j2
+++ b/files/initramfs-tools/union-mount.j2
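Review bot: The generated patterns have no `^` anchor: `'{print rw_dir"/"$0"$"}'` yields `<rw_dir>/etc/hosts$`, which `grep -v -f` matches anywhere in the path, so any file whose absolute path merely ends in that string is kept; emit `'{print "^"rw_dir"/"$0"$"}'` so each entry is tested against the whole path (the later `NF {...}` rewrites of this line and the allowlist rename keep the same unanchored form). Separately, `find ... | grep -v -f ... | xargs /bin/rm -f` is newline- and quote-delimited: a file name containing a newline is evaluated and removed as two different paths and itself survives the cleanup, and xargs also interprets quotes and backslashes. If the initramfs grep supports `-z`, use `find "${rw_dir}" -type f -print0 | grep -z -v -f "$whitelist_pattern_file" | xargs -0 /bin/rm -f --`; otherwise test each file from `find -exec`. `rw_dir` is also inserted into the regex unescaped, so a `.` in `${rootmnt}` or the image directory name is a wildcard too. whitelist_rw_folder is entirely within the hunk.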
@@ -50,7 +50,7 @@ whitelist_rw_folder()
 fi
 # Return if the secure_boot_enable option is not set
- if cat /proc/cmdline | grep -v -q "secure_boot_enable=true"; then
+ if ! (cat /proc/cmdline | grep -i -q "secure_boot_enable=[y1]"); then
 return
 fi
From 38aef30778110f6b6776d3408a02a6f5d250a55b Mon Sep 17 00:00:00 2001
From: xumia
Date: Tue, 19 May 2020 03:40:48 +0000
Subject: [PATCH 4/9] Move the config description into a md file
---
 files/image_config/secureboot/whitelist_paths.conf | 4 ----
 files/image_config/secureboot/whitelist_paths.md | 11 +++++++++++
 files/initramfs-tools/union-mount.j2 | 2 +-
 3 files changed, 12 insertions(+), 5 deletions(-)
 create mode 100644 files/image_config/secureboot/whitelist_paths.md
diff --git a/files/image_config/secureboot/whitelist_paths.conf b/files/image_config/secureboot/whitelist_paths.conf
index 198aa9400fde..6887dcb17650 100644
--- a/files/image_config/secureboot/whitelist_paths.conf
+++ b/files/image_config/secureboot/whitelist_paths.conf
@@ -1,7 +1,3 @@
-# It is the patterns of the relative paths in /host/image-{hash}/rw folder.
-# The patterns will not be used if the Sonic Secure Boot feature is not enabled.
-# The files that are not in the whitelist will be removed when the Sonic System cold reboot.
-
 home/.*
 var/core/.*
 var/log/.*
diff --git a/files/image_config/secureboot/whitelist_paths.md b/files/image_config/secureboot/whitelist_paths.md
new file mode 100644
index 000000000000..b4cd74adce44
--- /dev/null
+++ b/files/image_config/secureboot/whitelist_paths.md
@@ -0,0 +1,11 @@
+# Configuration Guide
+It is the patterns of the relative paths in /host/image-{{hash}}/rw folder.
+The patterns will not be used if the Sonic Secure Boot feature is not enabled.
+The files that are not in the whitelist will be removed when the Sonic System cold reboot.
+
+### Example to whitelist all the files in a folder
+home/.*
+
+### Example to whitelist a file
+etc/nsswitch.conf
+
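Review bot: `if ! (cat /proc/cmdline | grep -i -q "secure_boot_enable=[y1]"); then` spawns a subshell and a `cat` for a single-file grep; `if ! grep -i -q "secure_boot_enable=[y1]" /proc/cmdline; then` is equivalent and clearer. The pattern is unanchored on both sides, so it also accepts `secure_boot_enable=yes`, `secure_boot_enable=1x`, or a parameter whose name merely ends in the string; if only `y` and `1` are valid, match the whole word, e.g. `grep -i -q -w "secure_boot_enable=[y1]" /proc/cmdline` (assuming the initramfs grep supports `-w`). A comment saying that an absent flag is treated as secure boot disabled, i.e. the cleanup is fail-open by design, would document the choice made here. The function continues outside the hunk.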
diff --git a/files/initramfs-tools/union-mount.j2 b/files/initramfs-tools/union-mount.j2
index 1d0b09d064b7..4c35ca8df05a 100644
--- a/files/initramfs-tools/union-mount.j2
+++ b/files/initramfs-tools/union-mount.j2
@@ -58,7 +58,7 @@ whitelist_rw_folder()
 # Set the grep pattern file
 whitelist_pattern_file=${rootmnt}/host/$image_dir/whitelist_paths.pattern
- grep -v "^\s*#" ${whitelist_file} | awk -v rw_dir="$rw_dir" '{print rw_dir"/"$0"$"}' > $whitelist_pattern_file
+ grep -v "^\s*$" ${whitelist_file} | awk -v rw_dir="$rw_dir" '{print rw_dir"/"$0"$"}' > $whitelist_pattern_file
 # Find the files in the rw folder, and remove the files not in the whitelist
 find ${rw_dir} -type f | grep -v -f $whitelist_pattern_file | xargs /bin/rm -f
From 90c05df725fc53272a85c9f1269f297f3fcb4b75 Mon Sep 17 00:00:00 2001
From: xumia
Date: Sun, 31 May 2020 14:31:58 +0000
Subject: [PATCH 5/9] Change to use a simple way to remove the blank line
---
 files/initramfs-tools/union-mount.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/files/initramfs-tools/union-mount.j2 b/files/initramfs-tools/union-mount.j2
index 4c35ca8df05a..ea64c3b41c36 100644
--- a/files/initramfs-tools/union-mount.j2
+++ b/files/initramfs-tools/union-mount.j2
@@ -56,9 +56,9 @@ whitelist_rw_folder()
 rw_dir=${rootmnt}/host/$image_dir/rw
- # Set the grep pattern file
+ # Set the grep pattern file, remove the blank line in config file
 whitelist_pattern_file=${rootmnt}/host/$image_dir/whitelist_paths.pattern
- grep -v "^\s*$" ${whitelist_file} | awk -v rw_dir="$rw_dir" '{print rw_dir"/"$0"$"}' > $whitelist_pattern_file
+ awk -v rw_dir="$rw_dir" 'NF {print rw_dir"/"$0"$"}' ${whitelist_file} > $whitelist_pattern_file
 # Find the files in the rw folder, and remove the files not in the whitelist
 find ${rw_dir} -type f | grep -v -f $whitelist_pattern_file | xargs /bin/rm -f
From 528953bfc75b4c5b63bf7a6b0cd8fd82bc3bf9c3 Mon Sep 17 00:00:00 2001
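Review bot: Comment lines are no longer filtered once `"^\s*#"` becomes `"^\s*$"`: a `#` line in whitelist_paths.conf is now turned into a pattern `<rw_dir>/# ...$`, harmless in itself, but the file format silently loses comments and the guide added in this commit does not say so. Either keep both filters, `grep -v -e "^\s*#" -e "^\s*$" ${whitelist_file}`, or document in the .md that `#` is not a comment marker. `\s` in a basic regex is a GNU extension; if the initramfs grep is busybox, `"^[[:space:]]*$"` is the portable spelling. The function continues outside the hunk.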
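Review bot: `'NF {print rw_dir"/"$0"$"}'` prints `$0` verbatim, so an entry with trailing whitespace becomes `<rw_dir>/etc/hosts $` and never matches; the file is then deleted on every boot, and nothing is logged that would point at the mis-entered pattern. Trim before printing, `'NF {gsub(/^[ \t]+|[ \t]+$/, ""); print rw_dir"/"$0"$"}'`, and consider echoing the removed paths to stderr so an unexpected deletion is visible in the boot log. The function continues outside the hunk.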
From: xumia
Date: Mon, 8 Jun 2020 10:32:53 +0000
Subject: [PATCH 6/9] Support chmod a-x in rw folder
---
 files/Aboot/boot0.j2 | 2 +-
 .../secureboot/whitelist_paths.conf | 7 +++
 files/initramfs-tools/union-mount.j2 | 48 +++++++++++--------
 3 files changed, 35 insertions(+), 22 deletions(-)
diff --git a/files/Aboot/boot0.j2 b/files/Aboot/boot0.j2
index 22c507cd912c..49d6a96594d9 100644
--- a/files/Aboot/boot0.j2
+++ b/files/Aboot/boot0.j2
@@ -395,7 +395,7 @@ write_boot_configs() {
 fi
 fi
- # setting secure_boot_enable=true when secure boot enabled
+ # setting secure_boot_enable=y when secure boot enabled
 [ -f /bin/securebootctl ] && securebootctl secureboot -display | grep -i "Secure Boot enable" -q && echo "secure_boot_enable=y" >> /tmp/append
 mkdir -p "$image_path"
diff --git a/files/image_config/secureboot/whitelist_paths.conf b/files/image_config/secureboot/whitelist_paths.conf
index 6887dcb17650..fe5b890e0678 100644
--- a/files/image_config/secureboot/whitelist_paths.conf
+++ b/files/image_config/secureboot/whitelist_paths.conf
@@ -1,6 +1,10 @@
 home/.*
 var/core/.*
 var/log/.*
+etc/adjtime
+etc/default/ntp
+etc/dhcp/dhclient.conf
+etc/ebtables.filter
 etc/group
 etc/gshadow
 etc/hostname
@@ -8,15 +12,18 @@ etc/hosts
 etc/machine-id
 etc/network/interfaces
 etc/nsswitch.conf
+etc/ntp.conf
 etc/pam.d/common-auth-sonic
 etc/pam.d/sshd
 etc/pam.d/login
+etc/pam.d/sshd.old
 etc/passwd
 etc/rsyslog.conf
 etc/shadow
 etc/sonic/acl.json
 etc/sonic/config_db.json
 etc/sonic/minigraph.xml
+etc/sonic/old_config/.*
 etc/sonic/snmp.yml
 etc/sonic/updategraph.conf
 etc/ssh/ssh_host_rsa_key.pub
diff --git a/files/initramfs-tools/union-mount.j2 b/files/initramfs-tools/union-mount.j2
index ea64c3b41c36..ca124d696347 100644
--- a/files/initramfs-tools/union-mount.j2
+++ b/files/initramfs-tools/union-mount.j2
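Review bot: `etc/pam.d/sshd.old` and `etc/sonic/old_config/.*` keep backup copies of security-relevant configuration (a PAM policy and the previous config_db) in the rw layer across the cleanup; if they are only needed transiently during an upgrade, a comment saying who creates and consumes them would justify keeping them allowlisted. Because the entries are regexes, `etc/ntp.conf` and `etc/dhcp/dhclient.conf` also match names where `.` is any character (`etc/ntpXconf`, constructed example); escaping the dot, `etc/ntp\.conf`, makes the intent exact. The second hunk of this file shares both points.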
@@ -41,28 +41,29 @@ set_tmpfs_log_partition_size()
 whitelist_rw_folder()
 {
- image_dir=$1
- whitelist_file=${rootmnt}/host/$image_dir/whitelist_paths.conf
+ image_dir=$1
+ whitelist_file=${rootmnt}/host/$image_dir/whitelist_paths.conf
- # Return if the whitelist file does not exist
- if ! test -f "${whitelist_file}"; then
- return
- fi
-
- # Return if the secure_boot_enable option is not set
- if ! (cat /proc/cmdline | grep -i -q "secure_boot_enable=[y1]"); then
- return
- fi
-
- rw_dir=${rootmnt}/host/$image_dir/rw
-
- # Set the grep pattern file, remove the blank line in config file
- whitelist_pattern_file=${rootmnt}/host/$image_dir/whitelist_paths.pattern
- awk -v rw_dir="$rw_dir" 'NF {print rw_dir"/"$0"$"}' ${whitelist_file} > $whitelist_pattern_file
-
- # Find the files in the rw folder, and remove the files not in the whitelist
- find ${rw_dir} -type f | grep -v -f $whitelist_pattern_file | xargs /bin/rm -f
- rm -f $whitelist_pattern_file
+ # Return if the secure_boot_enable option is not set
+ if ! (cat /proc/cmdline | grep -i -q "secure_boot_enable=[y1]"); then
+ return
+ fi
+
+ # Return if the whitelist file does not exist
+ if ! test -f "${whitelist_file}"; then
+ echo "The file ${whitelist_file} is missing, failed to mount rw folder." 1>&2
+ exit 1
+ fi
+
+ rw_dir=${rootmnt}/host/$image_dir/rw
+
+ # Set the grep pattern file, remove the blank line in config file
+ whitelist_pattern_file=${rootmnt}/host/$image_dir/whitelist_paths.pattern
+ awk -v rw_dir="$rw_dir" 'NF {print rw_dir"/"$0"$"}' ${whitelist_file} > $whitelist_pattern_file
+
+ # Find the files in the rw folder, and remove the files not in the whitelist
+ find ${rw_dir} -type f | grep -v -f $whitelist_pattern_file | xargs /bin/rm -f
+ rm -f $whitelist_pattern_file
 }
 ## Mount the overlay file system: rw layer over squashfs
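Review bot: A missing whitelist file now halts boot with `exit 1` (fail-closed), but build_image.sh zips that file only into `$OUTPUT_ABOOT_IMAGE`, so any image path where `secure_boot_enable` is set without the file will stop in the initramfs with nothing but a stderr line. If the initramfs-tools `panic` helper is available in this script, `panic "The file ${whitelist_file} is missing, failed to mount rw folder."` gives a visible and consistent failure; otherwise a comment stating that a boot halt is the intended outcome under secure boot would help. The re-indentation makes every line of the function show as changed and hides that the only logic changes are the check order and the `exit 1`; a separate whitespace-only commit would keep this reviewable. The function is entirely within the hunk.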
@@ -71,6 +72,11 @@ mkdir -p ${rootmnt}/host/$image_dir/rw
 mkdir -p ${rootmnt}/host/$image_dir/work
 ## Whitelist rw folder
 whitelist_rw_folder "$image_dir"
+
+## Remove the executable permission for all the files in rw folder except home folder
+rw_dir=${rootmnt}/host/$image_dir/rw
+find ${rw_dir} -type f -not -path ${rw_dir}/home -exec chmod a-x {} +
+
 mount -n -o lowerdir=${rootmnt},upperdir=${rootmnt}/host/$image_dir/rw,workdir=${rootmnt}/host/$image_dir/work -t overlay root-overlay ${rootmnt}
 ## Check if the root block device is still there
 [ -b ${ROOT} ] || mdev -s
From 355e1d0822b7dee4c4e23425528578fe92c5bc3b Mon Sep 17 00:00:00 2001
From: xumia
Date: Mon, 8 Jun 2020 10:46:44 +0000
Subject: [PATCH 7/9] Change function name
---
 files/initramfs-tools/union-mount.j2 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/files/initramfs-tools/union-mount.j2 b/files/initramfs-tools/union-mount.j2
index ca124d696347..66f8ceefda93 100644
--- a/files/initramfs-tools/union-mount.j2
+++ b/files/initramfs-tools/union-mount.j2
@@ -39,7 +39,7 @@ set_tmpfs_log_partition_size()
 [ $maxsize -le $varlogsize ] && varlogsize=$maxsize
 }
-whitelist_rw_folder()
+remove_not_whitelist_files()
 {
 image_dir=$1
 whitelist_file=${rootmnt}/host/$image_dir/whitelist_paths.conf
@@ -70,8 +70,8 @@ whitelist_rw_folder()
 image_dir=$(cat /proc/cmdline | sed -e 's/.*loop=\(\S*\)\/.*/\1/')
 mkdir -p ${rootmnt}/host/$image_dir/rw
 mkdir -p ${rootmnt}/host/$image_dir/work
-## Whitelist rw folder
-whitelist_rw_folder "$image_dir"
+## Remove the files not in whitelist in the rw folder
+remove_not_whitelist_files "$image_dir"
 ## Remove the executable permission for all the files in rw folder except home folder
 rw_dir=${rootmnt}/host/$image_dir/rw
From 4bdaf292da6ca62d6256c76eb2d40039818120c7 Mon Sep 17 00:00:00 2001
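Review bot: `-not -path ${rw_dir}/home` excludes only an entry whose full path is exactly `${rw_dir}/home`, which as a directory is already skipped by `-type f`; files under home are therefore still stripped of their executable bit, contradicting the comment above the line. Use `find "${rw_dir}" -type f -not -path "${rw_dir}/home/*" -exec chmod a-x {} +` so the whole subtree is excluded and the expansions are quoted. Unlike `whitelist_rw_folder`, this runs regardless of the `secure_boot_enable` flag, so every boot on every system loses executable bits in the rw layer (hook scripts under `etc/`, for instance); if that is intended, say so in the comment, otherwise gate it the same way.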
From: xumia
Date: Tue, 9 Jun 2020 01:23:25 +0000
Subject: [PATCH 8/9] Change some unnecessary words
---
 build_image.sh | 2 +-
 .../{whitelist_paths.conf => allowlist_paths.conf} | 0
 .../secureboot/{whitelist_paths.md => allowlist_paths.md} | 6 +++---
 3 files changed, 4 insertions(+), 4 deletions(-)
 rename files/image_config/secureboot/{whitelist_paths.conf => allowlist_paths.conf} (100%)
 rename files/image_config/secureboot/{whitelist_paths.md => allowlist_paths.md} (57%)
diff --git a/build_image.sh b/build_image.sh
index 6807c7917562..5c5407b6a725 100755
--- a/build_image.sh
+++ b/build_image.sh
@@ -133,7 +133,7 @@ elif [ "$IMAGE_TYPE" = "aboot" ]; then
 sed -i -e "s/%%IMAGE_VERSION%%/$IMAGE_VERSION/g" files/Aboot/boot0
 pushd files/Aboot && zip -g $OLDPWD/$OUTPUT_ABOOT_IMAGE boot0; popd
 pushd files/Aboot && zip -g $OLDPWD/$ABOOT_BOOT_IMAGE boot0; popd
- pushd files/image_config/secureboot && zip -g $OLDPWD/$OUTPUT_ABOOT_IMAGE whitelist_paths.conf; popd
+ pushd files/image_config/secureboot && zip -g $OLDPWD/$OUTPUT_ABOOT_IMAGE allowlist_paths.conf; popd
 echo "$IMAGE_VERSION" >> .imagehash
 zip -g $OUTPUT_ABOOT_IMAGE .imagehash
 zip -g $ABOOT_BOOT_IMAGE .imagehash
diff --git a/files/image_config/secureboot/whitelist_paths.conf b/files/image_config/secureboot/allowlist_paths.conf
similarity index 100%
rename from files/image_config/secureboot/whitelist_paths.conf
rename to files/image_config/secureboot/allowlist_paths.conf
diff --git a/files/image_config/secureboot/whitelist_paths.md b/files/image_config/secureboot/allowlist_paths.md
similarity index 57%
rename from files/image_config/secureboot/whitelist_paths.md
rename to files/image_config/secureboot/allowlist_paths.md
index b4cd74adce44..7ce86b9bc90c 100644
--- a/files/image_config/secureboot/whitelist_paths.md
+++ b/files/image_config/secureboot/allowlist_paths.md
@@ -1,11 +1,11 @@
 # Configuration Guide
 It is the patterns of the relative paths in /host/image-{{hash}}/rw folder.
 The patterns will not be used if the Sonic Secure Boot feature is not enabled.
-The files that are not in the whitelist will be removed when the Sonic System cold reboot.
+The files that are not in the allowlist will be removed when the Sonic System cold reboot.
-### Example to whitelist all the files in a folder
+### Example config to add all the files in a folder to allowlist
 home/.*
-### Example to whitelist a file
+### Example config to add a file to allowlist
 etc/nsswitch.conf
From c8f7fde043ddb26bd3f0fe6736c3372b7a15bf11 Mon Sep 17 00:00:00 2001
From: xumia
Date: Sat, 13 Jun 2020 00:08:20 +0000
Subject: [PATCH 9/9] Change some unnecessary words
---
 files/initramfs-tools/union-mount.j2 | 25 ++++++++++++------------
 1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/files/initramfs-tools/union-mount.j2 b/files/initramfs-tools/union-mount.j2
index 66f8ceefda93..8c8bb926444d 100644
--- a/files/initramfs-tools/union-mount.j2
+++ b/files/initramfs-tools/union-mount.j2
@@ -39,40 +39,39 @@ set_tmpfs_log_partition_size()
 [ $maxsize -le $varlogsize ] && varlogsize=$maxsize
 }
-remove_not_whitelist_files()
+remove_not_in_allowlist_files()
 {
 image_dir=$1
- whitelist_file=${rootmnt}/host/$image_dir/whitelist_paths.conf
+ allowlist_file=${rootmnt}/host/$image_dir/allowlist_paths.conf
 # Return if the secure_boot_enable option is not set
 if ! (cat /proc/cmdline | grep -i -q "secure_boot_enable=[y1]"); then
 return
 fi
- # Return if the whitelist file does not exist
- if ! test -f "${whitelist_file}"; then
- echo "The file ${whitelist_file} is missing, failed to mount rw folder." 1>&2
+ # Return if the allowlist file does not exist
+ if ! test -f "${allowlist_file}"; then
+ echo "The file ${allowlist_file} is missing, failed to mount rw folder." 1>&2
 exit 1
 fi
 rw_dir=${rootmnt}/host/$image_dir/rw
 # Set the grep pattern file, remove the blank line in config file
- whitelist_pattern_file=${rootmnt}/host/$image_dir/whitelist_paths.pattern
- awk -v rw_dir="$rw_dir" 'NF {print rw_dir"/"$0"$"}' ${whitelist_file} > $whitelist_pattern_file
+ allowlist_pattern_file=${rootmnt}/host/$image_dir/allowlist_paths.pattern
+ awk -v rw_dir="$rw_dir" 'NF {print rw_dir"/"$0"$"}' ${allowlist_file} > $allowlist_pattern_file
- # Find the files in the rw folder, and remove the files not in the whitelist
- find ${rw_dir} -type f | grep -v -f $whitelist_pattern_file | xargs /bin/rm -f
- rm -f $whitelist_pattern_file
+ # Find the files in the rw folder, and remove the files not in the allowlist
+ find ${rw_dir} -type f | grep -v -f $allowlist_pattern_file | xargs /bin/rm -f
+ rm -f $allowlist_pattern_file
 }
 ## Mount the overlay file system: rw layer over squashfs
 image_dir=$(cat /proc/cmdline | sed -e 's/.*loop=\(\S*\)\/.*/\1/')
 mkdir -p ${rootmnt}/host/$image_dir/rw
 mkdir -p ${rootmnt}/host/$image_dir/work
-## Remove the files not in whitelist in the rw folder
-remove_not_whitelist_files "$image_dir"
-
+## Remove the files not in allowlist in the rw folder
+remove_not_in_allowlist_files "$image_dir"
 ## Remove the executable permission for all the files in rw folder except home folder
 rw_dir=${rootmnt}/host/$image_dir/rw
 find ${rw_dir} -type f -not -path ${rw_dir}/home -exec chmod a-x {} +
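Review bot: The allowlist and the temporary pattern file both live under `${rootmnt}/host/$image_dir/`, the same writable partition whose `rw` subtree is being pruned, so the policy that decides what survives a reboot is itself a runtime-writable file; the allowlist is shipped inside the Aboot image, but nothing in this script verifies it, so its protection rests on whatever integrity the secure-boot chain gives `/host`. A comment recording that assumption would help, and `allowlist_paths.pattern` is better written to a tmpfs location (e.g. under `/run`, if mounted at this point) than to that partition, since `>` follows a pre-existing symlink at that name. Apart from the rename, this hunk keeps the unanchored `grep -v -f` patterns and the newline-delimited `xargs /bin/rm -f` pipeline raised on the earlier union-mount hunks. The hunk ends at the last line of SOURCE, so anything after the `find ... chmod a-x` line is not visible.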