author: Enrico Scholz <enrico.scholz@sigma-chemnitz.de> 2017-07-24 13:14:02 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-07-25 15:59:12 +0100
commit: babc9c4d0dc1c2da1bf7758f12caeceee99f0218 (patch)
tree: 3d7759eae895538b0b8913ad5b34131fd50e8212 /meta
parent: 232e3b3a8a33ecde8c0b21591d5d83a1210e945a (diff)
externalsrc: place copy of git index into /tmp and do not use copyfile2

Using shutil.copy2() to copy .git/index to a temporary file tries to copy SELinux attributes which might fail for confined users in SELinux environments.

E.g. our builders are running in docker containers and modification of sources (including updates of .git/index) is done outside. Trying to copy .git/index fails with

 | $ python3 -c 'import shutil; shutil.copy2("index", "a")'
 | ...
 | PermissionError: [Errno 13] Permission denied: 'a'

and an AVC like

 | denied { relabelto } for pid=18043 comm="python3" name="a" dev="dm-29" ino=1067553 scontext=system_u:system_r:container_t:s0:c39,c558 tcontext=unconfined_u:object_r:build_file_t:s0 tclass=file permissive=0

is created. This cannot be solved by adapting the SELinux policy because this is a very deep constraint violation:

 | constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-) or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
 |
 | Possible cause is the source user (system_u) and target user (unconfined_u) are different.

I do not see much sense in using 'shutil.copy2()' here; 'shutil.copyfile()' seems to be a better choice (target file is created in a secure way by tempfile.NamedTemporaryFile()).

By placing the tempfile into /tmp we avoid potential problems related to git's 'core.sharedRepository'.

As a (positive) side effect, the source tree will not be modified anymore (at least by this part of code) which prevented mounting it read-only from somewhere else.

(From OE-Core rev: 3c3c8ecc61dfed68987750d79b5482ab2f6fa02f)

Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

Diffstat (limited to 'meta')
-rw-r--r-- meta/classes/externalsrc.bbclass 4
1 files changed, 2 insertions, 2 deletions
diff --git a/meta/classes/externalsrc.bbclass b/meta/classes/externalsrc.bbclass
index 529be49a2b..9aabb426d9 100644
--- a/meta/classes/externalsrc.bbclass
+++ b/meta/classes/externalsrc.bbclass
@@ -189,9 +189,9 @@ def srctree_hash_files(d, srcdir=None):
189 189
190 ret = " " 190 ret = " "
191 if os.path.exists(git_dir): 191 if os.path.exists(git_dir):
192 with tempfile.NamedTemporaryFile(dir=git_dir, prefix='oe-devtool-index') as tmp_index: 192 with tempfile.NamedTemporaryFile(prefix='oe-devtool-index') as tmp_index:
193 # Clone index 193 # Clone index
194 shutil.copy2(os.path.join(git_dir, 'index'), tmp_index.name) 194 shutil.copyfile(os.path.join(git_dir, 'index'), tmp_index.name)
195 # Update our custom index 195 # Update our custom index
196 env = os.environ.copy() 196 env = os.environ.copy()
197 env['GIT_INDEX_FILE'] = tmp_index.name 197 env['GIT_INDEX_FILE'] = tmp_index.name
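
Review bot: the `# Clone index` comment above the new `shutil.copyfile(...)` call (line 194) does not say why metadata is deliberately not copied, so a later cleanup could switch it back to `copy2()` and bring back the relabelto denial quoted in the commit message; extend the comment to state that only file contents are wanted because copying security attributes fails for confined users. Second, `tempfile.NamedTemporaryFile(prefix='oe-devtool-index')` on line 192 no longer passes `dir=`, so the file goes to Python's default temporary directory, which follows TMPDIR and is only /tmp when nothing overrides it; the subject line says /tmp, so either say "default temporary directory" in the message or note the dependency in the comment. The rest of the hunk still hands `tmp_index.name` to git through `GIT_INDEX_FILE`, so the chosen directory must be writable and visible to the git child process in the build environment.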