ostree-ext/store: Label layers of plain OCI images using booted policy

When importing layers from a plain OCI image (i.e. without `/ostree`),
right now we don't do any initial labeling. So all the real labeling
happens during the merge commit. This causes a lot of file duplication.

We'll fix that more categorically in a later patch, but as a first pass
let's at least do the initial import with _an_ SELinux policy; a natural
choice is to use the one from the booted deployment. In the common case
where we're upgrading, the policies are likely similar enough and so
this significantly reduces file duplication in the first place.

(There's also the case at install time where we're not yet in a booted
commit but may have an SELinux policy lying around; I didn't bother
trying to support that because it seems fine to be a bit less efficient
there for simpler code.)

See also #1637.

Signed-off-by: Jonathan Lebon <jonathan@jlebon.com>

Author: jlebon

crates/lib/src/cli.rs

@@ -1100,7 +1100,8 @@ async fn upgrade(
 
     if opts.check {
         let imgref = imgref.clone().into();
-        let mut imp = crate::deploy::new_importer(repo, &imgref).await?;
+        let mut imp =
+            crate::deploy::new_importer(repo, &imgref, Some(&booted_ostree.deployment)).await?;
         match imp.prepare().await? {
             PrepareResult::AlreadyPresent(_) => {
                 println!("No changes in: {imgref:#}");
@@ -1125,10 +1126,26 @@ async fn upgrade(
         let use_unified = crate::deploy::image_exists_in_unified_storage(storage, imgref).await?;
 
         let fetched = if use_unified {
-            crate::deploy::pull_unified(repo, imgref, None, opts.quiet, prog.clone(), storage)
-                .await?
+            crate::deploy::pull_unified(
+                repo,
+                imgref,
+                None,
+                opts.quiet,
+                prog.clone(),
+                storage,
+                Some(&booted_ostree.deployment),
+            )
+            .await?
         } else {
-            crate::deploy::pull(repo, imgref, None, opts.quiet, prog.clone()).await?
+            crate::deploy::pull(
+                repo,
+                imgref,
+                None,
+                opts.quiet,
+                prog.clone(),
+                Some(&booted_ostree.deployment),
+            )
+            .await?
         };
         let staged_digest = staged_image.map(|s| s.digest().expect("valid digest in status"));
         let fetched_digest = &fetched.manifest_digest;
@@ -1289,9 +1306,26 @@ async fn switch_ostree(
     };
 
     let fetched = if use_unified {
-        crate::deploy::pull_unified(repo, &target, None, opts.quiet, prog.clone(), storage).await?
+        crate::deploy::pull_unified(
+            repo,
+            &target,
+            None,
+            opts.quiet,
+            prog.clone(),
+            storage,
+            Some(&booted_ostree.deployment),
+        )
+        .await?
     } else {
-        crate::deploy::pull(repo, &target, None, opts.quiet, prog.clone()).await?
+        crate::deploy::pull(
+            repo,
+            &target,
+            None,
+            opts.quiet,
+            prog.clone(),
+            Some(&booted_ostree.deployment),
+        )
+        .await?
     };
 
     if !opts.retain {
@@ -1428,7 +1462,15 @@ async fn edit_ostree(
         return crate::deploy::rollback(storage).await;
     }
 
-    let fetched = crate::deploy::pull(repo, new_spec.image, None, opts.quiet, prog.clone()).await?;
+    let fetched = crate::deploy::pull(
+        repo,
+        new_spec.image,
+        None,
+        opts.quiet,
+        prog.clone(),
+        Some(&booted_ostree.deployment),
+    )
+    .await?;
 
     // TODO gc old layers here
 

crates/lib/src/deploy.rs

@@ -98,12 +98,16 @@ impl ImageState {
 pub(crate) async fn new_importer(
     repo: &ostree::Repo,
     imgref: &ostree_container::OstreeImageReference,
+    booted_deployment: Option<&ostree::Deployment>,
 ) -> Result<ostree_container::store::ImageImporter> {
     let config = new_proxy_config();
     let mut imp = ostree_container::store::ImageImporter::new(repo, imgref, config).await?;
     imp.require_bootable();
     // We do our own GC/prune in deploy::prune(), so skip the importer's internal one.
     imp.disable_gc();
+    if let Some(deployment) = booted_deployment {
+        imp.set_sepolicy_commit(deployment.csum().to_string());
+    }
     Ok(imp)
 }
 
@@ -112,11 +116,15 @@ pub(crate) async fn new_importer_with_config(
     repo: &ostree::Repo,
     imgref: &ostree_container::OstreeImageReference,
     config: ostree_ext::containers_image_proxy::ImageProxyConfig,
+    booted_deployment: Option<&ostree::Deployment>,
 ) -> Result<ostree_container::store::ImageImporter> {
     let mut imp = ostree_container::store::ImageImporter::new(repo, imgref, config).await?;
     imp.require_bootable();
     // We do our own GC/prune in deploy::prune(), so skip the importer's internal one.
     imp.disable_gc();
+    if let Some(deployment) = booted_deployment {
+        imp.set_sepolicy_commit(deployment.csum().to_string());
+    }
     Ok(imp)
 }
 
@@ -459,11 +467,12 @@ pub(crate) async fn prepare_for_pull(
     repo: &ostree::Repo,
     imgref: &ImageReference,
     target_imgref: Option<&OstreeImageReference>,
+    booted_deployment: Option<&ostree::Deployment>,
 ) -> Result<PreparedPullResult> {
     let imgref_canonicalized = imgref.clone().canonicalize()?;
     tracing::debug!("Canonicalized image reference: {imgref_canonicalized:#}");
     let ostree_imgref = &OstreeImageReference::from(imgref_canonicalized);
-    let mut imp = new_importer(repo, ostree_imgref).await?;
+    let mut imp = new_importer(repo, ostree_imgref, booted_deployment).await?;
     if let Some(target) = target_imgref {
         imp.set_target(target);
     }
@@ -517,6 +526,7 @@ pub(crate) async fn prepare_for_pull_unified(
     imgref: &ImageReference,
     target_imgref: Option<&OstreeImageReference>,
     store: &Storage,
+    booted_deployment: Option<&ostree::Deployment>,
 ) -> Result<PreparedPullResult> {
     // Get or initialize the bootc container storage (same as used for LBIs)
     let imgstore = store.get_ensure_imgstore()?;
@@ -562,7 +572,7 @@ pub(crate) async fn prepare_for_pull_unified(
     config.skopeo_cmd = Some(cmd);
 
     // Use the preparation flow with the custom config
-    let mut imp = new_importer_with_config(repo, &ostree_imgref, config).await?;
+    let mut imp = new_importer_with_config(repo, &ostree_imgref, config, booted_deployment).await?;
     if let Some(target) = target_imgref {
         imp.set_target(target);
     }
@@ -613,8 +623,9 @@ pub(crate) async fn pull_unified(
     quiet: bool,
     prog: ProgressWriter,
     store: &Storage,
+    booted_deployment: Option<&ostree::Deployment>,
 ) -> Result<Box<ImageState>> {
-    match prepare_for_pull_unified(repo, imgref, target_imgref, store).await? {
+    match prepare_for_pull_unified(repo, imgref, target_imgref, store, booted_deployment).await? {
         PreparedPullResult::AlreadyPresent(existing) => {
             // Log that the image was already present (Debug level since it's not actionable)
             const IMAGE_ALREADY_PRESENT_ID: &str = "5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9";
@@ -726,8 +737,9 @@ pub(crate) async fn pull(
     target_imgref: Option<&OstreeImageReference>,
     quiet: bool,
     prog: ProgressWriter,
+    booted_deployment: Option<&ostree::Deployment>,
 ) -> Result<Box<ImageState>> {
-    match prepare_for_pull(repo, imgref, target_imgref).await? {
+    match prepare_for_pull(repo, imgref, target_imgref, booted_deployment).await? {
         PreparedPullResult::AlreadyPresent(existing) => {
             // Log that the image was already present (Debug level since it's not actionable)
             const IMAGE_ALREADY_PRESENT_ID: &str = "5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9";

crates/lib/src/install.rs

@@ -1074,10 +1074,11 @@ async fn install_container(
             &spec_imgref,
             Some(&state.target_imgref),
             storage,
+            None,
         )
         .await?
     } else {
-        prepare_for_pull(repo, &spec_imgref, Some(&state.target_imgref)).await?
+        prepare_for_pull(repo, &spec_imgref, Some(&state.target_imgref), None).await?
     };
 
     let pulled_image = match prepared {
@@ -2764,6 +2765,7 @@ pub(crate) async fn install_reset(opts: InstallResetOpts) -> Result<()> {
             None,
             opts.quiet,
             prog.clone(),
+            None,
         )
         .await?;
         (fetched, new_spec)

crates/ostree-ext/src/container/store.rs

@@ -301,6 +301,8 @@ pub struct ImageImporter {
     target_imgref: Option<OstreeImageReference>,
     no_imgref: bool,  // If true, do not write final image ref
     disable_gc: bool, // If true, don't prune unused image layers
+    /// Optional commit to use as SELinux policy source for non-ostree container layers.
+    sepolicy_commit: Option<String>,
     /// If true, require the image has the bootable flag
     require_bootable: bool,
     /// Do not attempt to contact the network
@@ -653,6 +655,7 @@ impl ImageImporter {
             no_imgref: false,
             ostree_v2024_3: ostree::check_version(2024, 3),
             disable_gc: false,
+            sepolicy_commit: None,
             require_bootable: false,
             offline: false,
             imgref: imgref.clone(),
@@ -694,6 +697,13 @@ impl ImageImporter {
         self.disable_gc = true;
     }
 
+    /// Set the commit to use as SELinux policy source when importing
+    /// non-ostree container layers. Has no effect on ostree-native
+    /// containers (which have their own base commit).
+    pub fn set_sepolicy_commit(&mut self, commit: String) {
+        self.sepolicy_commit = Some(commit);
+    }
+
     /// Determine if there is a new manifest, and if so return its digest.
     /// This will also serialize the new manifest and configuration into
     /// metadata associated with the image, so that invocations of `[query_cached]`
@@ -1373,10 +1383,11 @@ impl ImageImporter {
                     self.imgref.imgref.transport,
                 )
                 .await?;
-                // An important aspect of this is that we SELinux label the derived layers using
-                // the base policy.
+                // SELinux label derived layers using the base policy.  For non-ostree
+                // containers (base_commit is None), fall back to the caller-provided
+                // sepolicy_commit (typically the booted deployment's commit).
                 let opts = crate::tar::WriteTarOptions {
-                    base: base_commit.clone(),
+                    base: base_commit.clone().or(self.sepolicy_commit.clone()),
                     selinux: true,
                     allow_nonusr: root_is_transient,
                     retain_var: self.ostree_v2024_3,