From 9054d4273e0ce9d9316a4a598f7d6f94fc937a54 Mon Sep 17 00:00:00 2001 From: gursewak1997 Date: Fri, 10 Jul 2026 16:06:55 -0700 Subject: [PATCH] ostree-ext: Remove privilege dropping for container pulls The setpriv-based isolation was fragile (systemd-only), never ported to composefs-rs, and will be obsolete with the podman pull migration. Signed-off-by: gursewak1997 --- crates/ostree-ext/src/container/mod.rs | 28 ++------------- crates/ostree-ext/src/isolation.rs | 47 -------------------------- crates/ostree-ext/src/lib.rs | 2 -- 3 files changed, 2 insertions(+), 75 deletions(-) delete mode 100644 crates/ostree-ext/src/isolation.rs diff --git a/crates/ostree-ext/src/container/mod.rs b/crates/ostree-ext/src/container/mod.rs index e73361852..d3f93b5ed 100644 --- a/crates/ostree-ext/src/container/mod.rs +++ b/crates/ostree-ext/src/container/mod.rs @@ -428,23 +428,17 @@ impl ManifestDiff<'_> { /// Apply default configuration for container image pulls to an existing configuration. /// For example, if `authfile` is not set, and `auth_anonymous` is `false`, and a global configuration file exists, it will be used. -/// -/// If there is no configured explicit subprocess for skopeo, and the process is running -/// as root, then a default isolation of running the process via `nobody` will be applied. pub fn merge_default_container_proxy_opts( config: &mut containers_image_proxy::ImageProxyConfig, ) -> Result<()> { - let user = rustix::process::getuid() - .is_root() - .then_some(isolation::DEFAULT_UNPRIVILEGED_USER); - merge_default_container_proxy_opts_with_isolation(config, user) + merge_default_container_proxy_opts_with_isolation(config, None) } /// Apply default configuration for container image pulls, with optional support /// for isolation as an unprivileged user. pub fn merge_default_container_proxy_opts_with_isolation( config: &mut containers_image_proxy::ImageProxyConfig, - isolation_user: Option<&str>, + _isolation_user: Option<&str>, ) -> Result<()> { let auth_specified = config.auth_anonymous || config.authfile.is_some() || config.auth_data.is_some(); @@ -458,22 +452,6 @@ pub fn merge_default_container_proxy_opts_with_isolation( config.auth_anonymous = true; } } - // By default, drop privileges, unless the higher level code - // has configured the skopeo command explicitly. - let isolation_user = config - .skopeo_cmd - .is_none() - .then_some(isolation_user.as_ref()) - .flatten(); - if let Some(user) = isolation_user { - // Read the default authfile if it exists and pass it via file descriptor - // which will ensure it's readable when we drop privileges. - if let Some(authfile) = config.authfile.take() { - config.auth_data = Some(std::fs::File::open(authfile)?); - } - let cmd = crate::isolation::unprivileged_subprocess(bootc_utils::skopeo_bin(), user); - config.skopeo_cmd = Some(cmd); - } Ok(()) } @@ -520,8 +498,6 @@ pub mod store; mod update_detachedmeta; pub use update_detachedmeta::*; -use crate::isolation; - #[cfg(test)] mod tests { use std::process::Command; diff --git a/crates/ostree-ext/src/isolation.rs b/crates/ostree-ext/src/isolation.rs deleted file mode 100644 index d96cbfedd..000000000 --- a/crates/ostree-ext/src/isolation.rs +++ /dev/null @@ -1,47 +0,0 @@ -use std::process::Command; -use std::sync::OnceLock; - -pub(crate) const DEFAULT_UNPRIVILEGED_USER: &str = "nobody"; - -/// Checks if the current process is (apparently at least) -/// running under systemd. We use this in various places -/// to e.g. log to the journal instead of printing to stdout. -pub(crate) fn running_in_systemd() -> bool { - static RUNNING_IN_SYSTEMD: OnceLock = OnceLock::new(); - *RUNNING_IN_SYSTEMD.get_or_init(|| { - // See https://www.freedesktop.org/software/systemd/man/systemd.exec.html#%24INVOCATION_ID - std::env::var_os("INVOCATION_ID") - .filter(|s| !s.is_empty()) - .is_some() - }) -} - -/// Return a prepared subprocess configuration that will run as an unprivileged user if possible. -/// -/// This currently only drops privileges when run under systemd with DynamicUser. -pub(crate) fn unprivileged_subprocess(binary: &str, user: &str) -> Command { - // TODO: if we detect we're running in a container as uid 0, perhaps at least switch to the - // "bin" user if we can? - if !running_in_systemd() { - return Command::new(binary); - } - let mut cmd = Command::new("setpriv"); - // Clear some strategic environment variables that may cause the containers/image stack - // to look in the wrong places for things. - cmd.env_remove("HOME"); - cmd.env_remove("XDG_DATA_DIR"); - cmd.env_remove("USER"); - cmd.args([ - "--no-new-privs", - "--init-groups", - "--reuid", - user, - "--bounding-set", - "-all", - "--pdeathsig", - "TERM", - "--", - binary, - ]); - cmd -} diff --git a/crates/ostree-ext/src/lib.rs b/crates/ostree-ext/src/lib.rs index 1dd2a7f3f..1a30554e2 100644 --- a/crates/ostree-ext/src/lib.rs +++ b/crates/ostree-ext/src/lib.rs @@ -40,8 +40,6 @@ type Result = anyhow::Result; // Import global functions. pub mod globals; -mod isolation; - pub mod bootabletree; pub mod cli; pub mod container;