fix(deps): update rust crate fuser to 0.16.0 [security]#58
Closed
bootc-bot[bot] wants to merge 481 commits into main from
Conversation
Signed-off-by: Allison Karlitskaya <allison.karlitskaya@redhat.com>
We'll want to use this for non-UKI cases soon, as well. Signed-off-by: Allison Karlitskaya <allison.karlitskaya@redhat.com>
Fix a longstanding TODO in composefs-setup-root for properly dealing with quoting in cmdline arguments by adding a helper function in a separate file (we'll use that elsewhere soon, as well). Also: start using String a bit more. I think I've been avoiding it as inefficient but now that I understand more about how it works (particularly how the length and indices are in byte offsets, not character offsets), I have a lot less reason to avoid it. Signed-off-by: Allison Karlitskaya <allison.karlitskaya@redhat.com>
We're going to want to use this soon in order to verify the correctness of the composefs= cmdline parameter when installing images. Signed-off-by: Allison Karlitskaya <allison.karlitskaya@redhat.com>
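The two commits above describe a cmdline-quoting helper and a later check of the `composefs=` parameter. The block below is an added example, not composefs-rs code: `parse_cmdline` follows the quoting rules of the kernel's `next_arg()` in `lib/cmdline.c`, and `composefs_digest` validates the value as a hex fs-verity digest, reporting the algorithm name with expected versus actual length on mismatch. The digest length convention (32 bytes for sha256, 64 for sha512) and the "last occurrence wins" rule are assumptions, not taken from the page.

```rust
// Added example (not composefs-rs code). parse_cmdline follows the quoting
// rules of the kernel's next_arg() in lib/cmdline.c: whitespace separates
// arguments unless it is inside double quotes, and quotes may wrap a whole
// argument ("a=b c") or just the value (a="b c"); the quotes are stripped.
// Assumption (not from the page): the composefs= value is a hex fs-verity
// digest, 32 bytes for sha256 or 64 for sha512, and the last occurrence wins.

/// One `key` or `key=value` argument with its quotes removed.
#[derive(Debug, PartialEq, Eq)]
pub struct Arg { pub key: String, pub value: Option<String> }

/// Split one argument off the front of `s`; returns it and the remainder.
fn next_arg(s: &str) -> (Arg, &str) {
    let b = s.as_bytes();
    let quoted = b.first() == Some(&b'"');
    let start = usize::from(quoted);
    let (mut i, mut in_quote, mut equals) = (start, quoted, None);
    while i < b.len() {
        let c = b[i];
        if c.is_ascii_whitespace() && !in_quote { break; }
        // The first '=' splits key from value, as in the kernel.
        if c == b'=' && equals.is_none() { equals = Some(i); }
        if c == b'"' { in_quote = !in_quote; }
        i += 1;
    }
    // Drop the closing quote of a fully quoted argument.
    let end = if quoted && i > start && b[i - 1] == b'"' { i - 1 } else { i };
    let (key, value) = match equals {
        Some(eq) => {
            let v = &s[eq + 1..end];
            // A quoted value keeps everything between the quotes.
            let v = v.strip_prefix('"').map_or(v, |v| v.strip_suffix('"').unwrap_or(v));
            (&s[start..eq], Some(v.to_string()))
        }
        None => (&s[start..end], None),
    };
    (Arg { key: key.to_string(), value }, &s[i..])
}

/// Parse a whole kernel command line; empty keys (a lone `"`) are skipped.
pub fn parse_cmdline(cmdline: &str) -> Vec<Arg> {
    let ws = |c: char| c.is_ascii_whitespace();
    let mut args = Vec::new();
    let mut rest = cmdline.trim_start_matches(ws);
    while !rest.is_empty() {
        let (arg, tail) = next_arg(rest);
        if !arg.key.is_empty() {
            args.push(arg);
        }
        rest = tail.trim_start_matches(ws);
    }
    args
}

/// Why a composefs= value was rejected. BadLength names the algorithm and
/// both lengths, so a sha512 digest handed to a sha256 repository is obvious.
#[derive(Debug, PartialEq, Eq)]
pub enum DigestError {
    Missing,
    BadLength { algorithm: &'static str, expected: usize, actual: usize },
    NotHex(char),
}

/// Decode the composefs= value as a `digest_len`-byte hex digest.
pub fn composefs_digest(cmdline: &str, algorithm: &'static str, digest_len: usize)
    -> Result<Vec<u8>, DigestError> {
    let args = parse_cmdline(cmdline);
    let value = args.iter().rev().find(|a| a.key == "composefs")
        .and_then(|a| a.value.as_deref()).ok_or(DigestError::Missing)?;
    let (expected, actual) = (digest_len * 2, value.chars().count());
    if actual != expected {
        return Err(DigestError::BadLength { algorithm, expected, actual });
    }
    if let Some(c) = value.chars().find(|c| !c.is_ascii_hexdigit()) {
        return Err(DigestError::NotHex(c));
    }
    Ok(value.as_bytes().chunks(2)
        .map(|p| u8::from_str_radix(std::str::from_utf8(p).unwrap(), 16).unwrap())
        .collect())
}
```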
Drop the hidden "meta" layer approach where we try to preserve the image without the boot resources and move to a model where we explicitly delete the /boot directory if it exists. This makes creating images a lot cleaner and more natural, shown by the cleanup in the examples. At the same time we also add support for finding resources from the locations that they're present in bootc images: /usr/lib/modules in versioned subdirectories with vmlinuz and initramfs.img. Add some example "simple" writer code that can write the boot resources to a given directory. We deal with the /usr/lib/modules cases by converting them into Type #1 boot entries and writing them as such. Other consumers of this API might want to do other things, such as producing grub entries, etc. Overhaul the cfsctl oci prepare-boot command to use the new stuff. Fixes #35 Fixes #21 Signed-off-by: Allison Karlitskaya <allison.karlitskaya@redhat.com>
Move the printing of SHA256 and verity from the library to cfsctl binary. Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
This is like https://docs.rs/cap-std-ext/latest/cap_std_ext/dirext/trait.CapStdExtDirExt.html#tymethod.open_dir_optional etc. The rationale here is that it's really common for filesystem operations to want to handle "not found" and that maps most cleanly to `Option`. We only have one use right now but there could easily be more. Signed-off-by: Colin Walters <walters@verbum.org>
Co-authored-by: Gemini Code Assist (The code didn't compile at first but the changes were minor, some of the unit tests were plausible but didn't actually pass not due to bugs in the code, so I just deleted them) Signed-off-by: Colin Walters <walters@verbum.org>
Instead of parsing ostree's toml config, we will have and parse composefs-rs config located at `/usr/lib/composefs/setup-root-conf.toml` Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
Newer versions of dracut throw thousands of errors when trying to copy files into the initramfs in some container setups, and in some cases of symlinks can fail to include files entirely. This has led to a long-lingering problem that makes it difficult to build images locally (despite them working in CI). Here's the workaround: DRACUT_NO_XATTR=1. Thanks to Dick Marinus for that. See https://discussion.fedoraproject.org/t/146603/3 This lets us finally increase our Fedora version in the examples to 42. Signed-off-by: Allison Karlitskaya <allison.karlitskaya@redhat.com>
Signed-off-by: Allison Karlitskaya <allison.karlitskaya@redhat.com>
Split into a few separate crates:
- libraries:
  - composefs
  - composefs-oci
  - composefs-boot
- binaries:
  - cfsctl
  - composefs-setup-root
  - erofs-debug
Move our lint config (which only forbids missing debug impls) to the
workspace level and have all crates inherit from that.
Add a new workflow for testing that we can `cargo package` everything.
We need a nightly cargo in order to do this with workspaces containing
inter-dependent crates: rust-lang/cargo#13947
Make 'oci' an optional feature of cfsctl, but enable it by default.
Adjust our rawhide bls example (which included --no-default-features) to
*not* disable that.
This is not a huge improvement in terms of compile speed, and it has
some drawbacks (like 'cargo run' no longer defaulting to cfsctl) but it
seems like the right step at this point. I want to start to add some
more experimental code without making it part of the main crate.
Signed-off-by: Allison Karlitskaya <allison.karlitskaya@redhat.com>
Recent changes in the 6.15-rc kernel series have broken composefs-setup-root when running without using the newest features of the mount API (ie: with the pre-6.15 feature left enabled, which is the default). Add a case to the examples for testing that. Once it gets working again it would be useful to make sure it continues to work. Signed-off-by: Allison Karlitskaya <allison.karlitskaya@redhat.com>
We need to add a couple of exceptions in order to make ioctls. Hopefully we can remove those and set this to forbid, but for now it's a pretty strong statement going forward. Signed-off-by: Allison Karlitskaya <allison.karlitskaya@redhat.com>
This is the suggested config from samply. Signed-off-by: Allison Karlitskaya <allison.karlitskaya@redhat.com>
Copy the config from bootc. This results in an impressive (> 50%) amount of savings. Signed-off-by: Allison Karlitskaya <allison.karlitskaya@redhat.com>
Signed-off-by: Allison Karlitskaya <allison.karlitskaya@redhat.com>
Signed-off-by: Allison Karlitskaya <allison.karlitskaya@redhat.com>
We need these for the (soon to arrive) FUSE backend and for mutating the filesystem tree for flatpak images. Signed-off-by: Allison Karlitskaya <allison.karlitskaya@redhat.com>
This returns the same type of FsVerityHashValue as is used by the Repository that it's passed. Update the signature to reflect that. Fixes #129 Signed-off-by: Allison Karlitskaya <allison.karlitskaya@redhat.com>
This allows us to mount a FUSE filesystem from the in-memory filesystem tree. That's useful because using erofs requires CAP_SYS_ADMIN in the root namespace, which we often won't have. This is not particularly complete. It's a sort of minimal-effort first implementation, but already basically works. It's also not particularly efficient. In particular, it doesn't use splice or passthrough fds. Passthrough fds also currently require root (although the FUSE developers are working on easing that restriction) and although the Rust binding layer for FUSE recently gained passthrough fd support, it hasn't been released yet. Splice support is also missing from the Rust binding layer. Signed-off-by: Allison Karlitskaya <allison.karlitskaya@redhat.com>
Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
Grub needs absolute paths to initrd and vmlinuz if we do not have `/boot` in a boot partition, which we do not in bootc. Add param `boot_subdir` which acts like a subdirectory in the boot directory in case the boot partition is mounted in another directory. Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
Reviving the more sane part of #120. We should provide a clearer error variant here instead of just passing ETXTBSY through to the caller. Signed-off-by: John Eckersberg <jeckersb@redhat.com>
We're leaking fds into the sandbox in flatpak-rs. Let's fix these obvious ones. Signed-off-by: Allison Karlitskaya <allison.karlitskaya@redhat.com>
It turns out that the information contained in splitstreams to assist
with garbage collection (ie: the list of things that we mustn't discard)
is exactly the required information for downloading (ie: the list of
things that we must acquire).
Use this fact to add support for fetching repository content from HTTP
servers. We only download the objects that are actually required, so
incremental pulls are very fast.
This works with just about any HTTP server, so you can do something like
python -m http.server -d ~/.var/lib/composefs
and download from that. With a fast enough web server on localhost,
pulling a complete image into an empty repository takes about as long as
pulling an `oci:` directory via skopeo with `cfsctl oci pull`.
In practice, this is intended to be used with a webserver which supports
static compression and pre-compressed objects stored on the server. In
particular, zstd support is enabled in the `reqwest` crate for this
reason, and it's working with something like:
find repo/objects/ -type f -name '*[0-9a-f]' -exec zstd -19 -v '{}' +
static-web-server -p 8888 --compression-static -d repo
There's also an included s3-uploader.py in the examples/ directory which
will upload a repository to an S3 bucket, with zstd compression.
Signed-off-by: Allison Karlitskaya <allison.karlitskaya@redhat.com>
The fs-verity-enablement patches for mke2fs finally got merged. Use the upstream git repository from install-patched-tools. Disable fuse2fs support because it's currently broken when building on the GitHub runners. See tytso/e2fsprogs#229 . Signed-off-by: Allison Karlitskaya <allison.karlitskaya@redhat.com>
This code pulls images via containers-image-proxy-rs (which is a wrapper around skopeo). It's a bit too large to have it in the top-level lib.rs, and we're about to add an alternate implementation, so split it out. We keep a pull() function in place for compatibility reasons to avoid needing to update all callers: we will start using this function to dispatch to the correct implementation depending on the reference format. Signed-off-by: Allison Karlitskaya <allison.karlitskaya@redhat.com>
We use once_cell because of rust-lang/rust#109737. once_cell has a large number of potential locking backends for `no_std` environments. We were randomly using `critical-section`, which itself requires specifying a backend, which we weren't doing. So far, we've been protected from this by the fact that we also have once_cell as a transient dependency (via tempfile). Fix this to just use `std` so that we get locking via the stdlib. Signed-off-by: Allison Karlitskaya <allison.karlitskaya@redhat.com>
Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
Pulling into a read-only repository previously failed deep inside the tar splitting pipeline with confusing errors like 'invalid octal field' because background object-storage failures (EACCES) weren't propagated; leftover content bytes were misinterpreted as tar headers. Fix the error propagation in stream_large_file() so the real error surfaces, and add a faccessat(W_OK) pre-flight check via a new zero-sized WritableRepo proof token. The token is threaded through SplitStreamWriter and SplitStreamBuilder so that per-object writes skip redundant faccessat calls. Assisted-by: OpenCode (Claude Opus 4) Signed-off-by: Colin Walters <walters@verbum.org>
We didn't have good coverage of this before at the unit testing level. This builds on top of our prior dumpfile based test fixture. Assisted-by: OpenCode (Claude Opus 4) Signed-off-by: Colin Walters <walters@verbum.org>
Signed-off-by: bootc-bot[bot] <225049296+bootc-bot[bot]@users.noreply.github.com>
Refactor the SELinux labeling code to decouple policy loading from the composefs repository. The core change is splitting Policy::build into a generic Policy::build_from that accepts a file-open callback, and factoring the overall flow into build_policy + apply_policy phases. This enables a new selabel_from_dir() entry point that reads SELinux policy files directly from an on-disk filesystem via a directory fd, rather than requiring file objects to be stored in a repository first. Prep for allowing composefs digest computation without allocating tempfiles in the repository (needed on filesystems like fuse-overlayfs that don't support O_TMPFILE). Assisted-by: OpenCode (Claude Opus 4) Signed-off-by: Colin Walters <walters@verbum.org>
Add a BootOps method that applies boot filesystem transformations (emptying /boot and /sysroot, SELinux relabeling) using a directory fd for reading file content instead of a composefs repository. Prep for allowing composefs digest computation without allocating tempfiles in the repository. Assisted-by: OpenCode (Claude Opus 4) Signed-off-by: Colin Walters <walters@verbum.org>
The bare "Invalid string length" from hex::decode_to_slice gave no clue about what went wrong. Include the actual vs expected hex length and the algorithm name so a mismatch (e.g. SHA-512 hash in a SHA-256 repo) is immediately obvious. Also surface the UKI .cmdline contents when write_t2_simple fails. Assisted-by: OpenCode (Claude Opus 4) Signed-off-by: Colin Walters <walters@verbum.org>
For the `cfsctl oci compute-id` case we were making full copies of the objects in a temporary repository - a completely unnecessary performance hit. Further that path expects `O_TMPFILE` which isn't supported everywhere. (In theory we should support non-O_TMPFILE filesystems too) Fixes: bootc-dev/bootc#1977 Assisted-by: OpenCode (Claude Opus 4) Signed-off-by: Colin Walters <walters@verbum.org>
Add the ability to convert a FileSystem<T> to FileSystem<U> by mapping the regular file content type. This preserves Rc hardlink sharing: the mapping function is called exactly once per unique leaf, and all references to the same leaf produce references to the same mapped leaf. Prep for the async filesystem import, which scans the directory tree into a FileSystem<PendingFile> and then converts to the final FileSystem<RegularFile<ObjectID>> after parallel verity computation. Assisted-by: OpenCode (Claude Opus 4) Signed-off-by: Colin Walters <walters@verbum.org>
Previously, we had a lot of synchronous code for interacting with the local filesystem, but the tar processing used by OCI was async. This created a need to do "the same thing" in two different ways. But importing from a local filesystem is equally amenable to being async! Replacing that with a model where we read the filesystem metadata synchronously, but defer fsverity computation and object import to worker threads results in *dramatic* speedup for large filesystem trees. Computing the composefs digest of the 40G `target/` directory I have locally is 1m20s before this patch, and 8s after (32 cores, so a lot more CPU time used of course).
Three optimized paths depending on context:
- Secure repo: std::io::copy (uses copy_file_range for reflinks on CoW filesystems) then kernel fsverity enable + measure
- Insecure repo: tee through FsVerityHasher while copying to tmpfile, computing the digest in a single pass
- No repo: incremental FsVerityHasher from fd, one block at a time
Also: the composefs-http ensure_object call is migrated to ensure_object_async which it should have been using in the first place! This is a clear advantage of having one way to do it. Assisted-by: OpenCode (Claude Opus 4) Signed-off-by: Colin Walters <walters@verbum.org>
In trying to update to the newer fuse crate, it wants to do multithreaded stuff, and that just breaks with the `Rc` inside `FileSystem`. Similarly - I recently changed our local filesystem scanning to be async, and the `Rc` usage made it less ergonomic.
There are 3 cases we care about:
- Borrowed, immutable in memory tree (no interior mut needed!)
- Owned &mut version
- Merging/flattening two trees
I think it's just more natural for us to represent the filesystem with a set of inodes, plus the recursive tree pointing to those. Assisted-by: OpenCode (Claude Opus 4) Signed-off-by: Colin Walters <walters@verbum.org>
…tput The fuzzer found a crash where a malformed EROFS image had duplicate directory entry names. When two entries share a name, BTreeMap::insert silently replaces the first, leaving its leaf orphaned (unreferenced). This tripped a debug_assert in erofs_to_filesystem. Ensure we catch this problem cleanly in our EROFS parser. Assisted-by: OpenCode (Claude Opus 4) Signed-off-by: Colin Walters <walters@verbum.org>
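The commit above describes the failure mode: `BTreeMap::insert` silently replaces an entry with a repeated name, orphaning its leaf. The block below is an added example, not composefs-rs code: a defensive parser for one EROFS directory block that bounds-checks every name offset and turns a duplicate name into an error via the `entry` API. The on-disk layout is taken from the kernel's `erofs_fs.h`; `build_dir_block` constructs test input and is not a real image.

```rust
// Added example, not composefs-rs code: a defensive parser for one EROFS
// directory block. Layout (kernel erofs_fs.h): the block starts with 12-byte
// little-endian dirents { nid: u64, nameoff: u16, file_type: u8, reserved: u8 };
// names are packed after them and the dirent count is nameoff[0] / 12. Entry
// i's name runs from nameoff[i] to nameoff[i+1]; the last name runs to the
// first NUL of the zero padding or to the block end.
use std::collections::btree_map::{BTreeMap, Entry};

const DIRENT_SIZE: usize = 12;

#[derive(Debug, PartialEq, Eq)]
pub struct Dirent { pub nid: u64, pub file_type: u8 }

#[derive(Debug, PartialEq, Eq)]
pub enum DirError {
    EmptyBlock,
    BadNameOffset { index: usize, nameoff: usize },
    BadNameSpan { index: usize, start: usize, end: usize },
    DuplicateName(Vec<u8>),
}

fn nameoff_at(block: &[u8], i: usize) -> Option<usize> {
    let off = i * DIRENT_SIZE + 8;
    block.get(off..off + 2).map(|b| u16::from_le_bytes([b[0], b[1]]) as usize)
}

/// Parse a directory block into name -> dirent, rejecting malformed input.
pub fn parse_dir_block(block: &[u8]) -> Result<BTreeMap<Vec<u8>, Dirent>, DirError> {
    let names_start = nameoff_at(block, 0).ok_or(DirError::EmptyBlock)?;
    if names_start == 0 || names_start % DIRENT_SIZE != 0 || names_start > block.len() {
        return Err(DirError::BadNameOffset { index: 0, nameoff: names_start });
    }
    let count = names_start / DIRENT_SIZE;
    let mut entries = BTreeMap::new();
    for i in 0..count {
        // All dirent headers lie inside the first names_start bytes, so these
        // reads cannot fail; the offsets they carry still have to be checked.
        let base = i * DIRENT_SIZE;
        let nid = u64::from_le_bytes(block[base..base + 8].try_into().unwrap());
        let file_type = block[base + 10];
        let start = nameoff_at(block, i).unwrap();
        if start < names_start || start >= block.len() {
            return Err(DirError::BadNameOffset { index: i, nameoff: start });
        }
        let end = if i + 1 < count {
            nameoff_at(block, i + 1).unwrap()
        } else {
            block[start..].iter().position(|&b| b == 0).map_or(block.len(), |n| start + n)
        };
        if end > block.len() || end <= start {
            return Err(DirError::BadNameSpan { index: i, start, end });
        }
        // BTreeMap::insert would silently replace an earlier entry with the
        // same name and orphan its inode; the entry API makes that an error.
        match entries.entry(block[start..end].to_vec()) {
            Entry::Vacant(slot) => {
                slot.insert(Dirent { nid, file_type });
            }
            Entry::Occupied(slot) => return Err(DirError::DuplicateName(slot.key().clone())),
        }
    }
    Ok(entries)
}

/// Build a block in the layout above (constructed test input, not a real image).
pub fn build_dir_block(entries: &[(u64, u8, &str)]) -> Vec<u8> {
    let names_start = entries.len() * DIRENT_SIZE;
    let (mut dirents, mut names) = (Vec::new(), Vec::new());
    for &(nid, file_type, name) in entries {
        let nameoff = (names_start + names.len()) as u16;
        dirents.extend_from_slice(&nid.to_le_bytes());
        dirents.extend_from_slice(&nameoff.to_le_bytes());
        dirents.extend_from_slice(&[file_type, 0]);
        names.extend_from_slice(name.as_bytes());
    }
    dirents.extend(names);
    dirents.push(0); // zero padding terminates the last name
    dirents
}
```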
We need c++ for libfuzzer-sys@0.4.12 Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
While some of our tests pull large full images, it's handy to have a fully reproducible self-contained, but also representative image. Extend our synthetic one with some large files - this is prep for testing the reflink/hardlink support for containers-storage imports. Add a security. xattr etc. Assisted-by: OpenCode (Claude Opus 4) Signed-off-by: Colin Walters <walters@verbum.org>
Remove unused Mode and mkdirat imports from splitstream test module, left behind by the edition 2024 migration. Assisted-by: OpenCode (Claude Opus 4) Signed-off-by: Colin Walters <walters@verbum.org>
Three improvements to the bootc revdep testing workflow:
- Reject uncommitted changes in composefs-rs so tests always run against a real commit
- Embed the composefs-rs commit hash in a Cargo.toml comment so podman's build cache is invalidated when the source changes (path deps don't record a revision in Cargo.lock)
- Always re-run cargo update cfsctl on each invocation
Assisted-by: OpenCode (Claude Opus 4) Signed-off-by: Colin Walters <walters@verbum.org>
Add a new cstorage crate that provides read-only access to containers/storage (the backend used by Podman, Buildah, and CRI-O). This enables composefs to directly read OCI layers from local container stores without re-downloading them.
The crate supports:
- Overlay storage driver with layer chain resolution
- Additional image stores (read-only stores)
- Rootless storage via user namespace helpers
- tar-split based layer reconstruction
- JSON-RPC over Unix socket for user namespace operations
- Container store locking (shared/exclusive)
Also adds jsonrpc-fdpass as a workspace dependency for the Unix socket IPC used by the user namespace helper. Assisted-by: OpenCode (Claude Opus 4) Signed-off-by: Colin Walters <walters@verbum.org>
Add ObjectStoreMethod::Reflinked/Hardlinked variants and a new ImportContext that caches per-(src_dev, dst_dev) reflink support across bulk import operations. ensure_object_from_file() tries FICLONE first, falls back to hardlink (linking the source file directly into the objects directory after enabling fs-verity on it), and finally falls back to a regular data copy. This avoids data copying when importing from containers-storage on filesystems that support reflinks (btrfs, XFS) or even on ext4 via hardlinks. Assisted-by: OpenCode (Claude Opus 4) Signed-off-by: Colin Walters <walters@verbum.org>
The two mkdirat calls in try_hardlink_object and link_tmpfile_as_object were discarding all errors with `let _ =`. If mkdirat failed for a reason other than EEXIST (e.g. permission denied, read-only filesystem), the subsequent linkat would fail with a confusing ENOENT. Add an ensure_dir_at helper that propagates all errors except EEXIST, matching the pattern already used in ensure_dir_and_openat. Assisted-by: OpenCode (Claude Opus 4) Signed-off-by: Colin Walters <walters@verbum.org>
Extend ImportStats with reflink/hardlink counters and byte totals, plus layer-level tracking (layers, layers_already_present). The Display impl now shows a detailed breakdown when zero-copy methods were used while preserving the existing compact format for copy-only imports. Add PullOptions struct to the pull() signature, preparing for the containers-storage import path which needs extra knobs (zerocopy mode, explicit storage root, additional image stores). Visibility changes (pub(crate) on helpers, pub on ContentAndVerity) prepare for the cstor module to reuse these internals. Assisted-by: OpenCode (Claude Opus 4) Signed-off-by: Colin Walters <walters@verbum.org>
Add four new integration tests exercising existing cfsctl functionality through the CLI:
- test_oci_tag_and_untag: multi-tag and selective untag workflow
- test_oci_gc_removes_untagged: verifies GC collects untagged images
- test_layer_tar_roundtrip: imports a layer and verifies tar extraction
- test_compute_image_id: deterministic fs-verity image ID computation
Also fix create_oci_layout to include a runtime config (ConfigBuilder) which is required for the seal/compute-id operations. Assisted-by: OpenCode (Claude Opus 4) Signed-off-by: Colin Walters <walters@verbum.org>
Add podman, skopeo, and xfsprogs to test dependencies for the containers-storage integration tests coming next. Disambiguate the integration test binary name in Justfile cargo commands since the integration-tests crate will have multiple binaries (the main test runner and a cleanup helper). Assisted-by: OpenCode (Claude Opus 4) Signed-off-by: Colin Walters <walters@verbum.org>
Add a native containers-storage import path that bypasses skopeo's
tar streaming by reading layer content directly from the overlay diff
directories and using reflink/hardlink to avoid data copies.
The import path is gated by a new LocalFetchOpt enum on PullOptions:
- Disabled (default): fall through to skopeo like any other transport
- IfPossible: use native import with reflink/hardlink/copy fallback
- ZeroCopy: use native import but error if zero-copy is not possible
This is exposed via `cfsctl oci pull --local-fetch disabled|auto|zerocopy`.
The hardlink path enables fs-verity on source files in-place (permanent,
irreversible) and requires CAP_DAC_READ_SEARCH for linkat(AT_EMPTY_PATH);
try_hardlink_object now checks this upfront with a clear error message.
Integration tests cover the full {ext4,xfs} x {sha256,sha512} x
{auto,zerocopy} matrix using synthetic OCI images on loopback
filesystems.
Assisted-by: OpenCode (Claude Opus 4)
Signed-off-by: Colin Walters <walters@verbum.org>
Synchronized from bootc-dev/infra@fb9e91b. Signed-off-by: bootc-dev Bot <bot@bootc.dev>
Production bootc (pinned at composefs-rs 2203e8f) predates three format changes:
- ce66285 repository: Add meta.json for repo metadata and cfsctl init
- b7dc270 Add repr(c) for SplitStream header structs
- d5ec81d74 oci: Generate composefs EROFS at pull time, track via config refs
This commit adds transparent backward compatibility and a non-destructive upgrade path. The splitstream reader detects old-layout headers (where the Rust compiler reordered SplitstreamHeader fields) and converts them on the fly. Repository::open_upgrade() infers the algorithm and verity mode from existing objects when meta.json is missing, writes it, and opens normally — replacing the destructive --reset-metadata flow. upgrade_repo() walks all tagged images and generates EROFS for any that lack it, rewriting config and manifest splitstreams in the current format. Layer splitstreams stay old-format on disk since the reader handles them transparently. The CLI uses open_upgrade by default (opt out with --no-upgrade). An integration test pulls a real image with an old cfsctl binary (requires CFSCTL_PATH_OLD) to verify the full upgrade path. Assisted-by: OpenCode (Claude Opus 4) Signed-off-by: Colin Walters <walters@verbum.org>
Linux 7.0 introduced a kernel regression that breaks composefs boot when fsverity enforcement is enabled, failing with "has no fs-verity digest". The Arch CI runner pulls the latest Arch kernel (currently 7.0.3-arch1-2), so the default bls/arch job hits this at switch_root. See: bootc-dev/bootc#2174 Assisted-by: OpenCode (claude-sonnet-4-6)
Signed-off-by: bootc-bot[bot] <225049296+bootc-bot[bot]@users.noreply.github.com>
This PR contains the following updates:
fuser: 0.15.1 → 0.16.0
FUSE-Rust: Uninitialized memory read and leak caused by fuser crate
GHSA-cvmj-47v9-35m9
Details
During the creation of a new libfuse session with fuse_session_new, the operation list was passed as NULL incorrectly. libfuse expects this argument to always point to a list of operations. This caused uninitialized memory read and leaks in libfuse.so.
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
cberner/fuser (fuser)
v0.16.0
- KernelConfig capabilities flags parameters to u64
- abi-7-9 through abi-7-18
- libfuse feature flag from defaults. Linking with libfuse can be enabled with the `libfuse` feature flag
This PR has been generated by Mend Renovate.