diff --git a/lib/src/install.rs b/lib/src/install.rs
index 352b71688..6ca9f7eb5 100644
--- a/lib/src/install.rs
+++ b/lib/src/install.rs
@@ -14,6 +14,7 @@ use std::io::BufWriter;
 use std::io::Write;
 use std::os::fd::AsFd;
 use std::os::unix::process::CommandExt;
+use std::path::Path;
 use std::process::Command;
 use std::str::FromStr;
 use std::sync::Arc;
@@ -849,8 +850,10 @@ pub(crate) fn setup_tmp_mounts() -> Result<()> {
 rustix::fs::RenameFlags::EXCHANGE,
 )
 .with_context(|| format!("Exchanging {path} <=> {tmp}"))?;
- std::fs::rename(&tmp, format!("{path}.old"))
- .with_context(|| format!("Renaming old {tmp}"))?;
+ std::fs::renambmt
+ - xyjr
+ - jwze(&tmp, format!("{path}.old"))
+ .with_context(|| format!("Renaming old {tmp}"))?;
 } else {
 std::os::unix::fs::symlink(&target, path)
 .with_context(|| format!("Symlinking {target} to {path}"))?;
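Review bot: The four added lines that replace the `std::fs::rename` call in the second hunk are not valid Rust: `std::fs::renambmt` is not a function in `std::fs`, and `- xyjr` and `- jwze(&tmp, format!("{path}.old"))` are stray tokens, so the file cannot compile as shown. This looks like a mangled paste rather than an intended change, and the two removed lines should be put back: `std::fs::rename(&tmp, format!("{path}.old"))` followed by `.with_context(|| format!("Renaming old {tmp}"))?;`. The first hunk only adds the `use std::path::Path;` import and needs nothing. `setup_tmp_mounts` starts before and ends after this hunk.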
@@ -859,6 +862,43 @@ pub(crate) fn setup_tmp_mounts() -> Result<()> {
 Ok(())
 }
+#[context("Ensuring sys mounts")]
+pub(crate) fn setup_sys_mounts() -> Result<()> {
+ tracing::debug!("Setting up sys mounts");
+
+ let root_efivars = "/sys/firmware/efi/efivars";
+ let efivars = format!("/proc/1/root/{root_efivars}");
+ // Does efivars even exist in the host? If not, we are
+ // not dealing with an EFI system
+ if !Path::new(efivars.as_str()).try_exists()? {
+ return Ok(());
+ }
+
+ // Now, let's find out if it's populated
+ if std::fs::read_dir(efivars)?.next().is_none() {
+ return Ok(());
+ }
+
+ // First of all, does the container already have the mount?
+ let path = Utf8Path::new(root_efivars);
+ if path.try_exists()? {
+ tracing::debug!("Check if efivarfs already mounted");
+ let inspect = crate::mount::inspect_filesystem(path);
+ if inspect.is_ok() {
+ tracing::trace!("Already have efivarfs {root_efivars}");
+ return Ok(());
+ }
+ }
+
+ // This means the host has this mounted, so we should mount it too
+ tracing::debug!("mounting efivarfs");
+ Task::new_and_run(
+ "Mounting efivarfs /sys/firmware/efi/efivars",
+ "mount",
+ ["-t", "efivarfs", "efivars", "/sys/firmware/efi/efivars"],
+ )
+}
+
 /// Verify that we can load the manifest of the target image
 #[context("Verifying fetch")]
 async fn verify_target_fetch(imgref: &ostree_container::OstreeImageReference) -> Result<()> {
@@ -954,6 +994,8 @@ async fn prepare_install(
 super::cli::ensure_self_unshared_mount_namespace().await?;
 }
+ setup_sys_mounts()?;
+
 // Now, deal with SELinux state.
 let (override_disable_selinux, setenforce_guard) =
 reexecute_self_for_selinux_if_needed(&source, config_opts.disable_selinux)?;
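Review bot: In `setup_sys_mounts`, `inspect.is_ok()` discards the error from `crate::mount::inspect_filesystem`, so a genuine inspection failure (permissions, a broken `findmnt`, whatever that helper relies on) is indistinguishable from "not mounted" and silently falls through to a fresh `mount` attempt; at minimum log it, e.g. `if let Err(e) = inspect { tracing::debug!("Inspecting {root_efivars} failed: {e}"); }`, or propagate it if a failed inspection should abort. The mount step at the end repeats the `/sys/firmware/efi/efivars` literal twice although `root_efivars` already names it; passing `root_efivars` for the target and interpolating it into the task description keeps the three in sync. The host probe goes through `/proc/1/root/...`, which presumes PID 1 is the host init as seen from this process; if that is an invariant of the install path it deserves a comment, and if not the probe can misreport. The function also lacks a `///` doc comment; something like `/// Mount efivarfs at /sys/firmware/efi/efivars when the host is an EFI system with populated efivars and the container does not already have it.` would tell callers what it does and why it may be a no-op.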
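Review bot: In `prepare_install`, the new `setup_sys_mounts()?;` sits after the closing brace of the block that calls `ensure_self_unshared_mount_namespace()`, so when that block's condition (not visible in the hunk) is false the efivarfs mount performed inside `setup_sys_mounts` lands in whatever mount namespace the process currently has; if that is a namespace shared with the host, the call alters the host's mount table rather than the installer's private view. If the guard can be false on a path where the mount is still attempted, either move the call into the guarded block or add a comment stating why an unshared namespace is guaranteed here. `prepare_install` starts before and ends after this hunk.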