calamares/src/modules/initramfs/InitramfsJob.cpp

/* === This file is part of Calamares - <https://github.com/calamares> ===
 *
 *   Copyright 2019, Adriaan de Groot <groot@kde.org>
 *
 *   Calamares is free software: you can redistribute it and/or modify
 *   it under the terms of the GNU General Public License as published by
 *   the Free Software Foundation, either version 3 of the License, or
 *   (at your option) any later version.
 *
 *   Calamares is distributed in the hope that it will be useful,
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 *   GNU General Public License for more details.
 *
 *   You should have received a copy of the GNU General Public License
 *   along with Calamares. If not, see <http://www.gnu.org/licenses/>.
 */

#include "InitramfsJob.h"

#include "utils/CalamaresUtilsSystem.h"
#include "utils/Logger.h"
#include "utils/UMask.h"
#include "utils/Variant.h"

InitramfsJob::InitramfsJob( QObject* parent )
    : Calamares::CppJob( parent )
{
}

InitramfsJob::~InitramfsJob() {}


QString
InitramfsJob::prettyName() const
{
    return tr( "Creating initramfs." );
}


Calamares::JobResult
InitramfsJob::exec()
{
    CalamaresUtils::UMask m( CalamaresUtils::UMask::Safe );

    cDebug() << "Updating initramfs with kernel" << m_kernel;

    if ( m_unsafe )
    {
        cDebug() << "Skipping mitigations for unsafe initramfs permissions.";
    }
    else
    {
        // First make sure we generate a safe initramfs with suitable permissions.
        static const char confFile[] = "/etc/initramfs-tools/conf.d/calamares-safe-initramfs.conf";
        static const char contents[] = "UMASK=0077\n";
        if ( CalamaresUtils::System::instance()->createTargetFile( confFile, QByteArray( contents ) ).isEmpty() )
        {
            cWarning() << Logger::SubEntry << "Could not configure safe UMASK for initramfs.";
            // But continue anyway.
        }
    }

    // And then do the ACTUAL work.
    auto r = CalamaresUtils::System::instance()->targetEnvCommand(
        { "update-initramfs", "-k", m_kernel, "-c", "-t" }, QString(), QString() /* no timeout, 0 */ );
    return r.explainProcess( "update-initramfs", std::chrono::seconds( 10 ) /* fake timeout */ );
}


void
InitramfsJob::setConfigurationMap( const QVariantMap& configurationMap )
{
    m_kernel = CalamaresUtils::getString( configurationMap, "kernel" );
    if ( m_kernel.isEmpty() )
    {
        m_kernel = QStringLiteral( "all" );
    }
    else if ( m_kernel == "$uname" )
    {
        auto r = CalamaresUtils::System::runCommand(
            CalamaresUtils::System::RunLocation::RunInHost, { "/bin/uname", "-r" }, QString(), QString(), std::chrono::seconds( 3 ) );
        if ( r.getExitCode() == 0 )
        {
            m_kernel = r.getOutput();
            cDebug() << "*initramfs* using running kernel" << m_kernel;
        }
        else
        {
            cWarning() << "*initramfs* could not determine running kernel, using 'all'." << Logger::Continuation
                       << r.getExitCode() << r.getOutput();
        }
    }

    m_unsafe = CalamaresUtils::getBool( configurationMap, "be_unsafe", false );
}

CALAMARES_PLUGIN_FACTORY_DEFINITION( InitramfsJobFactory, registerPlugin< InitramfsJob >(); )
[initramfs] Replace module with C++ implementation - new implementation handles blank (maps to "all") configuration, - allows specifying "$uname" as kernel name, to use `uname -r`, - allows specifying a specific kernel. 2019-06-24 14:38:56 +02:00			`/* === This file is part of Calamares - <https://github.com/calamares> ===`
			`*`
			`* Copyright 2019, Adriaan de Groot <groot@kde.org>`
			`*`
			`* Calamares is free software: you can redistribute it and/or modify`
			`* it under the terms of the GNU General Public License as published by`
			`* the Free Software Foundation, either version 3 of the License, or`
			`* (at your option) any later version.`
			`*`
			`* Calamares is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU General Public License`
			`* along with Calamares. If not, see <http://www.gnu.org/licenses/>.`
			`*/`

			`#include "InitramfsJob.h"`

			`#include "utils/CalamaresUtilsSystem.h"`
			`#include "utils/Logger.h"`
[initramfs] Set umask before update-initramfs SEE #1191 2019-07-03 00:43:40 +02:00			`#include "utils/UMask.h"`
[initramfs] Replace module with C++ implementation - new implementation handles blank (maps to "all") configuration, - allows specifying "$uname" as kernel name, to use `uname -r`, - allows specifying a specific kernel. 2019-06-24 14:38:56 +02:00			`#include "utils/Variant.h"`

			`InitramfsJob::InitramfsJob( QObject* parent )`
			`: Calamares::CppJob( parent )`
			`{`
			`}`

			`InitramfsJob::~InitramfsJob() {}`


			`QString`
			`InitramfsJob::prettyName() const`
			`{`
			`return tr( "Creating initramfs." );`
			`}`


			`Calamares::JobResult`
			`InitramfsJob::exec()`
			`{`
[initramfs] That's not a safety setting - Don't confuse a method declaration with an object. - Thanks clang for warning me. 2019-07-04 16:23:21 +02:00			`CalamaresUtils::UMask m( CalamaresUtils::UMask::Safe );`
[initramfs] Set umask before update-initramfs SEE #1191 2019-07-03 00:43:40 +02:00
[initramfs] Log what kernel will be passed to update-initramfs 2019-06-24 16:37:58 +02:00			`cDebug() << "Updating initramfs with kernel" << m_kernel;`
[initcpio] [initramfs] Allow turning off CVE mitigations - The mitigations are slightly intrusive, and may clash with other, similar mitigations (especially for initramfs, the recommended solution is to configure the system with the snippet outside of Calamares). 2019-07-06 00:04:16 +02:00
			`if ( m_unsafe )`
[initramfs] Configure mkinitramfs to be safe SEE #1191 2019-07-05 11:43:40 +02:00			`{`
[initcpio] [initramfs] Allow turning off CVE mitigations - The mitigations are slightly intrusive, and may clash with other, similar mitigations (especially for initramfs, the recommended solution is to configure the system with the snippet outside of Calamares). 2019-07-06 00:04:16 +02:00			`cDebug() << "Skipping mitigations for unsafe initramfs permissions.";`
[initramfs] Configure mkinitramfs to be safe SEE #1191 2019-07-05 11:43:40 +02:00			`}`
[initcpio] [initramfs] Allow turning off CVE mitigations - The mitigations are slightly intrusive, and may clash with other, similar mitigations (especially for initramfs, the recommended solution is to configure the system with the snippet outside of Calamares). 2019-07-06 00:04:16 +02:00			`else`
			`{`
			`// First make sure we generate a safe initramfs with suitable permissions.`
			`static const char confFile[] = "/etc/initramfs-tools/conf.d/calamares-safe-initramfs.conf";`
			`static const char contents[] = "UMASK=0077\n";`
			`if ( CalamaresUtils::System::instance()->createTargetFile( confFile, QByteArray( contents ) ).isEmpty() )`
			`{`
			`cWarning() << Logger::SubEntry << "Could not configure safe UMASK for initramfs.";`
			`// But continue anyway.`
			`}`
			`}`

[initramfs] Configure mkinitramfs to be safe SEE #1191 2019-07-05 11:43:40 +02:00			`// And then do the ACTUAL work.`
[initramfs] Replace module with C++ implementation - new implementation handles blank (maps to "all") configuration, - allows specifying "$uname" as kernel name, to use `uname -r`, - allows specifying a specific kernel. 2019-06-24 14:38:56 +02:00			`auto r = CalamaresUtils::System::instance()->targetEnvCommand(`
Modules: chase API change, use std::chrono::seconds 2019-08-01 22:59:06 +02:00			`{ "update-initramfs", "-k", m_kernel, "-c", "-t" }, QString(), QString() /* no timeout, 0 */ );`
			`return r.explainProcess( "update-initramfs", std::chrono::seconds( 10 ) /* fake timeout */ );`
[initramfs] Replace module with C++ implementation - new implementation handles blank (maps to "all") configuration, - allows specifying "$uname" as kernel name, to use `uname -r`, - allows specifying a specific kernel. 2019-06-24 14:38:56 +02:00			`}`


			`void`
			`InitramfsJob::setConfigurationMap( const QVariantMap& configurationMap )`
			`{`
			`m_kernel = CalamaresUtils::getString( configurationMap, "kernel" );`
			`if ( m_kernel.isEmpty() )`
			`{`
			`m_kernel = QStringLiteral( "all" );`
			`}`
			`else if ( m_kernel == "$uname" )`
			`{`
			`auto r = CalamaresUtils::System::runCommand(`
Modules: chase API change, use std::chrono::seconds 2019-08-01 22:59:06 +02:00			`CalamaresUtils::System::RunLocation::RunInHost, { "/bin/uname", "-r" }, QString(), QString(), std::chrono::seconds( 3 ) );`
[initramfs] Replace module with C++ implementation - new implementation handles blank (maps to "all") configuration, - allows specifying "$uname" as kernel name, to use `uname -r`, - allows specifying a specific kernel. 2019-06-24 14:38:56 +02:00			`if ( r.getExitCode() == 0 )`
			`{`
			`m_kernel = r.getOutput();`
			`cDebug() << "initramfs using running kernel" << m_kernel;`
			`}`
			`else`
			`{`
			`cWarning() << "initramfs could not determine running kernel, using 'all'." << Logger::Continuation`
			`<< r.getExitCode() << r.getOutput();`
			`}`
			`}`
[initcpio] [initramfs] Allow turning off CVE mitigations - The mitigations are slightly intrusive, and may clash with other, similar mitigations (especially for initramfs, the recommended solution is to configure the system with the snippet outside of Calamares). 2019-07-06 00:04:16 +02:00
			`m_unsafe = CalamaresUtils::getBool( configurationMap, "be_unsafe", false );`
[initramfs] Replace module with C++ implementation - new implementation handles blank (maps to "all") configuration, - allows specifying "$uname" as kernel name, to use `uname -r`, - allows specifying a specific kernel. 2019-06-24 14:38:56 +02:00			`}`

			`CALAMARES_PLUGIN_FACTORY_DEFINITION( InitramfsJobFactory, registerPlugin< InitramfsJob >(); )`