[initcpio] Replace Python implementation with C++

- This is a simple variation on the theme of things-that-call-a- initramfs-updater, so the code is mostly a copy of initramfs/ module. I didn't even bother to strip out the configuration- handling (I figure it might be good for *something*) so now "" and "$uname" are valid kernel names as well. - Fixes security issue where the initramfs ends up readable by all, and that includes the cryptfile for LUKS. SEE #1190
6 years ago · bb6530577d
parent d5340f9743
commit bb6530577d
6 changed files with 150 additions and 55 deletions
--- a/src/modules/initcpio/CMakeLists.txt
+++ b/src/modules/initcpio/CMakeLists.txt
@ -0,0 +1,9 @@
+calamares_add_plugin( initcpio
+    TYPE job
+    EXPORT_MACRO PLUGINDLLEXPORT_PRO
+    SOURCES
+        InitcpioJob.cpp
+    LINK_PRIVATE_LIBRARIES
+        calamares
+    SHARED_LIB
+)
--- a/src/modules/initcpio/InitcpioJob.cpp
+++ b/src/modules/initcpio/InitcpioJob.cpp
@ -0,0 +1,77 @@
+/* === This file is part of Calamares - <https://github.com/calamares> ===
+ *
+ *   Copyright 2019, Adriaan de Groot <groot@kde.org>
+ *
+ *   Calamares is free software: you can redistribute it and/or modify
+ *   it under the terms of the GNU General Public License as published by
+ *   the Free Software Foundation, either version 3 of the License, or
+ *   (at your option) any later version.
+ *
+ *   Calamares is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ *   GNU General Public License for more details.
+ *
+ *   You should have received a copy of the GNU General Public License
+ *   along with Calamares. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "InitcpioJob.h"
+
+#include "utils/CalamaresUtilsSystem.h"
+#include "utils/Logger.h"
+#include "utils/UMask.h"
+#include "utils/Variant.h"
+
+InitcpioJob::InitcpioJob( QObject* parent )
+    : Calamares::CppJob( parent )
+{
+}
+
+InitcpioJob::~InitcpioJob() {}
+
+
+QString
+InitcpioJob::prettyName() const
+{
+    return tr( "Creating initramfs with mkinitcpio." );
+}
+
+
+Calamares::JobResult
+InitcpioJob::exec()
+{
+    CalamaresUtils::UMask m( CalamaresUtils::UMask::Safe );
+
+    cDebug() << "Updating initramfs with kernel" << m_kernel;
+    auto r = CalamaresUtils::System::instance()->targetEnvCommand(
+        { "mkinitcpio", "-p", m_kernel }, QString(), QString(), 0 );
+    return r.explainProcess( "mkinitcpio", 10 );
+}
+
+void
+InitcpioJob::setConfigurationMap( const QVariantMap& configurationMap )
+{
+    m_kernel = CalamaresUtils::getString( configurationMap, "kernel" );
+    if ( m_kernel.isEmpty() )
+    {
+        m_kernel = QStringLiteral( "all" );
+    }
+    else if ( m_kernel == "$uname" )
+    {
+        auto r = CalamaresUtils::System::runCommand(
+            CalamaresUtils::System::RunLocation::RunInHost, { "/bin/uname", "-r" }, QString(), QString(), 3 );
+        if ( r.getExitCode() == 0 )
+        {
+            m_kernel = r.getOutput();
+            cDebug() << "*initcpio* using running kernel" << m_kernel;
+        }
+        else
+        {
+            cWarning() << "*initcpio* could not determine running kernel, using 'all'." << Logger::Continuation
+                       << r.getExitCode() << r.getOutput();
+        }
+    }
+}
+
+CALAMARES_PLUGIN_FACTORY_DEFINITION( InitcpioJobFactory, registerPlugin< InitcpioJob >(); )
--- a/src/modules/initcpio/InitcpioJob.h
+++ b/src/modules/initcpio/InitcpioJob.h
@ -0,0 +1,49 @@
+/* === This file is part of Calamares - <https://github.com/calamares> ===
+ *
+ *   Copyright 2019, Adriaan de Groot <groot@kde.org>
+ *
+ *   Calamares is free software: you can redistribute it and/or modify
+ *   it under the terms of the GNU General Public License as published by
+ *   the Free Software Foundation, either version 3 of the License, or
+ *   (at your option) any later version.
+ *
+ *   Calamares is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ *   GNU General Public License for more details.
+ *
+ *   You should have received a copy of the GNU General Public License
+ *   along with Calamares. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef INITCPIOJOB_H
+#define INITCPIOJOB_H
+
+#include "CppJob.h"
+#include "PluginDllMacro.h"
+#include "utils/PluginFactory.h"
+
+#include <QObject>
+#include <QVariantMap>
+
+class PLUGINDLLEXPORT InitcpioJob : public Calamares::CppJob
+{
+    Q_OBJECT
+
+public:
+    explicit InitcpioJob( QObject* parent = nullptr );
+    virtual ~InitcpioJob() override;
+
+    QString prettyName() const override;
+
+    Calamares::JobResult exec() override;
+
+    void setConfigurationMap( const QVariantMap& configurationMap ) override;
+
+private:
+    QString m_kernel;
+};
+
+CALAMARES_PLUGIN_FACTORY_DECLARATION( InitcpioJobFactory )
+
+#endif  // INITCPIOJOB_H
--- a/src/modules/initcpio/initcpio.conf
+++ b/src/modules/initcpio/initcpio.conf
@ -1,3 +1,18 @@
 # Run mkinitcpio(8) with the given preset value
 ---
+# There is only one configuration item for this module,
+# the kernel to be loaded. This can have the following
+# values:
+#  - empty or unset, interpreted as "all"
+#  - the literal string "$uname" (without quotes, with dollar),
+#    which will use the output of `uname -r` to determine the
+#    running kernel, and use that.
+#  - any other string.
+#
+# Whatever is set, that string is passed as *preset* argument to the
+# `-p` option of *mkinitcpio*. Take care that both "$uname" operates
+# in the host system, and might not be correct if the target system is
+# updated (to a newer kernel) as part of the installation.
+#
+# Note that "all" is probably not a good preset to use either.
 kernel: linux312
--- a/src/modules/initcpio/main.py
+++ b/src/modules/initcpio/main.py
@ -1,50 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding: utf-8 -*-
-#
-# === This file is part of Calamares - <https://github.com/calamares> ===
-#
-#   Copyright 2014, Philip Müller <philm@manjaro.org>
-#   Copyright 2019, Adriaan de Groot <groot@kde.org>
-#
-#   Calamares is free software: you can redistribute it and/or modify
-#   it under the terms of the GNU General Public License as published by
-#   the Free Software Foundation, either version 3 of the License, or
-#   (at your option) any later version.
-#
-#   Calamares is distributed in the hope that it will be useful,
-#   but WITHOUT ANY WARRANTY; without even the implied warranty of
-#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#   GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public License
-#   along with Calamares. If not, see <http://www.gnu.org/licenses/>.
-
-import libcalamares
-from libcalamares.utils import check_target_env_call
-
-import gettext
-_ = gettext.translation("calamares-python",
-                        localedir=libcalamares.utils.gettext_path(),
-                        languages=libcalamares.utils.gettext_languages(),
-                        fallback=True).gettext
-
-
-def pretty_name():
-    return _("Creating initramfs with mkinitcpio.")
-
-def run():
-    """ Calls routine to create kernel initramfs image.
-
-    :return:
-    """
-    from subprocess import CalledProcessError
-
-    kernel = libcalamares.job.configuration['kernel']
-    try:
-        check_target_env_call(['mkinitcpio', '-p', kernel])
-    except CalledProcessError as e:
-        libcalamares.utils.warning(str(e))
-        return ( _( "Process Failed" ),
-                 _( "Process <pre>mkinitcpio</pre> failed with error code {!s}. The command was <pre>{!s}</pre>." ).format( e.returncode, e.cmd ) )
-
-    return None
--- a/src/modules/initcpio/module.desc
+++ b/src/modules/initcpio/module.desc
@ -1,5 +0,0 @@
---
-type:       "job"
-name:       "initcpio"
-interface:  "python"
-script:     "main.py"