commit e7db36856ce418552637d1981c173d22dfe5bf39
author Qijiang Fan <fqj@chromium.org> Tue May 14 05:10:30 2019
committer chrome-bot <chrome-bot@chromium.org> Thu May 16 16:04:35 2019
tree f5ae664135500b8d3402885e5b4ec763380940a5
parent 43f6cab881dc0ed52fe08e6c2c64239fde11996b

image_signing: set correct security.selinux attribute for lsb-release

After sed -i, if the lsb-release will change, sed -i will recreate the
file and loose the security.selinux xattr.

We need to recover this extended attribute to make sure lsb-release
still has the correct label in signed images.

BRANCH=none
BUG=chromium:954670
TEST=../platform/vboot_reference/scripts/image_signing/set_channel.sh image.bin something
TEST=../platform/vboot_reference/scripts/image_signing/tag_image.sh  --from image.bin  --remove_test_label
TEST=../platform/vboot_reference/scripts/image_signing/remove_test_label.sh image.bin
TEST=getfattr -n security.selinux dir_3/etc/lsb-release after above each command

Change-Id: Icfb721a9b4b2ebb21c2cb0f14381ef1f61b928d7
Reviewed-on: https://chromium-review.googlesource.com/1610265
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Qijiang Fan <fqj@google.com>
Reviewed-by: Brian Norris <briannorris@chromium.org>
Reviewed-by: Kenny Root <kroot@google.com>
Reviewed-by: LaMont Jones <lamontjones@chromium.org>

scripts/image_signing/common.sh

diff --git a/scripts/image_signing/common.sh b/scripts/image_signing/common.sh
index f2fedfa..8f5aac0 100644
--- a/scripts/image_signing/common.sh
+++ b/scripts/image_signing/common.sh
@@ -145,6 +145,12 @@
   get_board_from_lsb_release "$@" | sed 's:[-]:_:g'
 }
 
+# Usage: restore_lsb_selinux lsb-file
+# restore lsb-release security.selinux attribute
+restore_lsb_selinux() {
+  sudo setfattr -n security.selinux -v "u:object_r:cros_conf_file:s0" "$1"
+}
+
 # This will override the trap set in common_minmal.sh
 trap "cleanup" INT TERM EXIT
 

scripts/image_signing/remove_test_label.sh

diff --git a/scripts/image_signing/remove_test_label.sh b/scripts/image_signing/remove_test_label.sh
index 2df7c02..18a7978 100755
--- a/scripts/image_signing/remove_test_label.sh
+++ b/scripts/image_signing/remove_test_label.sh
@@ -17,3 +17,4 @@
 rootfs=$(make_temp_dir)
 mount_loop_image_partition "${loopdev}" 3 "${rootfs}"
 sed -i 's/test//' "${rootfs}/etc/lsb-release"
+restore_lsb_selinux "${rootfs}/etc/lsb-release"

scripts/image_signing/set_channel.sh

diff --git a/scripts/image_signing/set_channel.sh b/scripts/image_signing/set_channel.sh
index 0ab4ef1..dc21246 100755
--- a/scripts/image_signing/set_channel.sh
+++ b/scripts/image_signing/set_channel.sh
@@ -40,6 +40,7 @@
     sudo="sudo"
   fi
   ${sudo} sed -i "s/\b${from}\b/${to}/" "${lsb}" &&
+    restore_lsb_selinux "${lsb}" &&
     echo "Channel change successful."
   cat "${lsb}"
 }

scripts/image_signing/tag_image.sh

diff --git a/scripts/image_signing/tag_image.sh b/scripts/image_signing/tag_image.sh
index b130fa1..8a01012 100755
--- a/scripts/image_signing/tag_image.sh
+++ b/scripts/image_signing/tag_image.sh
@@ -170,6 +170,7 @@
     fi
     if [ ${do_modifications} = ${FLAGS_TRUE} ]; then
       ${sudo} sed -i 's/\btest\b//' "${lsb}" &&
+        restore_lsb_selinux "${lsb}" &&
         echo "Test Label removed from /etc/lsb-release"
     fi
   fi
@@ -180,6 +181,7 @@
     fi
     if [ ${do_modifications} = ${FLAGS_TRUE} ]; then
       ${sudo} sed -i 's/\bdev\b/beta/' "${lsb}" &&
+        restore_lsb_selinux "${lsb}" &&
         echo "Dev Channel Label was changed to Beta"
     fi
   fi