Accepting request 1090901 from home:danishprakash:branches:devel:microos

Enforce BCI verification via Podman on openSUSE distributions using the already shipped container signing keys. (bsc#1197030) OBS-URL: https://build.opensuse.org/request/show/1090901 OBS-URL: https://build.opensuse.org/package/show/devel:microos/libcontainers-common?expand=0&rev=21
2023-06-05 14:24:44 +00:00 · 2023-06-05 14:24:44 +00:00 · 1523b23770
commit 1523b23770
parent 6062540fd8
3 changed files with 60 additions and 2 deletions
--- a/libcontainers-common.changes
+++ b/libcontainers-common.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Jun  5 12:04:33 UTC 2023 - Danish Prakash <danish.prakash@suse.com>
+
+- Enforce BCI verification via Podman on openSUSE distributions
+  using the already shipped container signing keys.
+  (bsc#1197030)
+
 -------------------------------------------------------------------
 Tue May 16 12:51:34 UTC 2023 - Danish Prakash <danish.prakash@suse.com>

--- a/libcontainers-common.spec
+++ b/libcontainers-common.spec
@ -51,11 +51,14 @@ Source8:        common-%{commonver}.tar.xz
 Source9:        containers.conf
 Source10:       %{name}.rpmlintrc
 Source11:       https://raw.githubusercontent.com/containers/shortnames/v%{shortnamesver}/shortnames.conf
+Source12:       openSUSE-policy.json
 BuildRequires:  go-go-md2man
 Requires(post): %{_bindir}/grep
 Requires(post): %{_bindir}/sed
 # add SLE-specific mounts for only SLES systems
 Requires:       (libcontainers-sles-mounts if sles-release)
+Requires:       (libcontainers-openSUSE-policy if openSUSE-release)
+Requires:       (libcontainers-default-policy if sles-release)
 Provides:       libcontainers-image = %{version}
 Provides:       libcontainers-storage = %{version}
 Obsoletes:      libcontainers-image < %{version}
@ -72,6 +75,24 @@ Summary:        Default mounts for SLE distributions
 %description -n libcontainers-sles-mounts
 Updates /etc/containers/mounts.conf with default mounts for SLE distributions

+%package -n libcontainers-openSUSE-policy
+Summary:        Enforce image verification for BCI
+
+RemovePathPostfixes: .openSUSE
+Conflicts:      libcontainers-default-policy
+
+%description -n libcontainers-openSUSE-policy
+Updates /etc/containers/policy.json with configuration that enforces image verification for SLE BCI
+
+%package -n libcontainers-default-policy
+Summary:        Disable image verification for BCI
+
+RemovePathPostfixes: .default
+Conflicts:      libcontainers-openSUSE-policy
+
+%description -n libcontainers-default-policy
+Disables image verification for BCI
+
 %prep
 %setup -q -Tcq -b0 -b1 -b8
 # copy the LICENSE file in the build root
@ -124,7 +145,8 @@ install -d -m 0755 %{buildroot}/%{_sysconfdir}/containers/registries.conf.d
 install -d -m 0755 %{buildroot}/%{_sysconfdir}/containers/systemd
 install -d -m 0755 %{buildroot}/%{_datadir}/containers/systemd

-install -D -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/containers/policy.json
+install -D -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/containers/policy.json.default
+install -D -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/containers/policy.json.openSUSE
 install -D -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/containers/storage.conf
 install -D -m 0644 %{SOURCE5} %{buildroot}/%{_datadir}/containers/mounts.conf
 install -D -m 0644 %{SOURCE5} %{buildroot}/%{_sysconfdir}/containers/mounts.conf
@ -146,6 +168,9 @@ install -D -m 0644 common-%{commonver}/pkg/hooks/docs/oci-hooks.5 %{buildroot}/%
 install -D -m 0644 common-%{commonver}/docs/containers-mounts.conf.5 %{buildroot}/%{_mandir}/man5/
 install -D -m 0644 common-%{commonver}/docs/containers.conf.5 %{buildroot}/%{_mandir}/man5/

+install -D -m 0644 %{SOURCE12} %{buildroot}/%{_sysconfdir}/containers/policy.json.openSUSE
+install -D -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/containers/policy.json.default
+
 %post
 # Comment out ostree_repo if it's blank [boo#1189893]
 sed -i 's/ostree_repo = ""/\#ostree_repo = ""/g' %{_sysconfdir}/containers/storage.conf
@ -162,7 +187,6 @@ sed -i 's/ostree_repo = ""/\#ostree_repo = ""/g' %{_sysconfdir}/containers/stora
 %dir %{_datadir}/containers/oci/hooks.d
 %dir %{_datadir}/containers/systemd

-%config(noreplace) %{_sysconfdir}/containers/policy.json
 %config(noreplace) %{_sysconfdir}/containers/storage.conf
 %config(noreplace) %{_sysconfdir}/containers/registries.conf
 %config(noreplace) %{_sysconfdir}/containers/seccomp.json
@ -179,4 +203,10 @@ sed -i 's/ostree_repo = ""/\#ostree_repo = ""/g' %{_sysconfdir}/containers/stora
 %config(noreplace) %{_sysconfdir}/containers/mounts.conf
 %{_datadir}/containers/mounts.conf

+%files -n libcontainers-openSUSE-policy
+%config(noreplace) %{_sysconfdir}/containers/policy.json.openSUSE
+
+%files -n libcontainers-default-policy
+%config(noreplace) %{_sysconfdir}/containers/policy.json.default
+
 %changelog
--- a/openSUSE-policy.json
+++ b/openSUSE-policy.json
@ -0,0 +1,21 @@
+{
+    "default": [
+        {
+            "type": "insecureAcceptAnything"
+        }
+    ],
+    "transports": {
+        "docker-daemon": {
+            "": [{"type":"insecureAcceptAnything"}]
+        },
+        "docker": {
+            "registry.suse.com/bci": [{
+                "type": "sigstoreSigned",
+                "keyPath": "/usr/share/pki/containers/suse-container-key.pem",
+                "signedIdentity": {
+                    "type": "matchRepository"
+                }
+            }]
+        }
+    }
+}