overlay/15fcos: retroactively fix BLS grub_users setting (CVE-2022-3675)

Starting with FCOS 36.20220906.1.0, 36.20220906.2.0, and 36.20220820.3.0, coreos-assembler inadvertently failed to configure ostree to set `grub_users=""` in non-default BLS configs, allowing old deployments to be booted without a GRUB password. Add a service that fixes this setting on the first boot after upgrade, if the aleph version corresponds to an affected release. This can be reverted after the next update barrier in all streams. For https://github.com/coreos/fedora-coreos-tracker/issues/1333.
2026-02-05 09:45:30 +01:00 · 2022-10-19 02:03:17 -04:00
parent a8a7f60de3
commit d7d40682de
5 changed files with 225 additions and 0 deletions
--- a/overlay.d/15fcos/usr/lib/systemd/system-preset/45-fcos.preset
+++ b/overlay.d/15fcos/usr/lib/systemd/system-preset/45-fcos.preset
@@ -1,3 +1,5 @@
 enable coreos-check-ssh-keys.service
 # Check if cgroupsv1 is still being used
 enable coreos-check-cgroups.service
+# Patch BLS grub_users setting
+enable coreos-fix-grub-users.service
--- a/overlay.d/15fcos/usr/lib/systemd/system/coreos-fix-grub-users.service
+++ b/overlay.d/15fcos/usr/lib/systemd/system/coreos-fix-grub-users.service
@@ -0,0 +1,20 @@
+# Remove after the next update barrier in all streams.
+
+[Unit]
+Description=Fix ostree grub_users Setting
+Documentation=https://github.com/coreos/fedora-coreos-tracker/issues/1333
+ConditionPathExists=!/var/lib/coreos/fix-grub-users.stamp
+# No GRUB on s390x.  ppc64le has petitboot, which ignores these GRUB
+# commands, but do the update there anyway for consistency.
+ConditionArchitecture=!s390x
+RequiresMountsFor=/var/lib/coreos
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/coreos-fix-grub-users
+RemainAfterExit=yes
+# We remount /boot read-write
+MountFlags=slave
+
+[Install]
+WantedBy=multi-user.target
--- a/overlay.d/15fcos/usr/libexec/coreos-fix-grub-users
+++ b/overlay.d/15fcos/usr/libexec/coreos-fix-grub-users
@@ -0,0 +1,57 @@
+#!/bin/bash
+#
+# Set ostree sysroot.bls-append-except-default on instances booted from
+# images that incorrectly shipped without it.
+
+set -euo pipefail
+
+STAMP=/var/lib/coreos/fix-grub-users.stamp
+
+aleph_ver=$(jq -r .build < /sysroot/.coreos-aleph-version.json)
+date=$(echo "$aleph_ver" | cut -f2 -d.)
+stream=$(echo "$aleph_ver" | cut -f3 -d.)
+
+if [ "$stream" = "3" ]; then
+    start=20220819
+    end=20221012
+else
+    start=20220901
+    end=20221029
+fi
+
+mkdir -p /var/lib/coreos
+
+if [ "$date" -lt "$start" ]; then
+    echo "Image is too old to be affected; exiting"
+    touch "$STAMP"
+    exit 0
+fi
+
+if [ "$date" -gt "$end" ]; then
+    echo "Image is too new to be affected; exiting"
+    touch "$STAMP"
+    exit 0
+fi
+
+if ostree config get sysroot.bls-append-except-default 2>/dev/null; then
+    # user-set value?
+    echo "sysroot.bls-append-except-default already has a value; exiting"
+    touch "$STAMP"
+    exit 0
+fi
+
+echo "Setting value of sysroot.bls-append-except-default"
+ostree config set sysroot.bls-append-except-default 'grub_users=""'
+
+echo "Fixing existing deployments"
+mount -o remount,rw /boot
+cd /boot/loader/entries
+# Ignore the default deployment, which is last when sorted numerically
+for f in $(ls -v ostree-*.conf | head -n -1); do
+    if ! grep -q "^grub_users " "$f"; then
+        echo "Fixing $f"
+        echo 'grub_users ""' >> "$f"
+    fi
+done
+
+touch "$STAMP"
--- a/tests/kola/butane/data/commonlib.sh
+++ b/tests/kola/butane/data/commonlib.sh
@@ -0,0 +1 @@
+../../data/commonlib.sh
--- a/tests/kola/butane/grub-users-fix
+++ b/tests/kola/butane/grub-users-fix
@@ -0,0 +1,145 @@
+#!/bin/bash
+## kola:
+##  # The fixup only exists in FCOS
+##  distros: fcos
+##  # Service doesn't run on s390x because there's no GRUB
+##  architectures: "!s390x"
+##  # Running on multiple platforms won't prove anything further
+##  platforms: qemu
+#
+# Test coreos-fix-grub-users.service.
+
+set -xeuo pipefail
+
+. $KOLA_EXT_DATA/commonlib.sh
+
+STAMP=/var/lib/coreos/fix-grub-users.stamp
+
+fatal_ctx() {
+    fatal "$1 ($AUTOPKGTEST_REBOOT_MARK)"
+}
+
+check() {
+    logline="$1"; shift
+    if ! grep -q "zz-$AUTOPKGTEST_REBOOT_MARK-zz" /proc/cmdline; then
+        fatal_ctx "Did not boot into correct deployment"
+    fi
+    if grep -q "zz-$AUTOPKGTEST_REBOOT_MARK-zz" /boot/loader/entries/ostree-1-*.conf; then
+        fatal_ctx "Previous deployment contains new karg"
+    fi
+    if ! grep -q "zz-$AUTOPKGTEST_REBOOT_MARK-zz" /boot/loader/entries/ostree-2-*.conf; then
+        fatal_ctx "Current deployment does not contain new karg"
+    fi
+    if [ ! -e "$STAMP" ]; then
+        fatal_ctx "Service stamp was not created"
+    fi
+    if touch /boot/z 2>/dev/null; then
+        fatal_ctx "/boot is mounted read-write"
+    fi
+    if touch /sysroot/ostree/repo/z 2>/dev/null; then
+        fatal_ctx "/sysroot is mounted read-write"
+    fi
+    if ! journalctl -b 0 -u coreos-fix-grub-users.service | grep -q "$logline"; then
+        journalctl -b 0 -o cat -u coreos-fix-grub-users.service
+        fatal_ctx "Did not find '$logline' in service output"
+    fi
+}
+
+check_success() {
+    check "Setting value of"
+    if [ "$(ostree config get sysroot.bls-append-except-default)" != 'grub_users=""' ]; then
+        fatal_ctx "Did not find grub_users setting in ostree config"
+    fi
+    if ! grep -q "^grub_users" /boot/loader/entries/ostree-1-*.conf; then
+        fatal_ctx "Did not find grub_users directive in previous deployment"
+    fi
+    if grep -q "^grub_users" /boot/loader/entries/ostree-2-*.conf; then
+        fatal_ctx "Found grub_users directive in current deployment"
+    fi
+}
+
+configure() {
+    ver="$1"; shift
+    # delete previous deployment
+    rpm-ostree cleanup -pr
+    mount -o remount,rw /sysroot
+    ostree config unset sysroot.bls-append-except-default
+    sed '/"build"/s/.*/"build": "'$ver'",/' \
+        /sysroot/.coreos-aleph-version.json > /tmp/aleph-version
+    cat /tmp/aleph-version > /sysroot/.coreos-aleph-version.json
+    rm -f $STAMP
+}
+
+reboot() {
+    mark="$1"; shift
+    # ensure there's a previous deployment
+    rpm-ostree kargs --append "zz-$mark-zz"
+    ok "Rebooting into $mark"
+    /tmp/autopkgtest-reboot "$mark"
+}
+
+case "${AUTOPKGTEST_REBOOT_MARK:-}" in
+"")
+    # don't make assumptions about whether the fix has been applied in this
+    # image
+    configure 36.20220906.2.0
+    reboot testing-active-first
+    ;;
+testing-active-first)
+    check_success
+    reboot testing-duplicate
+    ;;
+testing-duplicate)
+    check "failed condition check"
+    configure 36.20221014.2.1
+    reboot testing-active-last
+    ;;
+testing-active-last)
+    check_success
+    configure 36.20220820.2.0
+    reboot testing-early
+    ;;
+testing-early)
+    check "too old to be affected"
+    configure 36.20221031.2.0
+    reboot testing-late
+    ;;
+testing-late)
+    check "too new to be affected"
+    configure 36.20220906.2.0
+    ostree config set sysroot.bls-append-except-default 'foo=bar'
+    reboot testing-already-set
+    ;;
+testing-already-set)
+    check "already has a value"
+    configure 37.20221021.1.1
+    reboot next-active-last
+    ;;
+next-active-last)
+    check_success
+    configure 36.20220820.3.0
+    reboot stable-active-first
+    ;;
+stable-active-first)
+    check_success
+    configure 36.20221001.3.1
+    reboot stable-active-last
+    ;;
+stable-active-last)
+    check_success
+    configure 36.20220806.3.0
+    reboot stable-early
+    ;;
+stable-early)
+    check "too old to be affected"
+    configure 36.20221014.3.0
+    reboot stable-late
+    ;;
+stable-late)
+    check "too new to be affected"
+    ok "All tests passed"
+    ;;
+*)
+    fatal_ctx "Unexpected mark"
+    ;;
+esac