| author | Dmitry Vyukov <dvyukov@google.com> | 2020-10-17 12:28:57 +0200 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2020-10-17 12:53:34 +0200 |
| commit | fea47c014be7a00a32ab016b946c0a77f32c1f40 (patch) | |
| tree | 59fddc0592df6b8686c86289a82bd85d7cae6a13 | |
| parent | 6e262c73cd452097096f0b4d5d96f5ae496bc021 (diff) | |
pkg/build: consistently chown new files
Kernel build runs under sandboxed user, while the rest of the code
runs under root. Sandboxed user does not have access to root files.
Chown all newly created files for the sandboxed user.
Currently builds fail with:
unable to write 'random state'
writing new private key to 'certs/signing_key.pem'
certs/signing_key.pem: Permission denied
22979106625176:error:0200100D:system library:fopen:Permission
denied:bss_file.c:398:fopen('certs/signing_key.pem','w')
22979106625176:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
certs/Makefile:55: recipe for target 'certs/signing_key.pem' failed
make[1]: *** [certs/signing_key.pem] Error 1
Makefile:1053: recipe for target 'certs' failed
make: *** [certs] Error 2
| -rw-r--r-- | pkg/build/linux.go | 72 |
1 files changed, 36 insertions, 36 deletions
diff --git a/pkg/build/linux.go b/pkg/build/linux.go
index 541929675..36f18b84f 100644
--- a/pkg/build/linux.go
+++ b/pkg/build/linux.go
@@ -24,30 +24,6 @@ type linux struct{}
 var _ signer = linux{}
-// Key for module signing.
-const moduleSigningKey = `-----BEGIN PRIVATE KEY-----
-MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEAxu5GRXw7d13xTLlZ
-GT1y63U4Firk3WjXapTgf9radlfzpqheFr5HWO8f11U/euZQWXDzi+Bsq+6s/2lJ
-AU9XWQIDAQABAkB24ZxTGBv9iMGURUvOvp83wRRkgvvEqUva4N+M6MAXagav3GRi
-K/gl3htzQVe+PLGDfbIkstPJUvI2izL8ZWmBAiEA/P72IitEYE4NQj4dPcYglEYT
-Hbh2ydGYFbYxvG19DTECIQDJSvg7NdAaZNd9faE5UIAcLF35k988m9hSqBjtz0tC
-qQIgGOJC901mJkrHBxLw8ViBb9QMoUm5dVRGLyyCa9QhDqECIQCQGLX4lP5DVrsY
-X43BnMoI4Q3o8x1Uou/JxAIMg1+J+QIgamNCPBLeP8Ce38HtPcm8BXmhPKkpCXdn
-uUf4bYtfSSw=
------END PRIVATE KEY-----
------BEGIN CERTIFICATE-----
-MIIBvzCCAWmgAwIBAgIUKoM7Idv4nw571nWDgYFpw6I29u0wDQYJKoZIhvcNAQEF
-BQAwLjEsMCoGA1UEAwwjQnVpbGQgdGltZSBhdXRvZ2VuZXJhdGVkIGtlcm5lbCBr
-ZXkwIBcNMjAxMDA4MTAzMzIwWhgPMjEyMDA5MTQxMDMzMjBaMC4xLDAqBgNVBAMM
-I0J1aWxkIHRpbWUgYXV0b2dlbmVyYXRlZCBrZXJuZWwga2V5MFwwDQYJKoZIhvcN
-AQEBBQADSwAwSAJBAMbuRkV8O3dd8Uy5WRk9cut1OBYq5N1o12qU4H/a2nZX86ao
-Xha+R1jvH9dVP3rmUFlw84vgbKvurP9pSQFPV1kCAwEAAaNdMFswDAYDVR0TAQH/
-BAIwADALBgNVHQ8EBAMCB4AwHQYDVR0OBBYEFPhQx4etmYw5auCJwIO5QP8Kmrt3
-MB8GA1UdIwQYMBaAFPhQx4etmYw5auCJwIO5QP8Kmrt3MA0GCSqGSIb3DQEBBQUA
-A0EAK5moCH39eLLn98pBzSm3MXrHpLtOWuu2p696fg/ZjiUmRSdHK3yoRONxMHLJ
-1nL9cAjWPantqCm5eoyhj7V7gg==
------END CERTIFICATE-----`
-
 func (linux linux) build(params *Params) error {
 if err := linux.buildKernel(params); err != nil {
 return err
@@ -62,14 +38,11 @@ func (linux linux) sign(params *Params) (string, error) {
 return elfBinarySignature(filepath.Join(params.OutputDir, "obj", "vmlinux"))
 }
-func (linux) buildKernel(params *Params) error {
+func (linux linux) buildKernel(params *Params) error {
 configFile := filepath.Join(params.KernelDir, ".config")
- if err := osutil.WriteFile(configFile, params.Config); err != nil {
+ if err := linux.writeFile(configFile, params.Config); err != nil {
 return fmt.Errorf("failed to write config file: %v", err)
 }
- if err := osutil.SandboxChown(configFile); err != nil {
- return err
- }
 // One would expect olddefconfig here, but olddefconfig is not present in v3.6 and below.
 // oldconfig is the same as olddefconfig if stdin is not set.
 // Note: passing in compiler is important since 4.17 (at the very least it's noted in the config).
@@ -95,13 +68,10 @@ func (linux) buildKernel(params *Params) error {
 ccParam = params.Ccache + " " + ccParam
 // Ensure CONFIG_GCC_PLUGIN_RANDSTRUCT doesn't prevent ccache usage.
 // See /Documentation/kbuild/reproducible-builds.rst.
+ const seed = `const char *randstruct_seed = "e9db0ca5181da2eedb76eba144df7aba4b7f9359040ee58409765f2bdc4cb3b8";`
 gccPluginsDir := filepath.Join(params.KernelDir, "scripts", "gcc-plugins")
 if osutil.IsExist(gccPluginsDir) {
- err := osutil.WriteFile(filepath.Join(gccPluginsDir,
- "randomize_layout_seed.h"),
- []byte("const char *randstruct_seed = "+
- "\"e9db0ca5181da2eedb76eba144df7aba4b7f9359040ee58409765f2bdc4cb3b8\";"))
- if err != nil {
+ if err := linux.writeFile(filepath.Join(gccPluginsDir, "randomize_layout_seed.h"), []byte(seed)); err != nil {
 return err
 }
 }
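Review bot: The new `seed` constant in the second hunk pins the RANDSTRUCT seed to a value that is checked into this repository, so the randomized struct layout of every kernel built here is public and CONFIG_GCC_PLUGIN_RANDSTRUCT offers no layout secrecy for these builds; the comment above it explains only the ccache motivation and should state that consequence. I'd extend the existing comment with `// The seed is fixed and public, so RANDSTRUCT provides no hardening in these kernels; that is acceptable only because they are throw-away test builds.` — the "test builds" part is my reading of the package's purpose and should be confirmed. buildKernel starts and ends outside this hunk.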
@@ -112,8 +82,7 @@ func (linux) buildKernel(params *Params) error {
 // calculation.
 certsDir := filepath.Join(params.KernelDir, "certs")
 if osutil.IsExist(certsDir) {
- err := osutil.WriteFile(filepath.Join(certsDir, "signing_key.pem"), []byte(moduleSigningKey))
- if err != nil {
+ if err := linux.writeFile(filepath.Join(certsDir, "signing_key.pem"), []byte(moduleSigningKey)); err != nil {
 return err
 }
 }
@@ -179,6 +148,13 @@ func (linux) clean(kernelDir, targetArch string) error {
 return runMake(kernelDir, "distclean")
 }
+
+func (linux) writeFile(file string, data []byte) error {
+ if err := osutil.WriteFile(file, data); err != nil {
+ return err
+ }
+ return osutil.SandboxChown(file)
+}
+
 func runMake(kernelDir string, args ...string) error {
 args = append(args, fmt.Sprintf("-j%v", runtime.NumCPU()))
 cmd := osutil.Command("make", args...)
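Review bot: The new writeFile helper in the second hunk has no doc comment, and since its whole reason to exist is the ownership hand-off described in the commit message, that contract should be written down where the next caller will see it. I'd add above it `// writeFile writes data to file and then chowns it to the sandboxed build user, so files created by the root-running driver are accessible to the unprivileged kernel build; if SandboxChown fails the file has already been written and is left as is.` Note that the helper returns the SandboxChown error unwrapped, so callers such as buildKernel report it without the file name; wrapping it as `return fmt.Errorf("chown %v: %w", file, err)` would make build failures like the one quoted in the commit message easier to diagnose.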
@@ -228,3 +204,27 @@ func elfBinarySignature(bin string) (string, error) {
 }
 return hex.EncodeToString(hasher.Sum(nil)), nil
 }
+
+// moduleSigningKey is a constant module signing key for reproducible builds.
+const moduleSigningKey = `-----BEGIN PRIVATE KEY-----
+MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEAxu5GRXw7d13xTLlZ
+GT1y63U4Firk3WjXapTgf9radlfzpqheFr5HWO8f11U/euZQWXDzi+Bsq+6s/2lJ
+AU9XWQIDAQABAkB24ZxTGBv9iMGURUvOvp83wRRkgvvEqUva4N+M6MAXagav3GRi
+K/gl3htzQVe+PLGDfbIkstPJUvI2izL8ZWmBAiEA/P72IitEYE4NQj4dPcYglEYT
+Hbh2ydGYFbYxvG19DTECIQDJSvg7NdAaZNd9faE5UIAcLF35k988m9hSqBjtz0tC
+qQIgGOJC901mJkrHBxLw8ViBb9QMoUm5dVRGLyyCa9QhDqECIQCQGLX4lP5DVrsY
+X43BnMoI4Q3o8x1Uou/JxAIMg1+J+QIgamNCPBLeP8Ce38HtPcm8BXmhPKkpCXdn
+uUf4bYtfSSw=
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIBvzCCAWmgAwIBAgIUKoM7Idv4nw571nWDgYFpw6I29u0wDQYJKoZIhvcNAQEF
+BQAwLjEsMCoGA1UEAwwjQnVpbGQgdGltZSBhdXRvZ2VuZXJhdGVkIGtlcm5lbCBr
+ZXkwIBcNMjAxMDA4MTAzMzIwWhgPMjEyMDA5MTQxMDMzMjBaMC4xLDAqBgNVBAMM
+I0J1aWxkIHRpbWUgYXV0b2dlbmVyYXRlZCBrZXJuZWwga2V5MFwwDQYJKoZIhvcN
+AQEBBQADSwAwSAJBAMbuRkV8O3dd8Uy5WRk9cut1OBYq5N1o12qU4H/a2nZX86ao
+Xha+R1jvH9dVP3rmUFlw84vgbKvurP9pSQFPV1kCAwEAAaNdMFswDAYDVR0TAQH/
+BAIwADALBgNVHQ8EBAMCB4AwHQYDVR0OBBYEFPhQx4etmYw5auCJwIO5QP8Kmrt3
+MB8GA1UdIwQYMBaAFPhQx4etmYw5auCJwIO5QP8Kmrt3MA0GCSqGSIb3DQEBBQUA
+A0EAK5moCH39eLLn98pBzSm3MXrHpLtOWuu2p696fg/ZjiUmRSdHK3yoRONxMHLJ
+1nL9cAjWPantqCm5eoyhj7V7gg==
+-----END CERTIFICATE-----`
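Review bot: The new doc comment on moduleSigningKey says only that the key is constant for reproducible builds, but the more important fact is that the private key and its certificate are committed to source, so CONFIG_MODULE_SIG verification in any kernel built with it cannot tell the project's own modules from anyone else's. I'd replace the comment with `// moduleSigningKey is a fixed, publicly known module signing key used so that builds are reproducible. Because the private key lives in this repository, module signature verification in kernels built with it provides no security; never reuse it for kernels that must enforce module signing.` The constant is top-level and complete within the hunk.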
