store: Use policy from merged tree with derived layers

I was initially worried this was going to slow things down but actually AFAICS because we are already setting a policy we end up rechecking the labels for all of the base image files anyways, even in the optimal path. So what's really happening here is we could likely speed up the non-derived case. But let's leave that as a TODO as we have much more important things. Signed-off-by: Colin Walters <walters@verbum.org>
ostreedev · Sep 30, 2024 · 438fc4a · 438fc4a
1 parent f243445
commit 438fc4a
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/lib/src/container/store.rs b/lib/src/container/store.rs
@@ -851,6 +851,7 @@ impl ImageImporter {
 
         let mut layer_commits = Vec::new();
         let mut layer_filtered_content: MetaFilteredData = HashMap::new();
+        let have_derived_layers = !import.layers.is_empty();
         for layer in import.layers {
             if let Some(c) = layer.commit {
                 tracing::debug!("Reusing fetched commit {}", c);
@@ -980,7 +981,19 @@ impl ImageImporter {
                 let modifier =
                     ostree::RepoCommitModifier::new(ostree::RepoCommitModifierFlags::CONSUME, None);
                 modifier.set_devino_cache(&devino);
-                modifier.set_sepolicy_from_commit(repo, &base_commit, cancellable)?;
+                // If we have derived layers, then we need to handle the case where
+                // the derived layers include custom policy. Just relabel everything
+                // in this case.
+                if have_derived_layers {
+                    let rootpath = td.open_dir(rootpath)?;
+                    let sepolicy = ostree::SePolicy::new_at(rootpath.as_raw_fd(), cancellable)?;
+                    tracing::debug!("labeling from merged tree");
+                    modifier.set_sepolicy(Some(&sepolicy));
+                } else {
+                    tracing::debug!("labeling from base tree");
+                    // TODO: We can likely drop this; we know all labels should be pre-computed.
+                    modifier.set_sepolicy_from_commit(repo, &base_commit, cancellable)?;
+                }
 
                 let mt = ostree::MutableTree::new();
                 repo.write_dfd_to_mtree(