Merge pull request #774 from delphix/dlpx/pr/dbshah12/9e835e91-a191-4…

…1cc-b237-cfeff309c57e DLPX-86532 & DLPX-86542 - CIS: /tmp filesystem and mount options & CIS: /var/tmp filesystem and mount options
delphix · Oct 21, 2024 · c602126 · c602126
2 parents 66448d9 + 86b3ecc
commit c602126
Show file tree

Hide file tree

Showing 2 changed files with 75 additions and 6 deletions.
diff --git a/live-build/config/hooks/vm-artifacts/90-raw-disk-image.binary b/live-build/config/hooks/vm-artifacts/90-raw-disk-image.binary
@@ -229,6 +229,14 @@ zfs create \
 	-o mountpoint=legacy \
 	"$FSNAME/ROOT/$FSNAME/log"
 
+zfs create \
+	-o mountpoint=legacy \
+	"$FSNAME/ROOT/$FSNAME/tmp"
+
+zfs create \
+	-o mountpoint=legacy \
+	"$FSNAME/ROOT/$FSNAME/vartmp"
+
 #
 # Initialize the grub dataset. This dataset will be used to contain all
 # of the grub-specific files; this includes the "grub.cfg" file, along
@@ -276,6 +284,12 @@ mount -t zfs "$FSNAME/ROOT/$FSNAME/data" "$DIRECTORY/var/delphix"
 mkdir -p "$DIRECTORY/var/log"
 mount -t zfs "$FSNAME/ROOT/$FSNAME/log" "$DIRECTORY/var/log"
 
+mkdir -p "$DIRECTORY/tmp"
+mount -t zfs "$FSNAME/ROOT/$FSNAME/tmp" "$DIRECTORY/tmp"
+
+mkdir -p "$DIRECTORY/var/tmp"
+mount -t zfs "$FSNAME/ROOT/$FSNAME/vartmp" "$DIRECTORY/var/tmp"
+
 mkdir -p "/var/crash"
 mount -t zfs "$FSNAME/crashdump" "/var/crash"
 
@@ -301,6 +315,8 @@ cat <<-EOF >"$DIRECTORY/etc/fstab"
 	rpool/ROOT/$FSNAME/home /export/home zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
 	rpool/ROOT/$FSNAME/data /var/delphix zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
 	rpool/ROOT/$FSNAME/log  /var/log     zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
+	rpool/ROOT/$FSNAME/tmp  /tmp     zfs defaults,nosuid,nodev,noexec,x-systemd.before=zfs-import-cache.service 0 0
+	rpool/ROOT/$FSNAME/vartmp  /var/tmp     zfs defaults,nosuid,nodev,noexec,x-systemd.before=zfs-import-cache.service 0 0
 	rpool/crashdump  /var/crash     zfs defaults,x-systemd.before=zfs-import-cache.service,x-systemd.before=kdump-tools.service 0 0
 EOF
 
@@ -342,6 +358,8 @@ done
 umount "$DIRECTORY/var/log"
 umount "$DIRECTORY/var/delphix"
 umount "$DIRECTORY/export/home"
+umount "$DIRECTORY/tmp"
+umount "$DIRECTORY/var/tmp"
 umount "/var/crash"
 retry 5 10 zfs umount "$FSNAME/ROOT/$FSNAME/root"
 retry 5 10 zpool export "$FSNAME"

diff --git a/upgrade/upgrade-scripts/upgrade-container b/upgrade/upgrade-scripts/upgrade-container
@@ -22,6 +22,16 @@ IMAGE_PATH=$(get_image_path)
 
 CONTAINER=
 
+TMP_DATASETS_EXIST=false
+
+# Verify whether both /tmp and /var/tmp ZFS datasets exist for the specified container.
+# If both datasets are present, the system is considered CIS compliant.
+# In such cases, handle the /tmp and /var/tmp mounts appropriately during the upgrade process.
+# To ensure this handling, set the TMP_DATASETS_EXIST variable to true.
+if zfs list "rpool/ROOT/$CONTAINER/tmp" >/dev/null 2>&1 && zfs list "rpool/ROOT/$CONTAINER/vartmp" >/dev/null 2>&1; then
+	TMP_DATASETS_EXIST=true
+fi
+
 function create_cleanup() {
 	#
 	# Upon successful creation of the container, don't perform any
@@ -216,6 +226,20 @@ function create_upgrade_container() {
 		"rpool/ROOT/$CONTAINER/log" ||
 		die "failed to create upgrade /var/log clone"
 
+	if $TMP_DATASETS_EXIST; then
+		zfs clone \
+			-o mountpoint=legacy \
+			"$ROOTFS_DATASET/tmp@$SNAPSHOT_NAME" \
+			"rpool/ROOT/$CONTAINER/tmp" ||
+			die "failed to create upgrade /tmp clone"
+
+		zfs clone \
+			-o mountpoint=legacy \
+			"$ROOTFS_DATASET/vartmp@$SNAPSHOT_NAME" \
+			"rpool/ROOT/$CONTAINER/vartmp" ||
+			die "failed to create upgrade /var/tmp clone"
+	fi
+
 	case "$type" in
 	not-in-place)
 		#
@@ -233,6 +257,13 @@ function create_upgrade_container() {
 		mount_upgrade_container_dataset \
 			"rpool/ROOT/$CONTAINER/log" "$DIRECTORY/var/log"
 
+		if $TMP_DATASETS_EXIST; then
+			mount_upgrade_container_dataset \
+				"rpool/ROOT/$CONTAINER/tmp" "$DIRECTORY/tmp"
+			mount_upgrade_container_dataset \
+				"rpool/ROOT/$CONTAINER/vartmp" "$DIRECTORY/var/tmp"
+		fi
+
 		#
 		# This function needs to return the container's name to
 		# stdout, so that consumers of this function/script can
@@ -285,6 +316,11 @@ function create_upgrade_container() {
 		unmount_upgrade_container_dataset "rpool/ROOT/$CONTAINER/log"
 		unmount_upgrade_container_dataset "rpool/ROOT/$CONTAINER/data"
 		unmount_upgrade_container_dataset "rpool/ROOT/$CONTAINER/home"
+
+		if $TMP_DATASETS_EXIST; then
+			unmount_upgrade_container_dataset "rpool/ROOT/$CONTAINER/tmp"
+			unmount_upgrade_container_dataset "rpool/ROOT/$CONTAINER/vartmp"
+		fi
 		;;
 	esac
 
@@ -299,9 +335,16 @@ function create_upgrade_container() {
 		rpool/ROOT/$CONTAINER/home /export/home zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
 		rpool/ROOT/$CONTAINER/data /var/delphix zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
 		rpool/ROOT/$CONTAINER/log  /var/log     zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
-		rpool/crashdump           /var/crash    zfs defaults,x-systemd.before=zfs-import-cache.service,x-systemd.before=kdump-tools.service 0 0
+		rpool/crashdump            /var/crash   zfs defaults,x-systemd.before=zfs-import-cache.service,x-systemd.before=kdump-tools.service 0 0
 	EOF
 
+	if $TMP_DATASETS_EXIST; then
+		cat <<-EOF >>"$DIRECTORY/etc/fstab"
+			         rpool/ROOT/$CONTAINER/tmp  /tmp         zfs defaults,nosuid,nodev,noexec,x-systemd.before=zfs-import-cache.service 0 0
+			         rpool/ROOT/$CONTAINER/vartmp  /var/tmp  zfs defaults,nosuid,nodev,noexec,x-systemd.before=zfs-import-cache.service 0 0
+		EOF
+	fi
+
 	#
 	# DLPX-75089 - Since older versions of Delphix did not properly
 	# disable the NFS services within the upgrade container, we have
@@ -473,7 +516,11 @@ function start() {
 		! zfs list "rpool/ROOT/$CONTAINER/root" &>/dev/null ||
 		! zfs list "rpool/ROOT/$CONTAINER/home" &>/dev/null ||
 		! zfs list "rpool/ROOT/$CONTAINER/data" &>/dev/null ||
-		! zfs list "rpool/ROOT/$CONTAINER/log" &>/dev/null; then
+		! zfs list "rpool/ROOT/$CONTAINER/log" &>/dev/null ||
+		($TMP_DATASETS_EXIST && {
+			! zfs list "rpool/ROOT/$CONTAINER/tmp" &>/dev/null ||
+				! zfs list "rpool/ROOT/$CONTAINER/vartmp" &>/dev/null
+		}); then
 		die "container '$CONTAINER' non-existent or mis-configured"
 	fi
 
@@ -566,10 +613,10 @@ function destroy() {
 		#
 		# In order to safely perform the recursive destroy below,
 		# we need to ensure the filesystems are unmounted in the
-		# correct order. Since the "log", "data", and "home"
-		# datasets are mounted inside the "root" dataset, we need
-		# to unmount these two datasets before attempting to
-		# unmount (and/or destroy) the "root" dataset.
+		# correct order. Since the "log", "data", "home", "tmp" and
+		# "vartmp" datasets are mounted inside the "root" dataset,
+		# we need to unmount these datasets before attempting
+		# to unmount (and/or destroy) the "root" dataset.
 		#
 		# Further, we don't check the return value of these
 		# commands for simplicity's sake. If these fail, it could
@@ -581,6 +628,10 @@ function destroy() {
 		umount "rpool/ROOT/$CONTAINER/log" &>/dev/null
 		umount "rpool/ROOT/$CONTAINER/data" &>/dev/null
 		umount "rpool/ROOT/$CONTAINER/home" &>/dev/null
+		if $TMP_DATASETS_EXIST; then
+			umount "rpool/ROOT/$CONTAINER/tmp" &>/dev/null
+			umount "rpool/ROOT/$CONTAINER/vartmp" &>/dev/null
+		fi
 		umount "rpool/ROOT/$CONTAINER/root" &>/dev/null
 
 		zfs destroy -r "rpool/ROOT/$CONTAINER" ||