blivet: do not mount pre-existing partitions and do not detect OS there

This operation may be harmfull in many ways: - may unintentionally modify a disk not selected as installation target (mounting even read only replays journal for example) - if previous system was compromised, it may try to exploit some of the parsing code (filesystem driver etc) to survive across re-installation QubesOS/qubes-issues#2835
5 years ago · 12cc054a74
parent 1abde9cad3
commit 12cc054a74
2 changed files with 49 additions and 0 deletions
--- a/blivet/0001-Avoid-mounting-pre-existing-disks.patch
+++ b/blivet/0001-Avoid-mounting-pre-existing-disks.patch
@ -0,0 +1,47 @@
+From 1ce66b58907e229e21a0012a7a36ae93e9e32054 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
+ <marmarek@invisiblethingslab.com>
+Date: Tue, 22 Oct 2019 16:15:31 +0200
+Subject: [PATCH] Avoid mounting pre-existing disks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Organization: Invisible Things Lab
+Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+
+This operation may be harmfull in many ways:
+ - may unintentionally modify a disk not selected as installation target
+   (mounting even read only replays journal for example)
+ - if previous system was compromised, it may try to exploit some of the
+   parsing code (filesystem driver etc) to survive across
+   re-installation
+
+Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+---
+ blivet/osinstall.py | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/blivet/osinstall.py b/blivet/osinstall.py
+index 485e774c..f46388cd 100644
+--- a/blivet/osinstall.py
+++ b/blivet/osinstall.py
+@@ -211,14 +211,8 @@ def find_existing_installations(devicetree, teardown_all=True):
+     :rtype: list of :class:`Root`
+ 
+     """
+-    try:
+-        roots = _find_existing_installations(devicetree)
+-        return roots
+-    except Exception:  # pylint: disable=broad-except
+-        log_exception_info(log.info, "failure detecting existing installations")
+-    finally:
+-        if teardown_all:
+-            devicetree.teardown_all()
+    if teardown_all:
+        devicetree.teardown_all()
+ 
+     return []
+ 
+-- 
+2.20.1
+
--- a/blivet/python-blivet.spec
+++ b/blivet/python-blivet.spec
@ -23,6 +23,7 @@ Patch5: 0005-Use-local-backport-of-BlockDev-2.0-interface.patch

 # Qubes patches
 Patch100: 0001-Double-recommended-LVM-thin-pool-metadata-space.patch
+Patch101: 0001-Avoid-mounting-pre-existing-disks.patch

 # Versions of required components (done so we make sure the buildrequires
 # match the requires versions of things).
@ -80,6 +81,7 @@ configuration.
 %patch5 -p1

 %patch100 -p1
+%patch101 -p1

 rm -rf %{py3dir}
 cp -a . %{py3dir}