bootloader: Mount the ESP with restricted fmask+dmask

This avoids warnings from `bootctl install` for good reasons.
Visible from `bootc install` using systemd-boot.

Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters

crates/lib/src/bootc_composefs/boot.rs

@@ -25,7 +25,7 @@ use ostree_ext::composefs_boot::{
     os_release::OsReleaseInfo, uki,
 };
 use ostree_ext::composefs_oci::image::create_filesystem as create_composefs_filesystem;
-use rustix::path::Arg;
+use rustix::{mount::MountFlags, path::Arg};
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 
@@ -155,6 +155,12 @@ pub fn get_esp_partition(device: &str) -> Result<(String, Option<String>)> {
     Ok((esp.node.clone(), esp.uuid.clone()))
 }
 
+/// Mount the ESP from the provided device
+pub fn mount_esp(device: &str) -> Result<TempMount> {
+    let flags = MountFlags::NOEXEC | MountFlags::NOSUID;
+    TempMount::mount_dev(device, "vfat", flags, Some(c"fmask=0177,dmask=0077"))
+}
+
 pub fn get_sysroot_parent_dev() -> Result<String> {
     let sysroot = Utf8PathBuf::from("/sysroot");
 
@@ -418,7 +424,7 @@ pub(crate) fn setup_composefs_bls_boot(
         ),
 
         Bootloader::Systemd => {
-            let efi_mount = TempMount::mount_dev(&esp_device).context("Mounting ESP")?;
+            let efi_mount = mount_esp(&esp_device).context("Mounting ESP")?;
 
             let mounted_efi = Utf8PathBuf::from(efi_mount.dir.path().as_str()?);
             let efi_linux_dir = mounted_efi.join(EFI_LINUX);
@@ -857,7 +863,7 @@ pub(crate) fn setup_composefs_uki_boot(
         }
     };
 
-    let esp_mount = TempMount::mount_dev(&esp_device).context("Mounting ESP")?;
+    let esp_mount = mount_esp(&esp_device).context("Mounting ESP")?;
 
     let mut boot_label = String::new();
 

crates/lib/src/bootc_composefs/finalize.rs

@@ -1,6 +1,8 @@
 use std::path::Path;
 
-use crate::bootc_composefs::boot::{get_esp_partition, get_sysroot_parent_dev, BootType};
+use crate::bootc_composefs::boot::{
+    get_esp_partition, get_sysroot_parent_dev, mount_esp, BootType,
+};
 use crate::bootc_composefs::rollback::{rename_exchange_bls_entries, rename_exchange_user_cfg};
 use crate::spec::Bootloader;
 use crate::{
@@ -85,7 +87,7 @@ pub(crate) async fn composefs_backend_finalize() -> Result<()> {
     // NOTE: Assumption here that ESP will always be present
     let (esp_part, ..) = get_esp_partition(&sysroot_parent)?;
 
-    let esp_mount = TempMount::mount_dev(&esp_part)?;
+    let esp_mount = mount_esp(&esp_part)?;
     let boot_dir = Dir::open_ambient_dir("/sysroot/boot", ambient_authority())
         .context("Opening sysroot/boot")?;
 

crates/lib/src/bootc_composefs/status.rs

@@ -2,11 +2,10 @@ use std::{io::Read, sync::OnceLock};
 
 use anyhow::{Context, Result};
 use bootc_kernel_cmdline::utf8::Cmdline;
-use bootc_mount::tempmount::TempMount;
 use fn_error_context::context;
 
 use crate::{
-    bootc_composefs::boot::{get_esp_partition, get_sysroot_parent_dev, BootType},
+    bootc_composefs::boot::{get_esp_partition, get_sysroot_parent_dev, mount_esp, BootType},
     composefs_consts::{COMPOSEFS_CMDLINE, TYPE1_ENT_PATH, USER_CFG},
     parsers::{
         bls_config::{parse_bls_config, BLSConfig, BLSConfigType},
@@ -349,7 +348,7 @@ pub(crate) async fn composefs_deployment_status() -> Result<Host> {
             let parent = get_sysroot_parent_dev()?;
             let (esp_part, ..) = get_esp_partition(&parent)?;
 
-            let esp_mount = TempMount::mount_dev(&esp_part)?;
+            let esp_mount = mount_esp(&esp_part)?;
 
             let dir = esp_mount.fd.try_clone().context("Cloning fd")?;
             let guard = Some(esp_mount);

crates/lib/src/bootloader.rs

@@ -9,8 +9,7 @@ use bootc_blockdev::{Partition, PartitionTable};
 use bootc_mount as mount;
 
 #[cfg(any(feature = "composefs-backend", feature = "install-to-disk"))]
-use bootc_mount::tempmount::TempMount;
-
+use crate::bootc_composefs::boot::mount_esp;
 use crate::utils;
 
 /// The name of the mountpoint for efi (as a subdirectory of /boot, or at the toplevel)
@@ -90,7 +89,7 @@ pub(crate) fn install_systemd_boot(
         .find(|p| p.parttype.as_str() == ESP_GUID)
         .ok_or_else(|| anyhow::anyhow!("ESP partition not found"))?;
 
-    let esp_mount = TempMount::mount_dev(&esp_part.node).context("Mounting ESP")?;
+    let esp_mount = mount_esp(&esp_part.node).context("Mounting ESP")?;
     let esp_path = Utf8Path::from_path(esp_mount.dir.path())
         .ok_or_else(|| anyhow::anyhow!("Failed to convert ESP mount path to UTF-8"))?;
 

crates/mount/src/tempmount.rs

@@ -5,7 +5,7 @@ use anyhow::{Context, Result};
 use camino::Utf8Path;
 use cap_std_ext::cap_std::{ambient_authority, fs::Dir};
 use fn_error_context::context;
-use rustix::mount::{move_mount, unmount, MoveMountFlags, UnmountFlags};
+use rustix::mount::{move_mount, unmount, MountFlags, MoveMountFlags, UnmountFlags};
 
 pub struct TempMount {
     pub dir: tempfile::TempDir,
@@ -15,13 +15,18 @@ pub struct TempMount {
 impl TempMount {
     /// Mount device/partition on a tempdir which will be automatically unmounted on drop
     #[context("Mounting {dev}")]
-    pub fn mount_dev(dev: &str) -> Result<Self> {
+    pub fn mount_dev(
+        dev: &str,
+        fstype: &str,
+        flags: MountFlags,
+        data: Option<&std::ffi::CStr>,
+    ) -> Result<Self> {
         let tempdir = tempfile::TempDir::new()?;
 
         let utf8path = Utf8Path::from_path(tempdir.path())
             .ok_or(anyhow::anyhow!("Failed to convert path to UTF-8 Path"))?;
 
-        crate::mount(dev, utf8path)?;
+        rustix::mount::mount(dev, utf8path.as_std_path(), fstype, flags, data)?;
 
         let fd = Dir::open_ambient_dir(tempdir.path(), ambient_authority())
             .with_context(|| format!("Opening {:?}", tempdir.path()));