@@ -13,6 +13,24 @@ use composefs::{fsverity::FsVerityHashValue, repository::Repository, tree::FileS
1313
1414use crate :: bootloader:: { get_boot_resources, BootEntry } ;
1515
16+ /// These directories are required to exist in images.
17+ /// They may have content in the container, but we don't
18+ /// want to expose them in the final merged root.
19+ ///
20+ /// # /boot
21+ ///
22+ /// This is how sealed UKIs are handled; the UKI in /boot has the composefs
23+ /// digest, so we can't include it in the rendered image.
24+ ///
25+ /// # /sysroot
26+ ///
27+ /// See https://github.com/containers/composefs-rs/issues/164
28+ /// Basically there is only content here in ostree-container cases,
29+ /// and us traversing there for SELinux labeling will cause problems.
30+ /// The ostree-container code special cases it in a different way, but
31+ /// here we can just ignore it.
32+ const REQUIRED_TOPLEVEL_TO_EMPTY_DIRS : & [ & str ] = & [ "boot" , "sysroot" ] ;
33+
1634pub trait BootOps < ObjectID : FsVerityHashValue > {
1735 fn transform_for_boot (
1836 & mut self ,
@@ -26,9 +44,11 @@ impl<ObjectID: FsVerityHashValue> BootOps<ObjectID> for FileSystem<ObjectID> {
2644 repo : & Repository < ObjectID > ,
2745 ) -> Result < Vec < BootEntry < ObjectID > > > {
2846 let boot_entries = get_boot_resources ( self , repo) ?;
29- let boot = self . root . get_directory_mut ( "boot" . as_ref ( ) ) ?;
30- boot. stat . st_mtim_sec = 0 ;
31- boot. clear ( ) ;
47+ for d in REQUIRED_TOPLEVEL_TO_EMPTY_DIRS {
48+ let d = self . root . get_directory_mut ( d. as_ref ( ) ) ?;
49+ d. stat . st_mtim_sec = 0 ;
50+ d. clear ( ) ;
51+ }
3252
3353 selabel:: selabel ( self , repo) ?;
3454
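Review bot: The loop at new lines 47–50 makes `/sysroot` a hard requirement of every image, because `get_directory_mut(..)?` on a missing entry now aborts `transform_for_boot` where the old code only required `/boot`; an image that never carried a top-level `sysroot` (non-ostree content) will start failing at this point. If that tightening is intended, the failure should at least name the directory and the reason, since the error coming out of `get_directory_mut` is unlikely to say why the directory was needed: assuming `Result` here is anyhow's, `let d = self.root.get_directory_mut(d.as_ref()).with_context(|| format!("required top-level directory /{d} missing from image"))?;`, otherwise a short comment above the loop stating that it is expected to fail on images lacking either directory. It is also worth a one-line comment above the loop that the clearing must stay ahead of `selabel::selabel(self, repo)?` on line 53, because the `/sysroot` rationale in the constant's doc is precisely that labeling must not traverse it, and nothing in the code currently pins that ordering. `transform_for_boot` begins in the earlier hunk and its body continues past this one.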