author | Qijiang Fan <fqj@chromium.org> | 2019-05-14 14:10:30 +0900 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2019-05-16 09:04:35 -0700 |
commit | e7db36856ce418552637d1981c173d22dfe5bf39 (patch) | |
tree | f5ae664135500b8d3402885e5b4ec763380940a5 /scripts | |
parent | 43f6cab881dc0ed52fe08e6c2c64239fde11996b (diff) | |
download | vboot-e7db36856ce418552637d1981c173d22dfe5bf39.tar.gz |
image_signing: set correct security.selinux attribute for lsb-release
When sed -i changes lsb-release, it recreates the file, and the new
file loses the security.selinux xattr.
We need to recover this extended attribute to make sure lsb-release
still has the correct label in signed images.
BRANCH=none
BUG=chromium:954670
TEST=../platform/vboot_reference/scripts/image_signing/set_channel.sh image.bin something
TEST=../platform/vboot_reference/scripts/image_signing/tag_image.sh --from image.bin --remove_test_label
TEST=../platform/vboot_reference/scripts/image_signing/remove_test_label.sh image.bin
TEST=getfattr -n security.selinux dir_3/etc/lsb-release after above each command
Change-Id: Icfb721a9b4b2ebb21c2cb0f14381ef1f61b928d7
Reviewed-on: https://chromium-review.googlesource.com/1610265
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Qijiang Fan <fqj@google.com>
Reviewed-by: Brian Norris <briannorris@chromium.org>
Reviewed-by: Kenny Root <kroot@google.com>
Reviewed-by: LaMont Jones <lamontjones@chromium.org>
Diffstat (limited to 'scripts')
-rw-r--r-- | scripts/image_signing/common.sh | 6 | ||||
-rwxr-xr-x | scripts/image_signing/remove_test_label.sh | 1 | ||||
-rwxr-xr-x | scripts/image_signing/set_channel.sh | 1 | ||||
-rwxr-xr-x | scripts/image_signing/tag_image.sh | 2 |
4 files changed, 10 insertions, 0 deletions
diff --git a/scripts/image_signing/common.sh b/scripts/image_signing/common.sh
index f2fedfa2..8f5aac04 100644
--- a/scripts/image_signing/common.sh
+++ b/scripts/image_signing/common.sh
@@ -145,6 +145,12 @@ get_boardvar_from_lsb_release() {
 get_board_from_lsb_release "$@" | sed 's:[-]:_:g'
 }
 
+# Usage: restore_lsb_selinux lsb-file
+# restore lsb-release security.selinux attribute
+restore_lsb_selinux() {
+ sudo setfattr -n security.selinux -v "u:object_r:cros_conf_file:s0" "$1"
+}
+
 # This will override the trap set in common_minmal.sh
 trap "cleanup" INT TERM EXIT
 
diff --git a/scripts/image_signing/remove_test_label.sh b/scripts/image_signing/remove_test_label.sh
index 2df7c02d..18a7978a 100755
--- a/scripts/image_signing/remove_test_label.sh
+++ b/scripts/image_signing/remove_test_label.sh
@@ -17,3 +17,4 @@ loopdev=$(loopback_partscan "${image}")
 rootfs=$(make_temp_dir)
 mount_loop_image_partition "${loopdev}" 3 "${rootfs}"
 sed -i 's/test//' "${rootfs}/etc/lsb-release"
+restore_lsb_selinux "${rootfs}/etc/lsb-release"
diff --git a/scripts/image_signing/set_channel.sh b/scripts/image_signing/set_channel.sh
index 0ab4ef16..dc212465 100755
--- a/scripts/image_signing/set_channel.sh
+++ b/scripts/image_signing/set_channel.sh
@@ -40,6 +40,7 @@ main() {
 sudo="sudo"
 fi
 ${sudo} sed -i "s/\b${from}\b/${to}/" "${lsb}" &&
+ restore_lsb_selinux "${lsb}" &&
 echo "Channel change successful."
 cat "${lsb}"
 }
diff --git a/scripts/image_signing/tag_image.sh b/scripts/image_signing/tag_image.sh
index b130fa19..8a010121 100755
--- a/scripts/image_signing/tag_image.sh
+++ b/scripts/image_signing/tag_image.sh
@@ -170,6 +170,7 @@ process_all_lsb_mods() {
 fi
 if [ ${do_modifications} = ${FLAGS_TRUE} ]; then
 ${sudo} sed -i 's/\btest\b//' "${lsb}" &&
+ restore_lsb_selinux "${lsb}" &&
 echo "Test Label removed from /etc/lsb-release"
 fi
 fi
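Review bot: `restore_lsb_selinux` in common.sh writes a fixed label, `u:object_r:cros_conf_file:s0`, rather than the label the file carried before the edit, so the signer will silently apply a stale type if the image's SELinux file contexts ever assign lsb-release a different one. Reading the value before the in-place edit, e.g. `label=$(sudo getfattr --only-values -n security.selinux "$1")`, and writing that back would keep the signing scripts independent of the policy. Failing that, the header comment should name the policy source this string mirrors and state that `sed -i` replaces the file, which is why the xattr is lost. The helper also calls `sudo` unconditionally, while the callers in set_channel.sh and tag_image.sh go through a `${sudo}` variable that appears to be set conditionally outside the hunks.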
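Review bot: In remove_test_label.sh the relabel is a separate statement after `sed -i`, so whether a failed `setfattr` stops the script depends on a `set -e` that is not visible in this hunk. Without it, the script would continue with an lsb-release that has no `security.selinux` attribute, which is the state this commit is meant to prevent. An explicit `restore_lsb_selinux "${rootfs}/etc/lsb-release" || exit 1` would make the failure fatal regardless of shell options.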
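Review bot: In set_channel.sh `main`, a failed relabel inside the `&&` chain only suppresses the "Channel change successful." message: `set -e` does not act on a non-final command of an `&&` list, and `main` then runs `cat "${lsb}"` and returns its status. The same pattern is in both tag_image.sh hunks, in `process_all_lsb_mods`, whose body starts and ends outside the hunks. An lsb-release without its label is a policy-relevant defect in a signed image, so the relabel deserves its own failure path: end the `sed` line with `|| return 1` instead of `&&` and follow it with `restore_lsb_selinux "${lsb}" || return 1`.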
@@ -180,6 +181,7 @@ process_all_lsb_mods() {
 fi
 if [ ${do_modifications} = ${FLAGS_TRUE} ]; then
 ${sudo} sed -i 's/\bdev\b/beta/' "${lsb}" &&
+ restore_lsb_selinux "${lsb}" &&
 echo "Dev Channel Label was changed to Beta"
 fi
 fi
|