Support stateroot and mount specs in install config file #1945
jbtrystram
commented
Jan 23, 2026
Support for configuring the stateroot name through the install configuration file under `[install.ostree]`. The CLI flag will override config file values, as for other options.

Partial fix for bootc-dev#1939

Assisted-by: Opencode (Claude Opus 4.5)
Signed-off-by: jbtrystram <jbtrystram@redhat.com>
Allow configuring the root and boot filesystem mount specs via the install configuration file under `[install]`. As for other options, CLI arguments take precedence. For the to-existing-root flow, mount specs from config are ignored.

Example configuration:

```
[install]
root-mount-spec = "LABEL=rootfs"
boot-mount-spec = "UUID=abcd-1234"
```

Fixes bootc-dev#1939

Assisted-by: Opencode (Claude Opus 4.5)
Signed-off-by: jbtrystram <jbtrystram@redhat.com>
Code Review
This pull request introduces support for configuring stateroot, root-mount-spec, and boot-mount-spec via the install configuration file. While the implementation correctly prioritizes CLI arguments, integrates new fields, and includes comprehensive tests and documentation, a critical security concern has been identified. The new configuration fields lack validation, which could lead to vulnerabilities like Path Traversal, Kernel Command Line Injection, and fstab Injection if a malicious container image is installed. Addressing this input validation is essential to prevent potential system compromise.
| .or_else(|| { | ||
| self.install_config | ||
| .as_ref() | ||
| .and_then(|c| c.stateroot.as_deref()) | ||
| }) |
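Review bot: the stateroot fallback here is written as an inline `.or_else(|| ...)` closure, whereas the root and boot mount specs below first bind the config value to a local (`let config_root_mount_spec = ...`) and then select with `.or(...)`; using the same shape for all three would make the CLI-over-config precedence rule easier to read and gives one obvious place to check the selected value before it is used as a path component.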
The stateroot value can now be supplied via the installation configuration file. This value is used to construct file system paths (e.g., ostree/deploy/{stateroot}) and is passed to libostree functions without validation. A malicious value containing path traversal sequences (e.g., ..) could be used to manipulate files outside the intended directory on the target system during installation. It is recommended to validate that the stateroot value is a simple alphanumeric string and does not contain path traversal sequences or directory separators.
| let config_root_mount_spec = state | ||
| .install_config | ||
| .as_ref() | ||
| .and_then(|c| c.root_mount_spec.as_ref()); | ||
| let root_info = if let Some(s) = fsopts.root_mount_spec.as_ref().or(config_root_mount_spec) { |
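Review bot: `fsopts.root_mount_spec.as_ref().or(config_root_mount_spec)` makes a config-file value indistinguishable from the CLI flag once selected, so any check on the value that ends up in the `root=` argument (for instance rejecting whitespace) should be applied to the selected value after the `.or(...)`, not only on the config path; otherwise the two sources are validated differently.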
The root_mount_spec value, which can now be supplied via the installation configuration file, is used to construct the root= kernel argument without proper validation. Because the kernel command line is a space-separated list of arguments, an attacker providing a malicious configuration file can include spaces in the root_mount_spec value to inject arbitrary additional kernel arguments (e.g., selinux=0, init=/bin/sh) into the target system. It is recommended to validate that the root_mount_spec value does not contain whitespace.
| let config_boot_mount_spec = state | ||
| .install_config | ||
| .as_ref() | ||
| .and_then(|c| c.boot_mount_spec.as_ref()); | ||
| let mut boot = if let Some(spec) = fsopts.boot_mount_spec.as_ref().or(config_boot_mount_spec) { |
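Review bot: the boot spec is selected with the same `.as_ref().or(config_boot_mount_spec)` pattern as the root spec above, and both values land in whitespace-separated formats (the kernel command line and the fstab line), so a single shared check on the selected spec would cover both call sites instead of two ad hoc ones.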
The boot_mount_spec value, which can now be supplied via the installation configuration file, is used to construct an entry in the target system's /etc/fstab file without validation. An attacker can include newlines or extra fields in this value to inject arbitrary entries or malicious mount options into the target system's fstab. It is recommended to validate that the boot_mount_spec value does not contain newlines or unexpected whitespace.
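The three review comments above each ask for the config-supplied value to be validated before it reaches a deployment path, the `root=` kernel argument or `/etc/fstab`. As an added example, not code from this PR or from bootc, here is one way to express those checks in one place; the `SpecError` type, the function names and the stateroot allowlist (ASCII alphanumerics, `-`, `_`) are assumptions.

```rust
/// Error for a rejected install-config value (assumed type, not bootc's).
#[derive(Debug, PartialEq, Eq)]
pub struct SpecError {
    pub field: &'static str,
    pub reason: &'static str,
}

/// The stateroot becomes a path component under ostree/deploy/, so it must be one
/// simple name: ASCII alphanumerics, '-' or '_' (this allowlist is an assumption).
pub fn validate_stateroot(value: &str) -> Result<(), SpecError> {
    let fail = |reason| Err(SpecError { field: "stateroot", reason });
    if value.is_empty() {
        return fail("must not be empty");
    }
    if value == "." || value.contains("..") || value.contains('/') || value.contains('\\') {
        return fail("must not contain path traversal sequences or directory separators");
    }
    if !value.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_') {
        return fail("must be a simple alphanumeric name");
    }
    Ok(())
}

/// A mount spec is spliced into the root= kernel argument (space-separated) and an
/// /etc/fstab line (whitespace-separated fields): any whitespace or control
/// character would let it spill into a new argument, field or line.
pub fn validate_mount_spec(field: &'static str, value: &str) -> Result<(), SpecError> {
    let fail = |reason| Err(SpecError { field, reason });
    if value.is_empty() {
        return fail("must not be empty");
    }
    if value.chars().any(|c| c.is_whitespace() || c.is_control()) {
        return fail("must not contain whitespace or control characters");
    }
    Ok(())
}

/// Check whichever values the config file supplied, at the point where the PR
/// falls back from the CLI flag to the config file.
pub fn validate_install_config(
    stateroot: Option<&str>, root: Option<&str>, boot: Option<&str>,
) -> Result<(), SpecError> {
    stateroot.map_or(Ok(()), validate_stateroot)?;
    root.map_or(Ok(()), |s| validate_mount_spec("root-mount-spec", s))?;
    boot.map_or(Ok(()), |s| validate_mount_spec("boot-mount-spec", s))?;
    Ok(())
}
```

Because the checks run on the selected value, they apply equally whether it came from the CLI flag or from the config file.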