Content attribute can now override immutable bit

larsewi · larsewi · commit bdd19183a6d3 · 2025-04-01T17:55:22.000+02:00
The content attribute of the files promise can now override the immutable bit. Ticket: ENT-10961, CFE-1840 Changelog: Commit Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
diff --git a/cf-agent/verify_files.c b/cf-agent/verify_files.c
@@ -60,11 +60,12 @@
 #include <evalfunction.h>
 #include <changes_chroot.h>     /* PrepareChangesChroot(), RecordFileChangedInChroot() */
 #include <fsattrs.h>
+#include <override_fsattrs.h>
 
 static PromiseResult FindFilePromiserObjects(EvalContext *ctx, const Promise *pp);
 static PromiseResult VerifyFilePromise(EvalContext *ctx, char *path, const Promise *pp);
 static PromiseResult WriteContentFromString(EvalContext *ctx, const char *path, const Attributes *attr,
-                                            const Promise *pp);
+                                            const Promise *pp, bool override_immutable);
 
 /*****************************************************************************/
 
@@ -401,6 +402,11 @@ static PromiseResult VerifyFilePromise(EvalContext *ctx, char *path, const Promi
         }
     }
 
+    /* If we encounter any promises to mutate the file and the immutable
+     * attribute in body fsattrs is "true", we will override the immutable bit
+     * by temporarily clearing it when ever needed. */
+    const bool override_immutable = a.havefsattrs && a.fsattrs.haveimmutable && a.fsattrs.immutable && is_immutable;
+
     if (lstat(changes_path, &oslb) == -1)       /* Careful if the object is a link */
     {
         if ((a.create) || (a.touch))
@@ -610,7 +616,7 @@ static PromiseResult VerifyFilePromise(EvalContext *ctx, char *path, const Promi
         Log(LOG_LEVEL_VERBOSE, "Replacing '%s' with content '%s'",
             path, a.content);
 
-        PromiseResult render_result = WriteContentFromString(ctx, path, &a, pp);
+        PromiseResult render_result = WriteContentFromString(ctx, path, &a, pp, override_immutable);
         result = PromiseResultUpdate(result, render_result);
 
         goto exit;
@@ -759,7 +765,7 @@ static PromiseResult VerifyFilePromise(EvalContext *ctx, char *path, const Promi
 /*****************************************************************************/
 
 static PromiseResult WriteContentFromString(EvalContext *ctx, const char *path, const Attributes *attr,
-                                            const Promise *pp)
+                                            const Promise *pp, bool override_immutable)
 {
     assert(path != NULL);
     assert(attr != NULL);
@@ -794,30 +800,45 @@ static PromiseResult WriteContentFromString(EvalContext *ctx, const char *path,
             return result;
         }
 
-        FILE *f = safe_fopen(changes_path, "w");
+        char override_path[PATH_MAX];
+        if (!OverrideImmutableBegin(changes_path, override_path, sizeof(override_path), override_immutable))
+        {
+            RecordFailure(ctx, pp, attr, "Failed to override immutable bit on file '%s'", changes_path);
+            return PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
+        }
+
+        FILE *f = safe_fopen(override_path, "w");
         if (f == NULL)
         {
             RecordFailure(ctx, pp, attr, "Cannot open file '%s' for writing", path);
+            OverrideImmutableAbort(changes_path, override_path, override_immutable, true);
             return PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
         }
 
+        bool override_abort = false;
         Writer *w = FileWriter(f);
         if (WriterWriteLen(w, attr->content, bytes_to_write) == bytes_to_write )
         {
             RecordChange(ctx, pp, attr,
                          "Updated file '%s' with content '%s'",
                          path, attr->content);
-
             result = PromiseResultUpdate(result, PROMISE_RESULT_CHANGE);
         }
         else
         {
             RecordFailure(ctx, pp, attr,
                           "Failed to update file '%s' with content '%s'",
                           path, attr->content);
+            override_abort = true;
             result = PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
         }
         WriterClose(w);
+
+        if (!OverrideImmutableCommit(changes_path, override_path, override_immutable, override_abort))
+        {
+            RecordFailure(ctx, pp, attr, "Failed to override immutable bit on file '%s'", changes_path);
+            result = PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
+        }
     }
 
     return result;
