security: add service to transfer certificates from initramfs

Resolves: INSTALLER-4030
rhinstaller · Dec 17, 2024 · 01f977f · 01f977f
1 parent 3a3bbdd
commit 01f977f
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 1 deletion.
diff --git a/data/systemd/Makefile.am b/data/systemd/Makefile.am
@@ -29,6 +29,7 @@ dist_systemd_DATA = anaconda.service \
                     anaconda-nm-config.service \
                     anaconda-nm-disable-autocons.service \
                     anaconda-nm-disable-autocons-rhel.service \
+                    anaconda-import-initramfs-certs.service \
                     anaconda-pre.service \
                     anaconda-s390-device-config-import.service \
                     anaconda-fips.service

diff --git a/data/systemd/anaconda-generator b/data/systemd/anaconda-generator
@@ -45,3 +45,4 @@ ln -sf "$systemd_dir/anaconda-nm-config.service" "$target_dir/anaconda-nm-config
 ln -sf "$systemd_dir/anaconda-nm-disable-autocons.service" "$target_dir/anaconda-nm-disable-autocons.service"
 ln -sf "$systemd_dir/anaconda-nm-disable-autocons-rhel.service" "$target_dir/anaconda-nm-disable-autocons-rhel.service"
 ln -sf "$systemd_dir/anaconda-pre.service" "$target_dir/anaconda-pre.service"
+ln -sf "$systemd_dir/anaconda-import-initramfs-certs.service" "$target_dir/anaconda-import-initramfs-certs.service"
diff --git a/data/systemd/anaconda-import-initramfs-certs.service b/data/systemd/anaconda-import-initramfs-certs.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Import of certificates added in initramfs stage of Anaconda via kickstart
+Before=NetworkManager.service
+Before=anaconda.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/anaconda/anaconda-import-initramfs-certs
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
@@ -17,7 +17,7 @@
 
 scriptsdir = $(libexecdir)/$(PACKAGE_NAME)
 dist_scripts_SCRIPTS = run-anaconda anaconda-pre-log-gen log-capture start-module apply-updates \
-                       run-in-new-session
+                       run-in-new-session anaconda-import-initramfs-certs
 
 dist_noinst_SCRIPTS  = makeupdates makebumpver
 

diff --git a/scripts/anaconda-import-initramfs-certs b/scripts/anaconda-import-initramfs-certs
@@ -0,0 +1,6 @@
+#! /bin/bash
+# Transfers CA certificates imported in initramfs via kickstart
+# to anaconda environment after switchroot.
+
+# certificates dumped to the specified file are copied to root
+cp -rv /run/install/certificates/path/* / || true