From mboxrd@z Thu Jan  1 00:00:00 1970
X-GM-THRID: 7128378901610364928
X-Received: by 2002:a0d:e891:0:b0:324:6930:c476 with SMTP id r139-20020a0de891000000b003246930c476mr5657182ywe.25.1659705062429;
        Fri, 05 Aug 2022 06:11:02 -0700 (PDT)
X-BeenThere: isar-users@googlegroups.com
Received: by 2002:a0d:cc58:0:b0:31f:5f79:d04d with SMTP id o85-20020a0dcc58000000b0031f5f79d04dls2116001ywd.11.-pod-prod-gmail;
 Fri, 05 Aug 2022 06:11:01 -0700 (PDT)
X-Google-Smtp-Source: AA6agR6gVMWbxinBUPcwa40LCniEIH6nbyFM6LO3EsA30/TiXemQXIDcEGPw8CUwxySQSdq1ENZ6
X-Received: by 2002:a0d:fe07:0:b0:31f:cc5:8ef4 with SMTP id o7-20020a0dfe07000000b0031f0cc58ef4mr5812721ywf.243.1659705061807;
        Fri, 05 Aug 2022 06:11:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1659705061; cv=none;
        d=google.com; s=arc-20160816;
        b=h/gswDZz6Nq6bge2OG79+R0eoZlyfWqHrKzZs5uvuMsE14cg3GQLyfhMdQMfDX7akj
         rU5dF6sI+6rwIbNbjay3znA7d/dAq7XgMlzKHvk7a4tV8kuymIiAmtl7Vd15cPtPVwsH
         MNxrz0aHCm3rZSQo2SP2G0By4MK9LuopH7+cFcbv7hR4Aha3QKX7A9lI4FUKUd63Egkz
         gR6FyXXcp/axPJg+M5kLKtG9WoTQ+wvegexuHMmT0u1Z0qQyDXLIYdA13QwbxeZpnD1h
         D7673g/Zef+Ug2YI4QyIMMnhIWQZ5/rR//gaJlQgOPXchqYZpoRRsi5ySfQxZTnsxI+o
         QsuQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=references:in-reply-to:message-id:date:subject:cc:to:from;
        bh=wcdUSizdGmGpHt6N8FZva4xHHI31LCwvj/upbbqxM14=;
        b=f6aQFmopwuiSNhlK+65RmgC+YEPvX7Un/bLbRJBDDtfl0BIwJCjB+atBy8HsZzWynE
         rfqYQcLK1vIuNADP3eevVU0+ARUUnMC3k/RtG3jPmII+YuE+ugJrDWssB94CuVZ9KFBM
         k0h0wumMFpgzyzixO9ndcNc3+W+2c5NzoPza+hn/m5wqQHyF2RMHySPv2lK+MSMDrvhu
         ZJx2VuT7/xddeCK9++KTR1jqqjLaI4gIXiVtFTddPAL4k1bJSfmYn/4DGrkdAnphVkOk
         kbEDs7mBI4heGBZqUE2araARw5h30AEvH52QYnXOElZlAGYRym7l3I8Q/9X9x1UVjRia
         gDEg==
ARC-Authentication-Results: i=1; gmr-mx.google.com;
       spf=pass (google.com: domain of amikan@ilbers.de designates 85.214.156.166 as permitted sender) smtp.mailfrom=amikan@ilbers.de
Return-Path: <amikan@ilbers.de>
Received: from shymkent.ilbers.de (shymkent.ilbers.de. [85.214.156.166])
        by gmr-mx.google.com with ESMTPS id bp18-20020a05690c069200b00321c294b616si241582ywb.2.2022.08.05.06.11.01
        for <isar-users@googlegroups.com>
        (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256);
        Fri, 05 Aug 2022 06:11:01 -0700 (PDT)
Received-SPF: pass (google.com: domain of amikan@ilbers.de designates 85.214.156.166 as permitted sender) client-ip=85.214.156.166;
Authentication-Results: gmr-mx.google.com;
       spf=pass (google.com: domain of amikan@ilbers.de designates 85.214.156.166 as permitted sender) smtp.mailfrom=amikan@ilbers.de
Received: from alena-nb.promwad.com (mm-183-76-214-37.mgts.dynamic.pppoe.byfly.by [37.214.76.183] (may be forged))
	(authenticated bits=0)
	by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPSA id 275DAhHu009685
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Fri, 5 Aug 2022 15:10:57 +0200
From: Anton Mikanovich <amikan@ilbers.de>
To: isar-users@googlegroups.com
Cc: Anton Mikanovich <amikan@ilbers.de>
Subject: [PATCH v4 10/21] meta: mark network and sudo tasks
Date: Fri,  5 Aug 2022 16:10:24 +0300
Message-Id: <20220805131035.22844-11-amikan@ilbers.de>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20220805131035.22844-1-amikan@ilbers.de>
References: <20220805131035.22844-1-amikan@ilbers.de>
X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED
	autolearn=unavailable autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de
X-TUID: WG5csFGxWrBB

Network access from tasks is now disabled by default. This means that
tasks accessing the network need to be marked as such with the network
flag.

The same marking is also required for the tasks used sudo.

Signed-off-by: Anton Mikanovich <amikan@ilbers.de>
---
 meta/classes/base.bbclass                           | 1 +
 meta/classes/dpkg-base.bbclass                      | 5 +++++
 meta/classes/image-locales-extension.bbclass        | 2 ++
 meta/classes/image-tools-extension.bbclass          | 1 +
 meta/classes/image.bbclass                          | 4 ++++
 meta/classes/imagetypes_container.bbclass           | 1 +
 meta/classes/imagetypes_wic.bbclass                 | 1 +
 meta/classes/rootfs.bbclass                         | 5 +++++
 meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 2 ++
 9 files changed, 22 insertions(+)

diff --git a/meta/classes/base.bbclass b/meta/classes/base.bbclass
index 17dfeab..07277e2 100644
--- a/meta/classes/base.bbclass
+++ b/meta/classes/base.bbclass
@@ -181,6 +181,7 @@ def isar_export_ccache(d):
 do_fetch[dirs] = "${DL_DIR}"
 do_fetch[file-checksums] = "${@bb.fetch.get_checksum_file_list(d)}"
 do_fetch[vardeps] += "SRCREV"
+do_fetch[network] = "1"
 
 # Fetch package from the source link
 python do_fetch() {
diff --git a/meta/classes/dpkg-base.bbclass b/meta/classes/dpkg-base.bbclass
index 64f0c26..8158fd0 100644
--- a/meta/classes/dpkg-base.bbclass
+++ b/meta/classes/dpkg-base.bbclass
@@ -122,6 +122,7 @@ do_apt_fetch() {
 
 addtask apt_fetch
 do_apt_fetch[lockfiles] += "${REPO_ISAR_DIR}/isar.lock"
+do_apt_fetch[network] = "1"
 
 # Add dependency from the correct buildchroot: host or target
 do_apt_fetch[depends] += "${BUILDCHROOT_DEP}"
@@ -129,6 +130,7 @@ do_apt_fetch[depends] += "${BUILDCHROOT_DEP}"
 # Add dependency from the correct schroot: host or target
 do_apt_fetch[depends] += "${SCHROOT_DEP}"
 
+do_apt_unpack[network] = "1"
 do_apt_unpack() {
     rm -rf ${S}
     schroot_create_configs
@@ -242,6 +244,7 @@ def isar_export_build_settings(d):
     os.environ['DEB_BUILD_OPTIONS']  = isar_deb_build_options(d)
     os.environ['DEB_BUILD_PROFILES'] = isar_deb_build_profiles(d)
 
+do_dpkg_build[network] = "1"
 python do_dpkg_build() {
     bb.build.exec_func('schroot_create_configs', d)
     try:
@@ -336,6 +339,7 @@ addtask devshell after do_prepare_build
 DEVSHELL_STARTDIR ?= "${S}"
 do_devshell[dirs] = "${DEVSHELL_STARTDIR}"
 do_devshell[nostamp] = "1"
+do_devshell[network] = "1"
 
 python do_devshell_nodeps() {
     bb.build.exec_func('do_devshell', d)
@@ -346,3 +350,4 @@ python do_devshell_nodeps() {
 addtask devshell_nodeps after do_prepare_build
 do_devshell_nodeps[dirs] = "${DEVSHELL_STARTDIR}"
 do_devshell_nodeps[nostamp] = "1"
+do_devshell_nodeps[network] = "1"
diff --git a/meta/classes/image-locales-extension.bbclass b/meta/classes/image-locales-extension.bbclass
index 25af540..e4f41a6 100644
--- a/meta/classes/image-locales-extension.bbclass
+++ b/meta/classes/image-locales-extension.bbclass
@@ -27,6 +27,7 @@ def get_nopurge(d):
 
 ROOTFS_INSTALL_COMMAND_BEFORE_EXPORT += "image_install_localepurge_download"
 image_install_localepurge_download[weight] = "40"
+image_install_localepurge_download[network] = "1"
 image_install_localepurge_download() {
     sudo -E chroot '${ROOTFSDIR}' \
         /usr/bin/apt-get ${ROOTFS_APT_ARGS} --download-only localepurge
@@ -34,6 +35,7 @@ image_install_localepurge_download() {
 
 ROOTFS_INSTALL_COMMAND += "image_install_localepurge_install"
 image_install_localepurge_install[weight] = "700"
+image_install_localepurge_install[network] = "1"
 image_install_localepurge_install() {
 
     # Generate locale and localepurge configuration:
diff --git a/meta/classes/image-tools-extension.bbclass b/meta/classes/image-tools-extension.bbclass
index b996813..c979c3c 100644
--- a/meta/classes/image-tools-extension.bbclass
+++ b/meta/classes/image-tools-extension.bbclass
@@ -17,6 +17,7 @@ DEPENDS += "${IMAGER_BUILD_DEPS}"
 do_install_imager_deps[depends] = "${BUILDCHROOT_DEP} isar-apt:do_cache_config"
 do_install_imager_deps[deptask] = "do_deploy_deb"
 do_install_imager_deps[lockfiles] += "${REPO_ISAR_DIR}/isar.lock"
+do_install_imager_deps[network] = "1"
 do_install_imager_deps() {
     if [ -z "${@d.getVar("IMAGER_INSTALL", True).strip()}" ]; then
         exit
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index 0688b02..59921c9 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -291,6 +291,7 @@ python() {
         task = 'do_image_%s' % bt_clean
         d.setVar(task, '\n'.join(cmds))
         d.setVarFlag(task, 'func', '1')
+        d.setVarFlag(task, 'network', '1')
         d.appendVarFlag(task, 'prefuncs', ' set_image_size')
         d.appendVarFlag(task, 'vardeps', ' ' + ' '.join(vardeps))
         d.appendVarFlag(task, 'vardepsexclude', ' ' + ' '.join(vardepsexclude))
@@ -345,6 +346,7 @@ DTB_IMG = "${PP_DEPLOY}/${@(d.getVar('DTB_FILES').split() or [''])[0]}"
 
 do_copy_boot_files[dirs] = "${DEPLOY_DIR_IMAGE}"
 do_copy_boot_files[lockfiles] += "${DEPLOY_DIR_IMAGE}/isar.lock"
+do_copy_boot_files[network] = "1"
 do_copy_boot_files() {
     kernel="$(realpath -q '${IMAGE_ROOTFS}'/vmlinu[xz])"
     if [ ! -f "$kernel" ]; then
@@ -393,6 +395,7 @@ python do_deploy() {
 }
 addtask deploy before do_build after do_image
 
+do_rootfs_finalize[network] = "1"
 do_rootfs_finalize() {
     sudo -s <<'EOSUDO'
         set -e
@@ -436,6 +439,7 @@ addtask rootfs_finalize before do_rootfs after do_rootfs_postprocess
 
 ROOTFS_QA_FIND_ARGS ?= ""
 
+do_rootfs_quality_check[network] = "1"
 do_rootfs_quality_check() {
     rootfs_install_stamp=$( ls -1 "${STAMP}".do_rootfs_install* | head -1 )
     test -f "$rootfs_install_stamp"
diff --git a/meta/classes/imagetypes_container.bbclass b/meta/classes/imagetypes_container.bbclass
index 436a005..ba09beb 100644
--- a/meta/classes/imagetypes_container.bbclass
+++ b/meta/classes/imagetypes_container.bbclass
@@ -19,6 +19,7 @@ python() {
         t_clean = t.replace('-', '_').replace('.', '_')
         d.setVar('IMAGE_CMD_' + t_clean, 'convert_container %s "${CONTAINER_IMAGE_NAME}" "${IMAGE_FILE_HOST}"' % t)
         d.setVar('IMAGE_FULLNAME_' + t_clean, '${PN}-${DISTRO}-${DISTRO_ARCH}')
+        d.appendVarFlag('do_containerize', 'network', '1')
         bb.build.addtask('containerize', 'do_image_' + t_clean, 'do_image_tools', d)
 }
 
diff --git a/meta/classes/imagetypes_wic.bbclass b/meta/classes/imagetypes_wic.bbclass
index 61a74d4..dd2268f 100644
--- a/meta/classes/imagetypes_wic.bbclass
+++ b/meta/classes/imagetypes_wic.bbclass
@@ -133,6 +133,7 @@ python do_rootfs_wicenv () {
 addtask do_rootfs_wicenv after do_rootfs before do_image_wic
 do_rootfs_wicenv[vardeps] += "${WICVARS}"
 do_rootfs_wicenv[prefuncs] = 'set_image_size'
+do_rootfs_wicenv[network] = "1"
 
 check_for_wic_warnings() {
     WARN="$(grep -e '^WARNING' ${T}/log.do_image_wic || true)"
diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass
index bbb5ac0..cd827bd 100644
--- a/meta/classes/rootfs.bbclass
+++ b/meta/classes/rootfs.bbclass
@@ -118,6 +118,7 @@ EOSUDO
 ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_update"
 rootfs_install_pkgs_update[weight] = "5"
 rootfs_install_pkgs_update[isar-apt-lock] = "acquire-before"
+rootfs_install_pkgs_update[network] = "1"
 rootfs_install_pkgs_update() {
     sudo -E chroot '${ROOTFSDIR}' /usr/bin/apt-get update \
         -o Dir::Etc::SourceList="sources.list.d/isar-apt.list" \
@@ -143,6 +144,7 @@ rootfs_import_package_cache() {
 ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_download"
 rootfs_install_pkgs_download[weight] = "600"
 rootfs_install_pkgs_download[isar-apt-lock] = "release-after"
+rootfs_install_pkgs_download[network] = "1"
 rootfs_install_pkgs_download() {
     sudo -E chroot '${ROOTFSDIR}' \
         /usr/bin/apt-get ${ROOTFS_APT_ARGS} --download-only ${ROOTFS_PACKAGES}
@@ -166,6 +168,7 @@ rootfs_install_clean_files() {
 
 ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_install"
 rootfs_install_pkgs_install[weight] = "8000"
+rootfs_install_pkgs_install[network] = "1"
 rootfs_install_pkgs_install() {
     sudo -E chroot "${ROOTFSDIR}" \
         /usr/bin/apt-get ${ROOTFS_APT_ARGS} ${ROOTFS_PACKAGES}
@@ -176,6 +179,7 @@ do_rootfs_install[vardeps] += "${ROOTFS_CONFIGURE_COMMAND} ${ROOTFS_INSTALL_COMM
 do_rootfs_install[vardepsexclude] += "IMAGE_ROOTFS"
 do_rootfs_install[depends] = "isar-bootstrap-${@'target' if d.getVar('ROOTFS_ARCH') == d.getVar('DISTRO_ARCH') else 'host'}:do_build"
 do_rootfs_install[recrdeptask] = "do_deploy_deb"
+do_rootfs_install[network] = "1"
 python do_rootfs_install() {
     configure_cmds = (d.getVar("ROOTFS_CONFIGURE_COMMAND", True) or "").split()
     install_cmds = (d.getVar("ROOTFS_INSTALL_COMMAND", True) or "").split()
@@ -268,6 +272,7 @@ rootfs_export_dpkg_status() {
 }
 
 do_rootfs_postprocess[vardeps] = "${ROOTFS_POSTPROCESS_COMMAND}"
+do_rootfs_postprocess[network] = "1"
 python do_rootfs_postprocess() {
     # Take care that its correctly mounted:
     bb.build.exec_func('rootfs_do_mounts', d)
diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
index 604cd24..e8831b0 100644
--- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
+++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
@@ -222,6 +222,7 @@ DISTRO_BOOTSTRAP_KEYRING = "${WORKDIR}/distro-keyring.gpg"
 do_generate_keyrings[cleandirs] = "${APT_KEYS_DIR}"
 do_generate_keyrings[dirs] = "${DL_DIR}"
 do_generate_keyrings[vardeps] += "DISTRO_BOOTSTRAP_KEYS THIRD_PARTY_APT_KEYS"
+do_generate_keyrings[network] = "1"
 do_generate_keyrings() {
     if [ -n "${@d.getVar("THIRD_PARTY_APT_KEYFILES", True) or ""}" ]; then
         chmod 777 "${APT_KEYS_DIR}"
@@ -277,6 +278,7 @@ do_bootstrap[vardeps] += " \
     "
 do_bootstrap[dirs] = "${DEPLOY_DIR_BOOTSTRAP}"
 do_bootstrap[depends] = "base-apt:do_cache isar-apt:do_cache_config"
+do_bootstrap[network] = "1"
 
 do_bootstrap() {
     if [ "${ISAR_ENABLE_COMPAT_ARCH}" = "1" ]; then
-- 
2.17.1