From mboxrd@z Thu Jan 1 00:00:00 1970 X-GM-THRID: 7172560304523444224 X-Received: by 2002:a05:6a02:187:b0:46b:26a6:51bc with SMTP id bj7-20020a056a02018700b0046b26a651bcmr63132849pgb.204.1669991846458; Fri, 02 Dec 2022 06:37:26 -0800 (PST) X-BeenThere: isar-users@googlegroups.com Received: by 2002:a63:4714:0:b0:477:b431:6f80 with SMTP id u20-20020a634714000000b00477b4316f80ls2595103pga.5.-pod-prod-gmail; Fri, 02 Dec 2022 06:37:25 -0800 (PST) X-Google-Smtp-Source: AA0mqf5HuMh0tNTYXi7eZJTGmtYqPgPGNS45/SiSkBZZFrlH+pkPl7jU5WLrsrs9YLVAOnqInqo7 X-Received: by 2002:a63:1824:0:b0:46e:baf4:ab7a with SMTP id y36-20020a631824000000b0046ebaf4ab7amr66542621pgl.37.1669991845656; Fri, 02 Dec 2022 06:37:25 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1669991845; cv=none; d=google.com; s=arc-20160816; b=WILwxkRwmyDemTrHf1/M9tIYhia+ISkAkdqlrT/8g/f7WWtnBlqPyeDKOmEfByFqSe trSd6b0aKZ00DkCAsl1ttWFBKNKwECdjfG7p/Y4Ww1hx97MAnaILih6ez+83iiLuOhQZ 2Q1McC3Itj6A9xU3OL1xTo7HQr8eG0jFKcoS155MCoqVaugKi337NuJMx/MVMtIosehb 8Fq/MJJ2dB7UUPCXX0NojRZ8uwemvjJ4vqQGDtqZXYi3/1WcsYSDB5iqfW6IyWuh7mtN BLQBhcDMVtBgaC2lF77im8tjdnuXTW4oSvLa6u+aaNjnz58+sM+48eaiu5uZdgRBudlc 1EvA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=references:in-reply-to:message-id:date:subject:cc:to:from; bh=5I8fD45n1tM0dVVFfsjpNXpLhS4Umni9pc65Z7t3N2U=; b=RZ+ethQWO53iUXcafPRKsuu7Ya2pif4tc34OEZiUqFr+uDDKZ4crbd4ZqPMTnhF9YG Kka/xbYdy6V0XraDUTbo4WoHUWKXZMX97vuGgRmYhMUZT0uUO/Xp+6qlQAGHpEwFMi9r +7O2YyRa4Qdg2gxZIWR1BJjo/bwZ95KdF8OIhZ3mpiJwIX/Hsm0jc3IlyKGmHB7d9DWL HG8GsJYPRUiE+7wk7c1mqKv9dNbTohKlyA6JMoo0dZh4mIb/oaEWGPL59XJycO4qv+bC 7/rf0UeG9zh9hl/oM0AKSwDF2MG0xgTZRF8iSiWBy3aKBFOECTXoWMBgbTpFtSBplGmU ekLw== ARC-Authentication-Results: i=1; gmr-mx.google.com; spf=pass (google.com: domain of amikan@ilbers.de designates 85.214.156.166 as permitted sender) smtp.mailfrom=amikan@ilbers.de Return-Path: Received: from shymkent.ilbers.de (shymkent.ilbers.de. 
[85.214.156.166]) by gmr-mx.google.com with ESMTPS id q16-20020a170902dad000b00185499dcc29si374448plx.7.2022.12.02.06.37.25 for (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Fri, 02 Dec 2022 06:37:25 -0800 (PST) Received-SPF: pass (google.com: domain of amikan@ilbers.de designates 85.214.156.166 as permitted sender) client-ip=85.214.156.166; Authentication-Results: gmr-mx.google.com; spf=pass (google.com: domain of amikan@ilbers.de designates 85.214.156.166 as permitted sender) smtp.mailfrom=amikan@ilbers.de Received: from alena-nb.promwad.com (mm-69-83-214-37.mgts.dynamic.pppoe.byfly.by [37.214.83.69] (may be forged)) (authenticated bits=0) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPSA id 2B2Eb8EX015256 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 2 Dec 2022 15:37:23 +0100 From: Anton Mikanovich To: isar-users@googlegroups.com Cc: Anton Mikanovich Subject: [PATCH v5 10/21] meta: mark network and sudo tasks Date: Fri, 2 Dec 2022 17:36:50 +0300 Message-Id: <20221202143701.6665-11-amikan@ilbers.de> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20221202143701.6665-1-amikan@ilbers.de> References: <20221202143701.6665-1-amikan@ilbers.de> X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED autolearn=unavailable autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de X-TUID: XOp5CcbPKSaw Network access from tasks is now disabled by default. This means that tasks accessing the network need to be marked as such with the network flag. The same marking is also required for tasks that use sudo. 
Signed-off-by: Anton Mikanovich --- meta/classes/base.bbclass | 1 + meta/classes/dpkg-base.bbclass | 6 ++++++ meta/classes/image-locales-extension.bbclass | 2 ++ meta/classes/image-tools-extension.bbclass | 1 + meta/classes/image.bbclass | 4 ++++ meta/classes/imagetypes_container.bbclass | 1 + meta/classes/imagetypes_wic.bbclass | 1 + meta/classes/rootfs.bbclass | 5 +++++ meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 2 ++ 9 files changed, 23 insertions(+) diff --git a/meta/classes/base.bbclass b/meta/classes/base.bbclass index 8c874f31..109029b9 100644 --- a/meta/classes/base.bbclass +++ b/meta/classes/base.bbclass @@ -183,6 +183,7 @@ def isar_export_ccache(d): do_fetch[dirs] = "${DL_DIR}" do_fetch[file-checksums] = "${@bb.fetch.get_checksum_file_list(d)}" do_fetch[vardeps] += "SRCREV" +do_fetch[network] = "1" # Fetch package from the source link python do_fetch() { diff --git a/meta/classes/dpkg-base.bbclass b/meta/classes/dpkg-base.bbclass index e4f6711c..ed5abf70 100644 --- a/meta/classes/dpkg-base.bbclass +++ b/meta/classes/dpkg-base.bbclass @@ -122,6 +122,7 @@ do_apt_fetch() { addtask apt_fetch do_apt_fetch[lockfiles] += "${REPO_ISAR_DIR}/isar.lock" +do_apt_fetch[network] = "1" # Add dependency from the correct buildchroot: host or target do_apt_fetch[depends] += "${BUILDCHROOT_DEP}" @@ -129,6 +130,7 @@ do_apt_fetch[depends] += "${BUILDCHROOT_DEP}" # Add dependency from the correct schroot: host or target do_apt_fetch[depends] += "${SCHROOT_DEP}" +do_apt_unpack[network] = "1" do_apt_unpack() { rm -rf ${S} schroot_create_configs @@ -242,6 +244,7 @@ def isar_export_build_settings(d): os.environ['DEB_BUILD_OPTIONS'] = isar_deb_build_options(d) os.environ['DEB_BUILD_PROFILES'] = isar_deb_build_profiles(d) +do_dpkg_build[network] = "1" python do_dpkg_build() { bb.build.exec_func('schroot_create_configs', d) try: 
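Review bot: `do_dpkg_build[network] = "1"` (and `do_apt_unpack[network]` in the previous hunk) does not say whether the task needs downloads or only sudo, and the two cases carry different risk. With the flag set, the package build presumably runs outside BitBake's network isolation, so build scripts from the unpacked source could reach the network. I would add a one-line reason above each flag, for example `# network: sudo/schroot only, no downloads expected` or `# network: fetches build dependencies via apt`, so that the sudo-only cases can be tightened later. The same applies to `do_clean`, `do_devshell*`, `do_copy_boot_files`, `do_rootfs_finalize`, `do_rootfs_quality_check`, `do_rootfs_wicenv`, `do_rootfs_postprocess` and `do_generate_keyrings` in the later hunks. The body of `do_dpkg_build` continues outside the hunk.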
@@ -292,6 +295,7 @@ deb_clean() { } # the clean function modifies isar-apt do_clean[lockfiles] = "${REPO_ISAR_DIR}/isar.lock" +do_clean[network] = "1" do_deploy_deb() { deb_clean @@ -343,6 +347,7 @@ addtask devshell after do_prepare_build DEVSHELL_STARTDIR ?= "${S}" do_devshell[dirs] = "${DEVSHELL_STARTDIR}" do_devshell[nostamp] = "1" +do_devshell[network] = "1" python do_devshell_nodeps() { bb.build.exec_func('do_devshell', d) @@ -353,3 +358,4 @@ python do_devshell_nodeps() { addtask devshell_nodeps after do_prepare_build do_devshell_nodeps[dirs] = "${DEVSHELL_STARTDIR}" do_devshell_nodeps[nostamp] = "1" +do_devshell_nodeps[network] = "1" diff --git a/meta/classes/image-locales-extension.bbclass b/meta/classes/image-locales-extension.bbclass index 0932630f..d5f66ec2 100644 --- a/meta/classes/image-locales-extension.bbclass +++ b/meta/classes/image-locales-extension.bbclass @@ -27,6 +27,7 @@ def get_nopurge(d): ROOTFS_INSTALL_COMMAND_BEFORE_EXPORT += "image_install_localepurge_download" image_install_localepurge_download[weight] = "40" +image_install_localepurge_download[network] = "1" image_install_localepurge_download() { sudo -E chroot '${ROOTFSDIR}' \ /usr/bin/apt-get ${ROOTFS_APT_ARGS} --download-only localepurge @@ -34,6 +35,7 @@ image_install_localepurge_download() { ROOTFS_INSTALL_COMMAND += "image_install_localepurge_install" image_install_localepurge_install[weight] = "700" +image_install_localepurge_install[network] = "1" image_install_localepurge_install() { # Generate locale and localepurge configuration: diff --git a/meta/classes/image-tools-extension.bbclass b/meta/classes/image-tools-extension.bbclass index ecd4365b..aaf951c0 100644 --- a/meta/classes/image-tools-extension.bbclass +++ b/meta/classes/image-tools-extension.bbclass 
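Review bot: `image_install_localepurge_download[network] = "1"` is set on a function listed in `ROOTFS_INSTALL_COMMAND`, not on a task, and as far as I know BitBake evaluates the `network` flag only for the task being executed. If so, this line has no effect on its own and the access actually comes from `do_rootfs_install[network]`; the same holds for `image_install_localepurge_install[network]` in the next hunk and the three `rootfs_install_pkgs_*[network]` lines in rootfs.bbclass. That can mislead a reader into thinking the download and install steps are isolated separately. Either drop the per-function flags or add a comment such as `# informational: effective flag is do_rootfs_install[network]`.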
@@ -14,6 +14,7 @@ DEPENDS += "${IMAGER_BUILD_DEPS}" do_install_imager_deps[depends] = "${BUILDCHROOT_DEP} isar-apt:do_cache_config" do_install_imager_deps[deptask] = "do_deploy_deb" do_install_imager_deps[lockfiles] += "${REPO_ISAR_DIR}/isar.lock" +do_install_imager_deps[network] = "1" do_install_imager_deps() { if [ -z "${@d.getVar("IMAGER_INSTALL", True).strip()}" ]; then exit diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass index 813e1f34..e15b9f74 100644 --- a/meta/classes/image.bbclass +++ b/meta/classes/image.bbclass @@ -291,6 +291,7 @@ python() { task = 'do_image_%s' % bt_clean d.setVar(task, '\n'.join(cmds)) d.setVarFlag(task, 'func', '1') + d.setVarFlag(task, 'network', '1') d.appendVarFlag(task, 'prefuncs', ' set_image_size') d.appendVarFlag(task, 'vardeps', ' ' + ' '.join(vardeps)) d.appendVarFlag(task, 'vardepsexclude', ' ' + ' '.join(vardepsexclude)) @@ -345,6 +346,7 @@ DTB_IMG = "${PP_DEPLOY}/${@(d.getVar('DTB_FILES').split() or [''])[0]}" do_copy_boot_files[dirs] = "${DEPLOY_DIR_IMAGE}" do_copy_boot_files[lockfiles] += "${DEPLOY_DIR_IMAGE}/isar.lock" +do_copy_boot_files[network] = "1" do_copy_boot_files() { kernel="$(realpath -q '${IMAGE_ROOTFS}'/vmlinu[xz])" if [ ! -f "$kernel" ]; then @@ -393,6 +395,7 @@ python do_deploy() { } addtask deploy before do_build after do_image +do_rootfs_finalize[network] = "1" do_rootfs_finalize() { sudo -s <<'EOSUDO' set -e @@ -436,6 +439,7 @@ addtask rootfs_finalize before do_rootfs after do_rootfs_postprocess ROOTFS_QA_FIND_ARGS ?= "" +do_rootfs_quality_check[network] = "1" do_rootfs_quality_check() { rootfs_install_stamp=$( ls -1 "${STAMP}".do_rootfs_install* | head -1 ) test -f "$rootfs_install_stamp" diff --git a/meta/classes/imagetypes_container.bbclass b/meta/classes/imagetypes_container.bbclass index 436a0051..ba09bebf 100644 --- a/meta/classes/imagetypes_container.bbclass +++ b/meta/classes/imagetypes_container.bbclass 
@@ -19,6 +19,7 @@ python() { t_clean = t.replace('-', '_').replace('.', '_') d.setVar('IMAGE_CMD_' + t_clean, 'convert_container %s "${CONTAINER_IMAGE_NAME}" "${IMAGE_FILE_HOST}"' % t) d.setVar('IMAGE_FULLNAME_' + t_clean, '${PN}-${DISTRO}-${DISTRO_ARCH}') + d.appendVarFlag('do_containerize', 'network', '1') bb.build.addtask('containerize', 'do_image_' + t_clean, 'do_image_tools', d) } diff --git a/meta/classes/imagetypes_wic.bbclass b/meta/classes/imagetypes_wic.bbclass index 3869525b..cb4917a2 100644 --- a/meta/classes/imagetypes_wic.bbclass +++ b/meta/classes/imagetypes_wic.bbclass @@ -134,6 +134,7 @@ python do_rootfs_wicenv () { addtask do_rootfs_wicenv after do_rootfs before do_image_wic do_rootfs_wicenv[vardeps] += "${WICVARS}" do_rootfs_wicenv[prefuncs] = 'set_image_size' +do_rootfs_wicenv[network] = "1" check_for_wic_warnings() { WARN="$(grep -e '^WARNING' ${T}/log.do_image_wic || true)" diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass index d19ac037..53222db0 100644 --- a/meta/classes/rootfs.bbclass +++ b/meta/classes/rootfs.bbclass @@ -118,6 +118,7 @@ EOSUDO ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_update" rootfs_install_pkgs_update[weight] = "5" rootfs_install_pkgs_update[isar-apt-lock] = "acquire-before" +rootfs_install_pkgs_update[network] = "1" rootfs_install_pkgs_update() { sudo -E chroot '${ROOTFSDIR}' /usr/bin/apt-get update \ -o Dir::Etc::SourceList="sources.list.d/isar-apt.list" \ @@ -143,6 +144,7 @@ rootfs_import_package_cache() { ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_download" rootfs_install_pkgs_download[weight] = "600" rootfs_install_pkgs_download[isar-apt-lock] = "release-after" +rootfs_install_pkgs_download[network] = "1" rootfs_install_pkgs_download() { sudo -E chroot '${ROOTFSDIR}' \ /usr/bin/apt-get ${ROOTFS_APT_ARGS} --download-only ${ROOTFS_PACKAGES} 
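Review bot: `d.appendVarFlag('do_containerize', 'network', '1')` appends rather than sets, and the neighbouring lines use a per-type variable `t`, so this statement presumably runs once per container format and the flag value can become `11` or longer. image.bbclass uses `d.setVarFlag(task, 'network', '1')` for the same purpose; writing `d.setVarFlag('do_containerize', 'network', '1')` here keeps the value exact and does not depend on how the flag is compared. The loop header lies outside the hunk, so this should be confirmed against the full function.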
@@ -166,6 +168,7 @@ rootfs_install_clean_files() { ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_install" rootfs_install_pkgs_install[weight] = "8000" +rootfs_install_pkgs_install[network] = "1" rootfs_install_pkgs_install() { sudo -E chroot "${ROOTFSDIR}" \ /usr/bin/apt-get ${ROOTFS_APT_ARGS} ${ROOTFS_PACKAGES} @@ -176,6 +179,7 @@ do_rootfs_install[vardeps] += "${ROOTFS_CONFIGURE_COMMAND} ${ROOTFS_INSTALL_COMM do_rootfs_install[vardepsexclude] += "IMAGE_ROOTFS" do_rootfs_install[depends] = "isar-bootstrap-${@'target' if d.getVar('ROOTFS_ARCH') == d.getVar('DISTRO_ARCH') else 'host'}:do_build" do_rootfs_install[recrdeptask] = "do_deploy_deb" +do_rootfs_install[network] = "1" python do_rootfs_install() { configure_cmds = (d.getVar("ROOTFS_CONFIGURE_COMMAND", True) or "").split() install_cmds = (d.getVar("ROOTFS_INSTALL_COMMAND", True) or "").split() @@ -268,6 +272,7 @@ rootfs_export_dpkg_status() { } do_rootfs_postprocess[vardeps] = "${ROOTFS_POSTPROCESS_COMMAND}" +do_rootfs_postprocess[network] = "1" python do_rootfs_postprocess() { # Take care that its correctly mounted: bb.build.exec_func('rootfs_do_mounts', d) diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc index f32d192e..7d344dba 100644 --- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc +++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc @@ -222,6 +222,7 @@ DISTRO_BOOTSTRAP_KEYRING = "${WORKDIR}/distro-keyring.gpg" do_generate_keyrings[cleandirs] = "${APT_KEYS_DIR}" do_generate_keyrings[dirs] = "${DL_DIR}" do_generate_keyrings[vardeps] += "DISTRO_BOOTSTRAP_KEYS THIRD_PARTY_APT_KEYS" +do_generate_keyrings[network] = "1" do_generate_keyrings() { if [ -n "${@d.getVar("THIRD_PARTY_APT_KEYFILES", True) or ""}" ]; then chmod 777 "${APT_KEYS_DIR}" 
@@ -277,6 +278,7 @@ do_bootstrap[vardeps] += " \ " do_bootstrap[dirs] = "${DEPLOY_DIR_BOOTSTRAP}" do_bootstrap[depends] = "base-apt:do_cache isar-apt:do_cache_config" +do_bootstrap[network] = "1" do_bootstrap() { if [ "${ISAR_ENABLE_COMPAT_ARCH}" = "1" ]; then -- 2.17.1