From mboxrd@z Thu Jan  1 00:00:00 1970
X-GM-THRID: 7172560304523444224
X-Received: by 2002:a05:6870:9124:b0:148:5a6c:d9e6 with SMTP id o36-20020a056870912400b001485a6cd9e6mr229475oae.255.1670936035001;
        Tue, 13 Dec 2022 04:53:55 -0800 (PST)
X-BeenThere: isar-users@googlegroups.com
Received: by 2002:a54:4e11:0:b0:359:ca69:f473 with SMTP id a17-20020a544e11000000b00359ca69f473ls908962oiy.10.-pod-prod-gmail;
 Tue, 13 Dec 2022 04:53:54 -0800 (PST)
X-Google-Smtp-Source: AA0mqf5pgurCJ4/34bXWFbdgyepHEH4YCU/JhBmPAlYLYJNCOraci62Dm//0mOOA2fn5aSa3aC9m
X-Received: by 2002:a05:6808:1992:b0:35e:6c01:4e82 with SMTP id bj18-20020a056808199200b0035e6c014e82mr7523704oib.58.1670936034503;
        Tue, 13 Dec 2022 04:53:54 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1670936034; cv=none;
        d=google.com; s=arc-20160816;
        b=tzKtDD0eqE8ri7bvxQFhY/onidFEzuM6yuAEdpkR5rvTl1Vm7YU1N8QrjhJln/3UUy
         3whlYBevLGOXlQqeS/p6igrrGoOGOLqMP/fGfVPgVytyJLL54veCBy1M6t0Jsfc2esF9
         fUxtmx7yhvLjV90QHB6jJgTV/gmKMHeNwVwQ4jv9X7HbSGnkB4tVJemD0P7pbR8H3gGT
         BZTIWdLrcWHVrYPxhnAzc715cmoCf+dpPCfiMYXfZ67/GOi9v+LhdfSYbAw70YZComRS
         u2hGeP70EW/02EB+3mEpJCYDAiLEf5zVh9ooWo15rWOT4wWKUtBtP+qCqJSU+ylYGVkC
         b5jw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=references:in-reply-to:message-id:date:subject:cc:to:from;
        bh=NqTIac0rQFO6cL9ZY4EEEgCAFVhCYKrdZqYkZEGp+80=;
        b=LzdGVG+sdwzStpNi21fxwOaa71oefO1XXA9nRIG/nm15Z9K+/ic0OEwmhVjz8nRCnF
         DZuh8/8yoHSyGJ4tsubTBpNn9fkL/et7bNJ4wPruH5/uIVZoUCOu0sqchm8RjNNq6RPh
         5lXxRCjEFd0iVsux4CKyk/N58RZIuFbni985zXszK13ZgT3SlTirSkGB7fYZNoueAw2H
         AgC4YRyIK+h5kgurxOc2rxa2PEyiXSgx17SRkcpyZdocpe4oJbp7SvF1Rx1veVRbQXK7
         hUR3UpVo0zMGWVKi/gauH2i02+D6x6wdYFx5rRMT5bYwsOEAAhumjByW0bZZSUgWygoN
         CZYQ==
ARC-Authentication-Results: i=1; gmr-mx.google.com;
       spf=pass (google.com: domain of amikan@ilbers.de designates 85.214.156.166 as permitted sender) smtp.mailfrom=amikan@ilbers.de
Return-Path: <amikan@ilbers.de>
Received: from shymkent.ilbers.de (shymkent.ilbers.de. [85.214.156.166])
        by gmr-mx.google.com with ESMTPS id g84-20020acab657000000b00353e4e7f335si1014282oif.4.2022.12.13.04.53.54
        for <isar-users@googlegroups.com>
        (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256);
        Tue, 13 Dec 2022 04:53:54 -0800 (PST)
Received-SPF: pass (google.com: domain of amikan@ilbers.de designates 85.214.156.166 as permitted sender) client-ip=85.214.156.166;
Authentication-Results: gmr-mx.google.com;
       spf=pass (google.com: domain of amikan@ilbers.de designates 85.214.156.166 as permitted sender) smtp.mailfrom=amikan@ilbers.de
Received: from alena-nb.promwad.com ([194.49.52.147])
	(authenticated bits=0)
	by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPSA id 2BDCrDuc001200
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Tue, 13 Dec 2022 13:53:51 +0100
From: Anton Mikanovich <amikan@ilbers.de>
To: isar-users@googlegroups.com
Cc: Anton Mikanovich <amikan@ilbers.de>
Subject: [PATCH v6 10/21] meta: mark network and sudo tasks
Date: Tue, 13 Dec 2022 15:52:54 +0300
Message-Id: <20221213125305.10984-11-amikan@ilbers.de>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20221213125305.10984-1-amikan@ilbers.de>
References: <20221213125305.10984-1-amikan@ilbers.de>
X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED
	autolearn=unavailable autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de
X-TUID: OHIMj7nI4OHi

Network access from tasks is now disabled by default. This means that
tasks accessing the network need to be marked as such with the network
flag.

The same marking is also required for the tasks used sudo.

Signed-off-by: Anton Mikanovich <amikan@ilbers.de>
---
 meta/classes/base.bbclass                           | 1 +
 meta/classes/dpkg-base.bbclass                      | 6 ++++++
 meta/classes/image-locales-extension.bbclass        | 2 ++
 meta/classes/image-tools-extension.bbclass          | 1 +
 meta/classes/image.bbclass                          | 4 ++++
 meta/classes/imagetypes_container.bbclass           | 1 +
 meta/classes/imagetypes_wic.bbclass                 | 1 +
 meta/classes/rootfs.bbclass                         | 5 +++++
 meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 2 ++
 9 files changed, 23 insertions(+)

diff --git a/meta/classes/base.bbclass b/meta/classes/base.bbclass
index 8c874f31..109029b9 100644
--- a/meta/classes/base.bbclass
+++ b/meta/classes/base.bbclass
@@ -183,6 +183,7 @@ def isar_export_ccache(d):
 do_fetch[dirs] = "${DL_DIR}"
 do_fetch[file-checksums] = "${@bb.fetch.get_checksum_file_list(d)}"
 do_fetch[vardeps] += "SRCREV"
+do_fetch[network] = "1"
 
 # Fetch package from the source link
 python do_fetch() {
diff --git a/meta/classes/dpkg-base.bbclass b/meta/classes/dpkg-base.bbclass
index 260aa73e..4bb71617 100644
--- a/meta/classes/dpkg-base.bbclass
+++ b/meta/classes/dpkg-base.bbclass
@@ -122,6 +122,7 @@ do_apt_fetch() {
 
 addtask apt_fetch
 do_apt_fetch[lockfiles] += "${REPO_ISAR_DIR}/isar.lock"
+do_apt_fetch[network] = "1"
 
 # Add dependency from the correct buildchroot: host or target
 do_apt_fetch[depends] += "${BUILDCHROOT_DEP}"
@@ -129,6 +130,7 @@ do_apt_fetch[depends] += "${BUILDCHROOT_DEP}"
 # Add dependency from the correct schroot: host or target
 do_apt_fetch[depends] += "${SCHROOT_DEP}"
 
+do_apt_unpack[network] = "1"
 do_apt_unpack() {
     rm -rf ${S}
     schroot_create_configs
@@ -242,6 +244,7 @@ def isar_export_build_settings(d):
     os.environ['DEB_BUILD_OPTIONS']  = isar_deb_build_options(d)
     os.environ['DEB_BUILD_PROFILES'] = isar_deb_build_profiles(d)
 
+do_dpkg_build[network] = "1"
 python do_dpkg_build() {
     bb.build.exec_func('schroot_create_configs', d)
     try:
@@ -292,6 +295,7 @@ deb_clean() {
 }
 # the clean function modifies isar-apt
 do_clean[lockfiles] = "${REPO_ISAR_DIR}/isar.lock"
+do_clean[network] = "1"
 
 do_deploy_deb() {
     deb_clean
@@ -343,6 +347,7 @@ addtask devshell after do_prepare_build
 DEVSHELL_STARTDIR ?= "${S}"
 do_devshell[dirs] = "${DEVSHELL_STARTDIR}"
 do_devshell[nostamp] = "1"
+do_devshell[network] = "1"
 
 python do_devshell_nodeps() {
     bb.build.exec_func('do_devshell', d)
@@ -353,3 +358,4 @@ python do_devshell_nodeps() {
 addtask devshell_nodeps after do_prepare_build
 do_devshell_nodeps[dirs] = "${DEVSHELL_STARTDIR}"
 do_devshell_nodeps[nostamp] = "1"
+do_devshell_nodeps[network] = "1"
diff --git a/meta/classes/image-locales-extension.bbclass b/meta/classes/image-locales-extension.bbclass
index 0932630f..d5f66ec2 100644
--- a/meta/classes/image-locales-extension.bbclass
+++ b/meta/classes/image-locales-extension.bbclass
@@ -27,6 +27,7 @@ def get_nopurge(d):
 
 ROOTFS_INSTALL_COMMAND_BEFORE_EXPORT += "image_install_localepurge_download"
 image_install_localepurge_download[weight] = "40"
+image_install_localepurge_download[network] = "1"
 image_install_localepurge_download() {
     sudo -E chroot '${ROOTFSDIR}' \
         /usr/bin/apt-get ${ROOTFS_APT_ARGS} --download-only localepurge
@@ -34,6 +35,7 @@ image_install_localepurge_download() {
 
 ROOTFS_INSTALL_COMMAND += "image_install_localepurge_install"
 image_install_localepurge_install[weight] = "700"
+image_install_localepurge_install[network] = "1"
 image_install_localepurge_install() {
 
     # Generate locale and localepurge configuration:
diff --git a/meta/classes/image-tools-extension.bbclass b/meta/classes/image-tools-extension.bbclass
index 101704d0..70c6eb2a 100644
--- a/meta/classes/image-tools-extension.bbclass
+++ b/meta/classes/image-tools-extension.bbclass
@@ -14,6 +14,7 @@ DEPENDS += "${IMAGER_BUILD_DEPS}"
 do_install_imager_deps[depends] = "${BUILDCHROOT_DEP} isar-apt:do_cache_config"
 do_install_imager_deps[deptask] = "do_deploy_deb"
 do_install_imager_deps[lockfiles] += "${REPO_ISAR_DIR}/isar.lock"
+do_install_imager_deps[network] = "1"
 do_install_imager_deps() {
     if [ -z "${@d.getVar("IMAGER_INSTALL", True).strip()}" ]; then
         exit
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index 813e1f34..e15b9f74 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -291,6 +291,7 @@ python() {
         task = 'do_image_%s' % bt_clean
         d.setVar(task, '\n'.join(cmds))
         d.setVarFlag(task, 'func', '1')
+        d.setVarFlag(task, 'network', '1')
         d.appendVarFlag(task, 'prefuncs', ' set_image_size')
         d.appendVarFlag(task, 'vardeps', ' ' + ' '.join(vardeps))
         d.appendVarFlag(task, 'vardepsexclude', ' ' + ' '.join(vardepsexclude))
@@ -345,6 +346,7 @@ DTB_IMG = "${PP_DEPLOY}/${@(d.getVar('DTB_FILES').split() or [''])[0]}"
 
 do_copy_boot_files[dirs] = "${DEPLOY_DIR_IMAGE}"
 do_copy_boot_files[lockfiles] += "${DEPLOY_DIR_IMAGE}/isar.lock"
+do_copy_boot_files[network] = "1"
 do_copy_boot_files() {
     kernel="$(realpath -q '${IMAGE_ROOTFS}'/vmlinu[xz])"
     if [ ! -f "$kernel" ]; then
@@ -393,6 +395,7 @@ python do_deploy() {
 }
 addtask deploy before do_build after do_image
 
+do_rootfs_finalize[network] = "1"
 do_rootfs_finalize() {
     sudo -s <<'EOSUDO'
         set -e
@@ -436,6 +439,7 @@ addtask rootfs_finalize before do_rootfs after do_rootfs_postprocess
 
 ROOTFS_QA_FIND_ARGS ?= ""
 
+do_rootfs_quality_check[network] = "1"
 do_rootfs_quality_check() {
     rootfs_install_stamp=$( ls -1 "${STAMP}".do_rootfs_install* | head -1 )
     test -f "$rootfs_install_stamp"
diff --git a/meta/classes/imagetypes_container.bbclass b/meta/classes/imagetypes_container.bbclass
index 436a0051..ba09bebf 100644
--- a/meta/classes/imagetypes_container.bbclass
+++ b/meta/classes/imagetypes_container.bbclass
@@ -19,6 +19,7 @@ python() {
         t_clean = t.replace('-', '_').replace('.', '_')
         d.setVar('IMAGE_CMD_' + t_clean, 'convert_container %s "${CONTAINER_IMAGE_NAME}" "${IMAGE_FILE_HOST}"' % t)
         d.setVar('IMAGE_FULLNAME_' + t_clean, '${PN}-${DISTRO}-${DISTRO_ARCH}')
+        d.appendVarFlag('do_containerize', 'network', '1')
         bb.build.addtask('containerize', 'do_image_' + t_clean, 'do_image_tools', d)
 }
 
diff --git a/meta/classes/imagetypes_wic.bbclass b/meta/classes/imagetypes_wic.bbclass
index 3869525b..cb4917a2 100644
--- a/meta/classes/imagetypes_wic.bbclass
+++ b/meta/classes/imagetypes_wic.bbclass
@@ -134,6 +134,7 @@ python do_rootfs_wicenv () {
 addtask do_rootfs_wicenv after do_rootfs before do_image_wic
 do_rootfs_wicenv[vardeps] += "${WICVARS}"
 do_rootfs_wicenv[prefuncs] = 'set_image_size'
+do_rootfs_wicenv[network] = "1"
 
 check_for_wic_warnings() {
     WARN="$(grep -e '^WARNING' ${T}/log.do_image_wic || true)"
diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass
index 786682d9..3f30bc2e 100644
--- a/meta/classes/rootfs.bbclass
+++ b/meta/classes/rootfs.bbclass
@@ -119,6 +119,7 @@ EOSUDO
 ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_update"
 rootfs_install_pkgs_update[weight] = "5"
 rootfs_install_pkgs_update[isar-apt-lock] = "acquire-before"
+rootfs_install_pkgs_update[network] = "1"
 rootfs_install_pkgs_update() {
     sudo -E chroot '${ROOTFSDIR}' /usr/bin/apt-get update \
         -o Dir::Etc::SourceList="sources.list.d/isar-apt.list" \
@@ -144,6 +145,7 @@ rootfs_import_package_cache() {
 ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_download"
 rootfs_install_pkgs_download[weight] = "600"
 rootfs_install_pkgs_download[isar-apt-lock] = "release-after"
+rootfs_install_pkgs_download[network] = "1"
 rootfs_install_pkgs_download() {
     sudo -E chroot '${ROOTFSDIR}' \
         /usr/bin/apt-get ${ROOTFS_APT_ARGS} --download-only ${ROOTFS_PACKAGES}
@@ -167,6 +169,7 @@ rootfs_install_clean_files() {
 
 ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_install"
 rootfs_install_pkgs_install[weight] = "8000"
+rootfs_install_pkgs_install[network] = "1"
 rootfs_install_pkgs_install() {
     sudo -E chroot "${ROOTFSDIR}" \
         /usr/bin/apt-get ${ROOTFS_APT_ARGS} ${ROOTFS_PACKAGES}
@@ -177,6 +180,7 @@ do_rootfs_install[vardeps] += "${ROOTFS_CONFIGURE_COMMAND} ${ROOTFS_INSTALL_COMM
 do_rootfs_install[vardepsexclude] += "IMAGE_ROOTFS"
 do_rootfs_install[depends] = "isar-bootstrap-${@'target' if d.getVar('ROOTFS_ARCH') == d.getVar('DISTRO_ARCH') else 'host'}:do_build"
 do_rootfs_install[recrdeptask] = "do_deploy_deb"
+do_rootfs_install[network] = "1"
 python do_rootfs_install() {
     configure_cmds = (d.getVar("ROOTFS_CONFIGURE_COMMAND", True) or "").split()
     install_cmds = (d.getVar("ROOTFS_INSTALL_COMMAND", True) or "").split()
@@ -269,6 +273,7 @@ rootfs_export_dpkg_status() {
 }
 
 do_rootfs_postprocess[vardeps] = "${ROOTFS_POSTPROCESS_COMMAND}"
+do_rootfs_postprocess[network] = "1"
 python do_rootfs_postprocess() {
     # Take care that its correctly mounted:
     bb.build.exec_func('rootfs_do_mounts', d)
diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
index b9ae16cd..aba5e996 100644
--- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
+++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
@@ -223,6 +223,7 @@ DISTRO_BOOTSTRAP_KEYRING = "${WORKDIR}/distro-keyring.gpg"
 do_generate_keyrings[cleandirs] = "${APT_KEYS_DIR}"
 do_generate_keyrings[dirs] = "${DL_DIR}"
 do_generate_keyrings[vardeps] += "DISTRO_BOOTSTRAP_KEYS THIRD_PARTY_APT_KEYS"
+do_generate_keyrings[network] = "1"
 do_generate_keyrings() {
     if [ -n "${@d.getVar("THIRD_PARTY_APT_KEYFILES", True) or ""}" ]; then
         chmod 777 "${APT_KEYS_DIR}"
@@ -278,6 +279,7 @@ do_bootstrap[vardeps] += " \
     "
 do_bootstrap[dirs] = "${DEPLOY_DIR_BOOTSTRAP}"
 do_bootstrap[depends] = "base-apt:do_cache isar-apt:do_cache_config"
+do_bootstrap[network] = "1"
 
 do_bootstrap() {
     if [ "${ISAR_ENABLE_COMPAT_ARCH}" = "1" ]; then
-- 
2.17.1