[PATCH] rootfs: do not expose /sys/firmware while building root file-systems

[PATCH] rootfs: do not expose /sys/firmware while building root file-systems

['Cedric Hombourger' via isar-users]

We need /sys while assembling the target root file-system but it exposes
more than the build really needs. Some maintainer scripts (e.g. mdmadm)
check /sys/firmware/efi/efivars while configuring themselves. This would
normally be fine but for Isar builds, any information extracted from there
is for the host doing the build and not for the target we are building for.
In addition, packages seeing /sys/firmware/efi will mount efivars there
and will cause do_rootfs_umount to fail unmounting /sys (because of that
extra mount). By mounting a (small) tmpfs as /sys/firmware in the root
file-system, we hide host details from the build; that extra mount needs
to be removed before we attempt to unmount /sys (but we are in control).

Signed-off-by: Cedric Hombourger <cedric.hombourger@siemens.com>
---
 meta/classes/rootfs.bbclass | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass
index 5f877962..7b7859b9 100644
--- a/meta/classes/rootfs.bbclass
+++ b/meta/classes/rootfs.bbclass
@@ -48,6 +48,12 @@ rootfs_do_mounts() {
             mount -o bind,private /sys '${ROOTFSDIR}/sys'
         mount --make-rslave '${ROOTFSDIR}/sys'
 
+        # Mount a tmpfs on /sys/firmware to avoid host contamination problems
+        # (maintainer scripts shouldn't pull host data from there)
+        if [ -d '${ROOTFSDIR}/sys/firmware' ]; then
+            mount -t tmpfs -o size=1m,nosuid,nodev none '${ROOTFSDIR}/sys/firmware'
+        fi
+
         # Mount isar-apt if the directory does not exist or if it is empty
         # This prevents overwriting something that was copied there
         if [ ! -e '${ROOTFSDIR}/isar-apt' ] || \
@@ -94,6 +100,9 @@ rootfs_do_umounts() {
         if mountpoint -q '${ROOTFSDIR}/proc'; then
             umount '${ROOTFSDIR}/proc'
         fi
+        if mountpoint -q '${ROOTFSDIR}/sys/firmware'; then
+            umount '${ROOTFSDIR}/sys/firmware'
+        fi
         if mountpoint -q '${ROOTFSDIR}/sys'; then
             umount '${ROOTFSDIR}/sys'
         fi
-- 
2.39.5

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20250617123507.2245-1-cedric.hombourger%40siemens.com.

Re: [PATCH] rootfs: do not expose /sys/firmware while building root file-systems

[Srinuvasan Arjunan]

[-- Attachment #1.1: Type: text/plain, Size: 2470 bytes --]



On Tuesday, June 17, 2025 at 6:05:26 PM UTC+5:30 Cedric Hombourger wrote:

We need /sys while assembling the target root file-system but it exposes 
more than the build really needs. Some maintainer scripts (e.g. mdmadm) 
check /sys/firmware/efi/efivars while configuring themselves. This would 
normally be fine but for Isar builds, any information extracted from there 
is for the host doing the build and not for the target we are building for. 
In addition, packages seeing /sys/firmware/efi will mount efivars there 
and will cause do_rootfs_umount to fail unmounting /sys (because of that 
extra mount). By mounting a (small) tmpfs as /sys/firmware in the root 
file-system, we hide host details from the build; that extra mount needs 
to be removed before we attempt to unmount /sys (but we are in control). 

Signed-off-by: Cedric Hombourger <cedric.h...@siemens.com> 
--- 
meta/classes/rootfs.bbclass | 9 +++++++++ 
1 file changed, 9 insertions(+) 

diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass 
index 5f877962..7b7859b9 100644 
--- a/meta/classes/rootfs.bbclass 
+++ b/meta/classes/rootfs.bbclass 
@@ -48,6 +48,12 @@ rootfs_do_mounts() { 
mount -o bind,private /sys '${ROOTFSDIR}/sys' 
mount --make-rslave '${ROOTFSDIR}/sys' 

+ # Mount a tmpfs on /sys/firmware to avoid host contamination problems 
+ # (maintainer scripts shouldn't pull host data from there) 
+ if [ -d '${ROOTFSDIR}/sys/firmware' ]; then 
+ mount -t tmpfs -o size=1m,nosuid,nodev none '${ROOTFSDIR}/sys/firmware' 
+ fi 
+ 
# Mount isar-apt if the directory does not exist or if it is empty 
# This prevents overwriting something that was copied there 
if [ ! -e '${ROOTFSDIR}/isar-apt' ] || \ 
@@ -94,6 +100,9 @@ rootfs_do_umounts() { 
if mountpoint -q '${ROOTFSDIR}/proc'; then 
umount '${ROOTFSDIR}/proc' 
fi 
+ if mountpoint -q '${ROOTFSDIR}/sys/firmware'; then 
+ umount '${ROOTFSDIR}/sys/firmware' 
+ fi 
if mountpoint -q '${ROOTFSDIR}/sys'; then 
umount '${ROOTFSDIR}/sys' 
fi 
-- 
2.39.5



  Looks Good To Me.

  Many thanks,
  Srinu 

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/a823da0e-da6b-48d7-9b97-78180a508117n%40googlegroups.com.

[-- Attachment #1.2: Type: text/html, Size: 3404 bytes --]

Re: [PATCH] rootfs: do not expose /sys/firmware while building root file-systems

['MOESSBAUER, Felix' via isar-users]

On Tue, 2025-06-17 at 14:35 +0200, 'Cedric Hombourger' via isar-users
wrote:
> We need /sys while assembling the target root file-system but it
> exposes
> more than the build really needs. Some maintainer scripts (e.g.
> mdmadm)
> check /sys/firmware/efi/efivars while configuring themselves. This
> would
> normally be fine but for Isar builds, any information extracted from
> there
> is for the host doing the build and not for the target we are
> building for.
> In addition, packages seeing /sys/firmware/efi will mount efivars
> there
> and will cause do_rootfs_umount to fail unmounting /sys (because of
> that
> extra mount). By mounting a (small) tmpfs as /sys/firmware in the
> root
> file-system, we hide host details from the build; that extra mount
> needs
> to be removed before we attempt to unmount /sys (but we are in
> control).

Good catch! Eventually all these mountpoints should be documented as
well.

> 
> Signed-off-by: Cedric Hombourger <cedric.hombourger@siemens.com>
> ---
>  meta/classes/rootfs.bbclass | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/meta/classes/rootfs.bbclass
> b/meta/classes/rootfs.bbclass
> index 5f877962..7b7859b9 100644
> --- a/meta/classes/rootfs.bbclass
> +++ b/meta/classes/rootfs.bbclass
> @@ -48,6 +48,12 @@ rootfs_do_mounts() {
>              mount -o bind,private /sys '${ROOTFSDIR}/sys'
>          mount --make-rslave '${ROOTFSDIR}/sys'
>  
> +        # Mount a tmpfs on /sys/firmware to avoid host contamination
> problems
> +        # (maintainer scripts shouldn't pull host data from there)
> +        if [ -d '${ROOTFSDIR}/sys/firmware' ]; then
> +            mount -t tmpfs -o size=1m,nosuid,nodev none
> '${ROOTFSDIR}/sys/firmware'
> +        fi
> +

Would bubblewrap help in this case? I'm also wondering if we really
should bind-mount the devices from the host or better mknod them in the
chroot.

Anyways, this discussion should not stop the patch from being merged.

Felix

>          # Mount isar-apt if the directory does not exist or if it is
> empty
>          # This prevents overwriting something that was copied there
>          if [ ! -e '${ROOTFSDIR}/isar-apt' ] || \
> @@ -94,6 +100,9 @@ rootfs_do_umounts() {
>          if mountpoint -q '${ROOTFSDIR}/proc'; then
>              umount '${ROOTFSDIR}/proc'
>          fi
> +        if mountpoint -q '${ROOTFSDIR}/sys/firmware'; then
> +            umount '${ROOTFSDIR}/sys/firmware'
> +        fi
>          if mountpoint -q '${ROOTFSDIR}/sys'; then
>              umount '${ROOTFSDIR}/sys'
>          fi
> -- 
> 2.39.5

-- 
Siemens AG
Linux Expert Center
Friedrich-Ludwig-Bauer-Str. 3
85748 Garching, Germany

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/23351a3bdc42f238a0b8341afd2d3611d5cbca03.camel%40siemens.com.

Re: [PATCH] rootfs: do not expose /sys/firmware while building root file-systems

['Jan Kiszka' via isar-users]

On 17.06.25 14:58, 'MOESSBAUER, Felix' via isar-users wrote:
> On Tue, 2025-06-17 at 14:35 +0200, 'Cedric Hombourger' via isar-users
> wrote:
>> We need /sys while assembling the target root file-system but it
>> exposes
>> more than the build really needs. Some maintainer scripts (e.g.
>> mdmadm)
>> check /sys/firmware/efi/efivars while configuring themselves. This
>> would
>> normally be fine but for Isar builds, any information extracted from
>> there
>> is for the host doing the build and not for the target we are
>> building for.
>> In addition, packages seeing /sys/firmware/efi will mount efivars
>> there
>> and will cause do_rootfs_umount to fail unmounting /sys (because of
>> that
>> extra mount). By mounting a (small) tmpfs as /sys/firmware in the
>> root
>> file-system, we hide host details from the build; that extra mount
>> needs
>> to be removed before we attempt to unmount /sys (but we are in
>> control).
> 
> Good catch! Eventually all these mountpoints should be documented as
> well.
> 
>>
>> Signed-off-by: Cedric Hombourger <cedric.hombourger@siemens.com>
>> ---
>>  meta/classes/rootfs.bbclass | 9 +++++++++
>>  1 file changed, 9 insertions(+)
>>
>> diff --git a/meta/classes/rootfs.bbclass
>> b/meta/classes/rootfs.bbclass
>> index 5f877962..7b7859b9 100644
>> --- a/meta/classes/rootfs.bbclass
>> +++ b/meta/classes/rootfs.bbclass
>> @@ -48,6 +48,12 @@ rootfs_do_mounts() {
>>              mount -o bind,private /sys '${ROOTFSDIR}/sys'
>>          mount --make-rslave '${ROOTFSDIR}/sys'
>>  
>> +        # Mount a tmpfs on /sys/firmware to avoid host contamination
>> problems
>> +        # (maintainer scripts shouldn't pull host data from there)
>> +        if [ -d '${ROOTFSDIR}/sys/firmware' ]; then
>> +            mount -t tmpfs -o size=1m,nosuid,nodev none
>> '${ROOTFSDIR}/sys/firmware'
>> +        fi
>> +
> 
> Would bubblewrap help in this case? I'm also wondering if we really
> should bind-mount the devices from the host or better mknod them in the
> chroot.
> 
> Anyways, this discussion should not stop the patch from being merged.

...but what should be considered first if such an opt-out list only
needs to contain firmware or rather even more folders? Or sub-mounts on
sysfs in general?

Jan

-- 
Siemens AG, Foundational Technologies
Linux Expert Center

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/92946c61-7192-44db-a3c6-489e7e1cf911%40siemens.com.

Re: [PATCH] rootfs: do not expose /sys/firmware while building root file-systems

['cedric.hombourger@siemens.com' via isar-users]

On Tue, 2025-06-17 at 12:58 +0000, Moessbauer, Felix (FT RPD CED OES-
DE) wrote:
> On Tue, 2025-06-17 at 14:35 +0200, 'Cedric Hombourger' via isar-users
> wrote:
> > We need /sys while assembling the target root file-system but it
> > exposes
> > more than the build really needs. Some maintainer scripts (e.g.
> > mdmadm)
> > check /sys/firmware/efi/efivars while configuring themselves. This
> > would
> > normally be fine but for Isar builds, any information extracted
> > from
> > there
> > is for the host doing the build and not for the target we are
> > building for.
> > In addition, packages seeing /sys/firmware/efi will mount efivars
> > there
> > and will cause do_rootfs_umount to fail unmounting /sys (because of
> > that
> > extra mount). By mounting a (small) tmpfs as /sys/firmware in the
> > root
> > file-system, we hide host details from the build; that extra mount
> > needs
> > to be removed before we attempt to unmount /sys (but we are in
> > control).
> 
> Good catch! Eventually all these mountpoints should be documented as
> well.
> 
> > 
> > Signed-off-by: Cedric Hombourger <cedric.hombourger@siemens.com>
> > ---
> >  meta/classes/rootfs.bbclass | 9 +++++++++
> >  1 file changed, 9 insertions(+)
> > 
> > diff --git a/meta/classes/rootfs.bbclass
> > b/meta/classes/rootfs.bbclass
> > index 5f877962..7b7859b9 100644
> > --- a/meta/classes/rootfs.bbclass
> > +++ b/meta/classes/rootfs.bbclass
> > @@ -48,6 +48,12 @@ rootfs_do_mounts() {
> >              mount -o bind,private /sys '${ROOTFSDIR}/sys'
> >          mount --make-rslave '${ROOTFSDIR}/sys'
> >  
> > +        # Mount a tmpfs on /sys/firmware to avoid host
> > contamination
> > problems
> > +        # (maintainer scripts shouldn't pull host data from there)
> > +        if [ -d '${ROOTFSDIR}/sys/firmware' ]; then
> > +            mount -t tmpfs -o size=1m,nosuid,nodev none
> > '${ROOTFSDIR}/sys/firmware'
> > +        fi
> > +
> 
> Would bubblewrap help in this case? I'm also wondering if we really
> should bind-mount the devices from the host or better mknod them in
> the
> chroot.

bwrap creates a minimal /dev (unless we use --dev-bind AFAICT),
it does not mount /proc unless requested (--proc DEST)
and happily leaves /sys unmounted (unless we explicitly --bind it from
the host)

bind-mounting was introduced in 2018 via
768908a33b3e8c375ca24cf59ec61c0a9dfa8661

it was found needed by some packages at least when building them

as Felix suggested in [1], we could investigate doing the rootfs
construction within a bwrap session and take that chance to revisit
bind mounts we do (and document them somewhere so we may also note the
why there)


Cedric

[1]
https://lists.isar-build.org/isar-users/20250515150727.1764989-1-cedric.hombourger@siemens.com/T/#m2686bcfd0c11a7fd19f80a12491e3113340a9766

> 
> Anyways, this discussion should not stop the patch from being merged.
> 
> Felix
> 
> >          # Mount isar-apt if the directory does not exist or if it
> > is
> > empty
> >          # This prevents overwriting something that was copied
> > there
> >          if [ ! -e '${ROOTFSDIR}/isar-apt' ] || \
> > @@ -94,6 +100,9 @@ rootfs_do_umounts() {
> >          if mountpoint -q '${ROOTFSDIR}/proc'; then
> >              umount '${ROOTFSDIR}/proc'
> >          fi
> > +        if mountpoint -q '${ROOTFSDIR}/sys/firmware'; then
> > +            umount '${ROOTFSDIR}/sys/firmware'
> > +        fi
> >          if mountpoint -q '${ROOTFSDIR}/sys'; then
> >              umount '${ROOTFSDIR}/sys'
> >          fi
> > -- 
> > 2.39.5
> 
> -- 
> Siemens AG
> Linux Expert Center
> Friedrich-Ludwig-Bauer-Str. 3
> 85748 Garching, Germany
> 

-- 
Cedric Hombourger
Siemens AG
www.siemens.com

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/3f8f2e81d38e66b4d2dc269903de7f39a9df280b.camel%40siemens.com.