From: "'Cedric Hombourger' via isar-users"
To: isar-users@googlegroups.com
Cc: srinuvasan.a@siemens.com, Cedric Hombourger
Subject: [PATCH] rootfs: do not expose /sys/firmware while building root file-systems
Date: Tue, 17 Jun 2025 14:35:07 +0200
Message-Id: <20250617123507.2245-1-cedric.hombourger@siemens.com>

We need /sys while assembling the target root file-system but it exposes more than the build really needs. Some maintainer scripts (e.g. mdadm) check /sys/firmware/efi/efivars while configuring themselves.
This would normally be fine but for Isar builds, any information extracted from there is for the host doing the build and not for the target we are building for. In addition, packages seeing /sys/firmware/efi will mount efivars there and will cause do_rootfs_umount to fail unmounting /sys (because of that extra mount). By mounting a (small) tmpfs as /sys/firmware in the root file-system, we hide host details from the build; that extra mount needs to be removed before we attempt to unmount /sys (but we are in control). Signed-off-by: Cedric Hombourger --- meta/classes/rootfs.bbclass | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass index 5f877962..7b7859b9 100644 --- a/meta/classes/rootfs.bbclass +++ b/meta/classes/rootfs.bbclass @@ -48,6 +48,12 @@ rootfs_do_mounts() { mount -o bind,private /sys '${ROOTFSDIR}/sys' mount --make-rslave '${ROOTFSDIR}/sys' + # Mount a tmpfs on /sys/firmware to avoid host contamination problems + # (maintainer scripts shouldn't pull host data from there) + if [ -d '${ROOTFSDIR}/sys/firmware' ]; then + mount -t tmpfs -o size=1m,nosuid,nodev none '${ROOTFSDIR}/sys/firmware' + fi + # Mount isar-apt if the directory does not exist or if it is empty # This prevents overwriting something that was copied there if [ ! -e '${ROOTFSDIR}/isar-apt' ] || \ @@ -94,6 +100,9 @@ rootfs_do_umounts() { if mountpoint -q '${ROOTFSDIR}/proc'; then umount '${ROOTFSDIR}/proc' fi + if mountpoint -q '${ROOTFSDIR}/sys/firmware'; then + umount '${ROOTFSDIR}/sys/firmware' + fi if mountpoint -q '${ROOTFSDIR}/sys'; then umount '${ROOTFSDIR}/sys' fi -- 2.39.5 -- You received this message because you are subscribed to the Google Groups "isar-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/isar-users/20250617123507.2245-1-cedric.hombourger%40siemens.com.
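Review bot: in rootfs_do_mounts the new tmpfs mount is guarded only by `[ -d '${ROOTFSDIR}/sys/firmware' ]`, so a second call to the function would stack another tmpfs on the same path, while rootfs_do_umounts removes a single layer and the umount of `${ROOTFSDIR}/sys` that follows would still find it busy. Consider adding `! mountpoint -q '${ROOTFSDIR}/sys/firmware'` to the condition. The tmpfs is also left writable (`size=1m,nosuid,nodev`); since its purpose is to hide host data, adding `ro,noexec` would keep maintainer scripts from creating directories (and so new mount points) inside it.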
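Review bot: the umount of `${ROOTFSDIR}/sys/firmware` added to rootfs_do_umounts is not recursive, so anything a package mounted below that path during the build (the commit message mentions efivars being mounted under /sys/firmware/efi) would make it fail and leave `${ROOTFSDIR}/sys` busy, which is the failure this patch sets out to avoid. Consider `umount -R '${ROOTFSDIR}/sys/firmware'` here. A one-line comment saying that this block has to stay ahead of the /sys unmount would also help, since the mount side documents its purpose but the ordering constraint is only stated in the commit message.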