From: "'Cedric Hombourger' via isar-users"
To: isar-users@googlegroups.com
Cc: "cedric.hombourger@siemens.com"
Subject: [PATCH v4 1/4] rootfs: introduce wrapper to run commands against a rootfs
Date: Thu, 25 Sep 2025 08:54:21 +0200
Message-ID: <20250925065433.4180883-2-cedric.hombourger@siemens.com>
In-Reply-To: <20250925065433.4180883-1-cedric.hombourger@siemens.com>
References: <20250925065433.4180883-1-cedric.hombourger@siemens.com>

From: "cedric.hombourger@siemens.com" "sudo chroot" is used in several places to run commands inside rootfs directories constructed by Isar. There are cases where a command could be used without elevated privileges as long as special folders such as /isar-apt are mounted (they are often referenced as /isar-apt in configuration files found in the target rootfs). For such cases, bubblewrap may be used to create a non-privileged namespace (either in a bare/native environment or within a docker/podman container) where the command will be executed as if chroot had been used. The rootfs may also be the host root file-system: this should however be used with care to avoid host contamination problems (note: Isar already relies on a number of host tools). Signed-off-by: Cedric Hombourger --- RECIPE-API-CHANGELOG.md | 8 +++++ doc/user_manual.md | 1 + meta/classes/rootfs.bbclass | 67 +++++++++++++++++++++++++++++++++++++ 3 files changed, 76 insertions(+) diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md index 92e7811c..53e650d4 100644 --- a/RECIPE-API-CHANGELOG.md +++ b/RECIPE-API-CHANGELOG.md @@ -741,3 +741,11 @@ By setting `MS_TPM_20_REF_DIR` in an optee-ftpm recipe, it is now possible to use the new optee_ftpm code base from the OP-TEE project. That variable has to point to a subdir in `WORKDIR` which contains the unpacked ms-tpm-20-ref source code. + +### Require bubblewrap to run non-privileged commands with bind-mounts + +Isar occasionally needs to run commands within root file-systems that it +builds and with several bind-mounts (e.g. /isar-apt). bubblewrap may be +used in Isar classes instead of `sudo chroot` to avoid unecessary privilege +elevations (when we "just" need to chroot but do not require root). It is +pre-installed in kas-container version 4.8 (or later). diff --git a/doc/user_manual.md b/doc/user_manual.md index 67f91973..be89ce1d 100644 --- a/doc/user_manual.md +++ b/doc/user_manual.md 
@@ -75,6 +75,7 @@ Install the following packages: ``` apt install \ binfmt-support \ + bubblewrap \ bzip2 \ mmdebstrap \ arch-test \ diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass index ebe3bf4a..f740c6e1 100644 --- a/meta/classes/rootfs.bbclass +++ b/meta/classes/rootfs.bbclass 
@@ -34,6 +34,73 @@ export LANG = "C" export LANGUAGE = "C" export LC_ALL = "C" +# Execute a command against a rootfs and with isar-apt bind-mounted. +# Additional mounts may be specified using --bind and a +# custom directory for the command to be executed with --chdir . The +# command is assumed to follow the special "--" argument. This would replace +# "sudo chroot" calls especially when a native command may be used instead of +# chroot'ed command and without elevated privileges (the command will likely +# take the rootfs as argument; e.g. apt-get -o Dir=${ROOTFSDIR}). If the +# optional rootfs argument is omitted, the host rootfs will be used (e.g. to +# run native commands): this should be used with care. +# +# Usage: rootfs_cmd [options] [rootfs] -- command +# +rootfs_cmd() { + set -- "$@" + bwrap_args="--bind ${REPO_ISAR_DIR}/${DISTRO} /isar-apt" + bwrap_binds="" + bwrap_rootfs="" + + while [ "${#}" -gt "0" ] && [ "${1}" != "--" ]; do + case "${1}" in + --bind) + if [ "${#}" -lt "3" ]; then + bbfatal "--bind requires two arguments" + fi + bwrap_binds="${bwrap_binds} --bind ${2} ${3}" + shift 3 + ;; + --chdir) + if [ "${#}" -lt "2" ]; then + bbfatal "${1} requires an argument" + fi + bwrap_args="${bwrap_args} ${1} ${2}" + shift 2 + ;; + -*) + bbfatal "${1} is not a supported option!" 
+ ;; + *) + if [ -z "${bwrap_rootfs}" ]; then + bwrap_rootfs="${1}" + shift + else + bbfatal "unexpected argument '${1}'" + fi + ;; + esac + done + + if [ -n "${bwrap_rootfs}" ]; then + bwrap_args="${bwrap_args} --bind ${bwrap_rootfs} /" + fi + + if [ "${#}" -le "1" ] || [ "${1}" != "--" ]; then + bbfatal "no command specified (missing --)" + fi + shift # remove "--", command and its arguments follows + + for ro_d in bin etc lib lib64 sys usr var; do + [ -d ${bwrap_rootfs}/${ro_d} ] || continue + bwrap_args="${bwrap_args} --ro-bind ${bwrap_rootfs}/${ro_d} /${ro_d}" + done + + bwrap --unshare-user --unshare-pid ${bwrap_args} \ + --dev-bind /dev /dev --proc /proc --tmpfs /tmp \ + ${bwrap_binds} -- "${@}" +} + rootfs_do_mounts[weight] = "3" rootfs_do_mounts() { sudo -s <<'EOSUDO' -- 2.47.3
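
Review bot: In the RECIPE-API-CHANGELOG.md hunk, the new entry never names `rootfs_cmd`, the helper this patch adds to meta/classes/rootfs.bbclass, so a recipe author reading the changelog cannot tell which interface the bubblewrap requirement belongs to. Please mention it together with its usage line (`rootfs_cmd [options] [rootfs] -- command`). The heading says "Require bubblewrap" while the body says it "may be used"; state which of the two holds for build hosts that do not use kas-container. Also, "unecessary" should be "unnecessary".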
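
Review bot: In rootfs_cmd (meta/classes/rootfs.bbclass hunk), `--bind ${bwrap_rootfs} /` is appended to bwrap_args after the `--bind ${REPO_ISAR_DIR}/${DISTRO} /isar-apt` it was initialised with, and bwrap applies filesystem options in the order they are given, so the rootfs is mounted over the root that already carries /isar-apt and hides it. Emit the root bind first, then /isar-apt and the --ro-bind loop. When the rootfs argument is omitted, no root bind is added at all, so the sandbox contains only the host's bin, etc, lib, lib64, sys, usr and var plus /dev, /proc and /tmp; a native command run with `-o Dir=${ROOTFSDIR}` will not see that directory unless the caller passes a --bind for it, which the usage comment should spell out. Separately, bwrap_args and bwrap_binds are built as flat strings and expanded unquoted, as is `[ -d ${bwrap_rootfs}/${ro_d} ]`, so a path containing whitespace or glob characters is split into extra bwrap arguments; quote the test and reject such paths with bbfatal. The leading `set -- "$@"` has no effect and can be dropped.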