Message-ID: <6e6ee857-58a9-4570-aa7d-7ba071c725f3@emlix.com>
Date: Wed, 1 Oct 2025 09:21:53 +0200
Subject: Re: [PATCH v4 1/4] rootfs: introduce wrapper to run commands against a rootfs
To: Cedric Hombourger, isar-users@googlegroups.com
References: <20250925065433.4180883-1-cedric.hombourger@siemens.com> <20250925065433.4180883-2-cedric.hombourger@siemens.com>
From: Andreas Naumann
In-Reply-To: <20250925065433.4180883-2-cedric.hombourger@siemens.com>

Hi Cedric,

On 25.09.25 at 08:54, 'Cedric Hombourger' via isar-users wrote:
> From: "cedric.hombourger@siemens.com"
>
> "sudo chroot" is used in several places to run commands inside rootfs
> directories constructed by Isar. There are cases where a command could
> be used without elevated privileges as long as special folders such as
> /isar-apt are mounted (they are often referenced as /isar-apt in
> configuration files found in the target rootfs). For such cases,
> bubblewrap may be used to create a non-privileged namespace (either
> in a bare/native environment or within a docker/podman container)
> where the command will be executed as if chroot had been used. The
> rootfs may also be the host root file-system: this should however
> be used with care to avoid host contamination problems (note: Isar
> already relies on a number of host tools).

Thank you for the respin! This opens interesting possibilities.

I'm currently trying to run the build in a container with less than full privileges and it seems that using --cap-add=SYS_ADMIN is more or less sufficient. Now with your patch applied, I'm unfortunately greeted with

  | bwrap: pivot_root: Operation not permitted

This is caused by the docker (podman on Ubuntu 24.04 doesn't show the issue) default seccomp profile which denies the pivot_root syscall, among others. Of course it could be overcome by adding --security-opt seccomp=unconfined. Or better a more nuanced seccomp profile.

However, the ultimate goal of reducing the needed privileges would be to run docker out of the box without the need to extend capabilities or adding exceptions in the default MAC profiles. So, in this regard bwrap, which I had thought to be a key to overcome the bind-mount restriction when switching to rootless containers, adds something to take care of.

I don't know if this is something that's even on your roadmap, and for sure it's nothing that should stop this series, I just wanted to share the information.
Actually, I just found there's an open issue with even a workaround to avoid pivot_root: https://github.com/containers/bubblewrap/issues/592, so maybe it can be solved easily later.

regards,
Andreas

> > Signed-off-by: Cedric Hombourger > --- > RECIPE-API-CHANGELOG.md | 8 +++++ > doc/user_manual.md | 1 + > meta/classes/rootfs.bbclass | 67 +++++++++++++++++++++++++++++++++++++ > 3 files changed, 76 insertions(+) > > diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md > index 92e7811c..53e650d4 100644 > --- a/RECIPE-API-CHANGELOG.md > +++ b/RECIPE-API-CHANGELOG.md > @@ -741,3 +741,11 @@ By setting `MS_TPM_20_REF_DIR` in an optee-ftpm reci= pe, it is now possible to > use the new optee_ftpm code base from the OP-TEE project. That variable= has to > point to a subdir in `WORKDIR` which contains the unpacked ms-tpm-20-re= f source > code. > + > +### Require bubblewrap to run non-privileged commands with bind-mounts > + > +Isar occasionally needs to run commands within root file-systems that it > +builds and with several bind-mounts (e.g. /isar-apt). bubblewrap may be > +used in Isar classes instead of `sudo chroot` to avoid unecessary privil= ege > +elevations (when we "just" need to chroot but do not require root). It i= s > +pre-installed in kas-container version 4.8 (or later). > diff --git a/doc/user_manual.md b/doc/user_manual.md > index 67f91973..be89ce1d 100644 > --- a/doc/user_manual.md > +++ b/doc/user_manual.md > @@ -75,6 +75,7 @@ Install the following packages: > ``` > apt install \ > binfmt-support \ > + bubblewrap \ > bzip2 \ > mmdebstrap \ > arch-test \ > diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass > index ebe3bf4a..f740c6e1 100644 > --- a/meta/classes/rootfs.bbclass > +++ b/meta/classes/rootfs.bbclass 
> @@ -34,6 +34,73 @@ export LANG =3D "C" > export LANGUAGE =3D "C" > export LC_ALL =3D "C" > =20 > +# Execute a command against a rootfs and with isar-apt bind-mounted. > +# Additional mounts may be specified using --bind and = a > +# custom directory for the command to be executed with --chdir . Th= e > +# command is assumed to follow the special "--" argument. This would rep= lace > +# "sudo chroot" calls especially when a native command may be used inste= ad of > +# chroot'ed command and without elevated privileges (the command will li= kely > +# take the rootfs as argument; e.g. apt-get -o Dir=3D${ROOTFSDIR}). If t= he > +# optional rootfs argument is omitted, the host rootfs will be used (e.g= . to > +# run native commands): this should be used with care. > +# > +# Usage: rootfs_cmd [options] [rootfs] -- command > +# > +rootfs_cmd() { > + set -- "$@" > + bwrap_args=3D"--bind ${REPO_ISAR_DIR}/${DISTRO} /isar-apt" > + bwrap_binds=3D"" > + bwrap_rootfs=3D"" > + > + while [ "${#}" -gt "0" ] && [ "${1}" !=3D "--" ]; do > + case "${1}" in > + --bind) > + if [ "${#}" -lt "3" ]; then > + bbfatal "--bind requires two arguments" > + fi > + bwrap_binds=3D"${bwrap_binds} --bind ${2} ${3}" > + shift 3 > + ;; > + --chdir) > + if [ "${#}" -lt "2" ]; then > + bbfatal "${1} requires an argument" > + fi > + bwrap_args=3D"${bwrap_args} ${1} ${2}" > + shift 2 > + ;; > + -*) > + bbfatal "${1} is not a supported option!" 
> + ;; > *) > + if [ -z "${bwrap_rootfs}" ]; then > + bwrap_rootfs=3D"${1}" > + shift > + else > + bbfatal "unexpected argument '${1}'" > + fi > + ;; > + esac > + done > + > + if [ -n "${bwrap_rootfs}" ]; then > + bwrap_args=3D"${bwrap_args} --bind ${bwrap_rootfs} /" > + fi > + > + if [ "${#}" -le "1" ] || [ "${1}" !=3D "--" ]; then > + bbfatal "no command specified (missing --)" > + fi > + shift # remove "--", command and its arguments follows > + > + for ro_d in bin etc lib lib64 sys usr var; do > + [ -d ${bwrap_rootfs}/${ro_d} ] || continue > + bwrap_args=3D"${bwrap_args} --ro-bind ${bwrap_rootfs}/${ro_d} /$= {ro_d}" > + done > + > + bwrap --unshare-user --unshare-pid ${bwrap_args} \ > + --dev-bind /dev /dev --proc /proc --tmpfs /tmp \ > + ${bwrap_binds} -- "${@}" > +} > + > rootfs_do_mounts[weight] =3D "3" > rootfs_do_mounts() { > sudo -s <<'EOSUDO'

--
Andreas Naumann, emlix GmbH
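Review bot: Typo in the new RECIPE-API-CHANGELOG.md paragraph: "to avoid unecessary privilege elevations" should read "unnecessary". The same paragraph names kas-container 4.8 as shipping bubblewrap but says nothing about the kernel side; since bwrap needs pivot_root and an unprivileged user namespace, and the thread shows Docker's default seccomp profile denying pivot_root, the changelog entry should state that requirement so users of other container setups know why rootfs_cmd fails for them.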
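Review bot: In the rootfs_cmd hunk the read-only loop silently narrows what callers can do: bin, etc, lib, lib64, sys, usr and var of the selected rootfs are re-mounted with --ro-bind over the earlier `--bind ${bwrap_rootfs} /`, so a chroot'ed command that writes under /var or /etc (apt-get against the rootfs, for instance) will fail with a read-only file system error inside the sandbox; the header comment should say so, or the read-only set should leave var out when a rootfs other than the host is given. Two smaller points: `set -- "$@"` on the first line is a no-op and can go, and bwrap_args, bwrap_binds, bwrap_rootfs and ro_d are not declared `local`, so they leak into the calling task's shell. On least privilege, `--dev-bind /dev /dev` hands the sandbox the whole host /dev read-write; bwrap's `--dev /dev` (a minimal devtmpfs) covers most native commands, and the full bind could become an opt-in option next to --bind and --chdir.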
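Andreas prefers "a more nuanced seccomp profile" over seccomp=unconfined. As an added example (not code from the thread, from Isar or from Docker), the Python below takes a profile in Docker's JSON layout and appends an allow rule for exactly the syscalls named, here pivot_root; DEFAULT_PROFILE is a constructed, shortened stand-in for Docker's real default profile, and the output name isar-seccomp.json is an assumption.

```python
"""Narrow a Docker seccomp profile for an Isar build container (added example,
not code from the isar-users thread or from Isar). Docker's default profile
denies pivot_root, which bubblewrap needs; instead of seccomp=unconfined this
adds an allow rule for exactly that syscall. DEFAULT_PROFILE is a constructed,
shortened stand-in for Docker's real profiles/seccomp/default.json.
"""
import copy
import json

DENY_ACTIONS = ("SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS", "SCMP_ACT_TRAP")

DEFAULT_PROFILE = {  # constructed stand-in, same top-level shape as Docker's
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "mount", "umount2"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["unshare"], "action": "SCMP_ACT_ALLOW"},
    ],
}


def allowed_syscalls(profile):
    """Return the set of syscall names the profile explicitly allows."""
    return {
        name
        for rule in profile.get("syscalls", [])
        if rule.get("action") == "SCMP_ACT_ALLOW"
        for name in rule.get("names", [])
    }


def allow_syscalls(profile, names):
    """Return a copy of profile with one extra allow rule for the missing names.

    Already-allowed syscalls are skipped and the deny-by-default action is
    kept, which is what distinguishes this from seccomp=unconfined.
    """
    if profile.get("defaultAction") not in DENY_ACTIONS:
        raise ValueError("profile does not deny by default; nothing to narrow")
    new_profile = copy.deepcopy(profile)
    missing = sorted(set(names) - allowed_syscalls(profile))
    if missing:
        new_profile["syscalls"].append({"names": missing, "action": "SCMP_ACT_ALLOW"})
    return new_profile


if __name__ == "__main__":
    # Use with: docker run --security-opt seccomp=isar-seccomp.json ...
    with open("isar-seccomp.json", "w") as f:
        json.dump(allow_syscalls(DEFAULT_PROFILE, ["pivot_root"]), f, indent=2)
```

Feed the real default.json through allow_syscalls in place of the stand-in; the resulting profile still denies everything Docker's default denies, minus pivot_root.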