From patchwork Wed Feb 18 11:58:15 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "MOESSBAUER, Felix" X-Patchwork-Id: 342 Return-Path: Received: from shymkent.ilbers.de ([unix socket]) by shymkent (Cyrus 2.5.10-Debian-2.5.10-3+deb9u2) with LMTPA; Wed, 18 Feb 2026 12:58:56 +0100 X-Sieve: CMU Sieve 2.4 Received: from mail-oa1-f57.google.com (mail-oa1-f57.google.com [209.85.160.57]) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPS id 61IBwsqW023050 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 18 Feb 2026 12:58:56 +0100 Received: by mail-oa1-f57.google.com with SMTP id 586e51a60fabf-40aee511210sf48435236fac.2 for ; Wed, 18 Feb 2026 03:58:55 -0800 (PST) ARC-Seal: i=3; a=rsa-sha256; t=1771415924; cv=pass; d=google.com; s=arc-20240605; b=Nia/48Mz8U0BM9sBPeIew7IkPg/ArNBPOhskA5pUTPExhOhPbQ6cnlM+jugvfnleCC NZTHS2jAH+TD6pejpBrTHvKAFxU2HKstoBPz+7z11Ott6VMeKFNxl1YXpoZT84/RYIvV EARym60SdBFZcGu4HScWy5fRqLL0dcpC7bDJuL23flXUHxQUBJhPbk5V00uHeq+HRjz/ HcyaPPdlmWISuZug9qRWTtdQHfwNhbmdziofrGmP5RlQvrGzUalf18qIzsWBg6h4DvEr YCDXurNfQUdfJ6RLcoGO6VSpJAQQcDk11bY15yD859kXBnC1d8r/Xn7Owg1rU4f88UNT qJuQ== ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to:mime-version:message-id :date:subject:cc:to:from:dkim-signature; bh=bNyS3g4t+Yzo1MhCyz4kaO034WRfOknCLYwNTOGBywg=; fh=PwRd0joGXtb4SH2KW4E+qLacGvGKC1K3SJARZTzufAg=; b=NbehSxrucP5Iv7AucM0FXo4DfFjj7+8aYvbw1Cm30PZ7Bgqm9iKRj2oPnqUWlQ4d3n NQoHZLLqpT4Vv0cboOovyPcPvzAInq3x4iw0Ofn40CUIfU/0lQJ37t6AOdu/iT8uPfWA 7qCNBv5KsapOd6iqYT5pjmG8mwjPqSJl7Y+XsbUFi7QueyVlCzqO7zsUlRpypwrHveze XRLdYfy6yiRvuucjG4lc5w2bPYz2OEEosIV62bGSKH8c5grraYGa7exO6DlV+3bjIVqN y5ER2eOjyW62DSY2LXaFNU2sjEWi5O289ddlbjZyMMIIBtFAdaDvhgpMTKzI0s1iSAKV ST3A==; darn=isar-build.org ARC-Authentication-Results: i=3; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=OLR+bY2N; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c201::3 as permitted sender) smtp.mailfrom=felix.moessbauer@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1771415924; x=1772020724; darn=isar-build.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=bNyS3g4t+Yzo1MhCyz4kaO034WRfOknCLYwNTOGBywg=; b=c3NQjsww4ZhzjEwYa/jFOy3AehyzCxiHV2wz2rOabEGX1bWIGdlRvXhkWgo5oe5SOQ tgVBfsAyM3r9Uz0XgbaiRMZBNpm1ed/NCDhj5xoZNysbd7eK9VZeHjGMVOAY5gRd2zvK lv4MRDRD+lLqr2quX7iiukQAUEOnD5MwJuR3kYJ9AWs+RNYY2/1eHhgVY1fr0qi2KAWc vTsSAOkahslMp1ZwEd7KJPDxNEBCic4OYXI78x3K1ZxkEX0q2XDMn39W38Saw1JCx1oz 6LhS7tr8wjbAp1QWart3bwwTDDCcf0j5NENNTfcgXDl9rCc2Cz94iCfm33KWWWBDZ0Fg IYoQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1771415924; x=1772020724; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :x-spam-checked-in-group:list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :message-id:date:subject:cc:to:from:x-beenthere:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=bNyS3g4t+Yzo1MhCyz4kaO034WRfOknCLYwNTOGBywg=; b=CFSD3lWAXJ07ZWjpgMkouduu+fUOkoV3aLvhfn++TDRytoaeInzRGkQjbSgvuFSpQe P9Ro7ztmmvOFI8+gVns89WzeVBQF6th45cJ357gUMnjNuOJ6dJWI48cj/8bQKrpNAe7J f+J9xKdIBc94eXzAMC3y+UL6h7RAnujrWXeIGmhVdviMthKFAADTmFq7S9aZM71asUSr tLnReLhzFVz6ijZpH5h0pSo6IifuNhj+y4njg8og+DLqJUkvht+P1cF3rg1QF45fuffO LaeVIhl6mBpmCSxr8pSSR9aUOIZ3IsWOJ5HQr8KfWuRNcXGMMFhpD4c0hSzfn47sBBOd CAJg== X-Forwarded-Encrypted: i=3; AJvYcCW7RK6Rq6peJMimzXyIA+jsqwWr7v3/IAq3Wp/c3PDecTHlC06q0LSmgbNjC1zA8bfja/Ja3ug=@isar-build.org X-Gm-Message-State: AOJu0YyLNB0dBHJ+Zg8wgHxQ/OsAyC9G6RCv32tR+NfKD6RMwLjiWxI3 iGA2ouhD35iv6YRQOlM9UACudH7URgBJ8p1smQMNNaE2yQBfHxGCBWSX X-Received: by 2002:a05:6870:e807:b0:404:b83:89c7 with SMTP id 586e51a60fabf-41529197742mr783862fac.44.1771415924039; Wed, 18 Feb 2026 03:58:44 -0800 (PST) X-BeenThere: isar-users@googlegroups.com; h="AV1CL+EJ+qG+CxPbVS/x/AlNVS2RO2lYue54OHkNO+55DFyRwg==" Received: by 2002:a05:6871:7bc6:b0:409:6e30:2d79 with SMTP id 586e51a60fabf-40eca34a61cls5030226fac.0.-pod-prod-07-us; Wed, 18 Feb 2026 03:58:43 -0800 (PST) X-Received: by 2002:a05:6870:4782:b0:409:5ad9:67c1 with SMTP id 586e51a60fabf-415291f13cbmr853541fac.52.1771415922986; Wed, 18 Feb 2026 03:58:42 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1771415922; cv=pass; d=google.com; s=arc-20240605; b=GiYiaYomavHLUp5NmJkRVdlsL78sQ26q+FEBauPiPqtRv21uA5H8qFM/Gv9egkoc2D 7fppa0fB67B97p13r6fRWUiOOtFPQtM36H/qWnh9LqkIkTeUNlDfMMDq5kkueoB1aXjK 4yqVZBbzk9ktLguVgftGZdYDRt9yPTvnnES9FJXBf4/YRekS/i4lmTgoQElxDPkNo6lB r1iUTXNPN5B3AZUQXZDscHiTTsbXHomDgkFMVOpMOUsul7//vXDJOhOIIelHvxyG0OKM w17Yqd/M7vV5cMhQJotTbLBv3V0RYL/C0J+KrHVYyquWNgk2eEyQS3nsy1VUdLAkCVM/ 6C3Q== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=mime-version:content-transfer-encoding:message-id:date:subject:cc :to:from:dkim-signature; bh=paotYHvkkgicADrYVYZICTy5vjiK6jFqQud7iHBQAHI=; fh=dWFKumMb31C26+PJa6vcB2ftw6NwdNo52k0UEVGombI=; b=Z/5kR5YhKJpvDA5mQG48y/ylTfAPoMLtoZ3cu5O0Q6x5EvixtHqHt7GdcwhujXFyx9 amrjdXJcnPz4ejF53jyLDpchlIaR7/fffpZ61MpZF2coyhHlikNga2QAw+s+V7tB8s79 LQU4errS+opOYL/sogwAaDiKKGwp7wpQC+lpIQ5ZIzOT9wu5YO7I5PE/7a7tRc+hbvdr WPXAO3EctWJ9xgTqE5qtf3nrnsMPSjSkJOm1eGMUQ2oR20QAYjhtuhGjz7itxMr3i4ZH R40aP2+iZukl/jO8swVj9Rc3J8dkEdNJZQSoEThwUxJdBl6B1EabgCwTlBTIZhgUgCk7 qa7A==; dara=google.com ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=OLR+bY2N; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c201::3 as permitted sender) smtp.mailfrom=felix.moessbauer@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com Received: from AS8PR04CU009.outbound.protection.outlook.com (mail-westeuropeazlp170110003.outbound.protection.outlook.com. [2a01:111:f403:c201::3]) by gmr-mx.google.com with ESMTPS id 586e51a60fabf-40eebc3d778si667211fac.2.2026.02.18.03.58.42 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 18 Feb 2026 03:58:42 -0800 (PST) Received-SPF: pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c201::3 as permitted sender) client-ip=2a01:111:f403:c201::3; ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=OAvUP/YAHyAOVHxiEER+S0CT9Pevh9hNEx1GexY8XFcRiLIitloDKnKMkwvS19e85eICFDd/YRl4C2hT/yj/Wuj4DkmI9XWoWiAvCyBtJyBY+IA4uFfS741HXPZRfPPTID2Qn/kmOlsYE9FqQIXoaIUWRwZSUmwmE5AYbc7R31G5hLn6gTHNqm4ym+c9P/3ozvD1WxmXI314Jtvnsbe5GS0Jr9EtIMZJj7oz4hh08lvF/tMirhPqWM/tFgO2mEQNqWag94ahHCaJWib/1vtoPeujjPbLkLMfUZQ30Br/XfezPz0o+XOaD32NwXWycsLJ4+3eIXPr5iThRHuq+bT2nA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=paotYHvkkgicADrYVYZICTy5vjiK6jFqQud7iHBQAHI=; b=WdOBlyw1Rp5n2Yygh7ncLJQ58j/YKQAL1OOkwdvVMu09uZCwoH8TIFEMoX2u2zxtyuzqhplptvZmF6V0y8AKgf3SNnuD4kGBfsJFP12ZPGcI0JCQhN36ftjhjAPjYygKwJFrjldODBgfgeHb8z6+uJ6Jadm67PlU5NsZxZdE+1lCo697TsF/vyfpGVdb3N3Id15kWa8CS1SLF8REa7RFL8xDroLyMkdmdBgh7HybfMSvfvoX+SENGhhf/aBIPERoYbYuE5FjTDKUlVnx6h/Lwk3y0hjztN/4XX5nXcEjjvdGac8/GNJObOPOJSyG9Z0P/cSICQ1b23TCXWHg/o9cVA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none Received: from DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:47f::13) by FRWPR10MB9395.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:d10:1a1::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9632.13; Wed, 18 Feb 2026 11:58:39 +0000 Received: from DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM ([fe80::9412:cd7f:3f72:92ab]) by DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM ([fe80::9412:cd7f:3f72:92ab%3]) with mapi id 15.20.9632.010; Wed, 18 Feb 2026 11:58:39 +0000 X-Patchwork-Original-From: "'Felix Moessbauer' via isar-users" From: "MOESSBAUER, Felix" To: isar-users@googlegroups.com Cc: quirin.gylstorff@siemens.com, Felix Moessbauer Subject: [RFC 00/12] add support to build isar unprivileged Date: Wed, 18 Feb 2026 12:58:15 +0100 Message-ID: <20260218115827.3947145-1-felix.moessbauer@siemens.com> X-Mailer: git-send-email 2.51.0 X-ClientProxiedBy: CH5P220CA0022.NAMP220.PROD.OUTLOOK.COM (2603:10b6:610:1ef::28) To DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:47f::13) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DU0PR10MB6828:EE_|FRWPR10MB9395:EE_ X-MS-Office365-Filtering-Correlation-Id: 976ed9ae-3139-4fe6-418f-08de6ee50df0 X-MS-Exchange-AtpMessageProperties: SA X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|376014|1800799024|366016|7142099003; X-Microsoft-Antispam-Message-Info: UG68CLXGZCQR8BLDFSAXvkMagtxeAliaY5lFbz5R5vfJ5ouqzl4bP0+tOw615WSK1xXhqF9UrTYko6BU95O0F//jkF1SCgO3fZ09LYyB5uKLs2EnkmlTXvfValkIt2ncJiXlihVX2aNMH8wMVNnD25dESqkvjTyg8nEKPNIDMEtncVoWcMEiPu88RgzIrywR/1g7FCYIj2A7FNN/7MSEPIvO3wsp/DPI5SDVLmUTGcY+DcNARH3MgL7a40BYnvZYHIG2+QKiCTezNJ5Yo+rT2KEu8ocEhFsTMaYA5Dfc4Cb8MZwW0nQLLJQSrWdFKXqDTQ5wA9zhl62RymbKPc64/32nhGj9f2GL6NhlIBpNm2pmiNqTkZoQvKhrmTT0rksWM0reyOBk5sVRMdcQuXRnrh6236aDahcFLFoshqmRX32YAqxrW26garireD6LqOwUSKVvgBxtJYSFPQj7VnZ3Dq7Zgx3ZrZm55rKOiWV6sZhmieuTTvaHMIzJNnCs74csUBsikuz9DvHbQoY0Z+Ay+hGxLjyLbrVFygUK1zTdDhcPvzoT58VADGXWu3ONusWiWa51NN2IuVTWrE698R0aeYxAPxfmPnyts3qkUHQVPibE8ek6brrP58gFVIQcqAWDJuX/jtWuBshRWUVCVLwaE72j8tJvLumvhgC9VvUo+qk/7DJaQxFbCumZxnc3SGYLrnZFBWzSk3KjwwKpCscrTG0jFT7QHEwyDptqaBdJTbntsFp31J4LAITwL+cOjyEafXAiopfiQsRgxAoCmEZ23gqIDdeJaSiswAGTTKZ5D1G4Y3Xyyav5MwlOYPxxKL9fxX6LACm/sdJS26i+1jRYK3AQRCsX+58oUagTTRPaPSCT/6+1fm5qI2aqzJdNbLc41NCVJZ3W/MZ7/bq9BADu9TwW5j5Y5xuYX464d+Mn2I0Oy/5cX2BhZ+4cnvDBEuPwzZOR27PsOLnEVj4EYsLCJGNmxg27/IWxLEMIUAKuDslWzRHW213h9mRhO03ZUgbf56cpbUO5VhO06Bl7G85ATYE7yEbrYd28MSG5b9Z2snLYk75A1ql2h7GI5XMSll93EmOMVJ8WL2Wj4dDwV0AzFuDKNPhAqfd0Q9HUPitH/zbbXGRBT5+Tg5Wm7gyJoX6DPLdOegTzxdDeXWFoPuN2NSZ5MRzNB2aBlPRwoWqz01nXgihuJ2yrECIkaUrMV8AHZQGQ4rftifDBwSOzDyKjPwXlVLrHb5Od79RD8hhoh8CpaE/yOEuYmDId6h3hFo3Li3GwRl5uX4UYO2w8ebkg16Y1X42RW+OS1ss+rc8xKZZ+aVX3q6DsxviaJpjNw5eTfL/PCzDF1c9nIGQZIgvu+dINFzKl47j4I22jyzEch4nD9IzhXeeUff7n9iJqJPxnS3TYqpAsS8ddV2Qi3a/TfptVg7mIF/JBhLLsD+b2B3SCv0tW/Btd2j09022YCGg3S1TmSEQ7SskvslDORTGcLpRibZvFznyVIKdlvFO5Z9Bh6esGfz7/3znkMrY+UMGKElnBjK7Ks1GMHM4Mnf0FhIcpHDjvxy3M3sF5XyGmKMI= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(376014)(1800799024)(366016)(7142099003);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: /0VyVhxW3u74VW6V1usF7RLXk+C0xSelpCl7IP73ZGMjAadD0K/uxqYVJQgYbK5j93iafsXgwMJDEnqEoOY+z32AKNkpk7vO6/41ccqQQNdRIRl4/P3OlMNCyzo9q77xnUGGfPnfm/UQqJES2S2yjG6E7u0uBy/XnIMNFuVL8bNgsP4Dy6n2Lb3bKJZ30tf6wdzVDlY1u79kP/6LohwskaS4RC0KShv+EJCbhjRmpteaQEh4RDAStG18GEwBlWTLvbUrAK32CIGyO6Hl2oP+bn0M7PnZEbFXekb/IEMNdjnwoB+BMBKRRPniA3qrbrIq1Btqat2zV3522yZBAoXPAq84x+i9iJvBLwEXd4RouSPgtH507lpmgJh2oFw4SXMpgMDcjARQn14dLvpDCtwTTwo+zCmRUdxs++qX18ma3pJR44eckcMyILqzNouhcAqB0OLv1PFYMtYFZKbSHv3d7jfmMeCgNQ8Z9gfmfv+430DqDoOHkdH28IfQH4IvBtDDVQYg834oS0vmqZLCfgJSHOv/WbLdsiYEd9z6NSEKmdUMHuqB/hOg/TsGp56rzDgMVDcaI2ua0gFIPxsCczYNjUXO7I82Ig5PGnjaNe9HoNKfoopFCXuZKkcOeDPgMgJ2DlaykRLoRBsreWppN6bXXSY+XvZKCvR+6aC2ZAAaacn5U6RqmaynwCNLdUEdPE31OJApoGkTRlNDBLOByDP6jUaZQ5nmuqdgOtikAiUPibaIH8lmmsu4E1k+lFhlXyzIv+2QaKcxZfcP0d57TGglIdkIeS5AiCu1De9fwv/lXbuBBzbcjWnLh2ba/9GxLoAsvmo9We/5oa0VydC5I5m7S8ANkGF8Q6X+GEDMMY99BKLsZ0sJyuOIN3EVbYqqt51Cj4ogghhsXomOEdLg1JtALCPpw9VfIbJHblL6LU8IPel53vJiZonKSZqqjg5upz79pgnvjo3ENHgiIY6erwe7/AtlfvwEKI8uTImPomfR8otLhOXsIpLNDXAgnf178s43HkC1CnacH8tegwE1fs1W63w69MWOtuhyAgZIRDXdSoL2ofDzi3SH/vgFCu4tLQhAsl+Mvz+NU9vfP7FKNjanG+6xlNVcQ2Tbj8csqFVhJ+JGZ7ZJbwJXJsaGrhAli65RxRX942FDoGR2KJw2k8IyHXuYadtVn63vp9FxPNZDcPG7jTZKQdJ8/iUcslo/bTegaIhESYojHzMJe4FDSrVmyaf3E6u2f8fv+Fvu3aW9sYapLmYzZdFwtNnb3nnDLvmcJqel+nRXm1yDVMQ/V5OplIllB31zSBRtHF6he7NDCc9j7aNJ+pdcPXDRolIByw/FCW5Pq3stZ9EQBEkq3PgMJXdV+ILv5gn0n0O/YlmitM4PhL53VJOpRY/6kCH+TF+bNFjYHxjBDAuW/kDSChO4dMzu2qvPOCVKaZDlRGtHQZg6P1SGYzHunuSIKpHkniXRJ5hgF7Ubo8zZB+X4UzgOQPBYZFEUzoJycbYSquhJRrnE6B21i4r+lieessUQ0Q1wtWjnqjnXH4hFFYU2SpNVPcGM1j7CDyIDTcRA9WNHJIqrhtvm/q0YzDaSFMKYqDyG8iRmzjhPFfcj/4Kqy5w9ZaDgE8Xda0iWlUP/me//3Sf/OHUo0Owc0O28wS76/S8hmKIIhZAbcyn1v8M42KrWiA1egvtrrRR4W9Gdxw/r3HmwXBkp8cWwT7Gjpn9TspaYglWeXy18yR7xUxe8+WNb+Xkqh/VfuCDVw2orCD+dcuQ= X-OriginatorOrg: siemens.com X-MS-Exchange-CrossTenant-Network-Message-Id: 976ed9ae-3139-4fe6-418f-08de6ee50df0 X-MS-Exchange-CrossTenant-AuthSource: DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 18 Feb 2026 11:58:39.7197 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: qabXaAmJN9QGqzKciEgpIsdOf8FdgVjzxe5a1j9u0qyQEjHJwfHrSP1otoGdgdCC/nSXuw3QYgj+YxU1LqdG9fnqfSMFsq4nje+PunV+F9Y= X-MS-Exchange-Transport-CrossTenantHeadersStamped: FRWPR10MB9395 X-Original-Sender: felix.moessbauer@siemens.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=OLR+bY2N; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c201::3 as permitted sender) smtp.mailfrom=felix.moessbauer@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com X-Original-From: Felix Moessbauer Reply-To: Felix Moessbauer Precedence: list Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com List-ID: X-Spam-Checked-In-Group: isar-users@googlegroups.com X-Google-Group-Id: 914930254986 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Status: No, score=-4.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL, RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_RNBL,RCVD_IN_RP_SAFE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= Dear isar-users, currently isar requires password-less sudo and an environment where mounting file systems is possible. This has proven problematic for security reasons, both when running in a privileged container or locally. To solve this, we implement fully rootless builds that rely on the unshare syscall which allows us to avoid sudo and instead operate in temporary kernel namespaces as a user that is just privileged within that namespace. This comes with some challenges regarding the handling of mounts (they are cleared when leaving the namespace), as well as cross namespace deployments (the outer user might not be able to access the inner data). For that, we rework the handling of mounts and artifact passing to make it compatible with both chroot modes (schroot and unshare). The patches 1-10 align the file permissions of deployments and artifacts to avoid the use of chown (which will not work anymore across uid boundaries). In addition, helpers are introduced to perform privileged operations, which simplifies the migration of existing layers. The patches 11 and 12 introduce the unshare mode, which can be executed as a normal user and does not require root. To enable this mode, set ISAR_ROOTLESS = "1". While the series is by far not complete yet, it already passes the DevTest CI. Know issues are currently: - no support for VM and container images - unprivileged cleanup of the build/tmp dir is non trivial - sporadic issues on partial rebuilds on rootfs_install_sstate_finalize - interfaces between kas and isar need to be defined Note, that this series can be tested on a custom kas-container build provided in [1]. Hints how to migrate downstream layers are provided in the API changelog. [1] https://groups.google.com/g/kas-devel/c/NWQFCU2aUHg Best regards, Felix Moessbauer Siemens AG Felix Moessbauer (12): refactor bootstrap: store rootfs tar with user permissions deb-dl-dir: export without root privileges download debs without locking introduce wrappers for privileged execution bootstrap: move cleanup trap to function rootfs: rework sstate caching of rootfs artifact rootfs_generate_initramfs: rework deployment to avoid chowning wic: rework image deploy logic to deploy under correct user use bitbake function to generate mounting scripts apt-fetcher: prepare for chroot specific fetching add support for fully rootless builds apt-fetcher: implement support for unshare backend Kconfig | 2 +- RECIPE-API-CHANGELOG.md | 57 +++++ doc/user_manual.md | 2 + meta/classes-global/base.bbclass | 93 ++++++++ meta/classes-recipe/deb-dl-dir.bbclass | 20 +- meta/classes-recipe/dpkg-base.bbclass | 20 +- meta/classes-recipe/dpkg-source.bbclass | 2 +- meta/classes-recipe/dpkg.bbclass | 16 +- .../image-account-extension.bbclass | 4 +- .../image-locales-extension.bbclass | 13 +- .../image-postproc-extension.bbclass | 30 +-- .../image-tools-extension.bbclass | 96 +++++++- meta/classes-recipe/image.bbclass | 24 +- meta/classes-recipe/imagetypes.bbclass | 47 ++-- .../imagetypes_container.bbclass | 26 +-- meta/classes-recipe/imagetypes_wic.bbclass | 12 +- meta/classes-recipe/rootfs.bbclass | 221 ++++++++++-------- meta/classes-recipe/sbuild.bbclass | 37 ++- meta/classes-recipe/sdk.bbclass | 23 +- meta/classes-recipe/squashfs.bbclass | 2 +- meta/classes/sbom.bbclass | 2 +- meta/conf/bitbake.conf | 7 +- meta/lib/aptsrc_fetcher.py | 90 ++++++- .../isar-mmdebstrap/isar-mmdebstrap.inc | 47 ++-- .../sbuild-chroot/sbuild-chroot.inc | 24 +- .../unittests/test_image_account_extension.py | 9 +- 26 files changed, 691 insertions(+), 235 deletions(-)