From patchwork Tue Jun 17 12:35:07 2025
X-Patchwork-Submitter: Cedric Hombourger
X-Patchwork-Id: 4228
From: Cedric Hombourger
To: isar-users@googlegroups.com
Cc: srinuvasan.a@siemens.com, Cedric Hombourger
Subject: [PATCH] rootfs: do not expose /sys/firmware while building root file-systems
Date: Tue, 17 Jun 2025 14:35:07 +0200
Message-Id: <20250617123507.2245-1-cedric.hombourger@siemens.com>

We need /sys while assembling the target root file-system, but it exposes more than the build really needs. Some maintainer scripts (e.g. mdadm) check /sys/firmware/efi/efivars while configuring themselves. This would normally be fine, but for Isar builds any information extracted from there is for the host doing the build and not for the target we are building for.
In addition, packages seeing /sys/firmware/efi will mount efivars there and will cause do_rootfs_umount to fail unmounting /sys (because of that extra mount).

By mounting a (small) tmpfs as /sys/firmware in the root file-system, we hide host details from the build; that extra mount needs to be removed before we attempt to unmount /sys (but we are in control).

Signed-off-by: Cedric Hombourger
Signed-off-by: Cedric Hombourger
---
 meta/classes/rootfs.bbclass | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass
index 5f877962..7b7859b9 100644
--- a/meta/classes/rootfs.bbclass
+++ b/meta/classes/rootfs.bbclass
@@ -48,6 +48,12 @@ rootfs_do_mounts() { mount -o bind,private /sys '${ROOTFSDIR}/sys' mount --make-rslave '${ROOTFSDIR}/sys' + # Mount a tmpfs on /sys/firmware to avoid host contamination problems + # (maintainer scripts shouldn't pull host data from there) + if [ -d '${ROOTFSDIR}/sys/firmware' ]; then + mount -t tmpfs -o size=1m,nosuid,nodev none '${ROOTFSDIR}/sys/firmware' + fi + # Mount isar-apt if the directory does not exist or if it is empty # This prevents overwriting something that was copied there if [ ! -e '${ROOTFSDIR}/isar-apt' ] || \
@@ -94,6 +100,9 @@ rootfs_do_umounts() { if mountpoint -q '${ROOTFSDIR}/proc'; then umount '${ROOTFSDIR}/proc' fi + if mountpoint -q '${ROOTFSDIR}/sys/firmware'; then + umount '${ROOTFSDIR}/sys/firmware' + fi if mountpoint -q '${ROOTFSDIR}/sys'; then umount '${ROOTFSDIR}/sys' fi
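Review bot: In the rootfs_do_mounts() hunk, the new tmpfs is mounted with `-o size=1m,nosuid,nodev` but no `mode=`, so its root directory gets the tmpfs default of 1777 (world-writable, sticky) where the sysfs /sys/firmware it replaces is 0755; any unprivileged process run inside the chroot by a maintainer script could then create files under /sys/firmware, and nothing there should ever be executable either. Suggest `mount -t tmpfs -o size=1m,nosuid,nodev,noexec,mode=0755 none '${ROOTFSDIR}/sys/firmware'` so the replacement is no more permissive than the directory it hides. The placement is otherwise right: the mount lands after `mount --make-rslave '${ROOTFSDIR}/sys'`, so it stays inside the rootfs bind mount and does not propagate back to the host's /sys/firmware.

Review bot: In the rootfs_do_umounts() hunk, the new `umount '${ROOTFSDIR}/sys/firmware'` is correctly ordered before the /sys unmount, but it is non-recursive, so if a package still manages to mount something below the tmpfs (the commit message's efivars case, should a script create efi/efivars on the empty tmpfs first), this umount fails with EBUSY and /sys is left mounted exactly as before the patch. Either use `umount -R '${ROOTFSDIR}/sys/firmware'` here, or state in the comment that the empty tmpfs is relied upon to prevent such nested mounts.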