diff mbox series

[v3,6/6] rootfs: do not get elevated privileges when downloading packages

Message ID 20250625193748.2681-7-cedric.hombourger@siemens.com
State New
Headers show
Series non-privileged commands in chroot | expand

Commit Message

Cedric Hombourger June 25, 2025, 7:37 p.m. UTC 
Use rootfs_cmd() to run "apt-get install --download-only" without sudo.
This requires /var/cache/apt/archives/ to be writable by the build
user: change ownership while populating that folder with previously
downloaded packages (those in downloads/deb/).

Signed-off-by: Cedric Hombourger <cedric.hombourger@siemens.com>
---
 meta/classes/deb-dl-dir.bbclass | 21 ++++++++++++++++++---
 meta/classes/rootfs.bbclass     | 16 +++++++++++++---
 2 files changed, 31 insertions(+), 6 deletions(-)
diff mbox series

Patch

diff --git a/meta/classes/deb-dl-dir.bbclass b/meta/classes/deb-dl-dir.bbclass
index 7026f4f4..7fe052ef 100644
--- a/meta/classes/deb-dl-dir.bbclass
+++ b/meta/classes/deb-dl-dir.bbclass
@@ -100,9 +100,24 @@  dbg_pkgs_download() {
 deb_dl_dir_import() {
     export pc="${DEBDIR}/${2}"
     export rootfs="${1}"
-    sudo mkdir -p "${rootfs}"/var/cache/apt/archives/
+    export uid=$(id -u)
+    export gid=$(id -g)
+
+    # let our unprivileged user place downloaded packages in /var/cache/apt/archives/
+    sudo -Es << '    EOSUDO'
+        mkdir -p "${rootfs}"/var/cache/apt/archives/partial/
+        touch "${rootfs}"/var/cache/apt/archives/lock
+        chown -R ${uid}:${gid} "${rootfs}"/var/cache/apt/archives/
+    EOSUDO
+
+    # nothing to copy if download directory does not exist just yet
     [ ! -d "${pc}" ] && return 0
-    flock -s "${pc}".lock sudo -Es << 'EOSUDO'
+
+    # attempt to create hard-links for .deb files from downloads/ into
+    # /var/cache/apt/archives/ so apt will only download packages we
+    # have not yet downloaded. perform a regular copy whenever hard-links
+    # cannot be created
+    ( flock 9
         set -e
         printenv | grep -q BB_VERBOSE_LOGS && set -x
 
@@ -111,7 +126,7 @@  deb_dl_dir_import() {
             ln -Pf -t "${rootfs}"/var/cache/apt/archives/ "$p" 2>/dev/null ||
                 cp -n --no-preserve=owner -t "${rootfs}"/var/cache/apt/archives/ "$p"
         done
-EOSUDO
+    ) 9>"${pc}".lock
 }
 
 deb_dl_dir_export() {
diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass
index 429494ae..977bbec8 100644
--- a/meta/classes/rootfs.bbclass
+++ b/meta/classes/rootfs.bbclass
@@ -277,10 +277,20 @@  ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_download"
 rootfs_install_pkgs_download[weight] = "600"
 rootfs_install_pkgs_download[progress] = "custom:rootfs_progress.PkgsDownloadProgressHandler"
 rootfs_install_pkgs_download[isar-apt-lock] = "release-after"
-rootfs_install_pkgs_download[network] = "${TASK_USE_NETWORK_AND_SUDO}"
+rootfs_install_pkgs_download[network] = "${TASK_USE_NETWORK}"
 rootfs_install_pkgs_download() {
-    sudo -E chroot '${ROOTFSDIR}' \
-        /usr/bin/apt-get ${ROOTFS_APT_ARGS} --download-only ${ROOTFS_PACKAGES}
+    mkdir -p "${WORKDIR}/dpkg"
+
+    # Use our own dpkg lock files rather than those in the rootfs since we are not root
+    # (this is safe as there are no concurrent apt/dpkg operations for that rootfs)
+    touch "${WORKDIR}/dpkg/lock" "${WORKDIR}/dpkg/lock-frontend"
+
+    # download packages using apt in a non-privileged namespace
+    rootfs_cmd --bind "${ROOTFSDIR}/var/cache/apt/archives" /var/cache/apt/archives \
+               --bind "${WORKDIR}/dpkg/lock" /var/lib/dpkg/lock \
+               --bind "${WORKDIR}/dpkg/lock-frontend" /var/lib/dpkg/lock-frontend \
+               ${ROOTFSDIR} \
+               -- /usr/bin/apt-get ${ROOTFS_APT_ARGS} --download-only ${ROOTFS_PACKAGES}
 }
 
 ROOTFS_INSTALL_COMMAND_BEFORE_EXPORT ??= ""