From patchwork Wed Jun 25 19:37:48 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Cedric Hombourger X-Patchwork-Id: 4242 Return-Path: Received: from shymkent.ilbers.de ([unix socket]) by shymkent (Cyrus 2.5.10-Debian-2.5.10-3+deb9u2) with LMTPA; Wed, 25 Jun 2025 21:39:51 +0200 X-Sieve: CMU Sieve 2.4 Received: from mail-oa1-f64.google.com (mail-oa1-f64.google.com [209.85.160.64]) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPS id 55PJdJrt007316 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 25 Jun 2025 21:39:19 +0200 Received: by mail-oa1-f64.google.com with SMTP id 586e51a60fabf-2d4e42a2b2bsf299962fac.0 for ; Wed, 25 Jun 2025 12:39:19 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1750880353; cv=pass; d=google.com; s=arc-20240605; b=TNX6sPXWTV4yxHQ2ZEUiIsyWmBbXVypTWGjNKrINskcKBF/7kJ1yi8PuxHgQnzllRD v9OrdELEIDCv/bDUtI1U21Trmyg+B2v8BvK+Wp1oK3P3uYLAEGmrmufF6oTsO+zEitSl yilS4PydWXTGNANGARm+h5/ZujA5PWFIlHKbznffExOkeg3Rm3fWdBAtZikev7um0J5E T9r3tYWM90VGSGYxP9slMt3zbYi9AeRBcnbzsMHSoS4lKsG9aRNKVigKy++2WxwEhXxT yLNGLn+qphDLnsIdGi99JMIpCdrgiwU3wDO09WGYgdN5vvbsOmyEVT5PGkedHUBBg/zW JwSQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to:feedback-id:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=CneqdDxyBk8sGUcp1HDncRDWJiXE/o4BGkXSmc4YqZA=; fh=vsz94576ty5Hn/ty8QBNdIhAmsUwJ14trFj6OlcUAHE=; b=QvOYTJWqqR6tumlLdryde8nTqg6CLwxAoEE7BHEcq9p6Sx3qRE5LoJkKilngk4HXjl KE0ropW3lUpDTZcQQJy45tJqaxbrADc8oXf7Hkrkcv5MmbK1UrJPuMHjKuV+KDMvuP35 1Jt5Mh+YQyPgvZ8MmQoOIKNDtSYXT+dfZMPPfFNO6dKRNw3/uEDtWfpiQvczdc3wBR42 M3Q18Emj9bG3jBElhaCkksqz+IdLmzdpNydpHVt6/4mkX/nvydUoPabhQIx/3y2yo0GH 0Xcjb4rsPs7nO78MPPoN/rzo7E6S2j7IFTDw1YrozLSoCas2RcR1Sc/uR4vFcj+GWdh9 GjiA==; darn=isar-build.org ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=fm2 header.b=Q3F0HPEL; spf=pass (google.com: domain of fm-1212295-20250625193911897dc41b5d7bdd0a3f-qwmh_q@rts-flowmailer.siemens.com designates 185.136.64.228 as permitted sender) smtp.mailfrom=fm-1212295-20250625193911897dc41b5d7bdd0a3f-QwMh_Q@rts-flowmailer.siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1750880353; x=1751485153; darn=isar-build.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:feedback-id :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:from:to:cc:subject:date:message-id:reply-to; bh=CneqdDxyBk8sGUcp1HDncRDWJiXE/o4BGkXSmc4YqZA=; b=onzeloWxz324M5VgOmEltZxfDtjx4eprsv6W4002TMyJtjhsGlCr8e7tYG15IiwhZP hWsBQI1FiGiBgRk4SdpRvj+tvx1hVvIDO9bSgIR1A87LZX3HxPfIJAA85K4tdsrHuSzz nSpDm/ArqM5/ARf8mXk1fBfTtmXI8GUIzRdP/os8cM7HOAAa6VL2hgp5lZng9YbDgbs8 m7iO+yzzhGHuBgQoybBFs49hQv8cTuG/S1tV/N0wLXxMVS/BO3vV4ncnJt5rOeHog8m8 Hn99/Vo8RIh46C5I4uz+MKYtU55mcdV3RZFHm6wmLhX6rW4v25LwDKJh7ORRfn8MpPew VEyQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1750880353; x=1751485153; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :x-spam-checked-in-group:list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:feedback-id :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:x-beenthere:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=CneqdDxyBk8sGUcp1HDncRDWJiXE/o4BGkXSmc4YqZA=; b=pV+/BXHek0PewOBRIfeh8o25HxY4MJtTjbCO3bkUqGhgrs5hCVASRGiwi0dGvTG5uU HlNET0jzQw5NF64RSQ4SGGF1Lvhlu2b4bqrMRcXCaVDxsaoYEGtGGv8DJnQNuv5gab/F ew4A7pg/j98ov47vqCvJd/INR7xeVUoHWmR8nkoCzAUWfc+Ox5zZnRCu92EwaSVn9494 i0xoPHgsyiyITcbCrRnS2EBRD0pSPTlE55n5UVyrSE7Nn3khWl93LhLyv/bOHov/c9fR hKPmv1V4zMmFLwr4Wgs0oG8jbwjc8O/Js7kNYGw+Vi81CY8YktQnOpbFsTGZTC7Vm4Ka Pvhw== X-Forwarded-Encrypted: i=2; AJvYcCV3eWciZpvVp1vjiCZdqh7zim1anPsmvsfbhpUpeLtriNvz+v68Ke5pcS7QhzPKgcV1xGIIZlM=@isar-build.org X-Gm-Message-State: AOJu0Yww7XdLACcnbv/9wlZYVMmRMTVSPPKP65P7GOXKBHvcKat3FxCH gu1HvDHFH7FgBPea5JWVHq0XdmEfyxupvwFdfZ6+sGwe88vxTKDB/KgE X-Google-Smtp-Source: AGHT+IEKi7IyJ/EsIUU3ouZQ3q8CYTbxBP/145gPO7BmOYh0kdpXWqL/KLNOh5Fl2QBsIWGjb466mQ== X-Received: by 2002:a05:6870:14d2:b0:29e:74a0:e03f with SMTP id 586e51a60fabf-2efb28cff1amr3132342fac.24.1750880353498; Wed, 25 Jun 2025 12:39:13 -0700 (PDT) X-BeenThere: isar-users@googlegroups.com; h=AZMbMZen1B0Dywi/e3erzdIudia3TtPUezLHgIcl7VBNXfipFA== Received: by 2002:a05:6870:8895:b0:2ef:a100:ef09 with SMTP id 586e51a60fabf-2efcf1e218fls103610fac.1.-pod-prod-05-us; Wed, 25 Jun 2025 12:39:12 -0700 (PDT) X-Received: by 2002:a05:6870:523:b0:2c2:489d:887 with SMTP id 586e51a60fabf-2efb2785ed8mr2772898fac.17.1750880352470; Wed, 25 Jun 2025 12:39:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1750880352; cv=none; d=google.com; s=arc-20240605; b=OzpwfLig9p6l0WPvUKt4Guoc6b+MZR1o+j5suSjwzFSNZKXAPaa4tzV1m3IXSYVu1B 5VRRTwFpEEOvaKnx1RMpnk+MBVWcZ+JL8B7I15FcuoP0bE3eeGlCfavYMJaOrZIXxd+D n0nPh6WUl15RFYukUUkuTP1O6IHkFVROa9TVhgQHutSITVn0lbT8/04Zkv8DNJ7LEpEv vCiSpk+I+1DMdw+X7cv324O/4ExVUGaRFLmmIaYZBrxdMllDdwOoi1Hz18i3sDb3LC7x ghrd01hgsb1hEU77M0LMTAgcoJvt/3x5u616hoJ6uxCy3FmMrBfsR/AXeCWq6BfzE9wx cSmA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=feedback-id:content-transfer-encoding:mime-version:references :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature; bh=mvTyPKqF/HhvlcQg1J4QaDOEhGPsC7k77eftIndRXTg=; fh=D/q4xMKxZDyLo2GtmwQ/2prSr9aCFD3HVqTCj43epLY=; b=Nkz0ZXPLn7A0nF6KQPiJP7oXqI2kkXqmGmhDlk+MjuH4vHtsMgy+aoLmScuyD68Hou LlIeCyluCh4Gt1ujO5TtEdMd63GbObSYpYGxc5z7i9+EvwU8Pkb81j9iaVWLPVSttCiE sZHWacHcHT5TkRX6/vR1TD0IMVx78V87mcpXRYMkdM+ToBHreCT71H9qZ/3Xm0yfRF+f hmva9Nii5w+UEaHWrNQDl5jud0RDXVUKNqnONrkb+0F5s9QKJdPXBUwxA9XwvAgsUF9q NAoePRjo8bGmMdBDg9mis5VuEKt4z0vHIvjzR5dIdl5xHtNkmkyye7ojkE+SNKSUiWnI bf0A==; dara=google.com ARC-Authentication-Results: i=1; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=fm2 header.b=Q3F0HPEL; spf=pass (google.com: domain of fm-1212295-20250625193911897dc41b5d7bdd0a3f-qwmh_q@rts-flowmailer.siemens.com designates 185.136.64.228 as permitted sender) smtp.mailfrom=fm-1212295-20250625193911897dc41b5d7bdd0a3f-QwMh_Q@rts-flowmailer.siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net. [185.136.64.228]) by gmr-mx.google.com with ESMTPS id 586e51a60fabf-2ee58bfe510si558381fac.0.2025.06.25.12.39.12 for (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 25 Jun 2025 12:39:12 -0700 (PDT) Received-SPF: pass (google.com: domain of fm-1212295-20250625193911897dc41b5d7bdd0a3f-qwmh_q@rts-flowmailer.siemens.com designates 185.136.64.228 as permitted sender) client-ip=185.136.64.228; Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 20250625193911897dc41b5d7bdd0a3f for ; Wed, 25 Jun 2025 21:39:12 +0200 X-Patchwork-Original-From: "'Cedric Hombourger' via isar-users" From: Cedric Hombourger To: isar-users@googlegroups.com Cc: felix.moessbauer@siemens.com, Cedric Hombourger Subject: [PATCH v3 6/6] rootfs: do not get elevated privileges when downloading packages Date: Thu, 26 Jun 2025 03:37:48 +0800 Message-Id: <20250625193748.2681-7-cedric.hombourger@siemens.com> In-Reply-To: <20250625193748.2681-1-cedric.hombourger@siemens.com> References: <20250625193748.2681-1-cedric.hombourger@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-1212295:519-21489:flowmailer X-Original-Sender: cedric.hombourger@siemens.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=fm2 header.b=Q3F0HPEL; spf=pass (google.com: domain of fm-1212295-20250625193911897dc41b5d7bdd0a3f-qwmh_q@rts-flowmailer.siemens.com designates 185.136.64.228 as permitted sender) smtp.mailfrom=fm-1212295-20250625193911897dc41b5d7bdd0a3f-QwMh_Q@rts-flowmailer.siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com X-Original-From: Cedric Hombourger Reply-To: Cedric Hombourger Precedence: list Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com List-ID: X-Spam-Checked-In-Group: isar-users@googlegroups.com X-Google-Group-Id: 914930254986 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Status: No, score=-4.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H2,RCVD_IN_RP_CERTIFIED, RCVD_IN_RP_RNBL,RCVD_IN_RP_SAFE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= Use rootfs_cmd() to run "apt-get install --download-only" without sudo. This requires /var/cache/apt/archives/ to be writable by the build user: change ownership while populating that folder with previously downloaded packages (those in downloads/deb/). Signed-off-by: Cedric Hombourger --- meta/classes/deb-dl-dir.bbclass | 21 ++++++++++++++++++--- meta/classes/rootfs.bbclass | 16 +++++++++++++--- 2 files changed, 31 insertions(+), 6 deletions(-) diff --git a/meta/classes/deb-dl-dir.bbclass b/meta/classes/deb-dl-dir.bbclass index 7026f4f4..7fe052ef 100644 --- a/meta/classes/deb-dl-dir.bbclass +++ b/meta/classes/deb-dl-dir.bbclass @@ -100,9 +100,24 @@ dbg_pkgs_download() { deb_dl_dir_import() { export pc="${DEBDIR}/${2}" export rootfs="${1}" - sudo mkdir -p "${rootfs}"/var/cache/apt/archives/ + export uid=$(id -u) + export gid=$(id -g) + + # let our unprivileged user place downloaded packages in /var/cache/apt/archives/ + sudo -Es << ' EOSUDO' + mkdir -p "${rootfs}"/var/cache/apt/archives/partial/ + touch "${rootfs}"/var/cache/apt/archives/lock + chown -R ${uid}:${gid} "${rootfs}"/var/cache/apt/archives/ + EOSUDO + + # nothing to copy if download directory does not exist just yet [ ! -d "${pc}" ] && return 0 - flock -s "${pc}".lock sudo -Es << 'EOSUDO' + + # attempt to create hard-links for .deb files from downloads/ into + # /var/cache/apt/archives/ so apt will only download packages we + # have not yet downloaded. perform a regular copy whenever hard-links + # cannot be created + ( flock 9 set -e printenv | grep -q BB_VERBOSE_LOGS && set -x @@ -111,7 +126,7 @@ deb_dl_dir_import() { ln -Pf -t "${rootfs}"/var/cache/apt/archives/ "$p" 2>/dev/null || cp -n --no-preserve=owner -t "${rootfs}"/var/cache/apt/archives/ "$p" done -EOSUDO + ) 9>"${pc}".lock } deb_dl_dir_export() { diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass index 429494ae..977bbec8 100644 --- a/meta/classes/rootfs.bbclass +++ b/meta/classes/rootfs.bbclass @@ -277,10 +277,20 @@ ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_download" rootfs_install_pkgs_download[weight] = "600" rootfs_install_pkgs_download[progress] = "custom:rootfs_progress.PkgsDownloadProgressHandler" rootfs_install_pkgs_download[isar-apt-lock] = "release-after" -rootfs_install_pkgs_download[network] = "${TASK_USE_NETWORK_AND_SUDO}" +rootfs_install_pkgs_download[network] = "${TASK_USE_NETWORK}" rootfs_install_pkgs_download() { - sudo -E chroot '${ROOTFSDIR}' \ - /usr/bin/apt-get ${ROOTFS_APT_ARGS} --download-only ${ROOTFS_PACKAGES} + mkdir -p "${WORKDIR}/dpkg" + + # Use our own dpkg lock files rather than those in the rootfs since we are not root + # (this is safe as there are no concurrent apt/dpkg operations for that rootfs) + touch "${WORKDIR}/dpkg/lock" "${WORKDIR}/dpkg/lock-frontend" + + # download packages using apt in a non-privileged namespace + rootfs_cmd --bind "${ROOTFSDIR}/var/cache/apt/archives" /var/cache/apt/archives \ + --bind "${WORKDIR}/dpkg/lock" /var/lib/dpkg/lock \ + --bind "${WORKDIR}/dpkg/lock-frontend" /var/lib/dpkg/lock-frontend \ + ${ROOTFSDIR} \ + -- /usr/bin/apt-get ${ROOTFS_APT_ARGS} --download-only ${ROOTFS_PACKAGES} } ROOTFS_INSTALL_COMMAND_BEFORE_EXPORT ??= ""