From patchwork Thu Sep 25 06:54:21 2025
X-Patchwork-Submitter: "cedric.hombourger@siemens.com"
X-Patchwork-Id: 4376
From: "cedric.hombourger@siemens.com"
To: isar-users@googlegroups.com
Cc: "cedric.hombourger@siemens.com"
Subject: [PATCH v4 1/4] rootfs: introduce wrapper to run commands against a rootfs
Date: Thu, 25 Sep 2025 08:54:21 +0200
Message-ID: <20250925065433.4180883-2-cedric.hombourger@siemens.com>
In-Reply-To: <20250925065433.4180883-1-cedric.hombourger@siemens.com>
References: <20250925065433.4180883-1-cedric.hombourger@siemens.com>

From: "cedric.hombourger@siemens.com" "sudo chroot" is used in several places to run commands inside rootfs directories constructed by Isar. There are cases where a command could be used without elevated privileges as long as special folders such as /isar-apt are mounted (they are often referenced as /isar-apt in configuration files found in the target rootfs). For such cases, bubblewrap may be used to create a non-privileged namespace (either in a bare/native environment or within a docker/podman container) where the command will be executed as if chroot had been used. The rootfs may also be the host root file-system: this should however be used with care to avoid host contamination problems (note: Isar already relies on a number of host tools). Signed-off-by: Cedric Hombourger --- RECIPE-API-CHANGELOG.md | 8 +++++ doc/user_manual.md | 1 + meta/classes/rootfs.bbclass | 67 +++++++++++++++++++++++++++++++++++++ 3 files changed, 76 insertions(+) diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md index 92e7811c..53e650d4 100644 --- a/RECIPE-API-CHANGELOG.md +++ b/RECIPE-API-CHANGELOG.md @@ -741,3 +741,11 @@ By setting `MS_TPM_20_REF_DIR` in an optee-ftpm recipe, it is now possible to use the new optee_ftpm code base from the OP-TEE project. That variable has to point to a subdir in `WORKDIR` which contains the unpacked ms-tpm-20-ref source code. + +### Require bubblewrap to run non-privileged commands with bind-mounts + +Isar occasionally needs to run commands within root file-systems that it +builds and with several bind-mounts (e.g. /isar-apt). bubblewrap may be +used in Isar classes instead of `sudo chroot` to avoid unecessary privilege +elevations (when we "just" need to chroot but do not require root). It is +pre-installed in kas-container version 4.8 (or later). diff --git a/doc/user_manual.md b/doc/user_manual.md index 67f91973..be89ce1d 100644 --- a/doc/user_manual.md +++ b/doc/user_manual.md 
@@ -75,6 +75,7 @@ Install the following packages: ``` apt install \ binfmt-support \ + bubblewrap \ bzip2 \ mmdebstrap \ arch-test \ diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass index ebe3bf4a..f740c6e1 100644 --- a/meta/classes/rootfs.bbclass +++ b/meta/classes/rootfs.bbclass 
@@ -34,6 +34,73 @@ export LANG = "C" export LANGUAGE = "C" export LC_ALL = "C" +# Execute a command against a rootfs and with isar-apt bind-mounted. +# Additional mounts may be specified using --bind and a +# custom directory for the command to be executed with --chdir . The +# command is assumed to follow the special "--" argument. This would replace +# "sudo chroot" calls especially when a native command may be used instead of +# chroot'ed command and without elevated privileges (the command will likely +# take the rootfs as argument; e.g. apt-get -o Dir=${ROOTFSDIR}). If the +# optional rootfs argument is omitted, the host rootfs will be used (e.g. to +# run native commands): this should be used with care. +# +# Usage: rootfs_cmd [options] [rootfs] -- command +# +rootfs_cmd() { + set -- "$@" + bwrap_args="--bind ${REPO_ISAR_DIR}/${DISTRO} /isar-apt" + bwrap_binds="" + bwrap_rootfs="" + + while [ "${#}" -gt "0" ] && [ "${1}" != "--" ]; do + case "${1}" in + --bind) + if [ "${#}" -lt "3" ]; then + bbfatal "--bind requires two arguments" + fi + bwrap_binds="${bwrap_binds} --bind ${2} ${3}" + shift 3 + ;; + --chdir) + if [ "${#}" -lt "2" ]; then + bbfatal "${1} requires an argument" + fi + bwrap_args="${bwrap_args} ${1} ${2}" + shift 2 + ;; + -*) + bbfatal "${1} is not a supported option!" 
+ ;; + *) + if [ -z "${bwrap_rootfs}" ]; then + bwrap_rootfs="${1}" + shift + else + bbfatal "unexpected argument '${1}'" + fi + ;; + esac + done + + if [ -n "${bwrap_rootfs}" ]; then + bwrap_args="${bwrap_args} --bind ${bwrap_rootfs} /" + fi + + if [ "${#}" -le "1" ] || [ "${1}" != "--" ]; then + bbfatal "no command specified (missing --)" + fi + shift # remove "--", command and its arguments follows + + for ro_d in bin etc lib lib64 sys usr var; do + [ -d ${bwrap_rootfs}/${ro_d} ] || continue + bwrap_args="${bwrap_args} --ro-bind ${bwrap_rootfs}/${ro_d} /${ro_d}" + done + + bwrap --unshare-user --unshare-pid ${bwrap_args} \ + --dev-bind /dev /dev --proc /proc --tmpfs /tmp \ + ${bwrap_binds} -- "${@}" +} + rootfs_do_mounts[weight] = "3" rootfs_do_mounts() { sudo -s <<'EOSUDO'
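
Review bot: In the RECIPE-API-CHANGELOG.md hunk, the new heading says bubblewrap is required while the paragraph under it only says it "may be used" in Isar classes; say which it is, and if it is now a hard host dependency, state that users outside kas-container (or on a kas-container older than 4.8) must install it themselves. In the same added paragraph, "unecessary" should read "unnecessary".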
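
Review bot: The doc/user_manual.md hunk documents only the package, but rootfs_cmd in this patch calls `bwrap --unshare-user --unshare-pid`, so the host requirement is larger than having the binary installed. Consider adding a sentence next to the package list saying that the build user must be able to create user namespaces, both on a bare host and inside the docker/podman container mentioned in the commit message, so that a failure there is not mistaken for a broken recipe.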
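
Review bot: In rootfs_cmd (meta/classes/rootfs.bbclass hunk), `bwrap_args` and `bwrap_binds` are accumulated as flat strings and expanded unquoted in the final `bwrap` call, and `[ -d ${bwrap_rootfs}/${ro_d} ]` is unquoted too, so a rootfs path, a `--bind` argument or a `REPO_ISAR_DIR` value containing whitespace or glob characters is word-split and can reach bwrap as extra options or different mount points. Build the argument vector with `set --` once option parsing is done (prepending the bwrap options to the remaining command) and quote every expansion, or reject such paths with bbfatal. Also, the `/isar-apt` bind is put into `bwrap_args` ahead of `--bind ${bwrap_rootfs} /`, so please confirm that the later mount of `/` does not hide it when a rootfs is given. Finally, `--dev-bind /dev /dev` hands the host's device nodes to every command run through the wrapper; if the callers only need the basic devices, `--dev /dev` would be the narrower choice.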