From patchwork Thu Sep 25 06:54:24 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "cedric.hombourger@siemens.com" X-Patchwork-Id: 4378 Return-Path: Received: from shymkent.ilbers.de ([unix socket]) by shymkent (Cyrus 2.5.10-Debian-2.5.10-3+deb9u2) with LMTPA; Thu, 25 Sep 2025 09:06:47 +0200 X-Sieve: CMU Sieve 2.4 Received: from mail-qk1-f192.google.com (mail-qk1-f192.google.com [209.85.222.192]) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPS id 58P76k4j002505 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Thu, 25 Sep 2025 09:06:46 +0200 Received: by mail-qk1-f192.google.com with SMTP id af79cd13be357-854bec86266sf212775085a.1 for ; Thu, 25 Sep 2025 00:06:46 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1758784000; cv=pass; d=google.com; s=arc-20240605; b=H2XZUnBUxE03eQaonnVKsMLQVSODZPWMrgfBThLkKbCvfbz4Ru+L2FVSZy7jSl1L9j JirT1CnLSWLNMYA3hkN5lOORWl2cPbmu+5hfyfdx8zo/+dyLM/bzzM2ccWmXTfPPklOB jSVl4fZcaN9WMm4Jgd5rx9jHzR0MxFqvLK6jvn3sllnCivdSyJsKV2tAJb9qWsh/ZL2O WURFkMSXxlx7NiZUbKkp3lrYun45XAzt1W9un56maWxtFBKyqIGJNlJzcHnRD0Ycj7Op 2MhO2vH0YX2JKUTWjrMa2AvZ4ruYhRiJ8Q95/ziLGes4oe8SZXQq2UslNZob3tpJ9K4L 7SRQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to:feedback-id:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=PdYikJ2oKUaRRcraHjnVTE+lzeR3iyIQY8Cddkm2i8c=; fh=sSsAkDG1GCGTkDU+vUd6dlRqxF5vkeUm9ZHx0kWULhA=; b=a4WYpI0FXCvHLU082chf2B5Lue/W+gK1ft6s2uGABix4KhrPya7DXdxcq3UnyvVVON OFZzbhbJ9R4l5WKiG6cqbtkV6sr1YJ5yBs1cUtv1Ko10Pokmsaxntw/sFRdEHF/zf8DC /40xMk8TIzI1eXN+VJhu01HgZc7U0tCbL3I8dvK3PanIodT+4mplb/Lab42HO0IaD1mu QYxZgGLSXzCGGtuoofGpaZ8S85zPTk8KcEOaj5MHMHgPKtIc4tfLRKfGuqtHdlNLyDBJ gHOWniRw/pWF+CmDfP0XIoBSNtFxe6WQ0XiHstIgYqNdC07CNxyx4QC8wb2QpUGh1qMj PnuA==; darn=isar-build.org ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=fm1 header.b=JgnVmhrS; spf=pass (google.com: domain of fm-1212295-202509250654437bebb669bf000207ae-v_jj66@rts-flowmailer.siemens.com designates 185.136.65.227 as permitted sender) smtp.mailfrom=fm-1212295-202509250654437bebb669bf000207ae-v_Jj66@rts-flowmailer.siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1758784000; x=1759388800; darn=isar-build.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:feedback-id :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:from:to:cc:subject:date:message-id:reply-to; bh=PdYikJ2oKUaRRcraHjnVTE+lzeR3iyIQY8Cddkm2i8c=; b=POB9ptRs30NJFILt/ehr+wecA0xfJsvP32lrvSCAOnEZA6SuThikoTZG8Kz0PlRiVt Vn1x8rCyiE5o/SATqN0VW0vP18jYav2FcRhmLOwjXfFaUIxDTlLqi8V0V5/3w/NYmdCT B1eX1dkYKTTPR0g+TU/3khI3jfbAJnBdYDaIX65STL2LRlQV3sXG0CgiNvA/l6wtjfUQ VK7gLUhuFcud3OF5XP6r/z9wRsDwWTxGSW5Gq9LHgIS2Nq2RH6YlagJ13ULw4ii5LnRt PJJERTdtBWEjLBWm0YjMnBWVhX1Y8EYfzMl/40HzgafJkAFVbXV7G7yX6PhPhHyiHizV f1Og== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1758784000; x=1759388800; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :x-spam-checked-in-group:list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:feedback-id :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:x-beenthere:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=PdYikJ2oKUaRRcraHjnVTE+lzeR3iyIQY8Cddkm2i8c=; b=G31NC3VVq4uHlTKY7IAy16noanXwwEpkUcpBDRedGWbhZFxxKwWCxwoSc3zOGoH5qM kOj9vLkGW5EeBuP9Z+t8XZExpOW1EYHhaCpJBXZ5NOG6ve/RekOVsPy9qjshnT5miF0i Il9AqRvT3cDaDnfcFFWfjPWkyjapp3FFy4wU7i6aavGeVu48RTd2DwUIP+BrLBeoJMYo +EDx7cCm+1+iyDnPKFMnsh1dewUcXNh4G/EFSCvxjhsj5c7BniMBEE7SXAB4antBfELz NnBrzRm2xVEomGNJz1l9cljIyLcUruLTY/mW8tZPYjJkodk3ZQ4z+C/Hi6lLOrkMJ1Jz 8YcQ== X-Forwarded-Encrypted: i=2; AJvYcCV+5u/YwEuE5abxJohH82GfMcHGtsyhd4jg6LFrx7N7+HkGqqXnVWMRqw2BWgr4ZHHVXlit+AI=@isar-build.org X-Gm-Message-State: AOJu0YxnU8Ne0QxNCot7icwhAxdAdaSQ4Dcr03oFfXgKTf3/HCABItvA +MYNjIxr0T4bbkQxAncAxXRhEWWJrYc8OTqX/Ql5sh1GeUF03HZJeK+h X-Google-Smtp-Source: AGHT+IHkqBT/1nYJU5hG8M4aI0Y++bKiCPxdFR71CRamySXYZIGCnBnaiCDOCNVqQR4Eg9hBLNLrGw== X-Received: by 2002:a05:690c:930d:20b0:733:3aa3:674e with SMTP id 00721157ae682-763f87775efmr22951847b3.10.1758783286232; Wed, 24 Sep 2025 23:54:46 -0700 (PDT) X-BeenThere: isar-users@googlegroups.com; h="ARHlJd7a2elMcIAngLuCKiaj0gF7N8fOEuGRBklIF55NDo+9zA==" Received: by 2002:a05:690e:2547:b0:5f3:b853:aca3 with SMTP id 956f58d0204a3-6361b58b7fcls225089d50.1.-pod-prod-06-us; Wed, 24 Sep 2025 23:54:45 -0700 (PDT) X-Received: by 2002:a05:690c:7485:b0:74b:e290:1e2e with SMTP id 00721157ae682-7640624f3a5mr21826197b3.52.1758783285071; Wed, 24 Sep 2025 23:54:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1758783285; cv=none; d=google.com; s=arc-20240605; b=GNgFDYD1rRf8kjnWdZoaFN+rVxlr3zTaQ5bvrak+LO5JBYXKa36jTUAuPJPXn7x+q2 nX4M9/yKaq9eoUwAW61mhGZ9OqfaHg9bmTAwr/e6F2N+qB8kQIlE4YK2vfRhpfeYhpLh NNtL1YKcXSDxNKyrioaN6/miqCsn19XbI0D9tg4fNom6Zon9fAigJD3pgURfESNS7wK+ RWI2K2M+mzCgd7szZ6BWo86AqGaKImNJbc1mirsAzGnTwZfllmIglTqqDTkQUxbr1MI4 +8OXNPNdae1TgE1oA/gu5t9sQTuvVmzVISmu/OSkiLfraWHg0mOnULzgb5l3i32VQx+3 hRSA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=feedback-id:content-transfer-encoding:mime-version:references :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature; bh=SJ4rAl5rQYFYautfdxrU6ErymrRU4/HpwhLTlztHuXk=; fh=GJh20mB+jF6oQ+me1R+hLO+vPKOaUsE8susJALlxkPc=; b=Y56S2WiUjEUyFuQS9wT9oylhFlXfCYPhwa2kPqi5JXuw217n8aXMb43ApTsL+Zy97s nM90L2tZryrO6asTfzVLiVd7PXxK+X5FofLdsfkiFBgtwcWgQU34LO/FmzM0PFxiCtxD jzI9QErKJThk+SDrmfTcoxPp+BSLquLiH4cg3ZvddrkFcx//6JBdXoQ1ulFqT0a2VXKy qtrpBEZ2ipM5HWcy26Hf+nRMExA406p7zTQquzDc2tq9+/5FcYd+yqZEbR3kXKgxEqyn JJHImnzUokOuzK9q3BMwJgI3cQGutl79OJ1xl+VHcc0n8fAUkP+NhYWllkNeVvT1AFKM umLw==; dara=google.com ARC-Authentication-Results: i=1; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=fm1 header.b=JgnVmhrS; spf=pass (google.com: domain of fm-1212295-202509250654437bebb669bf000207ae-v_jj66@rts-flowmailer.siemens.com designates 185.136.65.227 as permitted sender) smtp.mailfrom=fm-1212295-202509250654437bebb669bf000207ae-v_Jj66@rts-flowmailer.siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net. [185.136.65.227]) by gmr-mx.google.com with ESMTPS id 00721157ae682-76724498746si161807b3.0.2025.09.24.23.54.44 for (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 24 Sep 2025 23:54:44 -0700 (PDT) Received-SPF: pass (google.com: domain of fm-1212295-202509250654437bebb669bf000207ae-v_jj66@rts-flowmailer.siemens.com designates 185.136.65.227 as permitted sender) client-ip=185.136.65.227; Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 202509250654437bebb669bf000207ae for ; Thu, 25 Sep 2025 08:54:43 +0200 X-Patchwork-Original-From: "'Cedric Hombourger' via isar-users" From: "cedric.hombourger@siemens.com" To: isar-users@googlegroups.com Cc: "cedric.hombourger@siemens.com" Subject: [PATCH v4 4/4] rootfs: do not get elevated privileges when downloading packages Date: Thu, 25 Sep 2025 08:54:24 +0200 Message-ID: <20250925065433.4180883-5-cedric.hombourger@siemens.com> In-Reply-To: <20250925065433.4180883-1-cedric.hombourger@siemens.com> References: <20250925065433.4180883-1-cedric.hombourger@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-1212295:519-21489:flowmailer X-Original-Sender: cedric.hombourger@siemens.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=fm1 header.b=JgnVmhrS; spf=pass (google.com: domain of fm-1212295-202509250654437bebb669bf000207ae-v_jj66@rts-flowmailer.siemens.com designates 185.136.65.227 as permitted sender) smtp.mailfrom=fm-1212295-202509250654437bebb669bf000207ae-v_Jj66@rts-flowmailer.siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com X-Original-From: Cedric Hombourger Reply-To: Cedric Hombourger Precedence: list Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com List-ID: X-Spam-Checked-In-Group: isar-users@googlegroups.com X-Google-Group-Id: 914930254986 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Status: No, score=-4.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H2,RCVD_IN_RP_CERTIFIED, RCVD_IN_RP_RNBL,RCVD_IN_RP_SAFE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= From: "cedric.hombourger@siemens.com" Use rootfs_cmd() to run "apt-get install --download-only" without sudo. This requires /var/cache/apt/archives/ to be writable by the build user: change ownership while populating that folder with previously downloaded packages (those in downloads/deb/). Signed-off-by: Cedric Hombourger --- meta/classes/deb-dl-dir.bbclass | 21 ++++++++++++++++++--- meta/classes/rootfs.bbclass | 16 +++++++++++++--- 2 files changed, 31 insertions(+), 6 deletions(-) diff --git a/meta/classes/deb-dl-dir.bbclass b/meta/classes/deb-dl-dir.bbclass index ea0ed3d2..16ccd426 100644 --- a/meta/classes/deb-dl-dir.bbclass +++ b/meta/classes/deb-dl-dir.bbclass @@ -107,9 +107,24 @@ dbg_pkgs_download() { deb_dl_dir_import() { export pc="${DEBDIR}/${2}" export rootfs="${1}" - sudo mkdir -p "${rootfs}"/var/cache/apt/archives/ + export uid=$(id -u) + export gid=$(id -g) + + # let our unprivileged user place downloaded packages in /var/cache/apt/archives/ + sudo -Es << ' EOSUDO' + mkdir -p "${rootfs}"/var/cache/apt/archives/partial/ + touch "${rootfs}"/var/cache/apt/archives/lock + chown -R ${uid}:${gid} "${rootfs}"/var/cache/apt/archives/ + EOSUDO + + # nothing to copy if download directory does not exist just yet [ ! -d "${pc}" ] && return 0 - flock -s "${pc}".lock sudo -Es << 'EOSUDO' + + # attempt to create hard-links for .deb files from downloads/ into + # /var/cache/apt/archives/ so apt will only download packages we + # have not yet downloaded. perform a regular copy whenever hard-links + # cannot be created + ( flock 9 set -e printenv | grep -q BB_VERBOSE_LOGS && set -x @@ -118,7 +133,7 @@ deb_dl_dir_import() { ln -Pf -t "${rootfs}"/var/cache/apt/archives/ "$p" 2>/dev/null || cp -n --no-preserve=owner -t "${rootfs}"/var/cache/apt/archives/ "$p" done -EOSUDO + ) 9>"${pc}".lock } deb_dl_dir_export() { diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass index f740c6e1..684d04c4 100644 --- a/meta/classes/rootfs.bbclass +++ b/meta/classes/rootfs.bbclass @@ -286,10 +286,20 @@ ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_download" rootfs_install_pkgs_download[weight] = "600" rootfs_install_pkgs_download[progress] = "custom:rootfs_progress.PkgsDownloadProgressHandler" rootfs_install_pkgs_download[isar-apt-lock] = "release-after" -rootfs_install_pkgs_download[network] = "${TASK_USE_NETWORK_AND_SUDO}" +rootfs_install_pkgs_download[network] = "${TASK_USE_NETWORK}" rootfs_install_pkgs_download() { - sudo -E chroot '${ROOTFSDIR}' \ - /usr/bin/apt-get ${ROOTFS_APT_ARGS} --download-only ${ROOTFS_PACKAGES} + mkdir -p "${WORKDIR}/dpkg" + + # Use our own dpkg lock files rather than those in the rootfs since we are not root + # (this is safe as there are no concurrent apt/dpkg operations for that rootfs) + touch "${WORKDIR}/dpkg/lock" "${WORKDIR}/dpkg/lock-frontend" + + # download packages using apt in a non-privileged namespace + rootfs_cmd --bind "${ROOTFSDIR}/var/cache/apt/archives" /var/cache/apt/archives \ + --bind "${WORKDIR}/dpkg/lock" /var/lib/dpkg/lock \ + --bind "${WORKDIR}/dpkg/lock-frontend" /var/lib/dpkg/lock-frontend \ + ${ROOTFSDIR} \ + -- /usr/bin/apt-get ${ROOTFS_APT_ARGS} --download-only ${ROOTFS_PACKAGES} } ROOTFS_INSTALL_COMMAND_BEFORE_EXPORT ??= ""