From 207fd60ad101c259620b039e9a8592b7fb69c8af Mon Sep 17 00:00:00 2001 From: Javier Marcet Date: Wed, 4 Mar 2020 10:08:08 +0100 Subject: [PATCH] schroot: new package to securely enter a chroot and run a command or login shell Signed-off-by: Javier Marcet --- admin/schroot/Config.in | 23 +++ admin/schroot/Makefile | 82 +++++++++ admin/schroot/files/schroot.init | 10 ++ admin/schroot/patches/01-openwrt.patch | 219 +++++++++++++++++++++++++ 4 files changed, 334 insertions(+) create mode 100644 admin/schroot/Config.in create mode 100644 admin/schroot/Makefile create mode 100755 admin/schroot/files/schroot.init create mode 100644 admin/schroot/patches/01-openwrt.patch diff --git a/admin/schroot/Config.in b/admin/schroot/Config.in new file mode 100644 index 000000000..3a1cdb141 --- /dev/null +++ b/admin/schroot/Config.in @@ -0,0 +1,23 @@ +menu "Configuration" + +config SCHROOT_BTRFS + bool "Enable support for btrfs snapshots" + select PACKAGE_btrfs-progs + default n + +config SCHROOT_LOOPBACK + bool "Enable support for loopback mounts" + select PACKAGE_losetup + default n + +config SCHROOT_LVM + bool "Enable support for LVM snapshots" + select PACKAGE_lvm2 + default n + +config SCHROOT_UUID + bool "Enable support for UUIDs" + select PACKAGE_libuuid + default n + +endmenu diff --git a/admin/schroot/Makefile b/admin/schroot/Makefile new file mode 100644 index 000000000..fdb81a324 --- /dev/null +++ b/admin/schroot/Makefile @@ -0,0 +1,82 @@ +include $(TOPDIR)/rules.mk + +PKG_NAME:=schroot +PKG_VERSION:=1.6.10 +PKG_RELEASE:=1 + +PKG_SOURCE:=$(PKG_NAME)_$(PKG_VERSION).orig.tar.xz +PKG_SOURCE_URL:=http://deb.debian.org/debian/pool/main/s/schroot +PKG_HASH:=3ce8dfd9cb97b099e4b6d4ccec421d6cc8c9ef84574681e928a12badb5643d0b + +PKG_MAINTAINER:=Javier Marcet +PKG_LICENSE:=GPL-3.0-only +PKG_LICENSE_FILES:=COPYING + +PKG_INSTALL:=1 +PKG_BUILD_PARALLEL:=1 +PKG_FIXUP:=autoreconf + +include $(INCLUDE_DIR)/nls.mk +include $(INCLUDE_DIR)/package.mk + +define Package/schroot + SECTION:=admin + CATEGORY:=Administration + TITLE:=Securely enter a chroot and run a command or login shell. + DEPENDS:=$(ICONV_DEPENDS) \ + +boost +boost-filesystem +boost-iostreams +boost-program_options +boost-regex \ + +SCHROOT_BTRFS:btrfs-progs \ + +SCHROOT_LOOPBACK:losetup \ + +SCHROOT_LVM:lvm2 \ + +SCHROOT_UUID:libuuid + URL:=https://salsa.debian.org/debian/schroot +endef + +define Package/schroot/description + Securely enter a chroot and run a command or login shell. +endef + +define Package/sudo/conffiles +/etc/schroot/ +endef + +define Package/schroot/config + source "$(SOURCE)/Config.in" +endef + +PKG_CONFIG_DEPENDS := \ + CONFIG_SCHROOT_BTRFS \ + CONFIG_SCHROOT_LOOPBACK \ + CONFIG_SCHROOT_LVM \ + CONFIG_SCHROOT_UUID + +CONFIGURE_ARGS += \ + $(if $(CONFIG_SCHROOT_BTRFS),--enable,--disable)-btrfs-snapshot \ + $(if $(CONFIG_SCHROOT_LOOPBACK),--enable,--disable)-loopback \ + $(if $(CONFIG_SCHROOT_LVM),--enable,--disable)-lvm-snapshot \ + $(if $(CONFIG_SCHROOT_UUID),--enable,--disable)-uuid \ + --enable-block-device \ + --enable-union \ + --disable-dchroot \ + --disable-dchroot-dsa \ + --disable-csbuild \ + --disable-debug \ + --disable-pam \ + --disable-doxygen \ + --disable-rpath + +define Package/schroot/install + $(INSTALL_DIR) $(1)/usr/bin + $(INSTALL_SUID) $(PKG_INSTALL_DIR)/usr/bin/schroot $(1)/usr/bin/ + $(INSTALL_DIR) $(1)/etc/schroot + $(CP) -R $(PKG_INSTALL_DIR)/etc/schroot/* $(1)/etc/schroot + $(INSTALL_DIR) $(1)/usr/lib/schroot + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/libsbuild.* $(1)/usr/lib/ + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/schroot/* $(1)/usr/lib/schroot/ + $(INSTALL_DIR) $(1)/usr/share/schroot + $(CP) -R $(PKG_INSTALL_DIR)/usr/share/schroot/* $(1)/usr/share/schroot/ + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) ./files/schroot.init $(1)/etc/init.d/schroot +endef + +$(eval $(call BuildPackage,schroot)) diff --git a/admin/schroot/files/schroot.init b/admin/schroot/files/schroot.init new file mode 100755 index 000000000..aa37793a9 --- /dev/null +++ b/admin/schroot/files/schroot.init @@ -0,0 +1,10 @@ +#!/bin/sh /etc/rc.common + +START=94 + +start() { + [ -d /var/lib/schroot ] || { + mkdir -p /var/lib/schroot/mount /var/lib/schroot/session /var/lib/schroot/unpack /var/lib/schroot/union/overlay /var/lib/schroot/union/underlay + chmod 0700 /var/lib/schroot + } +} diff --git a/admin/schroot/patches/01-openwrt.patch b/admin/schroot/patches/01-openwrt.patch new file mode 100644 index 000000000..9b26b4722 --- /dev/null +++ b/admin/schroot/patches/01-openwrt.patch @@ -0,0 +1,219 @@ +--- ./configure.ac-orig 2019-12-09 12:56:45.217308628 +0100 ++++ ./configure.ac 2019-12-09 12:57:18.667492923 +0100 +@@ -284,22 +284,8 @@ if test -z "$DOXYGEN"; then + HAVE_DOXYGEN="no" + fi + HAVE_LVM="yes" +-AC_PATH_PROG([LVCREATE], [lvcreate], [], [$PATH:/sbin:/usr/sbin]) +-AC_PATH_PROG([LVREMOVE], [lvremove], [], [$PATH:/sbin:/usr/sbin]) +-if test -z "$LVCREATE" || test -z "$LVREMOVE"; then +- HAVE_LVM="no" +-fi + HAVE_BTRFS="yes" +-AC_PATH_PROG([BTRFS], [btrfs], [], [$PATH:/sbin:/usr/sbin]) +-AC_PATH_PROG([BTRFSCTL], [btrfsctl], [], [$PATH:/sbin:/usr/sbin]) +-if test -z "$BTRFS" || test -z "$BTRFSCTL"; then +- HAVE_BTRFS="no" +-fi + HAVE_LOOPBACK="yes" +-AC_PATH_PROG([LOSETUP], [losetup], [], [$PATH:/sbin:/usr/sbin]) +-if test -z "$LOSETUP"; then +- HAVE_LOOPBACK="no" +-fi + + + # Check for host platform +@@ -336,7 +322,6 @@ PKG_CHECK_MODULES([UUID], [uuid], + [HAVE_UUID=yes], + [HAVE_UUID=no]) + +-AM_PATH_CPPUNIT([1.10.0], [HAVE_CPPUNIT=yes]) + AM_CONDITIONAL([USE_UNIT_TESTS], [test -n "$HAVE_CPPUNIT"]) + + SCHROOT_CFLAGS="$UUID_CFLAGS" +@@ -688,42 +673,25 @@ if test "$BOOST_PROGRAM_OPTIONS_VALIDATI + fi + + dnl Note the use of quadrigraphs to quote [ and ] in regexes. +-AH_TEMPLATE(HAVE_REGEX_REGEX, [Set if the header file includes std::regex]) + AH_TEMPLATE(HAVE_BOOST_REGEX, [Set if the header file includes boost::regex]) +-AC_MSG_CHECKING([for std::regex]) +-define([testprog], [AC_LANG_PROGRAM([#include ], +- [std::regex foo("^foo@<:@bar@:>@$"); +- std::regex bar("^foo@<:@bar@:>@$", std::regex::extended); +- std::regex check("^@<:@^:/,.@:>@@<:@^:/,@:>@*$", std::regex::extended);])]) +-AC_RUN_IFELSE(testprog, +- [AC_MSG_RESULT([yes]) +- AC_DEFINE(HAVE_REGEX_REGEX, 1)], +- [dnl Check if std::regex is present but broken. +-define([testprog], [AC_LANG_PROGRAM([#include ], +- [std::regex foo("^foo@<:@bar@:>@$"); +- std::regex bar("^foo@<:@bar@:>@$", std::regex::extended);])]) ++AC_MSG_CHECKING([for boost::regex in -lboost_regex]) ++saved_LIBS="${LIBS}" ++LIBS="${saved_LIBS} -lboost_regex" ++define([testprog], [AC_LANG_PROGRAM([#include ], ++ [boost::regex("^foo@<:@bar@:>@$"); ++ boost::regex bar("^foo@<:@bar@:>@$", boost::regex::extended);])]) + AC_LINK_IFELSE(testprog, +- [AC_MSG_RESULT([broken])], +- [AC_MSG_RESULT([no])]) +- AC_MSG_CHECKING([for boost::regex in -lboost_regex]) +- saved_LIBS="${LIBS}" +- LIBS="${saved_LIBS} -lboost_regex" +- define([testprog], [AC_LANG_PROGRAM([#include ], +- [boost::regex("^foo@<:@bar@:>@$"); +- boost::regex bar("^foo@<:@bar@:>@$", boost::regex::extended);])]) +- AC_LINK_IFELSE(testprog, +- [AC_MSG_RESULT([yes]) +- AC_DEFINE(HAVE_BOOST_REGEX, 1) +- BOOST_LIBS="${BOOST_LIBS} -lboost_regex"], +- [LIBS="${saved_LIBS} -lboost_regex-mt" +- AC_LINK_IFELSE(testprog, +- [AC_MSG_RESULT([yes]) +- AC_DEFINE(HAVE_BOOST_REGEX, 1) +- BOOST_LIBS="${BOOST_LIBS} -lboost_regex-mt"], +- [AC_MSG_RESULT([no]) +- AC_MSG_FAILURE([libboost_regex (Boost C++ Libraries) is not installed, but is required by schroot])])]) +- LIBS="${saved_LIBS}" +-]) ++ [AC_MSG_RESULT([yes]) ++ AC_DEFINE(HAVE_BOOST_REGEX, 1) ++ BOOST_LIBS="${BOOST_LIBS} -lboost_regex"], ++ [LIBS="${saved_LIBS} -lboost_regex-mt" ++ AC_LINK_IFELSE(testprog, ++ [AC_MSG_RESULT([yes]) ++ AC_DEFINE(HAVE_BOOST_REGEX, 1) ++ BOOST_LIBS="${BOOST_LIBS} -lboost_regex-mt"], ++ [AC_MSG_RESULT([no]) ++ AC_MSG_FAILURE([libboost_regex (Boost C++ Libraries) is not installed, but is required by schroot])])]) ++LIBS="${saved_LIBS}" + + AC_MSG_CHECKING([for boost::iostreams in -lboost_iostreams]) + saved_LIBS="${LIBS}" +--- ./bin/schroot-base/schroot-base-run.h-orig 2019-12-09 04:23:51.881428446 +0100 ++++ ./bin/schroot-base/schroot-base-run.h 2019-12-09 04:24:14.934887089 +0100 +@@ -61,8 +61,8 @@ namespace schroot_base + std::cout.imbue(std::locale()); + std::cerr.imbue(std::locale()); + +- bindtextdomain (SBUILD_MESSAGE_CATALOGUE, SCHROOT_LOCALE_DIR); +- textdomain (SBUILD_MESSAGE_CATALOGUE); ++ //bindtextdomain (SBUILD_MESSAGE_CATALOGUE, SCHROOT_LOCALE_DIR); ++ //textdomain (SBUILD_MESSAGE_CATALOGUE); + + typename options_type::ptr opts(new options_type); + main_type kit(opts); +--- ./sbuild/sbuild-feature.h-orig 2019-12-09 04:23:51.881428446 +0100 ++++ ./sbuild/sbuild-feature.h 2019-12-09 04:24:14.934887089 +0100 +@@ -24,6 +24,7 @@ + #include + + #include ++#include + + namespace sbuild + { +--- ./etc/setup.d/20copyfiles-orig 2018-11-03 14:26:12.000000000 +0100 ++++ ./etc/setup.d/20copyfiles 2019-12-09 13:56:45.277145648 +0100 +@@ -39,9 +39,9 @@ copy_file() + if [ -e "$2" ]; then + + # Device and inode +- da=$(/usr/bin/stat --format="%d %i" "$1") ++ da=$(/bin/stat --format="%d %i" "$1") + # This one can fail since it might not exist yet +- db=$(/usr/bin/stat --format="%d %i" "$2" 2>/dev/null || :) ++ db=$(/bin/stat --format="%d %i" "$2" 2>/dev/null || :) + + if [ "$da" = "$db" ]; then + COPY="false" +--- ./etc/setup.d/20nssdatabases-orig 2018-11-03 14:26:12.000000000 +0100 ++++ ./etc/setup.d/20nssdatabases 2019-12-09 13:57:34.397419039 +0100 +@@ -29,7 +29,7 @@ set -e + dup_nss() + { + info "Copying $1 database to $2" +- getent "$1" > "$2" ++ cat "/etc/$1" > "$2" + } + + if [ $STAGE = "setup-start" ] || [ $STAGE = "setup-recover" ]; then +@@ -42,9 +42,9 @@ if [ $STAGE = "setup-start" ] || [ $STAG + fi + + # Device and inode +- dr=$(/usr/bin/stat --format="%d %i" "/etc/$db") ++ dr=$(/bin/stat --format="%d %i" "/etc/$db") + # This one can fail since it might not exist yet +- dc=$(/usr/bin/stat --format="%d %i" "${CHROOT_PATH}/etc/$db" 2>/dev/null || :) ++ dc=$(/bin/stat --format="%d %i" "${CHROOT_PATH}/etc/$db" 2>/dev/null || :) + + # If the database inside and outside the chroot is the + # same, it's very likely that dup_nss would blank the +diff -X /home/jmarcet/.rsync-filter -pru ./etc/profile-templates/all/all/nssdatabases ./etc/profile-templates/all/all/nssdatabases +--- ./etc/profile-templates/all/all/nssdatabases 2018-11-03 14:26:12.000000000 +0100 ++++ ./etc/profile-templates/all/all/nssdatabases 2019-12-09 14:03:12.799297723 +0100 +@@ -4,4 +4,4 @@ + passwd + shadow +-group +-gshadow ++#group ++#gshadow +diff -X /home/jmarcet/.rsync-filter -pru ./etc/profile-templates/buildd/all/nssdatabases ./etc/profile-templates/buildd/all/nssdatabases +--- ./etc/profile-templates/buildd/all/nssdatabases 2018-11-03 14:26:12.000000000 +0100 ++++ ./etc/profile-templates/buildd/all/nssdatabases 2019-12-09 14:03:12.802631074 +0100 +@@ -4,4 +4,4 @@ + passwd + shadow +-group +-gshadow ++#group ++#gshadow +diff -X /home/jmarcet/.rsync-filter -pru ./etc/profile-templates/default/all/nssdatabases ./etc/profile-templates/default/all/nssdatabases +--- ./etc/profile-templates/default/all/nssdatabases 2018-11-03 14:26:12.000000000 +0100 ++++ ./etc/profile-templates/default/all/nssdatabases 2019-12-09 14:03:12.809297778 +0100 +@@ -1,4 +1,4 @@ + services + protocols +-networks ++#networks + hosts +diff -X /home/jmarcet/.rsync-filter -pru ./etc/profile-templates/desktop/all/nssdatabases ./etc/profile-templates/desktop/all/nssdatabases +--- ./etc/profile-templates/desktop/all/nssdatabases 2018-11-03 14:26:12.000000000 +0100 ++++ ./etc/profile-templates/desktop/all/nssdatabases 2019-12-09 14:03:12.812631129 +0100 +@@ -1,4 +1,4 @@ + services + protocols +-networks ++#networks + hosts +diff -X /home/jmarcet/.rsync-filter -pru ./etc/profile-templates/default/linux/fstab ./etc/profile-templates/default/linux/fstab +--- ./etc/profile-templates/default/linux/fstab 2018-11-03 14:26:12.000000000 +0100 ++++ ./etc/profile-templates/default/linux/fstab 2019-12-09 14:18:46.970887080 +0100 +@@ -7,7 +7,7 @@ + # to run additional services in the chroot. However, note that this + # may potentially cause undesirable behaviour on upgrades, such as + # killing services on the host. +-#/run /run none rw,bind 0 0 ++/run /run none rw,bind 0 0 + #/run/lock /run/lock none rw,bind 0 0 +-#/dev/shm /dev/shm none rw,bind 0 0 +-#/run/shm /run/shm none rw,bind 0 0 ++/tmp/shm /dev/shm none rw,bind 0 0 ++/tmp/shm /run/shm none rw,bind 0 0 +diff -X /home/jmarcet/.rsync-filter -pru ./etc/profile-templates/desktop/linux/fstab ./etc/profile-templates/desktop/linux/fstab +--- ./etc/profile-templates/desktop/linux/fstab 2018-11-03 14:26:12.000000000 +0100 ++++ ./etc/profile-templates/desktop/linux/fstab 2019-12-09 14:22:14.148555674 +0100 +@@ -12,7 +12,7 @@ + # to run additional services in the chroot. However, note that this + # may potentially cause undesirable behaviour on upgrades, such as + # killing services on the host. +-#/run /run none rw,bind 0 0 ++/run /run none rw,bind 0 0 + #/run/lock /run/lock none rw,bind 0 0 +-#/dev/shm /dev/shm none rw,bind 0 0 +-#/run/shm /run/shm none rw,bind 0 0 ++/tmp/shm /dev/shm none rw,bind 0 0 ++/tmp/shm /run/shm none rw,bind 0 0