scripts: Use tmpfs for /var/tmp, not the host's /tmp
We don't want to expose the host's `/tmp`, since scripts could otherwise find things like the X11 socket or other host state. To make this easier to debug, add a quick bash script that runs bwrap the same way the C code does. Perhaps down the line we can add `rpm-ostree internals run-bwrap` or similar. Closes: #647 Approved by: jlebon
This commit is contained in:
parent
b364357f60
commit
22048b25a7
22
scripts/bwrap-script-shell.sh
Executable file
22
scripts/bwrap-script-shell.sh
Executable file
@ -0,0 +1,22 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# Run a shell (or program) like how rpm-ostree would run RPM scriptlets. Useful
|
||||||
|
# for quickly testing changes to the script environment.
|
||||||
|
rootfs=$1
|
||||||
|
shift
|
||||||
|
cd ${rootfs}
|
||||||
|
# ⚠⚠⚠ If you change this, also update src/libpriv/rpmostree-scripts.c ⚠⚠⚠
|
||||||
|
BWRAP_ARGV="--dev /dev --proc /proc --dir /tmp --chdir / \
|
||||||
|
--unshare-pid --unshare-net --unshare-uts \
|
||||||
|
--unshare-ipc --unshare-cgroup-try \
|
||||||
|
"
|
||||||
|
for src in /sys/{block,bus,class,dev}; do
|
||||||
|
BWRAP_ARGV="$BWRAP_ARGV --ro-bind $src $src"
|
||||||
|
done
|
||||||
|
for src in lib{,32,64} bin sbin; do
|
||||||
|
if test -L $src; then
|
||||||
|
BWRAP_ARGV="$BWRAP_ARGV --symlink usr/$src $src"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
BWRAP_ARGV="$BWRAP_ARGV --ro-bind usr /usr --ro-bind ./var /var --bind ./usr/etc /etc --tmpfs /var/tmp"
|
||||||
|
echo exec bwrap $BWRAP_ARGV "$@"
|
||||||
|
exec env PS1='bwrap$ ' bwrap $BWRAP_ARGV "$@"
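Review bot: `cd ${rootfs}` on the fourth code line is unquoted and its failure is ignored, so a missing or mistyped argument leaves the shell in the caller's directory and the relative `usr`, `./var` and `./usr/etc` binds that follow then expose whatever tree that happens to be. Replace the first statement with `rootfs=${1:?usage: $0 ROOTFS [CMD...]}` and the `cd` with `cd "$rootfs" || exit 1`. Building `BWRAP_ARGV` as a whitespace-split string also means a `$src` path containing whitespace would break the bind arguments; a bash array expanded as `"${bwrap_argv[@]}"` avoids that, though the paths used here are fixed relative names so this is mostly hygiene. A `set -euo pipefail` after the shebang would make the remaining failure modes loud instead of silently running bwrap with a partial argument list.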
|
@ -192,6 +192,7 @@ rpmostree_bwrap_new (int rootfs_fd,
|
|||||||
ret->rootfs_fd = rootfs_fd;
|
ret->rootfs_fd = rootfs_fd;
|
||||||
ret->argv = g_ptr_array_new_with_free_func (g_free);
|
ret->argv = g_ptr_array_new_with_free_func (g_free);
|
||||||
|
|
||||||
|
/* ⚠⚠⚠ If you change this, also update scripts/bwrap-script-shell.sh ⚠⚠⚠ */
|
||||||
rpmostree_bwrap_append_bwrap_argv (ret,
|
rpmostree_bwrap_append_bwrap_argv (ret,
|
||||||
WITH_BUBBLEWRAP_PATH,
|
WITH_BUBBLEWRAP_PATH,
|
||||||
"--dev", "/dev",
|
"--dev", "/dev",
|
||||||
|
@ -186,11 +186,16 @@ run_script_in_bwrap_container (int rootfs_fd,
|
|||||||
else
|
else
|
||||||
created_var_tmp = TRUE;
|
created_var_tmp = TRUE;
|
||||||
|
|
||||||
|
/* ⚠⚠⚠ If you change this, also update scripts/bwrap-script-shell.sh ⚠⚠⚠ */
|
||||||
|
|
||||||
|
/* We just did a ro bind mount over /var above. However we want a writable
|
||||||
|
* var/tmp, so we need to tmpfs mount on top of it. See also
|
||||||
|
* https://github.com/projectatomic/bubblewrap/issues/182
|
||||||
|
*/
|
||||||
bwrap = rpmostree_bwrap_new (rootfs_fd, RPMOSTREE_BWRAP_MUTATE_ROFILES, error,
|
bwrap = rpmostree_bwrap_new (rootfs_fd, RPMOSTREE_BWRAP_MUTATE_ROFILES, error,
|
||||||
/* Scripts can see a /var with compat links like alternatives */
|
/* Scripts can see a /var with compat links like alternatives */
|
||||||
"--ro-bind", "./var", "/var",
|
"--ro-bind", "./var", "/var",
|
||||||
/* But no need to access persistent /tmp, so make it /tmp */
|
"--tmpfs", "/var/tmp",
|
||||||
"--bind", "/tmp", "/var/tmp",
|
|
||||||
/* Allow RPM scripts to change the /etc defaults; note we use bind
|
/* Allow RPM scripts to change the /etc defaults; note we use bind
|
||||||
* to ensure symlinks work, see https://github.com/projectatomic/rpm-ostree/pull/640 */
|
* to ensure symlinks work, see https://github.com/projectatomic/rpm-ostree/pull/640 */
|
||||||
"--bind", "./usr/etc", "/etc",
|
"--bind", "./usr/etc", "/etc",
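Review bot: bubblewrap mounts a `--tmpfs` with its own restrictive defaults (I believe mode 0755 owned by the sandbox uid), so the new `/var/tmp` is no longer the world-writable sticky directory scriptlets may expect; a scriptlet that switches to a service user before writing there would now fail where the old host `/tmp` bind worked. If that is acceptable, say so next to the mount, e.g. `/* NB: bwrap tmpfs is not 1777; only root-owned writes are expected here */`, otherwise fix the mode up after the mount. The tmpfs also carries no explicit size bound, so a misbehaving scriptlet can consume memory up to the kernel's default limit; worth a sentence in the comment block above even if trusted RPMs make it tolerable. Whichever side the `/* But no need to access persistent /tmp, so make it /tmp */` line lands on, it no longer describes a tmpfs mount and should be dropped or rewritten if it survives on the new side; `run_script_in_bwrap_container` continues outside this hunk.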
|
||||||
|
@ -26,6 +26,10 @@ groupadd -r scriptpkg1
|
|||||||
%posttrans
|
%posttrans
|
||||||
# Firewalld; https://github.com/projectatomic/rpm-ostree/issues/638
|
# Firewalld; https://github.com/projectatomic/rpm-ostree/issues/638
|
||||||
. /etc/os-release || :
|
. /etc/os-release || :
|
||||||
|
# See https://github.com/projectatomic/rpm-ostree/pull/647
|
||||||
|
for path in /tmp /var/tmp; do
|
||||||
|
if test -f ${path}/file-in-host-tmp-not-for-scripts; then echo "found file from host /tmp"; exit 1; fi
|
||||||
|
done
|
||||||
|
|
||||||
%install
|
%install
|
||||||
mkdir -p %{buildroot}/usr/bin
|
mkdir -p %{buildroot}/usr/bin
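Review bot: the new loop in `%posttrans` only proves the host marker is invisible; it does not exercise the other half of this change, that `/var/tmp` is actually writable under the new tmpfs. A single line after the loop such as `touch /var/tmp/scriptpkg1-writable || { echo "/var/tmp not writable"; exit 1; }` would catch a regression where the tmpfs mount is lost and the read-only `./var` bind shows through. The marker name is only correct as long as the VM test that touches it uses the same path, so a comment naming that test next to the loop would make the coupling obvious. `${path}` in the `test -f` should be quoted for consistency, though the two literal values here are safe.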
|
||||||
|
@ -31,6 +31,8 @@ vm_send_test_repo
|
|||||||
# make sure the package is not already layered
|
# make sure the package is not already layered
|
||||||
vm_assert_layered_pkg scriptpkg1 absent
|
vm_assert_layered_pkg scriptpkg1 absent
|
||||||
|
|
||||||
|
# See scriptpkg1.spec
|
||||||
|
vm_cmd touch /tmp/file-in-host-tmp-not-for-scripts
|
||||||
vm_rpmostree pkg-add scriptpkg1
|
vm_rpmostree pkg-add scriptpkg1
|
||||||
echo "ok pkg-add scriptpkg1"
|
echo "ok pkg-add scriptpkg1"
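Review bot: the marker written by `vm_cmd touch /tmp/file-in-host-tmp-not-for-scripts` is only a meaningful negative test if the daemon that runs the scriptlet shares the `/tmp` this shell writes to; if rpm-ostreed runs with `PrivateTmp=` or is otherwise namespaced (not visible here), the scriptlet could never have seen the file even before this fix and the check passes vacuously. Either assert the setup once (a run against a build without `--tmpfs` must fail) or at least record the assumption: `# Assumes rpm-ostreed sees the same /tmp as this shell (no PrivateTmp=)`. The file is also never removed; add `vm_cmd rm -f /tmp/file-in-host-tmp-not-for-scripts` after the `pkg-add` so later tests in the same VM start from a clean `/tmp`.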
|
||||||
|
|
||||||
|