Use capsh to ensure file capabilities aren't set
This commit is contained in:
parent
db10424a9b
commit
c4fb032d3b
12 changed files with 20 additions and 19 deletions
8
build.sh
8
build.sh
|
@ -7,7 +7,7 @@ run_sub_stage()
|
||||||
for i in {00..99}; do
|
for i in {00..99}; do
|
||||||
if [ -f ${i}-debconf ]; then
|
if [ -f ${i}-debconf ]; then
|
||||||
log "Begin ${SUB_STAGE_DIR}/${i}-debconf"
|
log "Begin ${SUB_STAGE_DIR}/${i}-debconf"
|
||||||
on_chroot sh -e - << EOF
|
on_chroot << EOF
|
||||||
debconf-set-selections <<SELEOF
|
debconf-set-selections <<SELEOF
|
||||||
`cat ${i}-debconf`
|
`cat ${i}-debconf`
|
||||||
SELEOF
|
SELEOF
|
||||||
|
@ -18,7 +18,7 @@ EOF
|
||||||
log "Begin ${SUB_STAGE_DIR}/${i}-packages-nr"
|
log "Begin ${SUB_STAGE_DIR}/${i}-packages-nr"
|
||||||
PACKAGES="$(sed -f "${SCRIPT_DIR}/remove-comments.sed" < ${i}-packages-nr)"
|
PACKAGES="$(sed -f "${SCRIPT_DIR}/remove-comments.sed" < ${i}-packages-nr)"
|
||||||
if [ -n "$PACKAGES" ]; then
|
if [ -n "$PACKAGES" ]; then
|
||||||
on_chroot sh -e - << EOF
|
on_chroot << EOF
|
||||||
apt-get install --no-install-recommends -y $PACKAGES
|
apt-get install --no-install-recommends -y $PACKAGES
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
@ -28,7 +28,7 @@ EOF
|
||||||
log "Begin ${SUB_STAGE_DIR}/${i}-packages"
|
log "Begin ${SUB_STAGE_DIR}/${i}-packages"
|
||||||
PACKAGES="$(sed -f "${SCRIPT_DIR}/remove-comments.sed" < ${i}-packages)"
|
PACKAGES="$(sed -f "${SCRIPT_DIR}/remove-comments.sed" < ${i}-packages)"
|
||||||
if [ -n "$PACKAGES" ]; then
|
if [ -n "$PACKAGES" ]; then
|
||||||
on_chroot sh -e - << EOF
|
on_chroot << EOF
|
||||||
apt-get install -y $PACKAGES
|
apt-get install -y $PACKAGES
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
@ -69,7 +69,7 @@ EOF
|
||||||
fi
|
fi
|
||||||
if [ -f ${i}-run-chroot ]; then
|
if [ -f ${i}-run-chroot ]; then
|
||||||
log "Begin ${SUB_STAGE_DIR}/${i}-run-chroot"
|
log "Begin ${SUB_STAGE_DIR}/${i}-run-chroot"
|
||||||
on_chroot sh -e - < ${i}-run-chroot
|
on_chroot < ${i}-run-chroot
|
||||||
log "End ${SUB_STAGE_DIR}/${i}-run-chroot"
|
log "End ${SUB_STAGE_DIR}/${i}-run-chroot"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
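Review bot: The rewritten calls in all four hunks (`on_chroot << EOF` three times and `on_chroot < ${i}-run-chroot`) drop the `-e` that the removed `sh -e -` wrapper supplied, so a failing `apt-get install` or a failing line in a run-chroot script no longer aborts the stage; the new on_chroot (`capsh --drop=cap_setfcap --chroot=${ROOTFS_DIR}/ -- "$@"`, in the section that also changes bootstrap) hands the remaining arguments to bash, and with heredoc input there are none, so bash runs without errexit. The same loss applies to every stage-script section below that switched from `on_chroot sh -e - <<EOF` to `on_chroot << EOF`. The smallest repair is in on_chroot itself, `capsh --drop=cap_setfcap "--chroot=${ROOTFS_DIR}/" -- -e "$@"`, which restores errexit for the heredoc form; the alternative is to keep `sh -e -` at each call site. This reads the second line of each pair as the new side, as the commit title indicates; run_sub_stage's body continues outside the hunks.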
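--- a/depends
+++ b/depends
@@ -4,3 +4,4 @@ debootstrap
 kpartx zerofree
 pxz zip
 mkdosfs:dosfstools
+capsh:libcap2-bin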
|
|
@ -1,6 +1,6 @@
|
||||||
#!/bin/bash -e
|
#!/bin/bash -e
|
||||||
|
|
||||||
on_chroot sh -e - <<EOF
|
on_chroot << EOF
|
||||||
apt-get update
|
apt-get update
|
||||||
apt-get -y dist-upgrade
|
apt-get -y dist-upgrade
|
||||||
apt-get clean
|
apt-get clean
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
IMG_FILE="${STAGE_WORK_DIR}/${IMG_DATE}-${IMG_NAME}${IMG_SUFFIX}.img"
|
IMG_FILE="${STAGE_WORK_DIR}/${IMG_DATE}-${IMG_NAME}${IMG_SUFFIX}.img"
|
||||||
|
|
||||||
on_chroot sh -e - <<EOF
|
on_chroot << EOF
|
||||||
/etc/init.d/fake-hwclock stop
|
/etc/init.d/fake-hwclock stop
|
||||||
hardlink -t /usr/share/doc
|
hardlink -t /usr/share/doc
|
||||||
EOF
|
EOF
|
||||||
|
|
|
@ -14,10 +14,10 @@ bootstrap(){
|
||||||
local BOOTSTRAP_CMD=debootstrap
|
local BOOTSTRAP_CMD=debootstrap
|
||||||
fi
|
fi
|
||||||
|
|
||||||
${BOOTSTRAP_CMD} --components=main,contrib,non-free \
|
capsh --drop=cap_setfcap -- -c "${BOOTSTRAP_CMD} --components=main,contrib,non-free \
|
||||||
--arch armhf\
|
--arch armhf\
|
||||||
--no-check-gpg \
|
--no-check-gpg \
|
||||||
$1 $2 $3
|
$1 $2 $3"
|
||||||
}
|
}
|
||||||
export -f bootstrap
|
export -f bootstrap
|
||||||
|
|
||||||
|
@ -80,7 +80,7 @@ on_chroot() {
|
||||||
mount --bind /sys ${ROOTFS_DIR}/sys
|
mount --bind /sys ${ROOTFS_DIR}/sys
|
||||||
fi
|
fi
|
||||||
|
|
||||||
chroot ${ROOTFS_DIR}/ "$@"
|
capsh --drop=cap_setfcap --chroot=${ROOTFS_DIR}/ -- "$@"
|
||||||
}
|
}
|
||||||
export -f on_chroot
|
export -f on_chroot
|
||||||
|
|
||||||
|
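Review bot: `capsh --drop=cap_setfcap --chroot=${ROOTFS_DIR}/ -- "$@"` in the on_chroot hunk changes what a non-heredoc call executes: capsh's `--` passes the remaining arguments to bash, so a call such as `on_chroot apt-key add -` (context in a later section) now runs `bash apt-key add -` rather than exec'ing apt-key, and appears to keep working only because apt-key is itself a shell script that bash can locate on PATH; a compiled binary passed the same way would fail. Splitting the two call shapes, as below, keeps exec semantics for command arguments and also restores the `-e` the removed `sh -e -` wrappers provided. The bootstrap hunk has a related problem: `-c "${BOOTSTRAP_CMD} ... $1 $2 $3"` re-parses the arguments through the inner shell, so a path containing spaces or shell metacharacters is split or interpreted; passing them as positionals, `capsh --drop=cap_setfcap -- -c 'exec "$@"' bash "${BOOTSTRAP_CMD}" --components=main,contrib,non-free --arch armhf --no-check-gpg "$1" "$2" "$3"`, avoids that. Both functions begin before their hunks, and `--chroot=${ROOTFS_DIR}/` should be quoted like the other expansions.
```shell
on_chroot() {
	# … unchanged: bind-mount setup …
	if [ "$#" -eq 0 ]; then
		# stdin/heredoc form: run bash inside the chroot with errexit
		capsh --drop=cap_setfcap "--chroot=${ROOTFS_DIR}/" -- -e
	else
		# command form: exec the given command, as chroot(8) did before
		capsh --drop=cap_setfcap "--chroot=${ROOTFS_DIR}/" -- -e -c 'exec "$@"' bash "$@"
	fi
}
```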
|
|
@ -11,7 +11,7 @@ else
|
||||||
fi
|
fi
|
||||||
|
|
||||||
on_chroot apt-key add - < files/raspberrypi.gpg.key
|
on_chroot apt-key add - < files/raspberrypi.gpg.key
|
||||||
on_chroot sh -e - << EOF
|
on_chroot << EOF
|
||||||
apt-get update
|
apt-get update
|
||||||
apt-get dist-upgrade -y
|
apt-get dist-upgrade -y
|
||||||
EOF
|
EOF
|
||||||
|
|
|
@ -5,7 +5,7 @@ install -m 644 files/noclear.conf ${ROOTFS_DIR}/etc/systemd/system/getty@tty1.se
|
||||||
install -m 744 files/policy-rc.d ${ROOTFS_DIR}/usr/sbin/policy-rc.d #TODO: Necessary in systemd?
|
install -m 744 files/policy-rc.d ${ROOTFS_DIR}/usr/sbin/policy-rc.d #TODO: Necessary in systemd?
|
||||||
install -v -m 644 files/fstab ${ROOTFS_DIR}/etc/fstab
|
install -v -m 644 files/fstab ${ROOTFS_DIR}/etc/fstab
|
||||||
|
|
||||||
on_chroot sh -e - <<EOF
|
on_chroot << EOF
|
||||||
if ! id -u pi >/dev/null 2>&1; then
|
if ! id -u pi >/dev/null 2>&1; then
|
||||||
adduser --disabled-password --gecos "" pi
|
adduser --disabled-password --gecos "" pi
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -4,6 +4,6 @@ install -m 644 files/ipv6.conf ${ROOTFS_DIR}/etc/modprobe.d/ipv6.conf
|
||||||
install -m 644 files/interfaces ${ROOTFS_DIR}/etc/network/interfaces
|
install -m 644 files/interfaces ${ROOTFS_DIR}/etc/network/interfaces
|
||||||
install -m 644 files/hostname ${ROOTFS_DIR}/etc/hostname
|
install -m 644 files/hostname ${ROOTFS_DIR}/etc/hostname
|
||||||
|
|
||||||
on_chroot sh -e - << EOF
|
on_chroot << EOF
|
||||||
dpkg-divert --add --local /lib/udev/rules.d/75-persistent-net-generator.rules
|
dpkg-divert --add --local /lib/udev/rules.d/75-persistent-net-generator.rules
|
||||||
EOF
|
EOF
|
||||||
|
|
|
@ -10,7 +10,7 @@ install -m 644 files/ttyoutput.conf ${ROOTFS_DIR}/etc/systemd/system/rc-local.
|
||||||
install -m 644 files/50raspi ${ROOTFS_DIR}/etc/apt/apt.conf.d/
|
install -m 644 files/50raspi ${ROOTFS_DIR}/etc/apt/apt.conf.d/
|
||||||
|
|
||||||
|
|
||||||
on_chroot sh -e - <<EOF
|
on_chroot << EOF
|
||||||
systemctl disable hwclock.sh
|
systemctl disable hwclock.sh
|
||||||
systemctl disable nfs-common
|
systemctl disable nfs-common
|
||||||
systemctl disable rpcbind
|
systemctl disable rpcbind
|
||||||
|
@ -20,7 +20,7 @@ systemctl enable apply_noobs_os_config
|
||||||
systemctl enable resize2fs_once
|
systemctl enable resize2fs_once
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
on_chroot sh -e - << \EOF
|
on_chroot << \EOF
|
||||||
for GRP in input spi i2c gpio; do
|
for GRP in input spi i2c gpio; do
|
||||||
groupadd -f -r $GRP
|
groupadd -f -r $GRP
|
||||||
done
|
done
|
||||||
|
@ -29,11 +29,11 @@ for GRP in adm dialout cdrom audio users sudo video games plugdev input gpio spi
|
||||||
done
|
done
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
on_chroot sh -e - <<EOF
|
on_chroot << EOF
|
||||||
setupcon --force --save-only -v
|
setupcon --force --save-only -v
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
on_chroot sh -e - <<EOF
|
on_chroot << EOF
|
||||||
usermod --pass='*' root
|
usermod --pass='*' root
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
#!/bin/bash -e
|
#!/bin/bash -e
|
||||||
|
|
||||||
on_chroot sh -e - <<EOF
|
on_chroot << EOF
|
||||||
apt-get clean
|
apt-get clean
|
||||||
EOF
|
EOF
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
#!/bin/bash -e
|
#!/bin/bash -e
|
||||||
|
|
||||||
on_chroot sh -e - <<EOF
|
on_chroot << EOF
|
||||||
update-alternatives --install /usr/bin/x-www-browser \
|
update-alternatives --install /usr/bin/x-www-browser \
|
||||||
x-www-browser /usr/bin/chromium-browser 86
|
x-www-browser /usr/bin/chromium-browser 86
|
||||||
update-alternatives --install /usr/bin/gnome-www-browser \
|
update-alternatives --install /usr/bin/gnome-www-browser \
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
#!/bin/bash -e
|
#!/bin/bash -e
|
||||||
|
|
||||||
on_chroot sh -e - <<EOF
|
on_chroot << EOF
|
||||||
apt-get clean
|
apt-get clean
|
||||||
EOF
|
EOF
|
||||||
|
|