From ca819a23579114f57476a609314efbe7d1bf2aea Mon Sep 17 00:00:00 2001 From: "Jan Alexander Steffens (heftig)" Date: Wed, 20 Apr 2016 19:36:54 +0200 Subject: [PATCH] makechrootpkg: Simplify chroot preparation (v2) Copy both UID and primary GID of the invoker to the builduser. Mount srcdest and startdir read-write. v2: Fixed GnuPG keyring owner and moved running namcap from a heredoc to a function. --- makechrootpkg.in | 144 ++++++++++++++--------------------------------- 1 file changed, 43 insertions(+), 101 deletions(-) diff --git a/makechrootpkg.in b/makechrootpkg.in index 9cb25fc..9534c54 100644 --- a/makechrootpkg.in +++ b/makechrootpkg.in @@ -148,67 +148,38 @@ install_packages() { prepare_chroot() { $repack || rm -rf "$copydir/build" - mkdir -p "$copydir/build" - if ! grep -q 'BUILDDIR="/build"' "$copydir/etc/makepkg.conf"; then - echo 'BUILDDIR="/build"' >> "$copydir/etc/makepkg.conf" - fi - - # Read .makepkg.conf and gnupg pubring - if [[ -r $USER_HOME/.gnupg/pubring.kbx ]]; then - install -D "$USER_HOME/.gnupg/pubring.kbx" "$copydir/build/.gnupg/pubring.kbx" - fi - if [[ -r $USER_HOME/.gnupg/pubring.gpg ]]; then - install -D "$USER_HOME/.gnupg/pubring.gpg" "$copydir/build/.gnupg/pubring.gpg" - fi - - mkdir -p "$copydir/pkgdest" - if ! grep -q 'PKGDEST="/pkgdest"' "$copydir/etc/makepkg.conf"; then - echo 'PKGDEST="/pkgdest"' >> "$copydir/etc/makepkg.conf" - fi - - mkdir -p "$copydir/srcpkgdest" - if ! grep -q 'SRCPKGDEST="/srcpkgdest"' "$copydir/etc/makepkg.conf"; then - echo 'SRCPKGDEST="/srcpkgdest"' >> "$copydir/etc/makepkg.conf" - fi - - mkdir -p "$copydir/logdest" - if ! grep -q 'LOGDEST="/logdest"' "$copydir/etc/makepkg.conf"; then - echo 'LOGDEST="/logdest"' >> "$copydir/etc/makepkg.conf" - fi - - # These two get bind-mounted read-only - # XXX: makepkg dislikes having these dirs read-only, so separate them - mkdir -p "$copydir/startdir" "$copydir/startdir_host" - mkdir -p "$copydir/srcdest" "$copydir/srcdest_host" - if ! grep -q 'SRCDEST="/srcdest"' "$copydir/etc/makepkg.conf"; then - echo 'SRCDEST="/srcdest"' >> "$copydir/etc/makepkg.conf" - fi - - builduser_uid=${SUDO_UID:-$UID} + local builduser_uid="${SUDO_UID:-$UID}" + local builduser_gid="$(id -g "$builduser_uid")" + local install="install -o $builduser_uid -g $builduser_gid" + local x # We can't use useradd without chrooting, otherwise it invokes PAM modules # which we might not be able to load (i.e. when building i686 packages on # an x86_64 host). - printf 'builduser:x:%d:100:builduser:/build:/bin/bash\n' "$builduser_uid" >>"$copydir/etc/passwd" - chown -R "$builduser_uid" "$copydir"/{build,pkgdest,srcpkgdest,logdest,srcdest,startdir} + sed -e '/^builduser:/d' -i "$copydir"/etc/{passwd,group} + printf >>"$copydir/etc/group" 'builduser:x:%d:\n' $builduser_gid + printf >>"$copydir/etc/passwd" 'builduser:x:%d:%d:builduser:/build:/bin/bash\n' $builduser_uid $builduser_gid - if [[ -n $MAKEFLAGS ]]; then - sed -i '/^MAKEFLAGS=/d' "$copydir/etc/makepkg.conf" - echo "MAKEFLAGS='${MAKEFLAGS}'" >> "$copydir/etc/makepkg.conf" - fi + $install -d "$copydir"/{build,build/.gnupg,startdir,{pkg,srcpkg,src,log}dest} - if [[ -n $PACKAGER ]]; then - sed -i '/^PACKAGER=/d' "$copydir/etc/makepkg.conf" - echo "PACKAGER='${PACKAGER}'" >> "$copydir/etc/makepkg.conf" - fi + for x in .gnupg/pubring.{kbx,gpg}; do + [[ -r $USER_HOME/$x ]] || continue + $install -m 644 "$USER_HOME/$x" "$copydir/build/$x" + done + + sed -e '/^MAKEFLAGS=/d' -e '/^PACKAGER=/d' -i "$copydir/etc/makepkg.conf" + for x in BUILDDIR=/build PKGDEST=/pkgdest SRCPKGDEST=/srcpkgdest SRCDEST=/srcdest LOGDEST=/logdest \ + "MAKEFLAGS='$MAKEFLAGS'" "PACKAGER='$PACKAGER'" + do + grep -q "^$x" "$copydir/etc/makepkg.conf" && continue + echo "$x" >>"$copydir/etc/makepkg.conf" + done - if [[ ! -f $copydir/etc/sudoers.d/builduser-pacman ]]; then - cat > "$copydir/etc/sudoers.d/builduser-pacman" < "$copydir/etc/sudoers.d/builduser-pacman" <&1 | tee "/logdest/${pkgfile##*/}-namcap.log" -done -EOF + declare -f _chrootnamcap + printf '_chrootnamcap || exit\n' fi } >"$copydir/chrootbuild" chmod +x "$copydir/chrootbuild" } +# These functions aren't run in makechrootpkg, +# so no global variables +_chrootbuild() { + . /etc/profile + export HOME=/build + cd /startdir + sudo -u builduser makepkg "$@" +} + +_chrootnamcap() { + pacman -S --needed --noconfirm namcap + for pkgfile in /startdir/PKGBUILD /pkgdest/*; do + echo "Checking ${pkgfile##*/}" + sudo -u builduser namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log" + done +} + download_sources() { local builddir="$(mktemp -d)" chmod 1777 "$builddir" @@ -251,47 +234,6 @@ download_sources() { rm -rf $builddir } -_chrootbuild() { - # This function isn't run in makechrootpkg, - # so no global variables - - . /etc/profile - export HOME=/build - shopt -s nullglob - - # XXX: Workaround makepkg disliking read-only dirs - ln -sft /srcdest /srcdest_host/* - ln -sft /startdir /startdir_host/* - - # XXX: Keep bzr and svn sources writable - # Since makepkg 4.1.1 they get checked out via cp -a, copying the symlink - for dir in /srcdest /startdir; do - for vcs in bzr svn; do - cd "$dir" - for vcsdir in */.$vcs; do - rm "${vcsdir%/.$vcs}" - cp -a "${dir}_host/${vcsdir%/.$vcs}" . - chown -R builduser "${vcsdir%/.$vcs}" - done - done - done - - cd /startdir - - # XXX: Keep PKGBUILD writable for pkgver() - rm PKGBUILD* - cp /startdir_host/PKGBUILD* . - chown builduser PKGBUILD* - - # Safety check - if [[ ! -w PKGBUILD ]]; then - echo "Can't write to PKGBUILD!" - exit 1 - fi - - sudo -u builduser makepkg "$@" -} - move_products() { for pkgfile in "$copydir"/pkgdest/*; do chown "$src_owner" "$pkgfile" @@ -389,8 +331,8 @@ download_sources prepare_chroot if arch-nspawn "$copydir" \ - --bind-ro="$PWD:/startdir_host" \ - --bind-ro="$SRCDEST:/srcdest_host" \ + --bind="$PWD:/startdir" \ + --bind="$SRCDEST:/srcdest" \ "${bindmounts_ro[@]}" "${bindmounts_rw[@]}" \ /chrootbuild then -- GitLab