Commit graph

963 commits

Author SHA1 Message Date
Benjamin Drung
0378c101bb
Pass extended attributes (excluding system) to tar2sqfs
/bin/ping (from iputils-ping) uses the security capabilities to allow
users to use the program:

```
$ getcap /bin/ping
/bin/ping cap_net_raw=ep
```

Debian testing/unstable images (variant important) contain security and
system attributes:

```
$ mmdebstrap --variant=important bullseye root.tar
$ tar --xattrs --xattrs-include='*' -vv -tf root.tar | grep -B 1 '^ '
-rwxr-xr-x* 0/0           77432 2021-02-02 18:49 ./bin/ping
  x: 20 security.capability
--
drwxr-sr-x* 0/102             0 2021-05-07 15:10 ./var/log/journal/
  x: 44 system.posix_acl_access
  x: 44 system.posix_acl_default
```

When generating a squashfs image with mmdebstrap 0.7.5-2, these security
capabilities are lost. Example for building a squashfs image in a
minimal Debian unstable schroot:

```
$ apt install -y mmdebstrap squashfs-tools-ng
$ mmdebstrap --variant=important buster root.squashfs
$ rdsquashfs -x /bin/ping root.squashfs
$
```

tar2sqfs from squashfs-tools-ng 1.0.4-1 supports encoding extended
attributes from the namespace `user`, `trusted`, and `security` (see
`include/sqfs/xattr.h`). GNU tar (version 1.34) supports these three
namespaces plus the namespace `system`.

Passing extended attributes from the `system` namespace to tar2sqfs will
produce an error:

```
ERROR: squashfs does not support xattr prefix of system.posix_acl_default
```

So pass the extended attributes to tar2sqfs, but exclude the `system`
namespace. Then ping will keep its security attributes:

```
$ rdsquashfs -x /bin/ping root.squashfs
security.capability=0x0100000200200000000000000000000000000000
```

Closes: 
Signed-off-by: Benjamin Drung <benjamin.drung@ionos.com>
2021-05-17 21:43:10 +02:00
88a031477a
add --skip=cleanup/apt/lists and --skip=cleanup/apt/cache 2021-05-09 20:44:02 +02:00
Vagrant Cascadian
c51fb24c7b
Use all cores when compressing with zstd. 2021-05-09 17:32:04 +02:00
236b84a486
tarfilter: add --pax-exclude and --pax-include to strip extended attributes because tar2sqfs only supports user.*, trusted.* and security.* 2021-05-07 09:39:40 +02:00
bd5d3c3dab
tarfilter: remove leftover debugging statement 2021-05-07 09:20:36 +02:00
ebfac91738
also choose null format if stdout is /dev/null and check whether major and minor number of /dev/null are as expected to avoid false positives 2021-05-04 15:01:53 +02:00
ccd4b5c163
gpg: handle ASCII-armored keyrings as well
gpg command "--list-keys" requires input files to be passed with
option "--keyring" and each file must match type "public keyring v4"
while gpg command "--show-keys" doesn't require extra options and
handles also ASCII-armored public keyrings as well.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2021-04-25 22:33:37 +03:00
Helmut Grohne
2767b051bc
implement --format=null 2021-03-25 07:04:14 +01:00
4c17f36072
better document the TMPDIR env var 2021-03-08 19:33:51 +01:00
4cd69d444a
coverage.sh: let cover output to stderr to prevent wrong message output order 2021-03-08 19:33:24 +01:00
4cd547286c
coverage.sh: sysvinit-utils also works with chrootless 2021-03-08 19:32:53 +01:00
65070e23da
coverage.sh: add more docs for chrootless essential test 2021-03-08 19:32:19 +01:00
5a3d1ab5c4
Rework /dev, /sys, /proc mounting
- assume all entries in @devfiles to be in /dev
 - allow for /dev, /sys and /proc not to exist in the target and print warning
 - allow for /dev entries as well as /sys and /proc not to exist on the outside
 - simplify umount by storing special options in @umountopts
 - remove superfluous checks for root and unshare mode
 - make sure /dev entries are less than 100 chars in size for tar
2021-03-08 08:04:35 +01:00
d52eaa4814
instead of checking for defined-ness and then comparing with the empty string, we can just use 'length' which returns undef if its argument is undef 2021-03-08 07:54:04 +01:00
270fd09b43
update copyright information 2021-03-08 07:52:14 +01:00
d5c8a85ace
document problems with chrootless mode in man page 2021-02-23 12:50:18 +01:00
ecbc10794c
warn if --dpkgopt is used in chrootless mode because of 2021-02-23 12:49:46 +01:00
49f464e7da
create /etc/dpkg/dpkg.cfg.d/ if --dpkgopt is used 2021-02-23 12:49:26 +01:00
bbf12c221d
tarfilter: fixup last commit by formatting with black 2021-02-22 13:45:55 +01:00
Benjamin Drung
043ab3bbf0
tarfilter: Compile prefix pattern only once
According to Debian bug , mmtarfilter has a slow performance with
many path exclusions. The execution can be speed up if the regular
expression is only compiled once instead of every time in the hot loop.

Signed-off-by: Benjamin Drung <benjamin.drung@cloud.ionos.com>
2021-02-22 13:15:16 +01:00
5fd1ca62d9
coverage.sh: don't attempt deleting non-existant directory 2021-02-19 14:40:20 +01:00
067daaf4c2
also run unshare with --propagation unchanged in root mode 2021-02-19 12:53:14 +01:00
Josh Triplett
f8fc7d9bbf
Fix typo in hook directory example 2021-02-06 18:58:30 +01:00
976cc9c1c4
release 0.7.5 2021-02-06 14:46:37 +01:00
276363c2a1
coverage.sh: remove chroot directories 2021-02-06 14:46:37 +01:00
0009e62b3e
coverage.sh: do not run cap_sys_admin test under lxc 2021-02-06 14:46:37 +01:00
73cd7cd2e8
run unshare --mount with --propagation unchanged to prevent 'cannot change root filesystem propagation' when running mmdebstrap from inside a chroot 2021-02-06 10:11:53 +01:00
Trent W. Buck
f976dabb51
add examples/twb 2021-02-06 10:10:17 +01:00
39167dbc30
expose hook name to hooks via MMDEBSTRAP_HOOK environment variable 2021-02-06 09:18:05 +01:00
8a4f4d90ab
remove example showing mmdebstrap as debootstrap replacement for sbuild-createchroot as it doesn't work in unshare mode 2021-02-04 17:47:40 +01:00
e1e0df7799
skip emulation check for extract variant 2021-02-04 17:47:10 +01:00
c740b01dc8
unset TMPDIR in hooks because there is no value that works inside as well as outside the chroot 2021-02-04 17:46:39 +01:00
0595c5c220
add new suite name trixie 2021-02-04 17:43:33 +01:00
7a43ff89dc
improve dpkg and apt version parsing 2021-02-04 17:42:40 +01:00
aaa7c14275
hooks/setup00-merged-usr.sh: add rationale 2021-02-04 17:40:35 +01:00
4e658549f0
coverage.sh: clean up some additional files 2021-02-04 17:39:50 +01:00
d9633d05fe
release 0.7.4 2021-01-16 00:33:40 +01:00
7bd733fb8b
In root mode, check whether it's possible to mount
- even if the user is root, they might not have permission to mount
 - check for CAP_SYS_ADMIN and unshare --mount before proceeding
 - allow one to disable the check with --skip=check/canmount
 - this is useful in container environments like docker
2021-01-13 18:40:29 +01:00
205f5c2692
document how to use mmdebstrap to create a docker chroot 2021-01-13 18:08:04 +01:00
4693034138
allow unshare as root user
- this is useful when you are already root and want the benefits of
   unsharing the mount namespace to prevent messing up your system
 - if the unshare mode is used as root, the user namespace is not unshared
   anymore and newuidmap, setuid and friends are not called anymore
 - if the unshare mode is used as non-root test if the user namespace can be
   unshared, otherwise test if the mount namespace can be unshared
2021-01-13 16:15:59 +01:00
0f6741d01a
coverage.sh: allow to run on stable 2021-01-11 13:28:18 +01:00
ea6bbc1d9c
got closed and the default of kernel.unprivileged_userns_clone changed to 1 2021-01-09 19:44:39 +01:00
62bcf3261e
do not run an additional env command inside the chroot 2021-01-09 19:44:00 +01:00
7ff3f53fb9
apt 2.1.16 fixed immediate configure 2021-01-09 19:43:15 +01:00
ac21074243
set MMDEBSTRAP_APT_CONFIG, MMDEBSTRAP_MODE and MMDEBSTRAP_HOOKSOCK for hook scripts 2021-01-09 19:41:59 +01:00
Josh Triplett
5a7dbc10c7
Optimize mmtarfilter to handle many path exclusions
mmtarfilter uses fnmatch to handle path exclusions and inclusions.
Python's fnmatch handles shell patterns by translating them to regular
expressions, with a 256-entry LRU cache. With more than 256 path
exclusions or inclusions, this LRU cache no longer works, and every
invocation of fnmatch on every file in every package will re-translate
and re-compile a regular expression, resulting in much worse
performance.

Translate all the shell patterns to regular expressions once. For an
mmdebstrap invocation with around 500 path filters, this speeds up
mmdebstrap by more than a minute.
2021-01-06 14:58:10 +01:00
9484107392
set PATH if it's unset or empty 2021-01-06 11:49:29 +01:00
8c42daad92
README.md: update benchmark numbers with new debootstrap 2021-01-06 11:49:14 +01:00
2d03a81997
coverage.sh: reenabling tests because bugs got fixed
- systemd didn't get fixed but somehow the order matches again (bug )
 - python is installable again (bug )
 - apt immediate configure was not fixed but src:glibc changed to not
   trigger the bug anymore (bugs ,  and )
2021-01-06 11:33:37 +01:00
0dc8321094
coverage.sh: the output of getcap differs depending on the version 2021-01-06 11:19:15 +01:00