Compare commits

..

No commits in common. "57e0ecb20fcd86f38363d1cfbf82414704426f34" and "64ba5f822916790f3919eb31b2a36fa0760f89dd" have entirely different histories.

4 changed files with 30 additions and 116 deletions

View file

@ -1,2 +0,0 @@
Johannes Schauer Marin Rodrigues <josch@mister-muffin.de>
Johannes Schauer Marin Rodrigues <josch@mister-muffin.de> <j.schauer@email.de>

View file

@ -1,8 +1,3 @@
0.8.6 (2022-03-25)
------------------
- allow running root mode inside unshare mode
0.8.5 (2022-03-07) 0.8.5 (2022-03-07)
------------------ ------------------

View file

@ -127,7 +127,7 @@ if [ ! -e shared/hooks/eatmydata/customize.sh ] || [ hooks/eatmydata/customize.s
fi fi
fi fi
starttime= starttime=
total=183 total=182
skipped=0 skipped=0
runtests=0 runtests=0
i=1 i=1
@ -712,48 +712,7 @@ else
runtests=$((runtests+1)) runtests=$((runtests+1))
fi fi
# Same as above but this time we run mmdebstrap in root mode from inside print_header "mode=unshare,variant=apt: root without cap_sys_admin"
# an unshare chroot.
print_header "mode=root,variant=apt: root mode inside unshare chroot"
cat << END > shared/test.sh
#!/bin/sh
set -eu
export LC_ALL=C.UTF-8
if [ ! -e /mmdebstrap-testenv ]; then
echo "this test modifies the system and should only be run inside a container" >&2
exit 1
fi
[ "\$(whoami)" = "root" ]
adduser --gecos user --disabled-password user
sysctl -w kernel.unprivileged_userns_clone=1
cat << 'SCRIPT' > script.sh
#!/bin/sh
set -eu
rootfs="\$1"
mkdir -p "\$rootfs/mnt"
[ -e /usr/bin/mmdebstrap ] && cp -aT /usr/bin/mmdebstrap "\$rootfs/usr/bin/mmdebstrap"
[ -e ./mmdebstrap ] && cp -aT ./mmdebstrap "\$rootfs/mnt/mmdebstrap"
chroot "\$rootfs" env --chdir=/mnt \
$CMD --mode=root --variant=apt \
$DEFAULT_DIST /tmp/debian-chroot.tar $mirror
SCRIPT
chmod +x script.sh
runuser -u user -- $CMD --mode=unshare --variant=apt --include=perl,mount \
--customize-hook=./script.sh \
--customize-hook="download /tmp/debian-chroot.tar /tmp/debian-chroot.tar" \
$DEFAULT_DIST /dev/null $mirror
tar -tf /tmp/debian-chroot.tar | sort | diff -u tar1.txt -
rm /tmp/debian-chroot.tar script.sh
END
if [ "$HAVE_QEMU" = "yes" ]; then
./run_qemu.sh
runtests=$((runtests+1))
else
echo "HAVE_QEMU != yes -- Skipping test..." >&2
skipped=$((skipped+1))
fi
print_header "mode=root,variant=apt: root without cap_sys_admin"
cat << END > shared/test.sh cat << END > shared/test.sh
#!/bin/sh #!/bin/sh
set -eu set -eu

View file

@ -23,7 +23,7 @@
use strict; use strict;
use warnings; use warnings;
our $VERSION = '0.8.6'; our $VERSION = '0.8.5';
use English; use English;
use Getopt::Long; use Getopt::Long;
@ -1181,35 +1181,15 @@ sub run_chroot {
warning("skipping bind-mounting /sys because" warning("skipping bind-mounting /sys because"
. " /sys on the outside is not a directory"); . " /sys on the outside is not a directory");
} elsif ($options->{mode} eq 'root') { } elsif ($options->{mode} eq 'root') {
# we don't know whether we run in root mode inside an unshared
# user namespace or as real root so we first try the real mount and
# then fall back to mounting in a way that works in unshared mode
if (
0 == system(
'mount', '-t',
'sysfs', '-o',
'ro,nosuid,nodev,noexec', 'sys',
"$options->{root}/sys"
)
) {
push @cleanup_tasks, sub { push @cleanup_tasks, sub {
0 == system('umount', "$options->{root}/sys") 0 == system('umount', "$options->{root}/sys")
or warn "umount /sys failed: $?"; or warn "umount /sys failed: $?";
}; };
} elsif (
0 == system('mount', '-o', 'rbind', '/sys',
"$options->{root}/sys")) {
push @cleanup_tasks, sub {
# since we cannot write to /etc/mtab we need --no-mtab
# unmounting /sys only seems to be successful with --lazy
0 == system( 0 == system(
'umount', '--no-mtab', 'mount', '-t', 'sysfs',
'--lazy', "$options->{root}/sys" '-o', 'ro,nosuid,nodev,noexec', 'sys',
) or warn "umount /sys failed: $?"; "$options->{root}/sys"
}; ) or error "mount /sys failed: $?";
} else {
error "mount /sys failed: $?";
}
} elsif ($options->{mode} eq 'unshare') { } elsif ($options->{mode} eq 'unshare') {
# naturally we have to clean up after ourselves in sudo mode where # naturally we have to clean up after ourselves in sudo mode where
# we do a real mount. But we also need to unmount in unshare mode # we do a real mount. But we also need to unmount in unshare mode
@ -1256,15 +1236,6 @@ sub run_chroot {
warning("skipping bind-mounting /proc because" warning("skipping bind-mounting /proc because"
. " /proc on the outside is not a directory"); . " /proc on the outside is not a directory");
} elsif ($options->{mode} eq 'root') { } elsif ($options->{mode} eq 'root') {
# we don't know whether we run in root mode inside an unshared
# user namespace or as real root so we first try the real mount and
# then fall back to mounting in a way that works in unshared
if (
0 == system(
'mount', '-t', 'proc', '-o', 'ro', 'proc',
"$options->{root}/proc"
)
) {
push @cleanup_tasks, sub { push @cleanup_tasks, sub {
# some maintainer scripts mount additional stuff into /proc # some maintainer scripts mount additional stuff into /proc
# which we need to unmount beforehand # which we need to unmount beforehand
@ -1275,23 +1246,14 @@ sub run_chroot {
) { ) {
0 == system('umount', 0 == system('umount',
"$options->{root}/proc/sys/fs/binfmt_misc") "$options->{root}/proc/sys/fs/binfmt_misc")
or error or error "umount /proc/sys/fs/binfmt_misc failed: $?";
"umount /proc/sys/fs/binfmt_misc failed: $?";
} }
0 == system('umount', "$options->{root}/proc") 0 == system('umount', "$options->{root}/proc")
or error "umount /proc failed: $?"; or error "umount /proc failed: $?";
}; };
} elsif ( 0 == system('mount', '-t', 'proc', '-o', 'ro', 'proc',
0 == system('mount', '-t', 'proc', 'proc', "$options->{root}/proc")
"$options->{root}/proc")) { or error "mount /proc failed: $?";
push @cleanup_tasks, sub {
# since we cannot write to /etc/mtab we need --no-mtab
0 == system('umount', '--no-mtab', "$options->{root}/proc")
or error "umount /proc failed: $?";
};
} else {
error "mount /proc failed: $?";
}
} elsif ($options->{mode} eq 'unshare') { } elsif ($options->{mode} eq 'unshare') {
# naturally we have to clean up after ourselves in sudo mode where # naturally we have to clean up after ourselves in sudo mode where
# we do a real mount. But we also need to unmount in unshare mode # we do a real mount. But we also need to unmount in unshare mode