Use capsh to ensure file capabilities aren't set

This commit is contained in:
Serge Schneider 2016-11-14 23:55:45 +00:00
parent db10424a9b
commit c4fb032d3b
12 changed files with 20 additions and 19 deletions


@ -7,7 +7,7 @@ run_sub_stage()
for i in {00..99}; do for i in {00..99}; do
if [ -f ${i}-debconf ]; then if [ -f ${i}-debconf ]; then
log "Begin ${SUB_STAGE_DIR}/${i}-debconf" log "Begin ${SUB_STAGE_DIR}/${i}-debconf"
on_chroot sh -e - << EOF on_chroot << EOF
debconf-set-selections <<SELEOF debconf-set-selections <<SELEOF
`cat ${i}-debconf` `cat ${i}-debconf`
SELEOF SELEOF
@ -18,7 +18,7 @@ EOF
log "Begin ${SUB_STAGE_DIR}/${i}-packages-nr" log "Begin ${SUB_STAGE_DIR}/${i}-packages-nr"
PACKAGES="$(sed -f "${SCRIPT_DIR}/remove-comments.sed" < ${i}-packages-nr)" PACKAGES="$(sed -f "${SCRIPT_DIR}/remove-comments.sed" < ${i}-packages-nr)"
if [ -n "$PACKAGES" ]; then if [ -n "$PACKAGES" ]; then
on_chroot sh -e - << EOF on_chroot << EOF
apt-get install --no-install-recommends -y $PACKAGES apt-get install --no-install-recommends -y $PACKAGES
EOF EOF
fi fi
@ -28,7 +28,7 @@ EOF
log "Begin ${SUB_STAGE_DIR}/${i}-packages" log "Begin ${SUB_STAGE_DIR}/${i}-packages"
PACKAGES="$(sed -f "${SCRIPT_DIR}/remove-comments.sed" < ${i}-packages)" PACKAGES="$(sed -f "${SCRIPT_DIR}/remove-comments.sed" < ${i}-packages)"
if [ -n "$PACKAGES" ]; then if [ -n "$PACKAGES" ]; then
on_chroot sh -e - << EOF on_chroot << EOF
apt-get install -y $PACKAGES apt-get install -y $PACKAGES
EOF EOF
fi fi
@ -69,7 +69,7 @@ EOF
fi fi
if [ -f ${i}-run-chroot ]; then if [ -f ${i}-run-chroot ]; then
log "Begin ${SUB_STAGE_DIR}/${i}-run-chroot" log "Begin ${SUB_STAGE_DIR}/${i}-run-chroot"
on_chroot sh -e - < ${i}-run-chroot on_chroot < ${i}-run-chroot
log "End ${SUB_STAGE_DIR}/${i}-run-chroot" log "End ${SUB_STAGE_DIR}/${i}-run-chroot"
fi fi
done done
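Review bot: `on_chroot < ${i}-run-chroot` now feeds each run-chroot file to whatever shell the new on_chroot starts (per capsh(1), `--` execs `/bin/bash`) with no `-e`, whereas the removed `sh -e -` guaranteed errexit for every script regardless of its contents. A run-chroot file read from stdin gets no benefit from a `#!/bin/bash -e` first line, so unless each script begins with `set -e` a failing step is only reported if it happens to be the last command, and `log "End ..."` still prints. The same applies to the `apt-get install` heredocs above it, though those are single commands and still propagate their status. I'd either keep the `-e` in on_chroot itself or add `set -e` at the top of every `*-run-chroot` file; run_sub_stage begins before this hunk.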


@ -4,3 +4,4 @@ debootstrap
kpartx zerofree kpartx zerofree
pxz zip pxz zip
mkdosfs:dosfstools mkdosfs:dosfstools
capsh:libcap2-bin


@ -1,6 +1,6 @@
#!/bin/bash -e #!/bin/bash -e
on_chroot sh -e - <<EOF on_chroot << EOF
apt-get update apt-get update
apt-get -y dist-upgrade apt-get -y dist-upgrade
apt-get clean apt-get clean


@ -2,7 +2,7 @@
IMG_FILE="${STAGE_WORK_DIR}/${IMG_DATE}-${IMG_NAME}${IMG_SUFFIX}.img" IMG_FILE="${STAGE_WORK_DIR}/${IMG_DATE}-${IMG_NAME}${IMG_SUFFIX}.img"
on_chroot sh -e - <<EOF on_chroot << EOF
/etc/init.d/fake-hwclock stop /etc/init.d/fake-hwclock stop
hardlink -t /usr/share/doc hardlink -t /usr/share/doc
EOF EOF


@ -14,10 +14,10 @@ bootstrap(){
local BOOTSTRAP_CMD=debootstrap local BOOTSTRAP_CMD=debootstrap
fi fi
${BOOTSTRAP_CMD} --components=main,contrib,non-free \ capsh --drop=cap_setfcap -- -c "${BOOTSTRAP_CMD} --components=main,contrib,non-free \
--arch armhf\ --arch armhf\
--no-check-gpg \ --no-check-gpg \
$1 $2 $3 $1 $2 $3"
} }
export -f bootstrap export -f bootstrap
@ -80,7 +80,7 @@ on_chroot() {
mount --bind /sys ${ROOTFS_DIR}/sys mount --bind /sys ${ROOTFS_DIR}/sys
fi fi
chroot ${ROOTFS_DIR}/ "$@" capsh --drop=cap_setfcap --chroot=${ROOTFS_DIR}/ -- "$@"
} }
export -f on_chroot export -f on_chroot
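Review bot: The rewritten on_chroot drops the `sh -e -` every caller used to pass, and per capsh(1) `--` execs `/bin/bash` with only the trailing arguments, so heredoc bodies such as `apt-get update` / `apt-get dist-upgrade -y` / `apt-get clean` elsewhere in this commit now run without errexit and only the last command's status reaches the calling script's `bash -e`. Passing the flag through restores the old failure semantics in one place: `capsh --drop=cap_setfcap "--chroot=${ROOTFS_DIR}/" -- -e "$@"`. I would also confirm that capsh's `--chroot`, which forks before chrooting, propagates the child's exit status, since every stage now depends on that. The bootstrap hunk has the mirror-image issue: `$1 $2 $3` are interpolated into the `-c` string and re-split by the inner shell, so a mirror URL or path containing spaces or shell metacharacters is mangled; passing them as separate words after the `-c` string (`-c '... "$@"' -- "$1" "$2" "$3"`) avoids that.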


@ -11,7 +11,7 @@ else
fi fi
on_chroot apt-key add - < files/raspberrypi.gpg.key on_chroot apt-key add - < files/raspberrypi.gpg.key
on_chroot sh -e - << EOF on_chroot << EOF
apt-get update apt-get update
apt-get dist-upgrade -y apt-get dist-upgrade -y
EOF EOF
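Review bot: `on_chroot apt-key add - < files/raspberrypi.gpg.key` changes meaning under the new on_chroot: capsh's `--` execs `/bin/bash apt-key add -`, so bash looks `apt-key` up on PATH and interprets it as a script instead of exec'ing it as the old `chroot ... apt-key add -` did. It presumably only works because apt-key is itself a shell script; the same call shape fails with "cannot execute binary file" for any compiled command, which makes this an easy trap for future callers. Making the command explicit keeps stdin as the key file: `on_chroot -c 'apt-key add -' < files/raspberrypi.gpg.key`. The heredoc below it runs `apt-get update` then `apt-get dist-upgrade -y` with no `-e`, so a failed update is masked unless on_chroot passes `-e` to the shell.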


@ -5,7 +5,7 @@ install -m 644 files/noclear.conf ${ROOTFS_DIR}/etc/systemd/system/getty@tty1.se
install -m 744 files/policy-rc.d ${ROOTFS_DIR}/usr/sbin/policy-rc.d #TODO: Necessary in systemd? install -m 744 files/policy-rc.d ${ROOTFS_DIR}/usr/sbin/policy-rc.d #TODO: Necessary in systemd?
install -v -m 644 files/fstab ${ROOTFS_DIR}/etc/fstab install -v -m 644 files/fstab ${ROOTFS_DIR}/etc/fstab
on_chroot sh -e - <<EOF on_chroot << EOF
if ! id -u pi >/dev/null 2>&1; then if ! id -u pi >/dev/null 2>&1; then
adduser --disabled-password --gecos "" pi adduser --disabled-password --gecos "" pi
fi fi


@ -4,6 +4,6 @@ install -m 644 files/ipv6.conf ${ROOTFS_DIR}/etc/modprobe.d/ipv6.conf
install -m 644 files/interfaces ${ROOTFS_DIR}/etc/network/interfaces install -m 644 files/interfaces ${ROOTFS_DIR}/etc/network/interfaces
install -m 644 files/hostname ${ROOTFS_DIR}/etc/hostname install -m 644 files/hostname ${ROOTFS_DIR}/etc/hostname
on_chroot sh -e - << EOF on_chroot << EOF
dpkg-divert --add --local /lib/udev/rules.d/75-persistent-net-generator.rules dpkg-divert --add --local /lib/udev/rules.d/75-persistent-net-generator.rules
EOF EOF


@ -10,7 +10,7 @@ install -m 644 files/ttyoutput.conf ${ROOTFS_DIR}/etc/systemd/system/rc-local.
install -m 644 files/50raspi ${ROOTFS_DIR}/etc/apt/apt.conf.d/ install -m 644 files/50raspi ${ROOTFS_DIR}/etc/apt/apt.conf.d/
on_chroot sh -e - <<EOF on_chroot << EOF
systemctl disable hwclock.sh systemctl disable hwclock.sh
systemctl disable nfs-common systemctl disable nfs-common
systemctl disable rpcbind systemctl disable rpcbind
@ -20,7 +20,7 @@ systemctl enable apply_noobs_os_config
systemctl enable resize2fs_once systemctl enable resize2fs_once
EOF EOF
on_chroot sh -e - << \EOF on_chroot << \EOF
for GRP in input spi i2c gpio; do for GRP in input spi i2c gpio; do
groupadd -f -r $GRP groupadd -f -r $GRP
done done
@ -29,11 +29,11 @@ for GRP in adm dialout cdrom audio users sudo video games plugdev input gpio spi
done done
EOF EOF
on_chroot sh -e - <<EOF on_chroot << EOF
setupcon --force --save-only -v setupcon --force --save-only -v
EOF EOF
on_chroot sh -e - <<EOF on_chroot << EOF
usermod --pass='*' root usermod --pass='*' root
EOF EOF


@ -1,5 +1,5 @@
#!/bin/bash -e #!/bin/bash -e
on_chroot sh -e - <<EOF on_chroot << EOF
apt-get clean apt-get clean
EOF EOF


@ -1,6 +1,6 @@
#!/bin/bash -e #!/bin/bash -e
on_chroot sh -e - <<EOF on_chroot << EOF
update-alternatives --install /usr/bin/x-www-browser \ update-alternatives --install /usr/bin/x-www-browser \
x-www-browser /usr/bin/chromium-browser 86 x-www-browser /usr/bin/chromium-browser 86
update-alternatives --install /usr/bin/gnome-www-browser \ update-alternatives --install /usr/bin/gnome-www-browser \


@ -1,5 +1,5 @@
#!/bin/bash -e #!/bin/bash -e
on_chroot sh -e - <<EOF on_chroot << EOF
apt-get clean apt-get clean
EOF EOF