From c4fb032d3b8e6113f4e2bc197442b01ed333968e Mon Sep 17 00:00:00 2001
From: Serge Schneider <serge@raspberrypi.org>
Date: Mon, 14 Nov 2016 23:55:45 +0000
Subject: [PATCH] Use capsh to ensure file capabilities aren't set

---
 build.sh                              | 8 ++++----
 depends                               | 1 +
 export-image/01-set-sources/01-run.sh | 2 +-
 export-image/03-finalise/01-run.sh    | 2 +-
 scripts/common                        | 6 +++---
 stage0/01-configure-apt/00-run.sh     | 2 +-
 stage1/01-sys-tweaks/00-run.sh        | 2 +-
 stage1/02-net-tweaks/00-run.sh        | 2 +-
 stage2/01-sys-tweaks/01-run.sh        | 8 ++++----
 stage2/03-cleanup/00-run.sh           | 2 +-
 stage3/00-install-packages/01-run.sh  | 2 +-
 stage4/03-cleanup/00-run.sh           | 2 +-
 12 files changed, 20 insertions(+), 19 deletions(-)

diff --git a/build.sh b/build.sh
index c6abdae..2656be8 100755
--- a/build.sh
+++ b/build.sh
@@ -7,7 +7,7 @@ run_sub_stage()
 	for i in {00..99}; do
 		if [ -f ${i}-debconf ]; then
 			log "Begin ${SUB_STAGE_DIR}/${i}-debconf"
-			on_chroot sh -e - << EOF
+			on_chroot << EOF
 debconf-set-selections <<SELEOF
 `cat ${i}-debconf`
 SELEOF
@@ -18,7 +18,7 @@ EOF
 			log "Begin ${SUB_STAGE_DIR}/${i}-packages-nr"
 			PACKAGES="$(sed -f "${SCRIPT_DIR}/remove-comments.sed" < ${i}-packages-nr)"
 			if [ -n "$PACKAGES" ]; then
-				on_chroot sh -e - << EOF
+				on_chroot << EOF
 apt-get install --no-install-recommends -y $PACKAGES
 EOF
 			fi
@@ -28,7 +28,7 @@ EOF
 			log "Begin ${SUB_STAGE_DIR}/${i}-packages"
 			PACKAGES="$(sed -f "${SCRIPT_DIR}/remove-comments.sed" < ${i}-packages)"
 			if [ -n "$PACKAGES" ]; then
-				on_chroot sh -e - << EOF
+				on_chroot << EOF
 apt-get install -y $PACKAGES
 EOF
 			fi
@@ -69,7 +69,7 @@ EOF
 		fi
 		if [ -f ${i}-run-chroot ]; then
 			log "Begin ${SUB_STAGE_DIR}/${i}-run-chroot"
-			on_chroot sh -e - < ${i}-run-chroot
+			on_chroot < ${i}-run-chroot
 			log "End ${SUB_STAGE_DIR}/${i}-run-chroot"
 		fi
 	done
diff --git a/depends b/depends
index 953e3db..b2b7b56 100644
--- a/depends
+++ b/depends
@@ -4,3 +4,4 @@ debootstrap
 kpartx zerofree
 pxz zip
 mkdosfs:dosfstools
+capsh:libcap2-bin
diff --git a/export-image/01-set-sources/01-run.sh b/export-image/01-set-sources/01-run.sh
index 638b581..86dea2d 100755
--- a/export-image/01-set-sources/01-run.sh
+++ b/export-image/01-set-sources/01-run.sh
@@ -1,6 +1,6 @@
 #!/bin/bash -e
 
-on_chroot sh -e - <<EOF
+on_chroot << EOF
 apt-get update
 apt-get -y dist-upgrade
 apt-get clean
diff --git a/export-image/03-finalise/01-run.sh b/export-image/03-finalise/01-run.sh
index c5a83c1..c64c92b 100755
--- a/export-image/03-finalise/01-run.sh
+++ b/export-image/03-finalise/01-run.sh
@@ -2,7 +2,7 @@
 
 IMG_FILE="${STAGE_WORK_DIR}/${IMG_DATE}-${IMG_NAME}${IMG_SUFFIX}.img"
 
-on_chroot sh -e - <<EOF
+on_chroot << EOF
 /etc/init.d/fake-hwclock stop
 hardlink -t /usr/share/doc
 EOF
diff --git a/scripts/common b/scripts/common
index dd4a5f5..0920fb0 100644
--- a/scripts/common
+++ b/scripts/common
@@ -14,10 +14,10 @@ bootstrap(){
 		local BOOTSTRAP_CMD=debootstrap
 	fi
 
-	${BOOTSTRAP_CMD} --components=main,contrib,non-free \
+	capsh --drop=cap_setfcap -- -c "${BOOTSTRAP_CMD} --components=main,contrib,non-free \
 		--arch armhf\
 		--no-check-gpg \
-		$1 $2 $3
+		$1 $2 $3"
 }
 export -f bootstrap
 
@@ -80,7 +80,7 @@ on_chroot() {
 		mount --bind /sys ${ROOTFS_DIR}/sys
 	fi
 
-	chroot ${ROOTFS_DIR}/ "$@"
+	capsh --drop=cap_setfcap --chroot=${ROOTFS_DIR}/ -- "$@"
 }
 export -f on_chroot
 
diff --git a/stage0/01-configure-apt/00-run.sh b/stage0/01-configure-apt/00-run.sh
index 9b2bd2e..7966ef1 100755
--- a/stage0/01-configure-apt/00-run.sh
+++ b/stage0/01-configure-apt/00-run.sh
@@ -11,7 +11,7 @@ else
 fi
 
 on_chroot apt-key add - < files/raspberrypi.gpg.key
-on_chroot sh -e - << EOF
+on_chroot << EOF
 apt-get update
 apt-get dist-upgrade -y
 EOF
diff --git a/stage1/01-sys-tweaks/00-run.sh b/stage1/01-sys-tweaks/00-run.sh
index d710e5b..53a1b2b 100755
--- a/stage1/01-sys-tweaks/00-run.sh
+++ b/stage1/01-sys-tweaks/00-run.sh
@@ -5,7 +5,7 @@ install -m 644 files/noclear.conf ${ROOTFS_DIR}/etc/systemd/system/getty@tty1.se
 install -m 744 files/policy-rc.d ${ROOTFS_DIR}/usr/sbin/policy-rc.d #TODO: Necessary in systemd?
 install -v -m 644 files/fstab ${ROOTFS_DIR}/etc/fstab
 
-on_chroot sh -e - <<EOF
+on_chroot << EOF
 if ! id -u pi >/dev/null 2>&1; then
 	adduser --disabled-password --gecos "" pi
 fi
diff --git a/stage1/02-net-tweaks/00-run.sh b/stage1/02-net-tweaks/00-run.sh
index fd6609a..85b528f 100755
--- a/stage1/02-net-tweaks/00-run.sh
+++ b/stage1/02-net-tweaks/00-run.sh
@@ -4,6 +4,6 @@ install -m 644 files/ipv6.conf ${ROOTFS_DIR}/etc/modprobe.d/ipv6.conf
 install -m 644 files/interfaces ${ROOTFS_DIR}/etc/network/interfaces
 install -m 644 files/hostname ${ROOTFS_DIR}/etc/hostname
 
-on_chroot sh -e - << EOF
+on_chroot << EOF
 dpkg-divert --add --local /lib/udev/rules.d/75-persistent-net-generator.rules
 EOF
diff --git a/stage2/01-sys-tweaks/01-run.sh b/stage2/01-sys-tweaks/01-run.sh
index 515146f..8e2d149 100755
--- a/stage2/01-sys-tweaks/01-run.sh
+++ b/stage2/01-sys-tweaks/01-run.sh
@@ -10,7 +10,7 @@ install -m 644 files/ttyoutput.conf			${ROOTFS_DIR}/etc/systemd/system/rc-local.
 install -m 644 files/50raspi				${ROOTFS_DIR}/etc/apt/apt.conf.d/
 
 
-on_chroot sh -e - <<EOF
+on_chroot << EOF
 systemctl disable hwclock.sh
 systemctl disable nfs-common
 systemctl disable rpcbind
@@ -20,7 +20,7 @@ systemctl enable apply_noobs_os_config
 systemctl enable resize2fs_once
 EOF
 
-on_chroot sh -e - << \EOF
+on_chroot << \EOF
 for GRP in input spi i2c gpio; do
 	groupadd -f -r $GRP
 done
@@ -29,11 +29,11 @@ for GRP in adm dialout cdrom audio users sudo video games plugdev input gpio spi
 done
 EOF
 
-on_chroot sh -e - <<EOF
+on_chroot << EOF
 setupcon --force --save-only -v
 EOF
 
-on_chroot sh -e - <<EOF
+on_chroot << EOF
 usermod --pass='*' root
 EOF
 
diff --git a/stage2/03-cleanup/00-run.sh b/stage2/03-cleanup/00-run.sh
index 97bfb08..071a164 100755
--- a/stage2/03-cleanup/00-run.sh
+++ b/stage2/03-cleanup/00-run.sh
@@ -1,5 +1,5 @@
 #!/bin/bash -e
 
-on_chroot sh -e - <<EOF
+on_chroot << EOF
 apt-get clean
 EOF
diff --git a/stage3/00-install-packages/01-run.sh b/stage3/00-install-packages/01-run.sh
index 7f90c9f..871f4bc 100755
--- a/stage3/00-install-packages/01-run.sh
+++ b/stage3/00-install-packages/01-run.sh
@@ -1,6 +1,6 @@
 #!/bin/bash -e
 
-on_chroot sh -e - <<EOF
+on_chroot << EOF
 update-alternatives --install /usr/bin/x-www-browser \
   x-www-browser /usr/bin/chromium-browser 86
 update-alternatives --install /usr/bin/gnome-www-browser \
diff --git a/stage4/03-cleanup/00-run.sh b/stage4/03-cleanup/00-run.sh
index 97bfb08..071a164 100755
--- a/stage4/03-cleanup/00-run.sh
+++ b/stage4/03-cleanup/00-run.sh
@@ -1,5 +1,5 @@
 #!/bin/bash -e
 
-on_chroot sh -e - <<EOF
+on_chroot << EOF
 apt-get clean
 EOF