author | Serge Schneider <[email protected]> | 2016-11-14 23:55:45 +0000 |
---|---|---|
committer | Serge Schneider <[email protected]> | 2016-11-14 23:55:45 +0000 |
commit | c4fb032d3b8e6113f4e2bc197442b01ed333968e (patch) | |
tree | 6b7f5a2607a2b6e5feb45e76e20080746ec34de2 | |
parent | db10424a9bb781bb28cfda94e8f647f88d382800 (diff) |
Use capsh to ensure file capabilities aren't set
-rwxr-xr-x | build.sh | 8 | ||||
-rw-r--r-- | depends | 1 | ||||
-rwxr-xr-x | export-image/01-set-sources/01-run.sh | 2 | ||||
-rwxr-xr-x | export-image/03-finalise/01-run.sh | 2 | ||||
-rw-r--r-- | scripts/common | 6 | ||||
-rwxr-xr-x | stage0/01-configure-apt/00-run.sh | 2 | ||||
-rwxr-xr-x | stage1/01-sys-tweaks/00-run.sh | 2 | ||||
-rwxr-xr-x | stage1/02-net-tweaks/00-run.sh | 2 | ||||
-rwxr-xr-x | stage2/01-sys-tweaks/01-run.sh | 8 | ||||
-rwxr-xr-x | stage2/03-cleanup/00-run.sh | 2 | ||||
-rwxr-xr-x | stage3/00-install-packages/01-run.sh | 2 | ||||
-rwxr-xr-x | stage4/03-cleanup/00-run.sh | 2 |
12 files changed, 20 insertions, 19 deletions
@@ -7,7 +7,7 @@ run_sub_stage()
 for i in {00..99}; do
 if [ -f ${i}-debconf ]; then
 log "Begin ${SUB_STAGE_DIR}/${i}-debconf"
- on_chroot sh -e - << EOF
+ on_chroot << EOF
 debconf-set-selections <<SELEOF
 `cat ${i}-debconf`
 SELEOF
@@ -18,7 +18,7 @@ EOF
 log "Begin ${SUB_STAGE_DIR}/${i}-packages-nr"
 PACKAGES="$(sed -f "${SCRIPT_DIR}/remove-comments.sed" < ${i}-packages-nr)"
 if [ -n "$PACKAGES" ]; then
- on_chroot sh -e - << EOF
+ on_chroot << EOF
 apt-get install --no-install-recommends -y $PACKAGES
 EOF
 fi
@@ -28,7 +28,7 @@ EOF
 log "Begin ${SUB_STAGE_DIR}/${i}-packages"
 PACKAGES="$(sed -f "${SCRIPT_DIR}/remove-comments.sed" < ${i}-packages)"
 if [ -n "$PACKAGES" ]; then
- on_chroot sh -e - << EOF
+ on_chroot << EOF
 apt-get install -y $PACKAGES
 EOF
 fi
@@ -69,7 +69,7 @@ EOF
 fi
 if [ -f ${i}-run-chroot ]; then
 log "Begin ${SUB_STAGE_DIR}/${i}-run-chroot"
- on_chroot sh -e - < ${i}-run-chroot
+ on_chroot < ${i}-run-chroot
 log "End ${SUB_STAGE_DIR}/${i}-run-chroot"
 fi
 done
@@ -4,3 +4,4 @@ debootstrap kpartx zerofree pxz zip mkdosfs:dosfstools +capsh:libcap2-bin
diff --git a/export-image/01-set-sources/01-run.sh b/export-image/01-set-sources/01-run.sh
index 638b581..86dea2d 100755
--- a/export-image/01-set-sources/01-run.sh
+++ b/export-image/01-set-sources/01-run.sh
@@ -1,6 +1,6 @@
 #!/bin/bash -e
-on_chroot sh -e - <<EOF
+on_chroot << EOF
 apt-get update
 apt-get -y dist-upgrade
 apt-get clean
diff --git a/export-image/03-finalise/01-run.sh b/export-image/03-finalise/01-run.sh
index c5a83c1..c64c92b 100755
--- a/export-image/03-finalise/01-run.sh
+++ b/export-image/03-finalise/01-run.sh
@@ -2,7 +2,7 @@
 IMG_FILE="${STAGE_WORK_DIR}/${IMG_DATE}-${IMG_NAME}${IMG_SUFFIX}.img"
-on_chroot sh -e - <<EOF
+on_chroot << EOF
 /etc/init.d/fake-hwclock stop
 hardlink -t /usr/share/doc
 EOF
diff --git a/scripts/common b/scripts/common
index dd4a5f5..0920fb0 100644
--- a/scripts/common
+++ b/scripts/common
@@ -14,10 +14,10 @@ bootstrap(){
 local BOOTSTRAP_CMD=debootstrap
 fi
- ${BOOTSTRAP_CMD} --components=main,contrib,non-free \
+ capsh --drop=cap_setfcap -- -c "${BOOTSTRAP_CMD} --components=main,contrib,non-free \
 --arch armhf\
 --no-check-gpg \
- $1 $2 $3
+ $1 $2 $3"
 }
 export -f bootstrap
@@ -80,7 +80,7 @@ on_chroot() {
 mount --bind /sys ${ROOTFS_DIR}/sys
 fi
- chroot ${ROOTFS_DIR}/ "$@"
+ capsh --drop=cap_setfcap --chroot=${ROOTFS_DIR}/ -- "$@"
 }
 export -f on_chroot
diff --git a/stage0/01-configure-apt/00-run.sh b/stage0/01-configure-apt/00-run.sh
index 9b2bd2e..7966ef1 100755
--- a/stage0/01-configure-apt/00-run.sh
+++ b/stage0/01-configure-apt/00-run.sh
@@ -11,7 +11,7 @@ else
 fi
 on_chroot apt-key add - < files/raspberrypi.gpg.key
-on_chroot sh -e - << EOF
+on_chroot << EOF
 apt-get update
 apt-get dist-upgrade -y
 EOF
diff --git a/stage1/01-sys-tweaks/00-run.sh b/stage1/01-sys-tweaks/00-run.sh
index d710e5b..53a1b2b 100755
--- a/stage1/01-sys-tweaks/00-run.sh
+++ b/stage1/01-sys-tweaks/00-run.sh
@@ -5,7 +5,7 @@ install -m 644 files/noclear.conf ${ROOTFS_DIR}/etc/systemd/system/[email protected]
 install -m 744 files/policy-rc.d ${ROOTFS_DIR}/usr/sbin/policy-rc.d #TODO: Necessary in systemd?
 install -v -m 644 files/fstab ${ROOTFS_DIR}/etc/fstab
-on_chroot sh -e - <<EOF
+on_chroot << EOF
 if ! id -u pi >/dev/null 2>&1; then
 adduser --disabled-password --gecos "" pi
 fi
diff --git a/stage1/02-net-tweaks/00-run.sh b/stage1/02-net-tweaks/00-run.sh
index fd6609a..85b528f 100755
--- a/stage1/02-net-tweaks/00-run.sh
+++ b/stage1/02-net-tweaks/00-run.sh
@@ -4,6 +4,6 @@ install -m 644 files/ipv6.conf ${ROOTFS_DIR}/etc/modprobe.d/ipv6.conf
 install -m 644 files/interfaces ${ROOTFS_DIR}/etc/network/interfaces
 install -m 644 files/hostname ${ROOTFS_DIR}/etc/hostname
-on_chroot sh -e - << EOF
+on_chroot << EOF
 dpkg-divert --add --local /lib/udev/rules.d/75-persistent-net-generator.rules
 EOF
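Review bot: In the bootstrap() hunk, `$1 $2 $3` are now interpolated into the string handed to `bash -c`, so a second shell parses them: a value containing whitespace or shell metacharacters (a mirror URL with `&`, a path with spaces) is re-split or interpreted by the inner bash instead of reaching debootstrap as a literal argument, which the old unquoted but directly-executed form never did. Handing the command over through bash's positional parameters keeps the dropped bounding-set capability without the re-parse: `capsh --drop=cap_setfcap -- -c 'exec "$0" "$@"' "${BOOTSTRAP_CMD}" --components=main,contrib,non-free --arch armhf --no-check-gpg "$1" "$2" "$3"`. The head of bootstrap(), including where the three arguments come from, lies outside the hunk, so whether their values are ever attacker- or user-controlled cannot be judged from here.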
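Review bot: The new line `capsh --drop=cap_setfcap --chroot=${ROOTFS_DIR}/ -- "$@"` silently drops the errexit every caller used to request: capsh's `--` hands the remaining arguments to /bin/bash, and every caller in this commit (build.sh, export-image/*, stage0 through stage4) went from `on_chroot sh -e - <<EOF` to `on_chroot <<EOF`, so a failing `apt-get update`, `adduser` or `systemctl` inside a heredoc no longer aborts the stage and the build continues on a half-configured rootfs. Passing the flag through restores it: `capsh --drop=cap_setfcap --chroot=${ROOTFS_DIR}/ -- -e "$@"`. Callers that pass a command instead of stdin, such as `on_chroot apt-key add -` in the stage0 hunk, are now run as `bash apt-key add -`, bash reading the apt-key script rather than exec'ing it, which works for a shell script but would fail for a binary, so a header comment on on_chroot stating that its arguments are bash arguments (a stdin script, or `-c`) would spare the next caller that surprise. The head of on_chroot() and the other callers lie outside this hunk.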
diff --git a/stage2/01-sys-tweaks/01-run.sh b/stage2/01-sys-tweaks/01-run.sh
index 515146f..8e2d149 100755
--- a/stage2/01-sys-tweaks/01-run.sh
+++ b/stage2/01-sys-tweaks/01-run.sh
@@ -10,7 +10,7 @@ install -m 644 files/ttyoutput.conf ${ROOTFS_DIR}/etc/systemd/system/rc-local.
 install -m 644 files/50raspi ${ROOTFS_DIR}/etc/apt/apt.conf.d/
-on_chroot sh -e - <<EOF
+on_chroot << EOF
 systemctl disable hwclock.sh
 systemctl disable nfs-common
 systemctl disable rpcbind
@@ -20,7 +20,7 @@ systemctl enable apply_noobs_os_config
 systemctl enable resize2fs_once
 EOF
-on_chroot sh -e - << \EOF
+on_chroot << \EOF
 for GRP in input spi i2c gpio; do
 groupadd -f -r $GRP
 done
@@ -29,11 +29,11 @@ for GRP in adm dialout cdrom audio users sudo video games plugdev input gpio spi
 done
 EOF
-on_chroot sh -e - <<EOF
+on_chroot << EOF
 setupcon --force --save-only -v
 EOF
-on_chroot sh -e - <<EOF
+on_chroot << EOF
 usermod --pass='*' root
 EOF
diff --git a/stage2/03-cleanup/00-run.sh b/stage2/03-cleanup/00-run.sh
index 97bfb08..071a164 100755
--- a/stage2/03-cleanup/00-run.sh
+++ b/stage2/03-cleanup/00-run.sh
@@ -1,5 +1,5 @@
 #!/bin/bash -e
-on_chroot sh -e - <<EOF
+on_chroot << EOF
 apt-get clean
 EOF
diff --git a/stage3/00-install-packages/01-run.sh b/stage3/00-install-packages/01-run.sh
index 7f90c9f..871f4bc 100755
--- a/stage3/00-install-packages/01-run.sh
+++ b/stage3/00-install-packages/01-run.sh
@@ -1,6 +1,6 @@
 #!/bin/bash -e
-on_chroot sh -e - <<EOF
+on_chroot << EOF
 update-alternatives --install /usr/bin/x-www-browser \
 x-www-browser /usr/bin/chromium-browser 86
 update-alternatives --install /usr/bin/gnome-www-browser \
diff --git a/stage4/03-cleanup/00-run.sh b/stage4/03-cleanup/00-run.sh
index 97bfb08..071a164 100755
--- a/stage4/03-cleanup/00-run.sh
+++ b/stage4/03-cleanup/00-run.sh
@@ -1,5 +1,5 @@
 #!/bin/bash -e
-on_chroot sh -e - <<EOF
+on_chroot << EOF
 apt-get clean
 EOF |