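#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu

guard_sourcing

#######################################
# Configure target system for chroot.
#
# Bind-mounts the host pseudo filesystems (/proc, /sys, /dev and, on demand,
# /run) into "${TARGET}", then overlays a set of special mounts with more
# restrictive options, and finally creates the systemd multi-user wants
# directory inside the target via do_in_target.
#
# Every mount(8) call needs the privilege to mount (normally root); the
# function does not check for it and reports the failure through do_log.
#
# Globals:
#   ERR_CHRT_MOUNTS        (read)  error code returned on any failed mount/mkdir
#   TARGET                 (read)  root directory of the target system
#   VAR_CHROOT_ACTIVATED   (written, exported) set to "system" on success
#   VAR_NEED_RUN_IN_TARGET (read)  "true" -> /run is also bind-mounted
# Arguments:
#   None
# Outputs:
#   Diagnostics go through do_log ("file_only"); nothing is written to stdout.
# Returns:
#   ERR_CHRT_MOUNTS on the first failed mkdir/mount/do_in_target step
#   0: on success
#######################################
configure_system() {
  ### Notes
  # This function mounts all pseudo filesystems needed for chroot operations
  # into the target root environment.
  # --rbind: recursive binding.
  # --make-rslave: the mount point is marked as 'slave'. Changes to the source
  #   mount (e.g. /proc) are propagated to the target mount (e.g. "${TARGET}/proc"),
  #   but changes to the target mount are NOT propagated back to the source.
  #   This avoids double or erroneous propagation effects in chroot or container
  #   environments.
  #
  # Some subdirectories (/dev/pts, /dev/shm, /dev/mqueue, /dev/hugepages,
  # /sys/fs/cgroup) are mounted again on top of the inherited bind-mounts with
  # more restrictive options such as 'noexec', 'nosuid' and 'nodev', so the
  # chroot sees these options regardless of how the host has them mounted.
  #
  # Ordering matters: the directories for the special mounts are created only
  # AFTER the parent (/dev, /sys) has been rbind-mounted. A directory created in
  # "${TARGET}/dev" before the rbind is shadowed by the bind and the later
  # mount would fail on a host that lacks e.g. /dev/hugepages.
  #
  # NOTE(review): /dev/shm is mounted without 'noexec'. Whether that can be
  # tightened depends on what the installer steps run inside the chroot need to
  # execute from shared memory; confirm before changing it.

  ### Declare Arrays, HashMaps, and Variables.
  declare -A HMP_SPECIAL_MOUNTS=(
    ["/dev/pts"]="devpts devpts noexec,nosuid"                             ### Mount 'devpts' (used by pseudo-terminals).
    ["/dev/shm"]="tmpfs tmpfs rw,nosuid,nodev"                             ### Mount 'tmpfs' for '/dev/shm' (shared memory).
    ["/dev/mqueue"]="mqueue mqueue rw,nosuid,nodev,noexec"                 ### Mount 'mqueue' for POSIX message queues.
    ["/dev/hugepages"]="hugetlbfs hugetlbfs rw,nosuid,nodev"               ### Mount 'hugetlbfs' (huge pages, may be unused but required on some 'archs').
    ["/sys/fs/cgroup"]="cgroup2 cgroup2 rw,nosuid,nodev,noexec,relatime"   ### Mount unified 'cgroup2' hierarchy.
  )
  declare -a ary_mount=("/proc" "/sys" "/dev")
  declare -a ary_special_paths=()
  declare var_src="" var_dst="" var_path="" var_fs="" var_opts=""

  ### Phase 1: recursive bind mounts of the host pseudo filesystems.
  for var_src in "${ary_mount[@]}"; do
    var_dst="${TARGET}${var_src}"
    # The mount point must exist before the bind; a failed mkdir is reported
    # like a failed mount instead of being left to set -e.
    if ! mkdir -p "${var_dst}"; then
      do_log "emergency" "file_only" "4020() Command: [mkdir -p ${var_dst}] failed."
      return "${ERR_CHRT_MOUNTS}"
    fi
    if ! mount --make-rslave --rbind "${var_src}" "${var_dst}"; then
      do_log "emergency" "file_only" "4020() Command: [mount --make-rslave --rbind ${var_src} ${var_dst}] failed."
      return "${ERR_CHRT_MOUNTS}"
    fi
    do_log "info" "file_only" "4020() Command: [mount --make-rslave --rbind ${var_src} ${var_dst}] successful."
  done

  ### Phase 2: /run is only needed when commands must run inside the target.
  if [[ "${VAR_NEED_RUN_IN_TARGET:-false}" == "true" ]]; then
    var_dst="${TARGET}/run"
    if ! mkdir -p "${var_dst}"; then
      do_log "emergency" "file_only" "4020() Command: [mkdir -p ${var_dst}] failed."
      return "${ERR_CHRT_MOUNTS}"
    fi
    if ! mount --make-rslave --rbind /run "${var_dst}"; then
      do_log "emergency" "file_only" "4020() Command: [mount --make-rslave --rbind /run ${TARGET}/run] failed."
      return "${ERR_CHRT_MOUNTS}"
    fi
    do_log "info" "file_only" "4020() Command: [mount --make-rslave --rbind /run ${TARGET}/run] successful."
  fi

  ### Phase 3: restrictive special mounts on top of the inherited bind-mounts.
  # Associative-array key order is unspecified; sort the keys so that mount
  # order and log output are deterministic between runs.
  mapfile -t ary_special_paths < <(printf '%s\n' "${!HMP_SPECIAL_MOUNTS[@]}" | LC_ALL=C sort)
  for var_path in "${ary_special_paths[@]}"; do
    IFS=" " read -r var_fs var_src var_opts <<< "${HMP_SPECIAL_MOUNTS[${var_path}]}"
    var_dst="${TARGET}${var_path}"
    # Created after the parent rbind so the directory exists in the bound view
    # (on a host without it, this creates it through the bind of the parent).
    if ! mkdir -p "${var_dst}"; then
      do_log "emergency" "file_only" "4020() Command: [mkdir -p ${var_dst}] failed."
      return "${ERR_CHRT_MOUNTS}"
    fi
    if ! mount -t "${var_fs}" "${var_src}" "${var_dst}" -o "${var_opts}"; then
      do_log "emergency" "file_only" "4020() Command: [mount -t ${var_fs} ${var_src} ${TARGET}${var_path} -o ${var_opts}] failed."
      return "${ERR_CHRT_MOUNTS}"
    fi
    do_log "info" "file_only" "4020() Command: [mount -t ${var_fs} ${var_src} ${TARGET}${var_path} -o ${var_opts}] successful."
  done

  ### Phase 4: prepare the systemd wants directory inside the target.
  if ! do_in_target "${TARGET}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
    do_log "emergency" "file_only" "4020() Command: [do_in_target ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
    return "${ERR_CHRT_MOUNTS}"
  fi
  do_log "info" "file_only" "4020() Command: [do_in_target ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] successful."

  # Marker read by other parts of the framework; -g because 'declare' inside a
  # function would otherwise create a local.
  # shellcheck disable=SC2034
  declare -gx VAR_CHROOT_ACTIVATED="system"

  return 0
}

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh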