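#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu

guard_sourcing

#######################################
# Configure the target system for chroot.
#
# Mounts the pseudo filesystems the target root needs for chroot operations
# (devtmpfs, devpts, tmpfs, mqueue, hugetlbfs, proc, sysfs, cgroup2), optionally
# rbinds the host /run, creates the systemd multi-user wants directory inside
# the target and marks the chroot as activated.
#
# Mount order matters: a child mountpoint (e.g. /dev/pts) must be mounted AFTER
# its parent (e.g. /dev), otherwise the parent mount hides it. Bash associative
# arrays do not preserve insertion order, so the order is kept in a separate
# indexed array and the hash map only carries the per-path fs/source/options.
#
# Globals:
#   ERR_CHRT_MOUNTS          (read)  error code returned on any mount failure
#   TARGET                   (read)  path of the target root; must be an existing
#                                    directory and must not be "/"
#   VAR_CHROOT_ACTIVATED     (written) set to "system" on success
#   VAR_NEED_RUN_IN_TARGET   (read)  "true" => host /run is rbind-mounted into the target
# Arguments:
#   None
# Returns:
#   ERR_CHRT_MOUNTS on any failure (target missing, mkdir or mount failed)
#   0 on success
#######################################
prepare_mounts() {
  ### Notes
  # --rbind: recursive binding.
  # --make-rslave: the mount point is marked as 'slave'.
  #   Changes to the source mount (e.g. /run) propagate to the target mount
  #   (e.g. "${TARGET}/run"); changes to the target mount do not propagate back.
  #   This avoids double or erroneous propagation effects in chroot or container
  #   environments.
  #
  # Subdirectories (/dev/pts, /dev/shm, /sys/fs/cgroup, ...) are mounted with
  # restrictive options ('noexec', 'nosuid', 'nodev' where applicable) to limit
  # what can be executed or escalated from inside the chroot.
  #
  # Security caveats:
  # - /dev is a devtmpfs mount, i.e. the chroot sees the host's complete device
  #   tree (disks, tty, memory devices). 'nosuid' is set, but this is not an
  #   isolation boundary; do not run untrusted code in this chroot.
  # - The optional /run rbind exposes host runtime state (e.g. systemd and
  #   D-Bus sockets under /run) to the chroot. It is gated behind
  #   VAR_NEED_RUN_IN_TARGET and should only be enabled when required.
  # - On failure, mounts made so far are NOT unwound here; the caller's cleanup
  #   path is responsible for that.

  ### Guard: never operate on the host root.
  # With an empty TARGET, "${TARGET}/run" would be the host's own /run and the
  # rbind below would bind /run onto itself.
  if [[ -z "${TARGET:-}" || "${TARGET}" == "/" || ! -d "${TARGET}" ]]; then
    do_log "emergency" "file_only" "4010() TARGET='${TARGET:-}' is not a usable target root directory."
    return "${ERR_CHRT_MOUNTS}"
  fi

  ### Declare Arrays, HashMaps, and Variables.
  # Parent-before-child order; this is the order in which mounts are performed.
  declare -a ARR_MOUNT_ORDER=(
    "/dev"
    "/dev/pts"
    "/dev/shm"
    "/dev/mqueue"
    "/dev/hugepages"
    "/proc"
    "/sys"
    "/sys/fs/cgroup"
  )
  # path => "<fstype> <source> <mount options>"
  declare -A HMP_SPECIAL_MOUNTS=(
    ["/dev"]="devtmpfs devtmpfs mode=0755,nosuid"                   # Base device node FS
    ["/dev/pts"]="devpts devpts noexec,nosuid"                      # Pseudoterminals
    ["/dev/shm"]="tmpfs tmpfs rw,nosuid,nodev"                      # Shared memory
    # NOTE(review): /dev/shm is intentionally left without 'noexec' here;
    # confirm whether anything run in the chroot maps executable pages from it
    # before tightening.
    ["/dev/mqueue"]="mqueue mqueue rw,nosuid,nodev,noexec"          # POSIX message queues
    ["/dev/hugepages"]="hugetlbfs hugetlbfs rw,nosuid,nodev"        # Huge pages
    ["/proc"]="proc proc nosuid,noexec,nodev"                       # procfs
    ["/sys"]="sysfs sysfs nosuid,noexec,nodev"                      # sysfs
    ["/sys/fs/cgroup"]="cgroup2 cgroup2 rw,nosuid,nodev,noexec,relatime" # Unified cgroup2
  )
  declare var_path="" var_fs="" var_src="" var_opts=""

  ### Pre-create the standard directories on the target root filesystem itself,
  # so the installed system has them even when nothing is mounted on top.
  for var_path in "${ARR_MOUNT_ORDER[@]}"; do
    if ! mkdir -p "${TARGET}${var_path}"; then
      do_log "emergency" "file_only" "4010() Command: [mkdir -p ${TARGET}${var_path}] failed."
      return "${ERR_CHRT_MOUNTS}"
    fi
  done

  ### Mount the pseudo filesystems, parents first.
  for var_path in "${ARR_MOUNT_ORDER[@]}"; do
    IFS=" " read -r var_fs var_src var_opts <<< "${HMP_SPECIAL_MOUNTS[${var_path}]}"

    # Once a parent (e.g. /dev) is mounted, the directory created above on the
    # disk is hidden beneath it; make sure the mountpoint exists inside the
    # parent mount as well (idempotent).
    if ! mkdir -p "${TARGET}${var_path}"; then
      do_log "emergency" "file_only" "4010() Command: [mkdir -p ${TARGET}${var_path}] failed."
      return "${ERR_CHRT_MOUNTS}"
    fi

    if mountpoint -q "${TARGET}${var_path}"; then
      do_log "info" "file_only" "4010() Skipped: '${TARGET}${var_path}' is already a mountpoint."
      continue
    fi

    if ! mount -t "${var_fs}" "${var_src}" "${TARGET}${var_path}" -o "${var_opts}"; then
      do_log "emergency" "file_only" "4010() Command: [mount -t ${var_fs} ${var_src} ${TARGET}${var_path} -o ${var_opts}] failed."
      return "${ERR_CHRT_MOUNTS}"
    fi
    do_log "info" "file_only" "4010() Command: [mount -t ${var_fs} ${var_src} ${TARGET}${var_path} -o ${var_opts}] successful."
  done

  ### Optional: expose the host /run (runtime sockets, state) to the chroot.
  if [[ "${VAR_NEED_RUN_IN_TARGET:-false}" == "true" ]]; then
    mkdir -p "${TARGET}/run"
    if ! mount --make-rslave --rbind /run "${TARGET}/run"; then
      do_log "emergency" "file_only" "4010() Command: [mount --make-rslave --rbind /run ${TARGET}/run] failed."
      return "${ERR_CHRT_MOUNTS}"
    fi
    do_log "info" "file_only" "4010() Command: [mount --make-rslave --rbind /run ${TARGET}/run] successful."
  fi

  ### Prepare the systemd wants directory inside the target.
  if ! chroot_exec "${TARGET}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
    do_log "emergency" "file_only" "4010() Command: [chroot_exec ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
    return "${ERR_CHRT_MOUNTS}"
  fi
  do_log "info" "file_only" "4010() Command: [chroot_exec ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] successful."

  mkdir -p "${TARGET}/media/cdrom0"

  # Consumed by other parts of the framework; marks the system chroot as ready.
  # shellcheck disable=SC2034
  declare -gx VAR_CHROOT_ACTIVATED="system"
  do_log "info" "file_only" "4010() Command: [declare -gx VAR_CHROOT_ACTIVATED=system]"

  guard_dir && return 0
}

### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f prepare_mounts

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh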