Marc S. Weidner
7d599e8463
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m1s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
133 lines
5.0 KiB
Bash
133 lines
5.0 KiB
Bash
#!/bin/bash
|
|
# SPDX-Version: 3.0
|
|
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
|
|
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
|
|
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
|
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
|
# SPDX-FileType: SOURCE
|
|
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
|
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
|
# SPDX-PackageName: CISS.debian.installer
|
|
# SPDX-Security-Contact: security@coresecret.eu
|
|
|
|
guard_sourcing
|
|
|
|
#######################################
|
|
# Configure the target system for chroot.
|
|
# Globals:
|
|
# RECOVERY
|
|
# TARGET
|
|
# VAR_CHROOT_ACTIVATED
|
|
# VAR_NEED_RUN_IN_TARGET
|
|
# VAR_RUN_RECOVERY
|
|
# Arguments:
|
|
# None
|
|
# Returns:
|
|
# 0: on success
|
|
# ERR_CHRT_MOUNTS: on failure
|
|
#######################################
|
|
prepare_mounts() {
|
|
|
|
### Notes
|
|
# This function mounts all necessary pseudo filesystems into the target root environment to enable chroot operations.
|
|
# --rbind: recursive binding.
|
|
# --make-rslave: In this case, the mount point is marked as 'slave'.
|
|
# This means changes to the source mount (e.g., /proc) are propagated to the target mount (e.g., "${TARGET}/proc").
|
|
# Conversely, changes to the target mount are not propagated back to the source mount.
|
|
# This mode is necessary to avoid problems with double or erroneous propagation effects in chroot or container environments.
|
|
#
|
|
# Some subdirectories (such as /dev/pts, /dev/shm, /sys/fs/cgroup) are remounted with more restrictive options
|
|
# like 'noexec', 'nosuid', and 'nodev' to enhance security. This ensures they override the inherited bind-mounts and
|
|
# enforce proper runtime behavior in the chroot.
|
|
|
|
### Declare Arrays, HashMaps, and Variables.
|
|
declare -A HMP_SPECIAL_MOUNTS=(
|
|
["/dev"]="devtmpfs devtmpfs mode=0755,nosuid" # Base device node FS
|
|
["/dev/pts"]="devpts devpts noexec,nosuid" # Pseudoterminals
|
|
["/dev/shm"]="tmpfs tmpfs rw,nosuid,nodev" # Shared memory
|
|
["/dev/mqueue"]="mqueue mqueue rw,nosuid,nodev,noexec" # POSIX message queues
|
|
["/dev/hugepages"]="hugetlbfs hugetlbfs rw,nosuid,nodev" # Huge pages
|
|
["/proc"]="proc proc nosuid,noexec,nodev" # procfs
|
|
["/sys"]="sysfs sysfs nosuid,noexec,nodev" # sysfs
|
|
["/sys/fs/cgroup"]="cgroup2 cgroup2 rw,nosuid,nodev,noexec,relatime" # Unified cgroup2
|
|
)
|
|
|
|
declare var_path="" var_fs="" var_src="" var_opts=""
|
|
declare var_target="${TARGET}"
|
|
|
|
### Check for TARGET / RECOVERY.
|
|
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
|
|
|
|
for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
|
|
|
|
mkdir -p "${var_target}${var_path}"
|
|
|
|
done
|
|
|
|
for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
|
|
|
|
IFS=" " read -r var_fs var_src var_opts <<< "${HMP_SPECIAL_MOUNTS[${var_path}]}"
|
|
|
|
if mountpoint -q "${var_target}${var_path}"; then
|
|
|
|
do_log "info" "file_only" "4010() Skipped: '${var_target}${var_path}' is already a mountpoint."
|
|
continue
|
|
|
|
fi
|
|
|
|
if ! mount -t "${var_fs}" "${var_src}" "${var_target}${var_path}" -o "${var_opts}"; then
|
|
|
|
do_log "emergency" "file_only" "4010() Command: [mount -t ${var_fs} ${var_src} ${var_target}${var_path} -o ${var_opts}] failed."
|
|
return "${ERR_CHRT_MOUNTS}"
|
|
|
|
fi
|
|
|
|
do_log "info" "file_only" "4010() Command: [mount -t ${var_fs} ${var_src} ${var_target}${var_path} -o ${var_opts}] successful."
|
|
|
|
done
|
|
|
|
if [[ "${VAR_NEED_RUN_IN_TARGET:-false}" == "true" ]]; then
|
|
|
|
mkdir -p "${var_target}/run"
|
|
|
|
if ! mount --make-rslave --rbind /run "${var_target}/run"; then
|
|
|
|
do_log "emergency" "file_only" "4010() Command: [mount --make-rslave --rbind /run ${var_target}/run] failed."
|
|
return "${ERR_CHRT_MOUNTS}"
|
|
|
|
fi
|
|
|
|
do_log "info" "file_only" "4010() Command: [mount --make-rslave --rbind /run ${var_target}/run] successful."
|
|
|
|
fi
|
|
|
|
if ! chroot_exec "${var_target}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
|
|
|
|
do_log "emergency" "file_only" "4010() Command: [chroot_exec ${var_target} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
|
|
return "${ERR_CHRT_MOUNTS}"
|
|
|
|
fi
|
|
|
|
do_log "info" "file_only" "4010() Command: [chroot_exec ${var_target} mkdir -p /etc/systemd/system/multi-user.target.wants] successful."
|
|
|
|
mkdir -p "${var_target}/media/cdrom0"
|
|
|
|
if [[ "${VAR_RUN_RECOVERY}" == "false" ]]; then
|
|
|
|
declare -gx VAR_CHROOT_ACTIVATED="system"
|
|
do_log "info" "file_only" "4010() Command: [declare -gx VAR_CHROOT_ACTIVATED=system]"
|
|
|
|
elif [[ "${VAR_RUN_RECOVERY}" == "true" ]]; then
|
|
|
|
declare -gx VAR_CHROOT_ACTIVATED="recovery"
|
|
do_log "info" "file_only" "4010() Command: [declare -gx VAR_CHROOT_ACTIVATED=recovery]"
|
|
|
|
fi
|
|
|
|
guard_dir && return 0
|
|
}
|
|
### Prevents accidental 'unset -f'.
|
|
# shellcheck disable=SC2034
|
|
readonly -f prepare_mounts
|
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|