Marc S. Weidner
9d1d6581b5
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 54s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
123 lines
4.6 KiB
Bash
123 lines
4.6 KiB
Bash
#!/bin/bash
|
|
# SPDX-Version: 3.0
|
|
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
|
|
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
|
|
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
|
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
|
# SPDX-FileType: SOURCE
|
|
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
|
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
|
# SPDX-PackageName: CISS.debian.installer
|
|
# SPDX-Security-Contact: security@coresecret.eu
|
|
|
|
guard_sourcing
|
|
|
|
#######################################
|
|
# Configure target system for chroot.
|
|
# Globals:
|
|
# ERR_CHRT_MOUNTS
|
|
# TARGET
|
|
# VAR_CHROOT_ACTIVATED
|
|
# VAR_NEED_RUN_IN_TARGET
|
|
# Arguments:
|
|
# None
|
|
# Returns:
|
|
# ERR_CHRT_MOUNTS
|
|
# 0: on success
|
|
#######################################
|
|
configure_system() {
|
|
|
|
### Notes
|
|
# This file mounts all necessary pseudo filesystems into the target root environment to enable chroot operations.
|
|
# --rbind: recursive binding.
|
|
# --make-rslave: In this case, the mount point is marked as 'slave'.
|
|
# This means changes to the source mount (e.g., /proc) are propagated to the target mount (e.g., "${TARGET}/proc").
|
|
# Conversely, changes to the target mount are not propagated back to the source mount.
|
|
# This mode is necessary to avoid problems with double or erroneous propagation effects in chroot or container environments.
|
|
#
|
|
# Some subdirectories (such as /dev/pts, /dev/shm, /sys/fs/cgroup) are remounted with more restrictive options
|
|
# like 'noexec', 'nosuid', and 'nodev' to enhance security. This ensures they override the inherited bind-mounts and
|
|
# enforce proper runtime behavior in the chroot.
|
|
|
|
### Declare Arrays, HashMaps, and Variables.
|
|
declare -A HMP_SPECIAL_MOUNTS=(
|
|
["/dev/pts"]="devpts devpts noexec,nosuid" ### Mount 'devpts' (used by pseudo-terminals).
|
|
["/dev/shm"]="tmpfs tmpfs rw,nosuid,nodev" ### Mount 'tmpfs' for '/dev/shm' (shared memory).
|
|
["/dev/mqueue"]="mqueue mqueue rw,nosuid,nodev,noexec" ### Mount 'mqueue' for POSIX message queues.
|
|
["/dev/hugepages"]="hugetlbfs hugetlbfs rw,nosuid,nodev" ### Mount 'hugetlbfs' (huge pages, may be unused but required on some 'archs').
|
|
["/sys/fs/cgroup"]="cgroup2 cgroup2 rw,nosuid,nodev,noexec,relatime" ### Mount unified 'cgroup2' hierarchy.
|
|
)
|
|
|
|
declare -a ary_mount=( "/proc" "/sys" "/dev" )
|
|
declare var_src="" var_dst="" var_path="" var_fs="" var_opts=""
|
|
|
|
for var_path in "${ary_mount[@]}" "${!HMP_SPECIAL_MOUNTS[@]}"; do
|
|
|
|
mkdir -p "${TARGET}${var_path}"
|
|
|
|
done
|
|
|
|
for var_src in "${ary_mount[@]}"; do
|
|
var_dst="${TARGET}${var_src}"
|
|
|
|
if ! mount --make-rslave --rbind "${var_src}" "${var_dst}"; then
|
|
|
|
do_log "emergency" "file_only" "4020() Command: [mount --make-rslave --rbind ${var_src} ${var_dst}] failed."
|
|
return "${ERR_CHRT_MOUNTS}"
|
|
|
|
fi
|
|
|
|
do_log "info" "file_only" "4020() Command: [mount --make-rslave --rbind ${var_src} ${var_dst}] successful."
|
|
|
|
done
|
|
|
|
if [[ "${VAR_NEED_RUN_IN_TARGET:-false}" == "true" ]]; then
|
|
|
|
mkdir -p "${TARGET}/run"
|
|
|
|
if ! mount --make-rslave --rbind /run "${TARGET}/run"; then
|
|
|
|
do_log "emergency" "file_only" "4020() Command: [mount --make-rslave --rbind /run ${TARGET}/run] failed."
|
|
return "${ERR_CHRT_MOUNTS}"
|
|
|
|
fi
|
|
|
|
do_log "info" "file_only" "4020() Command: [mount --make-rslave --rbind /run ${TARGET}/run] successful."
|
|
|
|
fi
|
|
|
|
for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
|
|
|
|
IFS=" " read -r var_fs var_src var_opts <<< "${HMP_SPECIAL_MOUNTS[${var_path}]}"
|
|
|
|
if ! mount -t "${var_fs}" "${var_src}" "${TARGET}${var_path}" -o "${var_opts}"; then
|
|
|
|
do_log "emergency" "file_only" "4020() Command: [mount -t ${var_fs} ${var_src} ${TARGET}${var_path} -o ${var_opts}] failed."
|
|
return "${ERR_CHRT_MOUNTS}"
|
|
|
|
else
|
|
|
|
do_log "info" "file_only" "4020() Command: [mount -t ${var_fs} ${var_src} ${TARGET}${var_path} -o ${var_opts}] successful."
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
if ! do_in_target "${TARGET}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
|
|
|
|
do_log "emergency" "file_only" "4020() Command: [do_in_target ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
|
|
return "${ERR_CHRT_MOUNTS}"
|
|
|
|
else
|
|
|
|
do_log "info" "file_only" "4020() Command: [do_in_target ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] successful."
|
|
|
|
fi
|
|
|
|
# shellcheck disable=SC2034
|
|
declare -gx VAR_CHROOT_ACTIVATED="system"
|
|
|
|
return 0
|
|
}
|
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|