Marc S. Weidner
7a9126defc
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m18s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
224 lines
7.0 KiB
Bash
224 lines
7.0 KiB
Bash
#!/bin/bash
|
|
# SPDX-Version: 3.0
|
|
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
|
|
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
|
|
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
|
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
|
# SPDX-FileType: SOURCE
|
|
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
|
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
|
# SPDX-PackageName: CISS.debian.installer
|
|
# SPDX-Security-Contact: security@coresecret.eu
|
|
|
|
guard_sourcing
|
|
|
|
#######################################
|
|
# Configure the target system for chroot.
|
|
# Globals:
|
|
# TARGET
|
|
# VAR_CHROOT_ACTIVATED
|
|
# VAR_CHROOT_SYS_MASK_HELPER
|
|
# VAR_NEED_RUN_IN_TARGET
|
|
# Arguments:
|
|
# None
|
|
# Returns:
|
|
# 0: on success
|
|
# ERR_CHRT_MOUNTS: on failure
|
|
#######################################
|
|
prepare_mounts() {
|
|
|
|
### Notes
|
|
# This function mounts all necessary pseudo filesystems into the target root environment to enable chroot operations.
|
|
# --rbind: recursive binding.
|
|
# --make-rslave: In this case, the mount point is marked as 'slave'.
|
|
# This means changes to the source mount (e.g., /proc) are propagated to the target mount (e.g., "${TARGET}/proc").
|
|
# Conversely, changes to the target mount are not propagated back to the source mount.
|
|
# This mode is necessary to avoid problems with double or erroneous propagation effects in chroot or container environments.
|
|
#
|
|
# Some subdirectories (such as /dev/pts, /dev/shm, /sys/fs/cgroup) are remounted with more restrictive options
|
|
# like 'noexec', 'nosuid', and 'nodev' to enhance security. This ensures they override the inherited bind-mounts and
|
|
# enforce proper runtime behavior in the chroot.
|
|
|
|
### Declare Arrays, HashMaps, and Variables.
|
|
declare -A HMP_SPECIAL_MOUNTS=(
|
|
["/dev"]="devtmpfs devtmpfs mode=0755,nosuid" # Base device node FS
|
|
["/dev/pts"]="devpts devpts noexec,nosuid" # Pseudoterminals
|
|
["/dev/shm"]="tmpfs tmpfs rw,nosuid,nodev" # Shared memory
|
|
["/dev/mqueue"]="mqueue mqueue rw,nosuid,nodev,noexec" # POSIX message queues
|
|
["/dev/hugepages"]="hugetlbfs hugetlbfs rw,nosuid,nodev" # Huge pages
|
|
["/proc"]="proc proc nosuid,noexec,nodev" # procfs
|
|
["/sys"]="sysfs sysfs nosuid,noexec,nodev" # sysfs
|
|
["/sys/fs/cgroup"]="cgroup2 cgroup2 rw,nosuid,nodev,noexec,relatime" # Unified cgroup2
|
|
)
|
|
|
|
declare var_path="" var_fs="" var_src="" var_opts=""
|
|
|
|
# shellcheck disable=SC2034
|
|
declare -g VAR_CHROOT_SYS_MASK_HELPER=""
|
|
# shellcheck disable=SC2034
|
|
VAR_CHROOT_SYS_MASK_HELPER=$(cat <<'EOF'
|
|
#-------------------------------------------------------------------------------
|
|
# Quick sys mask for initramfs build (minimalistic, idempotent)
|
|
# - No strict mountpoint probing; we just try and remember what worked.
|
|
# - Safe with 'set -e' because we branch on command success/failure.
|
|
|
|
cdi_sys_quick_enter() {
|
|
declare state="/run/.ciss_sysmask"
|
|
declare did_unmount_cg="0"
|
|
declare did_mask_sys="0"
|
|
|
|
echo "Inside chroot: cdi_sys_quick_enter() @ Start."
|
|
|
|
mkdir -p /run
|
|
mkdir -p /sys
|
|
|
|
# 1) Try to unmount 'cgroup2' (ok if it wasn't mounted).
|
|
if umount -l /sys/fs/cgroup 2>/dev/null; then
|
|
|
|
did_unmount_cg="1"
|
|
|
|
else
|
|
|
|
did_unmount_cg="0"
|
|
|
|
fi
|
|
|
|
# 2) Try to overlay '/sys' with a tiny read-only 'tmpfs' (mask host sysfs view).
|
|
if mount -t tmpfs -o ro,nosuid,nodev,noexec,mode=0555,size=1M tmpfs /sys 2>/dev/null; then
|
|
|
|
did_mask_sys="1"
|
|
|
|
else
|
|
|
|
did_mask_sys="0"
|
|
|
|
fi
|
|
|
|
printf 'MASK_SYS=%s\nUNMOUNTED_CG=%s\n' "${did_mask_sys}" "${did_unmount_cg}" >| "${state}"
|
|
|
|
echo "${state}"
|
|
|
|
echo "Inside chroot: cdi_sys_quick_enter() @ End."
|
|
|
|
return 0
|
|
}
|
|
|
|
cdi_sys_quick_leave() {
|
|
declare state="/run/.ciss_sysmask"
|
|
declare did_mask_sys="0"
|
|
declare did_unmount_cg="0"
|
|
|
|
echo "Inside chroot: cdi_sys_quick_leave() @ Start."
|
|
|
|
if [[ -f "${state}" ]]; then
|
|
|
|
# shellcheck disable=SC2155
|
|
declare did_mask_sys="$(grep -Eo '^MASK_SYS=[01]' "${state}" 2>/dev/null | cut -d= -f2 || printf '0')"
|
|
|
|
# shellcheck disable=SC2155
|
|
declare did_unmount_cg="$(grep -Eo '^UNMOUNTED_CG=[01]' "${state}" 2>/dev/null | cut -d= -f2 || printf '0')"
|
|
|
|
fi
|
|
|
|
# 1) Drop '/sys' mask only if we actually overlaid it.
|
|
if [[ "${did_mask_sys}" == "1" ]]; then
|
|
|
|
if ! umount -l /sys 2>/dev/null; then
|
|
|
|
printf 'WARN: could not unmount masked /sys (continuing)\n' >&2
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
# 2) Restore 'cgroup2' only if we unmounted it before.
|
|
if [[ "${did_unmount_cg}" == "1" ]]; then
|
|
|
|
mkdir -p /sys/fs/cgroup
|
|
|
|
if ! mount -t cgroup2 -o rw,nosuid,nodev,noexec,relatime cgroup2 /sys/fs/cgroup 2>/dev/null; then
|
|
|
|
printf 'WARN: could not remount cgroup2 (continuing)\n' >&2
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
rm -f -- "${state}"
|
|
|
|
echo "Inside chroot: cdi_sys_quick_leave() @ End."
|
|
|
|
return 0
|
|
}
|
|
#-------------------------------------------------------------------------------
|
|
EOF
|
|
)
|
|
|
|
for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
|
|
|
|
mkdir -p "${TARGET}${var_path}"
|
|
|
|
done
|
|
|
|
|
|
for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
|
|
|
|
IFS=" " read -r var_fs var_src var_opts <<< "${HMP_SPECIAL_MOUNTS[${var_path}]}"
|
|
|
|
if mountpoint -q "${TARGET}${var_path}"; then
|
|
|
|
do_log "info" "file_only" "4010() Skipped: '${TARGET}${var_path}' is already a mountpoint."
|
|
continue
|
|
|
|
fi
|
|
|
|
if ! mount -t "${var_fs}" "${var_src}" "${TARGET}${var_path}" -o "${var_opts}"; then
|
|
|
|
do_log "emergency" "file_only" "4010() Command: [mount -t ${var_fs} ${var_src} ${TARGET}${var_path} -o ${var_opts}] failed."
|
|
return "${ERR_CHRT_MOUNTS}"
|
|
|
|
fi
|
|
|
|
do_log "info" "file_only" "4010() Command: [mount -t ${var_fs} ${var_src} ${TARGET}${var_path} -o ${var_opts}] successful."
|
|
|
|
done
|
|
|
|
|
|
if [[ "${VAR_NEED_RUN_IN_TARGET:-false}" == "true" ]]; then
|
|
|
|
mkdir -p "${TARGET}/run"
|
|
|
|
if ! mount --make-rslave --rbind /run "${TARGET}/run"; then
|
|
|
|
do_log "emergency" "file_only" "4010() Command: [mount --make-rslave --rbind /run ${TARGET}/run] failed."
|
|
return "${ERR_CHRT_MOUNTS}"
|
|
|
|
fi
|
|
|
|
do_log "info" "file_only" "4010() Command: [mount --make-rslave --rbind /run ${TARGET}/run] successful."
|
|
|
|
fi
|
|
|
|
|
|
if ! chroot_exec "${TARGET}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
|
|
|
|
do_log "emergency" "file_only" "4010() Command: [chroot_exec ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
|
|
return "${ERR_CHRT_MOUNTS}"
|
|
|
|
fi
|
|
|
|
do_log "info" "file_only" "4010() Command: [chroot_exec ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] successful."
|
|
|
|
mkdir -p "${TARGET}/media/cdrom0"
|
|
|
|
# shellcheck disable=SC2034
|
|
declare -gx VAR_CHROOT_ACTIVATED="system"
|
|
do_log "info" "file_only" "4010() Command: [declare -gx VAR_CHROOT_ACTIVATED=system]"
|
|
|
|
guard_dir && return 0
|
|
}
|
|
### Prevents accidental 'unset -f'.
|
|
# shellcheck disable=SC2034
|
|
readonly -f prepare_mounts
|
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|