From c7cda4734292bca540402bb87d1a258f2e4a0eaa Mon Sep 17 00:00:00 2001 From: Pierre Schmitz Date: Mon, 11 Jun 2012 16:44:23 +0200 Subject: Enable signature checking within build environment * bind /sys and /dev/pts from host * drop support for devtmpfs as it is no longer needed * add /run and /dev/rtc0 * clone own ipc, uts and mount namespaces for chroot * set localtime, timezone and locale within chroot environment * copy /etc/pacman.d/gnupg from host --- makechrootpkg.in | 4 --- mkarchroot.in | 58 ++++++++++++++++++++++++-------------------- pacman-extra.conf | 8 +++--- pacman-gnome-unstable.conf | 9 ++++--- pacman-kde-unstable.conf | 9 ++++--- pacman-multilib-staging.conf | 17 +++++++++---- pacman-multilib-testing.conf | 14 +++++++---- pacman-multilib.conf | 18 ++++++++++---- pacman-staging.conf | 12 ++++++--- pacman-testing.conf | 8 +++--- 10 files changed, 96 insertions(+), 61 deletions(-) diff --git a/makechrootpkg.in b/makechrootpkg.in index e06f46c..48675d7 100644 --- a/makechrootpkg.in +++ b/makechrootpkg.in @@ -258,15 +258,11 @@ nobody ALL = NOPASSWD: /usr/bin/pacman EOF chmod 440 "$copydir/etc/sudoers.d/nobody-pacman" -# Set this system wide as makepkg will source /etc/profile before calling build() -echo 'LANG=C' > "$copydir/etc/locale.conf" - # This is a little gross, but this way the script is recreated every time in the # working copy cat >"$copydir/chrootbuild" < Location of a makepkg config file' echo ' -n Do not copy config files into the chroot' echo ' -c Set pacman cache. Default: /var/cache/pacman/pkg' - echo ' -d Use devtmpfs instead of minimal /dev (tmpfs)' echo ' -h This message' exit 1 } 
@@ -87,38 +86,40 @@ fi # {{{ functions chroot_mount() { [[ -e "${working_dir}/sys" ]] || mkdir "${working_dir}/sys" - mount -t sysfs sysfs "${working_dir}/sys" + mount -o bind /sys "${working_dir}/sys" + mount -o remount,ro,bind "${working_dir}/sys" [[ -e "${working_dir}/proc" ]] || mkdir "${working_dir}/proc" - mount -t proc proc "${working_dir}/proc" + mount -t proc proc -o nosuid,noexec,nodev "${working_dir}/proc" + mount -o bind /proc/sys "${working_dir}/proc/sys" + mount -o remount,ro,bind "${working_dir}/proc/sys" [[ -e "${working_dir}/dev" ]] || mkdir "${working_dir}/dev" - if [[ ${USE_DEVTMPFS} = "y" ]]; then - mount -t devtmpfs dev "${working_dir}/dev" -o mode=0755,nosuid - else - mount -t tmpfs dev "${working_dir}/dev" -o mode=0755,size=10M,nosuid - mknod -m 666 "${working_dir}/dev/null" c 1 3 - mknod -m 666 "${working_dir}/dev/zero" c 1 5 - mknod -m 600 "${working_dir}/dev/console" c 5 1 - mknod -m 644 "${working_dir}/dev/random" c 1 8 - mknod -m 644 "${working_dir}/dev/urandom" c 1 9 - mknod -m 666 "${working_dir}/dev/tty" c 5 0 - mknod -m 666 "${working_dir}/dev/ptmx" c 5 2 - mknod -m 666 "${working_dir}/dev/tty0" c 4 0 - mknod -m 666 "${working_dir}/dev/full" c 1 7 - ln -s /proc/kcore "${working_dir}/dev/core" - ln -s /proc/self/fd "${working_dir}/dev/fd" - ln -s /proc/self/fd/0 "${working_dir}/dev/stdin" - ln -s /proc/self/fd/1 "${working_dir}/dev/stdout" - ln -s /proc/self/fd/2 "${working_dir}/dev/stderr" - fi + mount -t tmpfs dev "${working_dir}/dev" -o mode=0755,size=10M,nosuid,strictatime + mknod -m 666 "${working_dir}/dev/null" c 1 3 + mknod -m 666 "${working_dir}/dev/zero" c 1 5 + mknod -m 600 "${working_dir}/dev/console" c 5 1 + mknod -m 644 "${working_dir}/dev/random" c 1 8 + mknod -m 644 "${working_dir}/dev/urandom" c 1 9 + mknod -m 666 "${working_dir}/dev/tty" c 5 0 + mknod -m 666 "${working_dir}/dev/ptmx" c 5 2 + mknod -m 666 "${working_dir}/dev/tty0" c 4 0 + mknod -m 666 "${working_dir}/dev/full" c 1 7 + mknod -m 666 
"${working_dir}/dev/rtc0" c 254 0 + ln -s /proc/kcore "${working_dir}/dev/core" + ln -s /proc/self/fd "${working_dir}/dev/fd" + ln -s /proc/self/fd/0 "${working_dir}/dev/stdin" + ln -s /proc/self/fd/1 "${working_dir}/dev/stdout" + ln -s /proc/self/fd/2 "${working_dir}/dev/stderr" [[ -e "${working_dir}/dev/shm" ]] || mkdir "${working_dir}/dev/shm" mount -t tmpfs shm "${working_dir}/dev/shm" -o nodev,nosuid,size=128M [[ -e "${working_dir}/dev/pts" ]] || mkdir "${working_dir}/dev/pts" - mount -t devpts devpts "${working_dir}/dev/pts" -o newinstance,ptmxmode=666 - mount -o bind "${working_dir}/dev/pts/ptmx" "${working_dir}/dev/ptmx" + mount -o bind /dev/pts "${working_dir}/dev/pts" + + [[ -e "${working_dir}/run" ]] || mkdir "${working_dir}/run" + mount -t tmpfs tmpfs "${working_dir}/run" -o nodev,nosuid,strictatime,size=64M [[ -e $cache_dir ]] || mkdir -p "${cache_dir}" [[ -e "${working_dir}/${cache_dir}" ]] || mkdir -p "${working_dir}/${cache_dir}" @@ -135,6 +136,7 @@ chroot_mount() { copy_hostconf () { cp /etc/resolv.conf "${working_dir}/etc/resolv.conf" + cp -a /etc/pacman.d/gnupg "${working_dir}/etc/pacman.d" echo "Server = ${host_mirror}" > ${working_dir}/etc/pacman.d/mirrorlist if [[ -n $pac_conf && $NOCOPY = 'n' ]]; then @@ -147,12 +149,13 @@ copy_hostconf () { } chroot_umount () { + umount "${working_dir}/proc/sys" umount "${working_dir}/proc" umount "${working_dir}/sys" - umount "${working_dir}/dev/ptmx" umount "${working_dir}/dev/pts" umount "${working_dir}/dev/shm" umount "${working_dir}/dev" + umount "${working_dir}/run" umount "${working_dir}/${cache_dir}" [[ -n $host_mirror_path ]] && umount "${working_dir}/${host_mirror_path}" } @@ -184,7 +187,7 @@ if [[ -n $RUN ]]; then chroot_mount copy_hostconf - eval chroot "${working_dir}" ${RUN} + eval unshare -mui -- chroot "${working_dir}" ${RUN} # }}} else 
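Review bot: In chroot_mount, the new `mknod -m 666 "${working_dir}/dev/rtc0" c 254 0` hard-codes a character major that, as far as I know, the kernel assigns dynamically for RTC devices. On a host where 254 belongs to a different driver, this creates a world-writable node for that other device inside the build chroot. Reading the major:minor pair from the host (`/sys/class/rtc/rtc0/dev`) and using a tighter mode than 666 would avoid that. Separately, `mount -o bind /dev/pts "${working_dir}/dev/pts"` replaces the private `newinstance` devpts with the host's instance, so the host's pseudo-terminals become visible inside the chroot; a comment such as `# host devpts is shared on purpose: <reason>` would record why the isolation was dropped. The body of chroot_mount continues past the end of this hunk.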
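Review bot: The added `cp -a /etc/pacman.d/gnupg "${working_dir}/etc/pacman.d"` in copy_hostconf has its exit status ignored and copies the whole keyring directory. If the host keyring was never initialised, the script carries on and every later install in the chroot fails verification under `SigLevel = PackageRequired`; a guard such as `[[ -d /etc/pacman.d/gnupg ]] || { echo 'host pacman keyring missing' >&2; exit 1; }` before the copy would make the cause explicit. The directory presumably also holds the secret half of the host's local signing key, which package verification does not need, so copying only the public keyring and trust database is worth considering. The copy also makes the host's trust decisions the chroot's trust root, which deserves a comment on that line. copy_hostconf continues outside the hunk.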
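Review bot: `eval unshare -mui -- chroot "${working_dir}" ${RUN}` gives the command its own mount, UTS and IPC namespaces but leaves it in the host's PID and network namespaces, so the `proc` instance mounted by chroot_mount still shows host processes. A comment on that line would keep readers from assuming more isolation than is provided, e.g. `# own mount/uts/ipc namespaces only; PID and network are still shared with the host`. The mounts made by chroot_mount happen before `unshare` runs, so they stay in the host's mount namespace and still depend on chroot_umount for cleanup. The retained `eval` also re-parses the already expanded `"${working_dir}"`, so a path containing spaces or shell metacharacters is split or interpreted; if `RUN` has to stay a string, `unshare -mui -- chroot "${working_dir}" /bin/sh -c "${RUN}"` limits the second parse to the command itself.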
@@ -226,6 +229,9 @@ else sed -i 's@^#\(en_US\|de_DE\)\(\.UTF-8\)@\1\2@' "${working_dir}/etc/locale.gen" chroot "${working_dir}" /usr/sbin/locale-gen fi + echo 'UTC' > "${working_dir}/etc/timezone" + ln -s /usr/share/zoneinfo/UTC "${working_dir}/etc/localtime" + echo 'LANG=C' > "${working_dir}/etc/locale.conf" copy_hostconf diff --git a/pacman-extra.conf b/pacman-extra.conf index 0b1fea6..821f9a5 100644 --- a/pacman-extra.conf +++ b/pacman-extra.conf @@ -45,9 +45,6 @@ Architecture = auto # keyring can then be populated with the keys of all official Arch Linux # packagers with `pacman-key --populate archlinux`. -# Signature checking does not work within our chroot -SigLevel = Never - # # REPOSITORIES # - can be defined here or included from another file @@ -72,18 +69,23 @@ SigLevel = Never # after the header, and they will be used before the default mirrors. #[testing] +#SigLevel = PackageRequired #Include = /etc/pacman.d/mirrorlist [core] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [extra] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist #[community-testing] +#SigLevel = PackageRequired #Include = /etc/pacman.d/mirrorlist [community] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist # An example of a custom package repository. See the pacman manpage for diff --git a/pacman-gnome-unstable.conf b/pacman-gnome-unstable.conf index 07495d0..9bdca63 100644 --- a/pacman-gnome-unstable.conf +++ b/pacman-gnome-unstable.conf @@ -45,9 +45,6 @@ Architecture = auto # keyring can then be populated with the keys of all official Arch Linux # packagers with `pacman-key --populate archlinux`. -# Signature checking does not work within our chroot -SigLevel = Never - # # REPOSITORIES # - can be defined here or included from another file 
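Review bot: In pacman-extra.conf the global `SigLevel = Never` is removed and `SigLevel = PackageRequired` is set only inside each repository section, so a section added later without its own `SigLevel` falls back to the options-level value or pacman's built-in default, which may accept unsigned packages. A fail-closed default in the options area, `SigLevel = PackageRequired`, would cover that case; the per-repository lines can stay as they are. The same applies to the repository hunks of the other pacman-*.conf files in this commit. Where the commented `[custom]` example gains `#SigLevel = Optional TrustAll` (the multilib and staging files), a comment such as `# TrustAll skips the trust check for this repository; use only for local, unsigned packages` would discourage copying it as-is.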
@@ -72,21 +69,27 @@ SigLevel = Never # after the header, and they will be used before the default mirrors. [gnome-unstable] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [testing] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [core] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [extra] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [community-testing] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [community] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist # An example of a custom package repository. See the pacman manpage for diff --git a/pacman-kde-unstable.conf b/pacman-kde-unstable.conf index c0e2e8e..1bec946 100644 --- a/pacman-kde-unstable.conf +++ b/pacman-kde-unstable.conf @@ -45,9 +45,6 @@ Architecture = auto # keyring can then be populated with the keys of all official Arch Linux # packagers with `pacman-key --populate archlinux`. -# Signature checking does not work within our chroot -SigLevel = Never - # # REPOSITORIES # - can be defined here or included from another file @@ -72,21 +69,27 @@ SigLevel = Never # after the header, and they will be used before the default mirrors. [kde-unstable] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [testing] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [core] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [extra] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [community-testing] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [community] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist # An example of a custom package repository. See the pacman manpage for diff --git a/pacman-multilib-staging.conf b/pacman-multilib-staging.conf index dee241c..3d1ab75 100644 --- a/pacman-multilib-staging.conf +++ b/pacman-multilib-staging.conf 
@@ -45,9 +45,6 @@ Architecture = auto # keyring can then be populated with the keys of all official Arch Linux # packagers with `pacman-key --populate archlinux`. -# Signature checking does not work within our chroot -SigLevel = Never - # # REPOSITORIES # - can be defined here or included from another file @@ -72,40 +69,50 @@ SigLevel = Never # after the header, and they will be used before the default mirrors. [staging] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [testing] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [core] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [extra] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [community-staging] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [community-testing] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [community] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist # If you want to run 32 bit applications on your x86_64 system, -# enable the multilib repository here. +# enable the multilib repositories as required here. [multilib-staging] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [multilib-testing] -#SigLevel = Optional TrustAll +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [multilib] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist # An example of a custom package repository. See the pacman manpage for # tips on creating your own repositories. #[custom] +#SigLevel = Optional TrustAll #Server = file:///home/custompkgs diff --git a/pacman-multilib-testing.conf b/pacman-multilib-testing.conf index e60a998..d24eb6c 100644 --- a/pacman-multilib-testing.conf +++ b/pacman-multilib-testing.conf 
@@ -45,9 +45,6 @@ Architecture = auto # keyring can then be populated with the keys of all official Arch Linux # packagers with `pacman-key --populate archlinux`. -# Signature checking does not work within our chroot -SigLevel = Never - # # REPOSITORIES # - can be defined here or included from another file @@ -72,31 +69,38 @@ SigLevel = Never # after the header, and they will be used before the default mirrors. [testing] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [core] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [extra] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [community-testing] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [community] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist # If you want to run 32 bit applications on your x86_64 system, -# enable the multilib repository here. +# enable the multilib repositories as required here. [multilib-testing] -#SigLevel = Optional TrustAll +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [multilib] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist # An example of a custom package repository. See the pacman manpage for # tips on creating your own repositories. #[custom] +#SigLevel = Optional TrustAll #Server = file:///home/custompkgs diff --git a/pacman-multilib.conf b/pacman-multilib.conf index d83def4..8d10757 100644 --- a/pacman-multilib.conf +++ b/pacman-multilib.conf @@ -45,9 +45,6 @@ Architecture = auto # keyring can then be populated with the keys of all official Arch Linux # packagers with `pacman-key --populate archlinux`. -# Signature checking does not work within our chroot -SigLevel = Never - # # REPOSITORIES # - can be defined here or included from another file 
@@ -72,28 +69,39 @@ SigLevel = Never # after the header, and they will be used before the default mirrors. #[testing] +#SigLevel = PackageRequired #Include = /etc/pacman.d/mirrorlist [core] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [extra] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist #[community-testing] +#SigLevel = PackageRequired #Include = /etc/pacman.d/mirrorlist [community] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist # If you want to run 32 bit applications on your x86_64 system, -# enable the multilib repository here. +# enable the multilib repositories as required here. + +#[multilib-testing] +#SigLevel = PackageRequired +#Include = /etc/pacman.d/mirrorlist + [multilib] -#SigLevel = Optional TrustAll +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist # An example of a custom package repository. See the pacman manpage for # tips on creating your own repositories. #[custom] +#SigLevel = Optional TrustAll #Server = file:///home/custompkgs diff --git a/pacman-staging.conf b/pacman-staging.conf index 4a803a1..d4116e2 100644 --- a/pacman-staging.conf +++ b/pacman-staging.conf @@ -45,9 +45,6 @@ Architecture = auto # keyring can then be populated with the keys of all official Arch Linux # packagers with `pacman-key --populate archlinux`. -# Signature checking does not work within our chroot -SigLevel = Never - # # REPOSITORIES # - can be defined here or included from another file 
@@ -72,29 +69,36 @@ SigLevel = Never # after the header, and they will be used before the default mirrors. [staging] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [testing] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [core] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [extra] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [community-staging] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [community-testing] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist -#SigLevel = Optional TrustAll [community] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist # An example of a custom package repository. See the pacman manpage for # tips on creating your own repositories. #[custom] +#SigLevel = Optional TrustAll #Server = file:///home/custompkgs diff --git a/pacman-testing.conf b/pacman-testing.conf index a99b99d..353bdbb 100644 --- a/pacman-testing.conf +++ b/pacman-testing.conf @@ -45,9 +45,6 @@ Architecture = auto # keyring can then be populated with the keys of all official Arch Linux # packagers with `pacman-key --populate archlinux`. -# Signature checking does not work within our chroot -SigLevel = Never - # # REPOSITORIES # - can be defined here or included from another file @@ -72,18 +69,23 @@ SigLevel = Never # after the header, and they will be used before the default mirrors. [testing] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [core] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [extra] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [community-testing] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [community] +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist # An example of a custom package repository. See the pacman manpage for -- cgit v1.2.3-70-g09d2