summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPierre Schmitz <pierre@archlinux.de>2012-06-11 16:44:23 +0200
committerPierre Schmitz <pierre@archlinux.de>2012-06-11 16:44:23 +0200
commitc7cda4734292bca540402bb87d1a258f2e4a0eaa (patch)
treeec62895060bc21ecfdda88b777782779ce5a150b
parent41b39c3e78a8e1503cc7d93ce247bf8a64bb6932 (diff)
downloaddevtools-c7cda4734292bca540402bb87d1a258f2e4a0eaa.tar.gz
devtools-c7cda4734292bca540402bb87d1a258f2e4a0eaa.tar.xz
Enable signature checking within build environment
* bind /sys and /dev/pts from host * drop support for devtmpfs as it is no longer needed * add /run and /dev/rtc0 * clone own ipc, uts and mount namespaces for chroot * set localtime, timezone and locale within chroot environment * copy /etc/pacman.d/gnupg from host
-rw-r--r--makechrootpkg.in4
-rw-r--r--mkarchroot.in58
-rw-r--r--pacman-extra.conf8
-rw-r--r--pacman-gnome-unstable.conf9
-rw-r--r--pacman-kde-unstable.conf9
-rw-r--r--pacman-multilib-staging.conf17
-rw-r--r--pacman-multilib-testing.conf14
-rw-r--r--pacman-multilib.conf18
-rw-r--r--pacman-staging.conf12
-rw-r--r--pacman-testing.conf8
10 files changed, 96 insertions, 61 deletions
diff --git a/makechrootpkg.in b/makechrootpkg.in
index e06f46c..48675d7 100644
--- a/makechrootpkg.in
+++ b/makechrootpkg.in
@@ -258,15 +258,11 @@ nobody ALL = NOPASSWD: /usr/bin/pacman
EOF
chmod 440 "$copydir/etc/sudoers.d/nobody-pacman"
-# Set this system wide as makepkg will source /etc/profile before calling build()
-echo 'LANG=C' > "$copydir/etc/locale.conf"
-
# This is a little gross, but this way the script is recreated every time in the
# working copy
cat >"$copydir/chrootbuild" <<EOF
#!/bin/bash
. /etc/profile
-export LANG=C
export HOME=/build
cd /build
diff --git a/mkarchroot.in b/mkarchroot.in
index 3eb7464..1b02e0e 100644
--- a/mkarchroot.in
+++ b/mkarchroot.in
@@ -30,7 +30,6 @@ usage() {
echo ' -M <file> Location of a makepkg config file'
echo ' -n Do not copy config files into the chroot'
echo ' -c <dir> Set pacman cache. Default: /var/cache/pacman/pkg'
- echo ' -d Use devtmpfs instead of minimal /dev (tmpfs)'
echo ' -h This message'
exit 1
}
@@ -87,38 +86,40 @@ fi
# {{{ functions
chroot_mount() {
[[ -e "${working_dir}/sys" ]] || mkdir "${working_dir}/sys"
- mount -t sysfs sysfs "${working_dir}/sys"
+ mount -o bind /sys "${working_dir}/sys"
+ mount -o remount,ro,bind "${working_dir}/sys"
[[ -e "${working_dir}/proc" ]] || mkdir "${working_dir}/proc"
- mount -t proc proc "${working_dir}/proc"
+ mount -t proc proc -o nosuid,noexec,nodev "${working_dir}/proc"
+ mount -o bind /proc/sys "${working_dir}/proc/sys"
+ mount -o remount,ro,bind "${working_dir}/proc/sys"
[[ -e "${working_dir}/dev" ]] || mkdir "${working_dir}/dev"
- if [[ ${USE_DEVTMPFS} = "y" ]]; then
- mount -t devtmpfs dev "${working_dir}/dev" -o mode=0755,nosuid
- else
- mount -t tmpfs dev "${working_dir}/dev" -o mode=0755,size=10M,nosuid
- mknod -m 666 "${working_dir}/dev/null" c 1 3
- mknod -m 666 "${working_dir}/dev/zero" c 1 5
- mknod -m 600 "${working_dir}/dev/console" c 5 1
- mknod -m 644 "${working_dir}/dev/random" c 1 8
- mknod -m 644 "${working_dir}/dev/urandom" c 1 9
- mknod -m 666 "${working_dir}/dev/tty" c 5 0
- mknod -m 666 "${working_dir}/dev/ptmx" c 5 2
- mknod -m 666 "${working_dir}/dev/tty0" c 4 0
- mknod -m 666 "${working_dir}/dev/full" c 1 7
- ln -s /proc/kcore "${working_dir}/dev/core"
- ln -s /proc/self/fd "${working_dir}/dev/fd"
- ln -s /proc/self/fd/0 "${working_dir}/dev/stdin"
- ln -s /proc/self/fd/1 "${working_dir}/dev/stdout"
- ln -s /proc/self/fd/2 "${working_dir}/dev/stderr"
- fi
+ mount -t tmpfs dev "${working_dir}/dev" -o mode=0755,size=10M,nosuid,strictatime
+ mknod -m 666 "${working_dir}/dev/null" c 1 3
+ mknod -m 666 "${working_dir}/dev/zero" c 1 5
+ mknod -m 600 "${working_dir}/dev/console" c 5 1
+ mknod -m 644 "${working_dir}/dev/random" c 1 8
+ mknod -m 644 "${working_dir}/dev/urandom" c 1 9
+ mknod -m 666 "${working_dir}/dev/tty" c 5 0
+ mknod -m 666 "${working_dir}/dev/ptmx" c 5 2
+ mknod -m 666 "${working_dir}/dev/tty0" c 4 0
+ mknod -m 666 "${working_dir}/dev/full" c 1 7
+ mknod -m 666 "${working_dir}/dev/rtc0" c 254 0
+ ln -s /proc/kcore "${working_dir}/dev/core"
+ ln -s /proc/self/fd "${working_dir}/dev/fd"
+ ln -s /proc/self/fd/0 "${working_dir}/dev/stdin"
+ ln -s /proc/self/fd/1 "${working_dir}/dev/stdout"
+ ln -s /proc/self/fd/2 "${working_dir}/dev/stderr"
[[ -e "${working_dir}/dev/shm" ]] || mkdir "${working_dir}/dev/shm"
mount -t tmpfs shm "${working_dir}/dev/shm" -o nodev,nosuid,size=128M
[[ -e "${working_dir}/dev/pts" ]] || mkdir "${working_dir}/dev/pts"
- mount -t devpts devpts "${working_dir}/dev/pts" -o newinstance,ptmxmode=666
- mount -o bind "${working_dir}/dev/pts/ptmx" "${working_dir}/dev/ptmx"
+ mount -o bind /dev/pts "${working_dir}/dev/pts"
+
+ [[ -e "${working_dir}/run" ]] || mkdir "${working_dir}/run"
+ mount -t tmpfs tmpfs "${working_dir}/run" -o nodev,nosuid,strictatime,size=64M
[[ -e $cache_dir ]] || mkdir -p "${cache_dir}"
[[ -e "${working_dir}/${cache_dir}" ]] || mkdir -p "${working_dir}/${cache_dir}"
@@ -135,6 +136,7 @@ chroot_mount() {
copy_hostconf () {
cp /etc/resolv.conf "${working_dir}/etc/resolv.conf"
+ cp -a /etc/pacman.d/gnupg "${working_dir}/etc/pacman.d"
echo "Server = ${host_mirror}" > ${working_dir}/etc/pacman.d/mirrorlist
if [[ -n $pac_conf && $NOCOPY = 'n' ]]; then
@@ -147,12 +149,13 @@ copy_hostconf () {
}
chroot_umount () {
+ umount "${working_dir}/proc/sys"
umount "${working_dir}/proc"
umount "${working_dir}/sys"
- umount "${working_dir}/dev/ptmx"
umount "${working_dir}/dev/pts"
umount "${working_dir}/dev/shm"
umount "${working_dir}/dev"
+ umount "${working_dir}/run"
umount "${working_dir}/${cache_dir}"
[[ -n $host_mirror_path ]] && umount "${working_dir}/${host_mirror_path}"
}
@@ -184,7 +187,7 @@ if [[ -n $RUN ]]; then
chroot_mount
copy_hostconf
- eval chroot "${working_dir}" ${RUN}
+ eval unshare -mui -- chroot "${working_dir}" ${RUN}
# }}}
else
@@ -226,6 +229,9 @@ else
sed -i 's@^#\(en_US\|de_DE\)\(\.UTF-8\)@\1\2@' "${working_dir}/etc/locale.gen"
chroot "${working_dir}" /usr/sbin/locale-gen
fi
+ echo 'UTC' > "${working_dir}/etc/timezone"
+ ln -s /usr/share/zoneinfo/UTC "${working_dir}/etc/localtime"
+ echo 'LANG=C' > "${working_dir}/etc/locale.conf"
copy_hostconf
diff --git a/pacman-extra.conf b/pacman-extra.conf
index 0b1fea6..821f9a5 100644
--- a/pacman-extra.conf
+++ b/pacman-extra.conf
@@ -45,9 +45,6 @@ Architecture = auto
# keyring can then be populated with the keys of all official Arch Linux
# packagers with `pacman-key --populate archlinux`.
-# Signature checking does not work within our chroot
-SigLevel = Never
-
#
# REPOSITORIES
# - can be defined here or included from another file
@@ -72,18 +69,23 @@ SigLevel = Never
# after the header, and they will be used before the default mirrors.
#[testing]
+#SigLevel = PackageRequired
#Include = /etc/pacman.d/mirrorlist
[core]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[extra]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
#[community-testing]
+#SigLevel = PackageRequired
#Include = /etc/pacman.d/mirrorlist
[community]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
# An example of a custom package repository. See the pacman manpage for
diff --git a/pacman-gnome-unstable.conf b/pacman-gnome-unstable.conf
index 07495d0..9bdca63 100644
--- a/pacman-gnome-unstable.conf
+++ b/pacman-gnome-unstable.conf
@@ -45,9 +45,6 @@ Architecture = auto
# keyring can then be populated with the keys of all official Arch Linux
# packagers with `pacman-key --populate archlinux`.
-# Signature checking does not work within our chroot
-SigLevel = Never
-
#
# REPOSITORIES
# - can be defined here or included from another file
@@ -72,21 +69,27 @@ SigLevel = Never
# after the header, and they will be used before the default mirrors.
[gnome-unstable]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[testing]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[core]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[extra]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[community-testing]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[community]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
# An example of a custom package repository. See the pacman manpage for
diff --git a/pacman-kde-unstable.conf b/pacman-kde-unstable.conf
index c0e2e8e..1bec946 100644
--- a/pacman-kde-unstable.conf
+++ b/pacman-kde-unstable.conf
@@ -45,9 +45,6 @@ Architecture = auto
# keyring can then be populated with the keys of all official Arch Linux
# packagers with `pacman-key --populate archlinux`.
-# Signature checking does not work within our chroot
-SigLevel = Never
-
#
# REPOSITORIES
# - can be defined here or included from another file
@@ -72,21 +69,27 @@ SigLevel = Never
# after the header, and they will be used before the default mirrors.
[kde-unstable]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[testing]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[core]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[extra]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[community-testing]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[community]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
# An example of a custom package repository. See the pacman manpage for
diff --git a/pacman-multilib-staging.conf b/pacman-multilib-staging.conf
index dee241c..3d1ab75 100644
--- a/pacman-multilib-staging.conf
+++ b/pacman-multilib-staging.conf
@@ -45,9 +45,6 @@ Architecture = auto
# keyring can then be populated with the keys of all official Arch Linux
# packagers with `pacman-key --populate archlinux`.
-# Signature checking does not work within our chroot
-SigLevel = Never
-
#
# REPOSITORIES
# - can be defined here or included from another file
@@ -72,40 +69,50 @@ SigLevel = Never
# after the header, and they will be used before the default mirrors.
[staging]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[testing]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[core]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[extra]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[community-staging]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[community-testing]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[community]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
# If you want to run 32 bit applications on your x86_64 system,
-# enable the multilib repository here.
+# enable the multilib repositories as required here.
[multilib-staging]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[multilib-testing]
-#SigLevel = Optional TrustAll
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[multilib]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
# An example of a custom package repository. See the pacman manpage for
# tips on creating your own repositories.
#[custom]
+#SigLevel = Optional TrustAll
#Server = file:///home/custompkgs
diff --git a/pacman-multilib-testing.conf b/pacman-multilib-testing.conf
index e60a998..d24eb6c 100644
--- a/pacman-multilib-testing.conf
+++ b/pacman-multilib-testing.conf
@@ -45,9 +45,6 @@ Architecture = auto
# keyring can then be populated with the keys of all official Arch Linux
# packagers with `pacman-key --populate archlinux`.
-# Signature checking does not work within our chroot
-SigLevel = Never
-
#
# REPOSITORIES
# - can be defined here or included from another file
@@ -72,31 +69,38 @@ SigLevel = Never
# after the header, and they will be used before the default mirrors.
[testing]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[core]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[extra]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[community-testing]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[community]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
# If you want to run 32 bit applications on your x86_64 system,
-# enable the multilib repository here.
+# enable the multilib repositories as required here.
[multilib-testing]
-#SigLevel = Optional TrustAll
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[multilib]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
# An example of a custom package repository. See the pacman manpage for
# tips on creating your own repositories.
#[custom]
+#SigLevel = Optional TrustAll
#Server = file:///home/custompkgs
diff --git a/pacman-multilib.conf b/pacman-multilib.conf
index d83def4..8d10757 100644
--- a/pacman-multilib.conf
+++ b/pacman-multilib.conf
@@ -45,9 +45,6 @@ Architecture = auto
# keyring can then be populated with the keys of all official Arch Linux
# packagers with `pacman-key --populate archlinux`.
-# Signature checking does not work within our chroot
-SigLevel = Never
-
#
# REPOSITORIES
# - can be defined here or included from another file
@@ -72,28 +69,39 @@ SigLevel = Never
# after the header, and they will be used before the default mirrors.
#[testing]
+#SigLevel = PackageRequired
#Include = /etc/pacman.d/mirrorlist
[core]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[extra]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
#[community-testing]
+#SigLevel = PackageRequired
#Include = /etc/pacman.d/mirrorlist
[community]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
# If you want to run 32 bit applications on your x86_64 system,
-# enable the multilib repository here.
+# enable the multilib repositories as required here.
+
+#[multilib-testing]
+#SigLevel = PackageRequired
+#Include = /etc/pacman.d/mirrorlist
+
[multilib]
-#SigLevel = Optional TrustAll
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
# An example of a custom package repository. See the pacman manpage for
# tips on creating your own repositories.
#[custom]
+#SigLevel = Optional TrustAll
#Server = file:///home/custompkgs
diff --git a/pacman-staging.conf b/pacman-staging.conf
index 4a803a1..d4116e2 100644
--- a/pacman-staging.conf
+++ b/pacman-staging.conf
@@ -45,9 +45,6 @@ Architecture = auto
# keyring can then be populated with the keys of all official Arch Linux
# packagers with `pacman-key --populate archlinux`.
-# Signature checking does not work within our chroot
-SigLevel = Never
-
#
# REPOSITORIES
# - can be defined here or included from another file
@@ -72,29 +69,36 @@ SigLevel = Never
# after the header, and they will be used before the default mirrors.
[staging]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[testing]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[core]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[extra]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[community-staging]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[community-testing]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
-#SigLevel = Optional TrustAll
[community]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
# An example of a custom package repository. See the pacman manpage for
# tips on creating your own repositories.
#[custom]
+#SigLevel = Optional TrustAll
#Server = file:///home/custompkgs
diff --git a/pacman-testing.conf b/pacman-testing.conf
index a99b99d..353bdbb 100644
--- a/pacman-testing.conf
+++ b/pacman-testing.conf
@@ -45,9 +45,6 @@ Architecture = auto
# keyring can then be populated with the keys of all official Arch Linux
# packagers with `pacman-key --populate archlinux`.
-# Signature checking does not work within our chroot
-SigLevel = Never
-
#
# REPOSITORIES
# - can be defined here or included from another file
@@ -72,18 +69,23 @@ SigLevel = Never
# after the header, and they will be used before the default mirrors.
[testing]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[core]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[extra]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[community-testing]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[community]
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
# An example of a custom package repository. See the pacman manpage for