diff options
author | Luke T. Shumaker <lukeshu@parabola.nu> | 2024-02-20 23:46:59 -0700 |
---|---|---|
committer | Luke T. Shumaker <lukeshu@parabola.nu> | 2024-02-21 10:17:52 -0700 |
commit | 63d3993a320ee03c20da05d0e04ddbd3cc800335 (patch) | |
tree | 7be4a7f3ff29d34f43f9fe0116282d61b5fb9009 | |
parent | 9a0328490c2ea30d0eda470cb4da8da0030c96e9 (diff) |
fix: libremakepkg: Have startdir be RO unless the -W flag is passed to make it RW
A key aspect of libremakepkg is that it tries to be strict about many
things, in order to catch issues.
One issue is that sources are downloaded during build(), meaning that
they're missing from the .src.pkg.tar sourceball. So, by default
libremakepkg runs build() with networking disabled, to catch this
issue. If there is a problematic package, we have an -N flag to
enable networking, as an escape hatch; as we only have finite packager
time/effort.
One issue is when a package can't be rebuilt from the .src.pkg.tar
sourceball. If the PKGBUILD modifies itself, then it won't match
what's in the sourceball. This is what the
libremakepkg.bats:"libremakepkg does not run pkgver" test demonstrates
and tests-for; this failing demonstration testcase was added in
044b4e1 (test: libremakepkg: Add some failing tests [ci-skip],
2018-07-31, Luke Shumaker <lukeshu@lukeshu.com>). We solved by
mounting the $startdir read-only in 646ac02 (libremakepkg,chcleanup:
Be stricter about network access, 2018-08-03, Luke Shumaker
<lukeshu@lukeshu.com>). However, it turns out that this caused issues
for a few packages. So, this protection was reverted in a6f6ac4
(libremakepkg: fix building packages requring a rw startdir,
2019-05-17, Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>). This
is bad, it potentially lets many issues slip through undetected.
Instead, handle it like we do networking: Have the protection on by
default, say "PLEASE don't turn this off", but recognize the increased
cost in time and efforts and so provide the `-W` flag as an escape
hatch.
-rw-r--r-- | po/es/libretools.po | 5 | ||||
-rwxr-xr-x | src/chroot-tools/libremakepkg | 22 | ||||
-rw-r--r-- | test/cases/libremakepkg.bats | 11 | ||||
-rw-r--r-- | test/fixtures/libremakepkg/PKGBUILD-rwstartdir | 15 |
4 files changed, 49 insertions, 4 deletions
diff --git a/po/es/libretools.po b/po/es/libretools.po index 57a8e19..fbd4122 100644 --- a/po/es/libretools.po +++ b/po/es/libretools.po @@ -1072,6 +1072,11 @@ msgstr "No deshabilita la conexión a internet durante build() y " "package(). POR FAVOR no use esta opción al menos que tenga una razón " "en especial, su uso es una violación a la política de Parabola." +#: src/chroot-tools/libremakepkg:194 +msgid "Don't make the startdir read-only. PLEASE don't use this unless you " + "have a special reason, its use is a violation of Parabola policy." +msgstr "" + #: src/chroot-tools/libremakepkg:184 msgid "Repackage contents of the package without rebuilding" msgstr "Reempaqueta los contenidos del paquete sin recompilar" diff --git a/src/chroot-tools/libremakepkg b/src/chroot-tools/libremakepkg index 957e20b..d3dd160 100755 --- a/src/chroot-tools/libremakepkg +++ b/src/chroot-tools/libremakepkg @@ -5,7 +5,7 @@ set -euE # Copyright (C) 2010-2012 Nicolás Reynolds <fauno@parabola.nu> # Copyright (C) 2010-2012 Joshua Ismael Haase Hernández (xihh) <hahj87@gmail.com> # Copyright (C) 2012 Michał Masłowski <mtjm@mtjm.eu> -# Copyright (C) 2012-2015, 2017-2018 Luke Shumaker <lukeshu@parabola.nu> +# Copyright (C) 2012-2015, 2017-2018, 2024 Luke Shumaker <lukeshu@parabola.nu> # Copyright (C) 2019, 2024 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> # # License: GNU GPLv2+ @@ -37,6 +37,7 @@ umask 0022 readonly _indent="$(librelib chroot/indent)" readonly INCHROOT=$([[ -f /.arch-chroot ]] && echo true || echo false) NONET=true # can be changed with the -N flag +ROSTARTDIR=true # can be changed with the -W flag # {PKG,SRC,SRCPKG,LOG}DEST set at runtime by makepkg.conf # MAKEFLAGS, PACKAGER set at runtime by makepkg.conf # LIBREUSER, LIBREHOME are set by conf.sh @@ -125,11 +126,19 @@ build() ( local run_ynet=() local run_nnet=() if $INCHROOT; then - local _run=(sh -c "cd ${startdir@Q} && \$@" --) + if $ROSTARTDIR; then + local _run=(sh -c "mount --bind -o ro -- ${startdir@Q} ${startdir@Q} && cd ${startdir@Q} && \$@" --) + else + local _run=(sh -c "cd ${startdir@Q} && \$@" --) + fi run_ynet=(unshare --mount -- "${_run[@]}") run_nnet=(unshare --mount --net -- "${_run[@]}") else - librechroot_flags+=(-w "$startdir:/startdir") + if $ROSTARTDIR; then + librechroot_flags+=(-r "$startdir:/startdir") + else + librechroot_flags+=(-w "$startdir:/startdir") + fi run_ynet=(librechroot "${librechroot_flags[@]}" run) run_nnet=(librechroot "${librechroot_flags[@]}" -N run) fi @@ -182,6 +191,10 @@ usage() { build(), and package(). PLEASE don't use this unless you have a special reason, its use is a violation of Parabola policy." \ + '-W' "Don't make the startdir read-only. PLEASE + don't use this unless you have a special + reason, its use is a violation of Parabola + policy." \ '-R' 'Repackage contents of the package without rebuilding' \ "-S <$(_ SRCPKGFILE)>" 'Use an existing --allsource source-package' \ @@ -204,7 +217,7 @@ main() { local srcpkg='' # Parse command line options ########################################### - while getopts 'n:l:w:r:NRS:h' flag ; do + while getopts 'n:l:w:r:NWRS:h' flag ; do case "${flag}" in n) if $INCHROOT; then err_chflag "$flag"; else chroot=$OPTARG; fi;; @@ -213,6 +226,7 @@ main() { w|r) if $INCHROOT; then err_chflag "$flag"; else librechroot_flags+=(-$flag "$OPTARG"); fi;; N) NONET=false;; + W) ROSTARTDIR=false;; R) repack=true; makepkg_args+=(-R);; S) srcpkg=$OPTARG;; h) usage; exit $EXIT_SUCCESS;; diff --git a/test/cases/libremakepkg.bats b/test/cases/libremakepkg.bats index fa8aee3..34db6e3 100644 --- a/test/cases/libremakepkg.bats +++ b/test/cases/libremakepkg.bats @@ -244,6 +244,17 @@ teardown() { diff -u fixtures/libremakepkg/PKGBUILD-pkgver "$tmpdir/PKGBUILD" } +@test "libremakepkg has a flag to make startdir rw" { + require network sudo || skip + cp fixtures/libremakepkg/PKGBUILD-rwstartdir "$tmpdir/PKGBUILD" + cd "$tmpdir" + + not testsudo libremakepkg -l "$BATS_TEST_NAME" + not globfile libretools-rwstartdir-1.0-1-any.pkg.tar?(.!(sig|*.*)) + testsudo libremakepkg -l "$BATS_TEST_NAME" -W + globfile libretools-rwstartdir-1.0-1-any.pkg.tar?(.!(sig|*.*)) +} + @test "libremakepkg can re-use source-packages" { require network sudo || skip diff --git a/test/fixtures/libremakepkg/PKGBUILD-rwstartdir b/test/fixtures/libremakepkg/PKGBUILD-rwstartdir new file mode 100644 index 0000000..feadfa0 --- /dev/null +++ b/test/fixtures/libremakepkg/PKGBUILD-rwstartdir @@ -0,0 +1,15 @@ +pkgname='libretools-rwstartdir' +pkgver=1.0 +license=('GPL') +url='https://parabola.nu' + +pkgrel=1 +arch=(any) + +build() { + echo foo >"$startdir/file" +} + +package() { + install -Dm644 "$startdir/file" "$pkgdir/etc/file" +} |