schroot: new package to securely enter a chroot and run a command or login shell

Signed-off-by: Javier Marcet <redacted>

diff --git a/admin/schroot/Config.in b/admin/schroot/Config.in
new file mode 100644 (file)
index 0000000..3a1cdb1
--- /dev/null
+++ b/admin/schroot/Config.in
@@ -0,0 +1,23 @@
+menu "Configuration"
+
+config SCHROOT_BTRFS
+       bool "Enable support for btrfs snapshots"
+       select PACKAGE_btrfs-progs
+       default n
+
+config SCHROOT_LOOPBACK
+       bool "Enable support for loopback mounts"
+       select PACKAGE_losetup
+       default n
+
+config SCHROOT_LVM
+       bool "Enable support for LVM snapshots"
+       select PACKAGE_lvm2
+       default n
+
+config SCHROOT_UUID
+       bool "Enable support for UUIDs"
+       select PACKAGE_libuuid
+       default n
+
+endmenu

diff --git a/admin/schroot/Makefile b/admin/schroot/Makefile
new file mode 100644 (file)
index 0000000..fdb81a3
--- /dev/null
+++ b/admin/schroot/Makefile
@@ -0,0 +1,82 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=schroot
+PKG_VERSION:=1.6.10
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)_$(PKG_VERSION).orig.tar.xz
+PKG_SOURCE_URL:=http://deb.debian.org/debian/pool/main/s/schroot
+PKG_HASH:=3ce8dfd9cb97b099e4b6d4ccec421d6cc8c9ef84574681e928a12badb5643d0b
+
+PKG_MAINTAINER:=Javier Marcet <javier@marcet.info>
+PKG_LICENSE:=GPL-3.0-only
+PKG_LICENSE_FILES:=COPYING
+
+PKG_INSTALL:=1
+PKG_BUILD_PARALLEL:=1
+PKG_FIXUP:=autoreconf
+
+include $(INCLUDE_DIR)/nls.mk
+include $(INCLUDE_DIR)/package.mk
+
+define Package/schroot
+  SECTION:=admin
+  CATEGORY:=Administration
+  TITLE:=Securely enter a chroot and run a command or login shell.
+  DEPENDS:=$(ICONV_DEPENDS) \
+       +boost +boost-filesystem +boost-iostreams +boost-program_options +boost-regex \
+       +SCHROOT_BTRFS:btrfs-progs \
+       +SCHROOT_LOOPBACK:losetup \
+       +SCHROOT_LVM:lvm2 \
+       +SCHROOT_UUID:libuuid
+  URL:=https://salsa.debian.org/debian/schroot
+endef
+
+define Package/schroot/description
+  Securely enter a chroot and run a command or login shell.
+endef
+
+define Package/sudo/conffiles
+/etc/schroot/
+endef
+
+define Package/schroot/config
+       source "$(SOURCE)/Config.in"
+endef
+
+PKG_CONFIG_DEPENDS := \
+       CONFIG_SCHROOT_BTRFS \
+       CONFIG_SCHROOT_LOOPBACK \
+       CONFIG_SCHROOT_LVM \
+       CONFIG_SCHROOT_UUID
+
+CONFIGURE_ARGS += \
+       $(if $(CONFIG_SCHROOT_BTRFS),--enable,--disable)-btrfs-snapshot \
+       $(if $(CONFIG_SCHROOT_LOOPBACK),--enable,--disable)-loopback \
+       $(if $(CONFIG_SCHROOT_LVM),--enable,--disable)-lvm-snapshot \
+       $(if $(CONFIG_SCHROOT_UUID),--enable,--disable)-uuid \
+       --enable-block-device \
+       --enable-union \
+       --disable-dchroot \
+       --disable-dchroot-dsa \
+       --disable-csbuild \
+       --disable-debug \
+       --disable-pam \
+       --disable-doxygen \
+       --disable-rpath
+
+define Package/schroot/install
+       $(INSTALL_DIR) $(1)/usr/bin
+       $(INSTALL_SUID) $(PKG_INSTALL_DIR)/usr/bin/schroot $(1)/usr/bin/
+       $(INSTALL_DIR) $(1)/etc/schroot
+       $(CP) -R $(PKG_INSTALL_DIR)/etc/schroot/* $(1)/etc/schroot
+       $(INSTALL_DIR) $(1)/usr/lib/schroot
+       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/libsbuild.* $(1)/usr/lib/
+       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/schroot/* $(1)/usr/lib/schroot/
+       $(INSTALL_DIR) $(1)/usr/share/schroot
+       $(CP) -R $(PKG_INSTALL_DIR)/usr/share/schroot/* $(1)/usr/share/schroot/
+       $(INSTALL_DIR) $(1)/etc/init.d
+       $(INSTALL_BIN) ./files/schroot.init $(1)/etc/init.d/schroot
+endef
+
+$(eval $(call BuildPackage,schroot))

diff --git a/admin/schroot/files/schroot.init b/admin/schroot/files/schroot.init
new file mode 100755 (executable)
index 0000000..aa37793
--- /dev/null
+++ b/admin/schroot/files/schroot.init
@@ -0,0 +1,10 @@
+#!/bin/sh /etc/rc.common
+
+START=94
+
+start() {
+       [ -d /var/lib/schroot ] || {
+               mkdir -p /var/lib/schroot/mount /var/lib/schroot/session /var/lib/schroot/unpack /var/lib/schroot/union/overlay /var/lib/schroot/union/underlay
+               chmod 0700 /var/lib/schroot
+       }
+}

diff --git a/admin/schroot/patches/01-openwrt.patch b/admin/schroot/patches/01-openwrt.patch
new file mode 100644 (file)
index 0000000..9b26b47
--- /dev/null
+++ b/admin/schroot/patches/01-openwrt.patch
@@ -0,0 +1,219 @@
+--- ./configure.ac-orig        2019-12-09 12:56:45.217308628 +0100
++++ ./configure.ac     2019-12-09 12:57:18.667492923 +0100
+@@ -284,22 +284,8 @@ if test -z "$DOXYGEN"; then
+   HAVE_DOXYGEN="no"
+ fi
+ HAVE_LVM="yes"
+-AC_PATH_PROG([LVCREATE], [lvcreate], [], [$PATH:/sbin:/usr/sbin])
+-AC_PATH_PROG([LVREMOVE], [lvremove], [], [$PATH:/sbin:/usr/sbin])
+-if test -z "$LVCREATE" || test -z "$LVREMOVE"; then
+-  HAVE_LVM="no"
+-fi
+ HAVE_BTRFS="yes"
+-AC_PATH_PROG([BTRFS], [btrfs], [], [$PATH:/sbin:/usr/sbin])
+-AC_PATH_PROG([BTRFSCTL], [btrfsctl], [], [$PATH:/sbin:/usr/sbin])
+-if test -z "$BTRFS" || test -z "$BTRFSCTL"; then
+-  HAVE_BTRFS="no"
+-fi
+ HAVE_LOOPBACK="yes"
+-AC_PATH_PROG([LOSETUP], [losetup], [], [$PATH:/sbin:/usr/sbin])
+-if test -z "$LOSETUP"; then
+-  HAVE_LOOPBACK="no"
+-fi
+ 
+ 
+ # Check for host platform
+@@ -336,7 +322,6 @@ PKG_CHECK_MODULES([UUID], [uuid],
+                   [HAVE_UUID=yes],
+                   [HAVE_UUID=no])
+ 
+-AM_PATH_CPPUNIT([1.10.0], [HAVE_CPPUNIT=yes])
+ AM_CONDITIONAL([USE_UNIT_TESTS], [test -n "$HAVE_CPPUNIT"])
+ 
+ SCHROOT_CFLAGS="$UUID_CFLAGS"
+@@ -688,42 +673,25 @@ if test "$BOOST_PROGRAM_OPTIONS_VALIDATI
+ fi
+ 
+ dnl Note the use of quadrigraphs to quote [ and ] in regexes.
+-AH_TEMPLATE(HAVE_REGEX_REGEX, [Set if the <regex> header file includes std::regex])
+ AH_TEMPLATE(HAVE_BOOST_REGEX, [Set if the <boost/regex.hpp> header file includes boost::regex])
+-AC_MSG_CHECKING([for std::regex])
+-define([testprog], [AC_LANG_PROGRAM([#include <regex>],
+-                                   [std::regex foo("^foo@<:@bar@:>@$");
+-                                    std::regex bar("^foo@<:@bar@:>@$", std::regex::extended);
+-                                    std::regex check("^@<:@^:/,.@:>@@<:@^:/,@:>@*$", std::regex::extended);])])
+-AC_RUN_IFELSE(testprog,
+-  [AC_MSG_RESULT([yes])
+-   AC_DEFINE(HAVE_REGEX_REGEX, 1)],
+-  [dnl Check if std::regex is present but broken.
+-define([testprog], [AC_LANG_PROGRAM([#include <regex>],
+-                                   [std::regex foo("^foo@<:@bar@:>@$");
+-                                    std::regex bar("^foo@<:@bar@:>@$", std::regex::extended);])])
++AC_MSG_CHECKING([for boost::regex in -lboost_regex])
++saved_LIBS="${LIBS}"
++LIBS="${saved_LIBS} -lboost_regex"
++define([testprog], [AC_LANG_PROGRAM([#include <boost/regex.hpp>],
++                                [boost::regex("^foo@<:@bar@:>@$");
++                                 boost::regex bar("^foo@<:@bar@:>@$", boost::regex::extended);])])
+ AC_LINK_IFELSE(testprog,
+-  [AC_MSG_RESULT([broken])],
+-  [AC_MSG_RESULT([no])])
+-   AC_MSG_CHECKING([for boost::regex in -lboost_regex])
+-   saved_LIBS="${LIBS}"
+-   LIBS="${saved_LIBS} -lboost_regex"
+-   define([testprog], [AC_LANG_PROGRAM([#include <boost/regex.hpp>],
+-                                   [boost::regex("^foo@<:@bar@:>@$");
+-                                    boost::regex bar("^foo@<:@bar@:>@$", boost::regex::extended);])])
+-   AC_LINK_IFELSE(testprog,
+-                  [AC_MSG_RESULT([yes])
+-                   AC_DEFINE(HAVE_BOOST_REGEX, 1)
+-                   BOOST_LIBS="${BOOST_LIBS} -lboost_regex"],
+-                  [LIBS="${saved_LIBS} -lboost_regex-mt"
+-                   AC_LINK_IFELSE(testprog,
+-                          [AC_MSG_RESULT([yes])
+-                           AC_DEFINE(HAVE_BOOST_REGEX, 1)
+-                           BOOST_LIBS="${BOOST_LIBS} -lboost_regex-mt"],
+-                          [AC_MSG_RESULT([no])
+-                    AC_MSG_FAILURE([libboost_regex (Boost C++ Libraries) is not installed, but is required by schroot])])])
+-   LIBS="${saved_LIBS}"
+-])
++               [AC_MSG_RESULT([yes])
++                AC_DEFINE(HAVE_BOOST_REGEX, 1)
++                BOOST_LIBS="${BOOST_LIBS} -lboost_regex"],
++               [LIBS="${saved_LIBS} -lboost_regex-mt"
++                AC_LINK_IFELSE(testprog,
++                       [AC_MSG_RESULT([yes])
++                        AC_DEFINE(HAVE_BOOST_REGEX, 1)
++                        BOOST_LIBS="${BOOST_LIBS} -lboost_regex-mt"],
++                       [AC_MSG_RESULT([no])
++                 AC_MSG_FAILURE([libboost_regex (Boost C++ Libraries) is not installed, but is required by schroot])])])
++LIBS="${saved_LIBS}"
+ 
+ AC_MSG_CHECKING([for boost::iostreams in -lboost_iostreams])
+ saved_LIBS="${LIBS}"
+--- ./bin/schroot-base/schroot-base-run.h-orig 2019-12-09 04:23:51.881428446 +0100
++++ ./bin/schroot-base/schroot-base-run.h      2019-12-09 04:24:14.934887089 +0100
+@@ -61,8 +61,8 @@ namespace schroot_base
+         std::cout.imbue(std::locale());
+         std::cerr.imbue(std::locale());
+ 
+-        bindtextdomain (SBUILD_MESSAGE_CATALOGUE, SCHROOT_LOCALE_DIR);
+-        textdomain (SBUILD_MESSAGE_CATALOGUE);
++        //bindtextdomain (SBUILD_MESSAGE_CATALOGUE, SCHROOT_LOCALE_DIR);
++        //textdomain (SBUILD_MESSAGE_CATALOGUE);
+ 
+         typename options_type::ptr opts(new options_type);
+         main_type kit(opts);
+--- ./sbuild/sbuild-feature.h-orig     2019-12-09 04:23:51.881428446 +0100
++++ ./sbuild/sbuild-feature.h  2019-12-09 04:24:14.934887089 +0100
+@@ -24,6 +24,7 @@
+ #include <string>
+ 
+ #include <boost/format.hpp>
++#include <libintl.h>
+ 
+ namespace sbuild
+ {
+--- ./etc/setup.d/20copyfiles-orig     2018-11-03 14:26:12.000000000 +0100
++++ ./etc/setup.d/20copyfiles  2019-12-09 13:56:45.277145648 +0100
+@@ -39,9 +39,9 @@ copy_file()
+         if [ -e "$2" ]; then
+ 
+             # Device and inode
+-            da=$(/usr/bin/stat --format="%d %i" "$1")
++            da=$(/bin/stat --format="%d %i" "$1")
+             # This one can fail since it might not exist yet
+-            db=$(/usr/bin/stat --format="%d %i" "$2" 2>/dev/null || :)
++            db=$(/bin/stat --format="%d %i" "$2" 2>/dev/null || :)
+ 
+             if [ "$da" = "$db" ]; then
+                 COPY="false"
+--- ./etc/setup.d/20nssdatabases-orig  2018-11-03 14:26:12.000000000 +0100
++++ ./etc/setup.d/20nssdatabases       2019-12-09 13:57:34.397419039 +0100
+@@ -29,7 +29,7 @@ set -e
+ dup_nss()
+ {
+     info "Copying $1 database to $2"
+-    getent "$1" > "$2"
++    cat "/etc/$1" > "$2"
+ }
+ 
+ if [ $STAGE = "setup-start" ] || [ $STAGE = "setup-recover" ]; then
+@@ -42,9 +42,9 @@ if [ $STAGE = "setup-start" ] || [ $STAG
+                 fi
+ 
+                 # Device and inode
+-                dr=$(/usr/bin/stat --format="%d %i" "/etc/$db")
++                dr=$(/bin/stat --format="%d %i" "/etc/$db")
+                 # This one can fail since it might not exist yet
+-                dc=$(/usr/bin/stat --format="%d %i" "${CHROOT_PATH}/etc/$db" 2>/dev/null || :)
++                dc=$(/bin/stat --format="%d %i" "${CHROOT_PATH}/etc/$db" 2>/dev/null || :)
+ 
+                 # If the database inside and outside the chroot is the
+                 # same, it's very likely that dup_nss would blank the
+diff -X /home/jmarcet/.rsync-filter -pru ./etc/profile-templates/all/all/nssdatabases ./etc/profile-templates/all/all/nssdatabases
+--- ./etc/profile-templates/all/all/nssdatabases       2018-11-03 14:26:12.000000000 +0100
++++ ./etc/profile-templates/all/all/nssdatabases       2019-12-09 14:03:12.799297723 +0100
+@@ -4,4 +4,4 @@
+ passwd
+ shadow
+-group
+-gshadow
++#group
++#gshadow
+diff -X /home/jmarcet/.rsync-filter -pru ./etc/profile-templates/buildd/all/nssdatabases ./etc/profile-templates/buildd/all/nssdatabases
+--- ./etc/profile-templates/buildd/all/nssdatabases    2018-11-03 14:26:12.000000000 +0100
++++ ./etc/profile-templates/buildd/all/nssdatabases    2019-12-09 14:03:12.802631074 +0100
+@@ -4,4 +4,4 @@
+ passwd
+ shadow
+-group
+-gshadow
++#group
++#gshadow
+diff -X /home/jmarcet/.rsync-filter -pru ./etc/profile-templates/default/all/nssdatabases ./etc/profile-templates/default/all/nssdatabases
+--- ./etc/profile-templates/default/all/nssdatabases   2018-11-03 14:26:12.000000000 +0100
++++ ./etc/profile-templates/default/all/nssdatabases   2019-12-09 14:03:12.809297778 +0100
+@@ -1,4 +1,4 @@
+ services
+ protocols
+-networks
++#networks
+ hosts
+diff -X /home/jmarcet/.rsync-filter -pru ./etc/profile-templates/desktop/all/nssdatabases ./etc/profile-templates/desktop/all/nssdatabases
+--- ./etc/profile-templates/desktop/all/nssdatabases   2018-11-03 14:26:12.000000000 +0100
++++ ./etc/profile-templates/desktop/all/nssdatabases   2019-12-09 14:03:12.812631129 +0100
+@@ -1,4 +1,4 @@
+ services
+ protocols
+-networks
++#networks
+ hosts
+diff -X /home/jmarcet/.rsync-filter -pru ./etc/profile-templates/default/linux/fstab ./etc/profile-templates/default/linux/fstab
+--- ./etc/profile-templates/default/linux/fstab        2018-11-03 14:26:12.000000000 +0100
++++ ./etc/profile-templates/default/linux/fstab        2019-12-09 14:18:46.970887080 +0100
+@@ -7,7 +7,7 @@
+ # to run additional services in the chroot.  However, note that this
+ # may potentially cause undesirable behaviour on upgrades, such as
+ # killing services on the host.
+-#/run           /run            none    rw,bind         0       0
++/run           /run            none    rw,bind         0       0
+ #/run/lock      /run/lock       none    rw,bind         0       0
+-#/dev/shm       /dev/shm        none    rw,bind         0       0
+-#/run/shm       /run/shm        none    rw,bind         0       0
++/tmp/shm       /dev/shm        none    rw,bind         0       0
++/tmp/shm       /run/shm        none    rw,bind         0       0
+diff -X /home/jmarcet/.rsync-filter -pru ./etc/profile-templates/desktop/linux/fstab ./etc/profile-templates/desktop/linux/fstab
+--- ./etc/profile-templates/desktop/linux/fstab        2018-11-03 14:26:12.000000000 +0100
++++ ./etc/profile-templates/desktop/linux/fstab        2019-12-09 14:22:14.148555674 +0100
+@@ -12,7 +12,7 @@
+ # to run additional services in the chroot.  However, note that this
+ # may potentially cause undesirable behaviour on upgrades, such as
+ # killing services on the host.
+-#/run           /run            none    rw,bind         0       0
++/run           /run            none    rw,bind         0       0
+ #/run/lock      /run/lock       none    rw,bind         0       0
+-#/dev/shm       /dev/shm        none    rw,bind         0       0
+-#/run/shm       /run/shm        none    rw,bind         0       0
++/tmp/shm       /dev/shm        none    rw,bind         0       0
++/tmp/shm       /run/shm        none    rw,bind         0       0