Mirror/pmbootstrap
1
0
Fork 1
mirror of https://gitlab.postmarketos.org/postmarketOS/pmbootstrap.git synced 2025-07-13 11:29:46 +03:00
Code Issues Wiki Activity
pmbootstrap/pmbootstrap.py
Casey Connolly be5e18cf99
unshare binfmt 
Rework how we handle binfmt_misc so it will work inside a user
namespace.

* Use a custom mountpoint (only accessible inside the mount namespace),
  this is the crux of the change, allowing us to mount it as non-root
  and avoid messing with any host configs too!
* No longer explicitly modprobe binfmt_misc, any modern system should
  probe it automatically when we try to mount it... I think so anyways
  heh

Signed-off-by: Casey Connolly <kcxt@postmarketos.org>
2025-05-30 21:29:27 +02:00

46 lines
1.3 KiB
Python
Executable file
Raw Blame History

#!/usr/bin/env python3
# -*- encoding: UTF-8 -*-
# Copyright 2023 Oliver Smith
# SPDX-License-Identifier: GPL-3.0-or-later
# PYTHON_ARGCOMPLETE_OK
import sys
import pmb
import os
from pmb.init import sandbox
original_uid = os.geteuid()
sandbox.acquire_privileges(become_root=False)
# Unshare mount namespace
sandbox.unshare(sandbox.CLONE_NEWNS)
# sandbox.seccomp_suppress(chown=True)
# print("Caps: ")
# with open("/proc/self/status", "rb") as f:
# for line in f.readlines():
# if line.startswith(b"CapEff:"):
# print(line)
# print(f"cap_sys_admin: {sandbox.have_effective_cap(sandbox.CAP_SYS_ADMIN)}")
# print(f"single user: {sandbox.userns_has_single_user()}")
# We set up a very basic mount environment, where we just bind mount the host
# rootfs in. We can extend this in the future to isolate the pmb workdir but
# for now this is enough.
fsops = [
sandbox.BindOperation(
"/",
"/",
readonly=False,
required=True,
relative=False,
),
# Mount binfmt_misc at /tmp/pmb_binfmt_misc
sandbox.BinfmtOperation(pmb.config.binfmt_misc),
]
sandbox.setup_mounts(fsops)
# A convenience wrapper for running pmbootstrap from the git repository. This
# script is not part of the python packaging, so don't add more logic here!
if __name__ == "__main__":
sys.exit(pmb.main(original_uid=original_uid))
Reference in a new issue View git blame Copy permalink