mrrl

Minimal Reliable Reproducible Linux
git clone https://ccx.te2000.cz/git/mrrl

commit 1002310afe7aefe2073febc47e4080cad20834be
parent 1b6ced6c983122ce2b131ed3fa60499b1f771192
Author: Jan Pobrislo <ccx@te2000.cz>
Date:   Mon,  8 Dec 2025 04:34:41 +0000

Namespace sandbox for root

Diffstat:
Mcommitlist.sha1 | 1+
Mfilelist.sha256 | 2+-
Mfiles/sandbox-rootns.in | 94++++++++++++++++++++++++++++++++++++++++++++++---------------------------------
Mtemplates/pkg/pthbs-sandbox-rootns | 30+++++++++++++++++++++++-------
Mtemplates/pkg/sandbox_rootfs | 3++-
Mvariants/ccx-x86_64/lnstools:bootstrap | 2+-
Mvariants/ccx-x86_64/pthbs-sandbox-rootns | 36++++++++++++++++++++++++++----------
Mvariants/ccx-x86_64/sandbox_rootfs | 2+-
Mvariants/ccx-x86_64/sandbox_rootns.environment | 8++++----
Mvariants/root-x86_64/lnstools:bootstrap | 2+-
Mvariants/root-x86_64/pthbs-sandbox-rootns | 36++++++++++++++++++++++++++----------
Mvariants/root-x86_64/sandbox_rootfs | 2+-
Mvariants/root-x86_64/sandbox_rootns.environment | 8++++----
13 files changed, 146 insertions(+), 80 deletions(-)

diff --git a/commitlist.sha1 b/commitlist.sha1
@@ -1772,6 +1772,7 @@ b80c36da9d70158f9a38cfb9af9bb58a323a5796 sources/libelf
 cf90fc56dcb91d473a08582239bfdf941ef1e10b sources/libelf
 e12821ffb205f41fa8319ad109762a06e121c141 sources/libelf
 fd2af33bd4b64be5221116f85dcf4cd220eb9a1c sources/libelf
+268faa95dd5b1470643e69dd575b8b121a5bd5df sources/lnstools
 7fbfb934cdaa187a063a4df41498c06c46d4a6a9 sources/lnstools
 409db79b3e7e5fc6b73305471d9bbb6ac5c14036 sources/logincaps
 41039418205b48bda59372fb7c49453852853e8a sources/logincaps
diff --git a/filelist.sha256 b/filelist.sha256
@@ -98,7 +98,7 @@ ff3ddd131d73fee6838b11a6c4773bdb85c5f60fdd4b9ac4120ced021c341417 files/noobjtoo
 c7d3e7ef077d7673567d2f0c34ba2ebd689dab1250286ab482a3064c73ff7d7c files/s6_clone_newpid.patch.old
 64488d8562a4e98a3b299f095bb2550cff6a3d743dc2b9c5aaeea03e5b83ec33 files/s6_ftrigr_max.patch
 df0c24312e4941b1035a6292504fbf569f0f8b81b083835d7df84586decef25c files/sandbox-rootns-python.in
-dd1170523688a25b8d8256b0677db6350d7a83791c4cc793e308bb586d6b6643 files/sandbox-rootns.in
+fb69a8edf20b3018c70dfea0a28924da229b9f43bcb4f3cdcf412a2821e32df3 files/sandbox-rootns.in
 37d93db7135d47852dbe763f1b18b3aeab142431a6f5268a17fc700387a326e4 files/strace-6.5-static.patch
 07c3c30dab68c905d5608124e729592a30b2c087f24e7b76940f5321786128b1 files/update-links
 664430d033e0b491a5ed90cb39cb17cddb57ac0be9f3f2bf014264f3c17d55df files/user-env
diff --git a/files/sandbox-rootns.in b/files/sandbox-rootns.in
@@ -1,12 +1,12 @@
 #!shebang:execlineb -S0
 elquote:multisubstitute {
- importas -iuS sandbox_pthbs_versions
- importas -iuS sandbox_pthbs_workdir
- importas -iuS sandbox_pthbs_pkgdir
- importas -iuS sandbox_workdir
- importas -iuS sandbox_envdir
- importas -iuS pthbs_uid
- importas -iuS pthbs_gid
+ elquote:importas -iuS sandbox_pthbs_versions
+ elquote:importas -iuS sandbox_pthbs_workdir # this is the general work/ directory
+ elquote:importas -iuS sandbox_pthbs_pkgdir
+ elquote:importas -iuS sandbox_workdir # this is job-specific subdirectory of work/
+ elquote:importas -iuS sandbox_envdir
+ elquote:importas -iuS pthbs_uid
+ elquote:importas -iuS pthbs_gid
 }
 elquote:if {
 elquote:mkdir -p
@@ -14,42 +14,58 @@ ${sandbox_workdir}/.tmp ${sandbox_workdir}/.shm } -lns-pidns -unshare -m -u -i # new mount, UTS and IPC namespaces -umask 0 -lns-tmpfs-chroot ${sandbox_pthbs_workdir}/root { - tar xpf elquote:root.tar +elquote:lns-pidns +elquote:unshare -m -u -i # new mount, UTS and IPC namespaces +elquote:umask 0 +elquote:lns-tmpfs-chroot ${sandbox_pthbs_workdir}/root { + elquote:if { + elquote:mkdir -p ./dev/shm ./tmp + } + elquote:if { + elquote:mount -o rbind ${sandbox_workdir}/.shm ./dev/shm + } + elquote:if { + elquote:mount -o rbind ${sandbox_workdir}/.tmp ./tmp + } } -cd ${sandbox_pthbs_workdir}/root +elquote:cd ${sandbox_pthbs_workdir}/root -if { - mkdir -p .${sandbox_pthbs_versions} +elquote:if { # /versions + elquote:mkdir -p .${sandbox_pthbs_versions} } -if { - elquote:mount -o rbind ${sandbox_pthbs_versions} .${sandbox_pthbs_versions} +elquote:if { + elquote:mount -o ro,rbind ${sandbox_pthbs_versions} .${sandbox_pthbs_versions} +} +elquote:if { + elquote:mount -o ro,remount .${sandbox_pthbs_versions} +} + +# --extra-mount=tmpfs:${sandbox_pthbs_workdir} + +elquote:if { # mrrl/variants/pkgdir + elquote:mkdir -p .${sandbox_pthbs_pkgdir} +} +elquote:if { + elquote:mount -o ro,rbind ${sandbox_pthbs_pkgdir} .${sandbox_pthbs_pkgdir} +} +elquote:if { + elquote:mount -o ro,remount .${sandbox_pthbs_pkgdir} +} + +elquote:if { # mrrl/work/builddir.1234 + elquote:mkdir -p .${sandbox_workdir} +} +elquote:if { + elquote:mount -o rw,rbind ${sandbox_workdir} .${sandbox_workdir} } -exit 123 # TODO: rest of the script -pivot_and_umount(r, r / 'oldroot', to_umount) -os.setgid(gid) -os.setuid(uid) -os.chdir(settings.chdir) -umask 022 -exec_command(settings.command) +elquote:if { + elquote:tar xpf elquote:root.tar +} -export LNS_ROOT ${sandbox_pthbs_workdir}/root -lns-mount-chroot -} -lns-mounts-to-env -${pthbs_cache}/venv/bin/python ${pthbs_source}/sandbox/ns_sandbox.py ---mode=root ---untar=elquote:root.tar ---chdir=${sandbox_workdir} 
---versions=${sandbox_pthbs_versions} ---extra-mount=tmpfs:${sandbox_pthbs_workdir} ---extra-mount=ro_bind:${sandbox_pthbs_pkgdir}:${sandbox_pthbs_pkgdir} ---extra-mount=rw_bind:${sandbox_workdir}:${sandbox_workdir} ---extra-mount=rw_bind:${sandbox_workdir}/.tmp:/tmp --- -${sandbox_pthbs_workdir}/root +elquote:umask 022 +elquote:export UID $pthbs_uid +elquote:export GID $pthbs_gid +elquote:export GIDLIST $pthbs_gid +elquote:lns-lockdown -U "" -C ${sandbox_workdir} . ./mnt/oldroot $@ diff --git a/templates/pkg/pthbs-sandbox-rootns b/templates/pkg/pthbs-sandbox-rootns 
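Review bot: In files/sandbox-rootns.in the added `elquote:mount -o ro,remount .${sandbox_pthbs_versions}` (and the matching line for `.${sandbox_pthbs_pkgdir}`) omits `bind`, so the remount targets the filesystem's superblock rather than the bind mount created in the new mount namespace; depending on what else has that filesystem open it either fails or turns it read-only for every mount of it, the host's included. A per-mount remount would read `elquote:mount -o remount,bind,ro .${sandbox_pthbs_versions}`. Because the binds are `rbind`, any submounts below those paths are copied in and keep their own flags after a non-recursive remount, which deserves a comment if submounts are expected there. Separately, `elquote:umask 0` is in effect for every following `mkdir -p`, so `./dev` and the parent directories of the mount points in the tmpfs root appear to be created mode 0777 and would stay writable after the uid/gid drop that the `UID`/`GID` exports suggest; moving `elquote:umask 022` ahead of those mkdirs would avoid that unless lns-tmpfs-chroot needs the open umask.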
@@ -16,30 +16,46 @@ exe_name=sandbox-rootns # busybox prog_mkdir=$(which mkdir) +prog_mount=$(which mount) +prog_tar=$(which tar) +prog_unshare=$(which unshare) # execline +prog_cd=$(which cd) prog_execlineb=$(which execlineb) -prog_multisubstitute=$(which multisubstitute) +prog_export=$(which export) prog_if=$(which if) +prog_importas=$(which importas) +prog_multisubstitute=$(which multisubstitute) +prog_umask=$(which umask) # lnstools -prog_lns_lockdown=$(which lns-lockdown) -prog_lns_envuidgid=$(which lns-envuidgid) prog_lns_applyuidgid=$(which lns-applyuidgid) +prog_lns_envuidgid=$(which lns-envuidgid) +prog_lns_lockdown=$(which lns-lockdown) prog_lns_pidns=$(which lns-pidns) +prog_lns_tmpfs_chroot=$(which lns-tmpfs-chroot) rootfs="$pthbs_build_environment/pthbs/sandbox/root.tar" awk -f ./abspaths.awk ./${exe_name}.in >./${exe_name} \ root.tar="$rootfs" \ mkdir="$prog_mkdir" \ + mount="$prog_mount" \ + tar="$prog_tar" \ + unshare="$prog_unshare" \ + cd="$prog_cd" \ execlineb="$prog_execlineb" \ - multisubstitute="$prog_multisubstitute" \ + export="$prog_export" \ if="$prog_if" \ - lns-lockdown="$prog_lns_lockdown" \ - lns-envuidgid="$prog_lns_envuidgid" \ + importas="$prog_importas" \ + multisubstitute="$prog_multisubstitute" \ + umask="$prog_umask" \ lns-applyuidgid="$prog_lns_applyuidgid" \ - lns-pidns="$prog_lns_pidns" + lns-envuidgid="$prog_lns_envuidgid" \ + lns-lockdown="$prog_lns_lockdown" \ + lns-pidns="$prog_lns_pidns" \ + lns-tmpfs-chroot="$prog_lns_tmpfs_chroot" \ install -d "$dest/pthbs/sandbox" install -t "$dest/pthbs/sandbox" ./${exe_name} diff --git a/templates/pkg/sandbox_rootfs b/templates/pkg/sandbox_rootfs @@ -12,7 +12,8 @@ #@sha256:{{ files["argv0exec.c"] }}:argv0exec.c {%- endblock package_deps -%} {% block build -%} -mkdir -p root/bin root/dev root/proc +{# mkdir -p root/dev root/proc -#} +mkdir -p root/bin root/mnt/oldroot ln -v -s bin root/sbin ln -v -s . root/usr 
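Review bot: In templates/pkg/pthbs-sandbox-rootns the new `prog_*=$(which …)` assignments are handed to abspaths.awk without checking that `which` found anything, so a tool missing from PATH would be substituted as an empty path in a script that sets up mounts as root (unless the build runs under `set -e`, which is not visible in this hunk). A guard after the assignments such as `[ -n "$prog_mount" ] || exit 1` per tool, or a small loop over the names, makes the build fail instead. `cd`, `export` and `umask` are also shell builtins, so a comment that the execline binaries are what `which` is expected to resolve here would help the next reader. The last awk argument `lns-tmpfs-chroot="$prog_lns_tmpfs_chroot" \` now ends in a continuation backslash; if the line that follows is not blank, `install -d` would be appended to the awk command line.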
diff --git a/variants/ccx-x86_64/lnstools:bootstrap b/variants/ccx-x86_64/lnstools:bootstrap
@@ -7,7 +7,7 @@
 #+skalibs.6fc6ef7789fd250fa44993a2c24dff3aeda14cf8886b0d6644d95a67b1579de9
 #+execline.97dcd338d1cd526ffe28a8cbb05849056cb77d98f2ba70113cf1197c070caf98
 #+libcap.b93516bd8ead46e80368c35df18e3f88afab6d5a4a82a6f766aa5c6bcb4ec025
-#@git:7fbfb934cdaa187a063a4df41498c06c46d4a6a9:lnstools
+#@git:268faa95dd5b1470643e69dd575b8b121a5bd5df:lnstools
 # - build script start -
diff --git a/variants/ccx-x86_64/pthbs-sandbox-rootns b/variants/ccx-x86_64/pthbs-sandbox-rootns
@@ -3,10 +3,10 @@
 #+busybox.d2459d82c53bbacce6fbdbf272b9caf844835248a72c6c2cdf8525229786b23f
 #+nawk.e751b8be76a2fb59a2fe374e1f55c7da47b14ef1154eb8614d12107e6d68e88d
 #+execline.97dcd338d1cd526ffe28a8cbb05849056cb77d98f2ba70113cf1197c070caf98
-#+lnstools.035f5c468ed643be121e402344e97e382d727b8920431390188209db9a46e468
-#+sandbox_rootfs.c754565b2f3b79d926cba67ebe2de66cba1f69a1e77e09ff1834ee48597ecf80
+#+lnstools.a887d561a99b6fc9e5969e9a962cca806a0d2246acd8aec7db7c5781b13d5075
+#+sandbox_rootfs.c0bb1b67393bb1c9ad4d66cd210409db15205c02b56626c3872365c0f37d88ad
 #@sha256:b85634a91129f85a5aad5cae51d4084dd7ce62544b5585f0899058576c16451f:abspaths.awk
-#@sha256:dd1170523688a25b8d8256b0677db6350d7a83791c4cc793e308bb586d6b6643:sandbox-rootns.in
+#@sha256:fb69a8edf20b3018c70dfea0a28924da229b9f43bcb4f3cdcf412a2821e32df3:sandbox-rootns.in
 # - build script start -
@@ -19,30 +19,46 @@ exe_name=sandbox-rootns # busybox prog_mkdir=$(which mkdir) +prog_mount=$(which mount) +prog_tar=$(which tar) +prog_unshare=$(which unshare) # execline +prog_cd=$(which cd) prog_execlineb=$(which execlineb) -prog_multisubstitute=$(which multisubstitute) +prog_export=$(which export) prog_if=$(which if) +prog_importas=$(which importas) +prog_multisubstitute=$(which multisubstitute) +prog_umask=$(which umask) # lnstools -prog_lns_lockdown=$(which lns-lockdown) -prog_lns_envuidgid=$(which lns-envuidgid) prog_lns_applyuidgid=$(which lns-applyuidgid) +prog_lns_envuidgid=$(which lns-envuidgid) +prog_lns_lockdown=$(which lns-lockdown) prog_lns_pidns=$(which lns-pidns) +prog_lns_tmpfs_chroot=$(which lns-tmpfs-chroot) rootfs="$pthbs_build_environment/pthbs/sandbox/root.tar" awk -f ./abspaths.awk ./${exe_name}.in >./${exe_name} \ root.tar="$rootfs" \ mkdir="$prog_mkdir" \ + mount="$prog_mount" \ + tar="$prog_tar" \ + unshare="$prog_unshare" \ + cd="$prog_cd" \ execlineb="$prog_execlineb" \ - multisubstitute="$prog_multisubstitute" \ + export="$prog_export" \ if="$prog_if" \ - lns-lockdown="$prog_lns_lockdown" \ - lns-envuidgid="$prog_lns_envuidgid" \ + importas="$prog_importas" \ + multisubstitute="$prog_multisubstitute" \ + umask="$prog_umask" \ lns-applyuidgid="$prog_lns_applyuidgid" \ - lns-pidns="$prog_lns_pidns" + lns-envuidgid="$prog_lns_envuidgid" \ + lns-lockdown="$prog_lns_lockdown" \ + lns-pidns="$prog_lns_pidns" \ + lns-tmpfs-chroot="$prog_lns_tmpfs_chroot" \ install -d "$dest/pthbs/sandbox" install -t "$dest/pthbs/sandbox" ./${exe_name} diff --git a/variants/ccx-x86_64/sandbox_rootfs b/variants/ccx-x86_64/sandbox_rootfs @@ -22,7 +22,7 @@ dest=${pthbs_destdir%/}${prefix} cd '.' -mkdir -p root/bin root/dev root/proc +mkdir -p root/bin root/mnt/oldroot ln -v -s bin root/sbin ln -v -s . root/usr diff --git a/variants/ccx-x86_64/sandbox_rootns.environment b/variants/ccx-x86_64/sandbox_rootns.environment 
@@ -1,4 +1,4 @@
 #!/usr/bin/env pthbs-build
-#+lnstools.035f5c468ed643be121e402344e97e382d727b8920431390188209db9a46e468
-#+sandbox_rootfs.c754565b2f3b79d926cba67ebe2de66cba1f69a1e77e09ff1834ee48597ecf80
-#+pthbs-sandbox-rootns.78b8c92fa7a2c1adfa4cebdb5ece470ce1c11b56e32257e09c354cd3b48507b8-
\ No newline at end of file
+#+lnstools.a887d561a99b6fc9e5969e9a962cca806a0d2246acd8aec7db7c5781b13d5075
+#+sandbox_rootfs.c0bb1b67393bb1c9ad4d66cd210409db15205c02b56626c3872365c0f37d88ad
+#+pthbs-sandbox-rootns.c3336b2aa6df48b6842e06085c9499d9de47336adcd7a0c2f66bd1ceb52e5c8d+
\ No newline at end of file
diff --git a/variants/root-x86_64/lnstools:bootstrap b/variants/root-x86_64/lnstools:bootstrap
@@ -7,7 +7,7 @@
 #+skalibs.894b810290c1c41e6115b0ab7fe9264c77096f7c8831e7073e12f60a58825b19
 #+execline.0eb0935639ed55b8948221824f1af13a1df21af537b12b7405e3bcf9441be47a
 #+libcap.694c788eed0aa82c02dd1f4150b1c8dcfcba50ffb61afb794b6269e90601a747
-#@git:7fbfb934cdaa187a063a4df41498c06c46d4a6a9:lnstools
+#@git:268faa95dd5b1470643e69dd575b8b121a5bd5df:lnstools
 # - build script start -
diff --git a/variants/root-x86_64/pthbs-sandbox-rootns b/variants/root-x86_64/pthbs-sandbox-rootns
@@ -3,10 +3,10 @@
 #+busybox.3dcaebb29d41a6922a969e285bb6fb556acdb34572e22917fb71c0420c060a4f
 #+nawk.f693cc9a360afa00381350243fad82275ec5781c1916597df5ee0072912dea37
 #+execline.0eb0935639ed55b8948221824f1af13a1df21af537b12b7405e3bcf9441be47a
-#+lnstools.e1272e557f8cb1824ad7b24aac76853ee9bb4665bbbd3be68fa3f29f8ece6f79
-#+sandbox_rootfs.0d57174a2594ff5b4c1d819961157f72d217387bbe8cd27056e082b6002676df
+#+lnstools.c43706cb2c2b3a200aafb3850fa845eeee8da9deda3065e56188c4bc5c1fdab7
+#+sandbox_rootfs.da56a3e9eb268605ab40d9a659cef6ae8381c4e1bb32fff6e71db1057cf0544a
 #@sha256:b85634a91129f85a5aad5cae51d4084dd7ce62544b5585f0899058576c16451f:abspaths.awk
-#@sha256:dd1170523688a25b8d8256b0677db6350d7a83791c4cc793e308bb586d6b6643:sandbox-rootns.in
+#@sha256:fb69a8edf20b3018c70dfea0a28924da229b9f43bcb4f3cdcf412a2821e32df3:sandbox-rootns.in
 # - build script start -
@@ -19,30 +19,46 @@ exe_name=sandbox-rootns # busybox prog_mkdir=$(which mkdir) +prog_mount=$(which mount) +prog_tar=$(which tar) +prog_unshare=$(which unshare) # execline +prog_cd=$(which cd) prog_execlineb=$(which execlineb) -prog_multisubstitute=$(which multisubstitute) +prog_export=$(which export) prog_if=$(which if) +prog_importas=$(which importas) +prog_multisubstitute=$(which multisubstitute) +prog_umask=$(which umask) # lnstools -prog_lns_lockdown=$(which lns-lockdown) -prog_lns_envuidgid=$(which lns-envuidgid) prog_lns_applyuidgid=$(which lns-applyuidgid) +prog_lns_envuidgid=$(which lns-envuidgid) +prog_lns_lockdown=$(which lns-lockdown) prog_lns_pidns=$(which lns-pidns) +prog_lns_tmpfs_chroot=$(which lns-tmpfs-chroot) rootfs="$pthbs_build_environment/pthbs/sandbox/root.tar" awk -f ./abspaths.awk ./${exe_name}.in >./${exe_name} \ root.tar="$rootfs" \ mkdir="$prog_mkdir" \ + mount="$prog_mount" \ + tar="$prog_tar" \ + unshare="$prog_unshare" \ + cd="$prog_cd" \ execlineb="$prog_execlineb" \ - multisubstitute="$prog_multisubstitute" \ + export="$prog_export" \ if="$prog_if" \ - lns-lockdown="$prog_lns_lockdown" \ - lns-envuidgid="$prog_lns_envuidgid" \ + importas="$prog_importas" \ + multisubstitute="$prog_multisubstitute" \ + umask="$prog_umask" \ lns-applyuidgid="$prog_lns_applyuidgid" \ - lns-pidns="$prog_lns_pidns" + lns-envuidgid="$prog_lns_envuidgid" \ + lns-lockdown="$prog_lns_lockdown" \ + lns-pidns="$prog_lns_pidns" \ + lns-tmpfs-chroot="$prog_lns_tmpfs_chroot" \ install -d "$dest/pthbs/sandbox" install -t "$dest/pthbs/sandbox" ./${exe_name} diff --git a/variants/root-x86_64/sandbox_rootfs b/variants/root-x86_64/sandbox_rootfs @@ -22,7 +22,7 @@ dest=${pthbs_destdir%/}${prefix} cd '.' -mkdir -p root/bin root/dev root/proc +mkdir -p root/bin root/mnt/oldroot ln -v -s bin root/sbin ln -v -s . root/usr diff --git a/variants/root-x86_64/sandbox_rootns.environment b/variants/root-x86_64/sandbox_rootns.environment 
@@ -1,4 +1,4 @@
 #!/usr/bin/env pthbs-build
-#+lnstools.e1272e557f8cb1824ad7b24aac76853ee9bb4665bbbd3be68fa3f29f8ece6f79
-#+sandbox_rootfs.0d57174a2594ff5b4c1d819961157f72d217387bbe8cd27056e082b6002676df
-#+pthbs-sandbox-rootns.745320039bda82045b29b13914c0b41c7a45e2b414b54d017db25410830a7091-
\ No newline at end of file
+#+lnstools.c43706cb2c2b3a200aafb3850fa845eeee8da9deda3065e56188c4bc5c1fdab7
+#+sandbox_rootfs.da56a3e9eb268605ab40d9a659cef6ae8381c4e1bb32fff6e71db1057cf0544a
+#+pthbs-sandbox-rootns.8b798f42b51f0308dd19c8365caf688f6a36456dd4f414f59d8e2a1e3723ed62+
\ No newline at end of file