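{% extends "base" %}
{%- block body %}
#+{{pkg_install_name("busybox")}}
#+{{pkg_install_name("busybox-diffutils")}}
#+{{pkg_install_name("busybox-login")}}
#+{{pkg_install_name("execline")}}
#+{{pkg_install_name("s6")}}
#+{{pkg_install_name("ccx-utils")}}
#+{{pkg_install_name("applyuidgid-caps")}}
#+{{pkg_install_name("easyseccomp")}}
#+{{pkg_install_name("mlog")}}
#@sha256:{{files["default-policy.easyseccomp"]}}:default-policy.easyseccomp

# Assemble the container's flat bin image: one directory holding the compiled
# seccomp filters plus a copy of every command found in the first PATH entry
# (the build-dependency bin dir), with argv0 aliases expressed as symlinks.
img="$pthbs_destdir{{versions}}/$pthbs_package/container-bin-image"
mkdir -p "$img"

# Compile the policy into BPF filters.  Every variant is built from the same
# source file; the -d defines presumably switch on the named extra allowance
# inside the policy (confirm against default-policy.easyseccomp).  Keeping one
# source for all variants means the "default" filter is the strictest one and
# each relaxation is explicit in its file name.
easyseccomp -i default-policy.easyseccomp -o "$img/seccomp-default.bpf"
easyseccomp -i default-policy.easyseccomp -d ALLOW_PTRACE -o "$img/seccomp-ptrace.bpf"
easyseccomp -i default-policy.easyseccomp -d ALLOW_SECCOMP -d ALLOW_LANDLOCK -o "$img/seccomp-build.bpf"
easyseccomp -i default-policy.easyseccomp -d ALLOW_PTRACE -d ALLOW_SETUID_SETGID -o "$img/seccomp-xpra.bpf"
easyseccomp -i default-policy.easyseccomp -d ALLOW_SETUID_SETGID -o "$img/seccomp-setuidgid.bpf"

# Everything below works relative to the image dir.  Abort if the cd fails so
# a broken destdir never makes us populate (or smoke-test) the build cwd.
cd "$img" || exit 1

# Print a fatal diagnostic (same "fatal: ..." wording as before) and abort.
fatal() {
    printf "fatal: %s\n" "$1"
    exit 1
}

# Pass 1: canonical binaries.  An entry whose own name equals the basename of
# its resolved target is the real command; copy it exactly once.  A file of
# that name already in the image means two entries would overwrite each other,
# which is treated as fatal rather than silently picking a winner.
for cmd in "${PATH%%:*}"/*; do
    rp=$(realpath "$cmd")
    base=$(basename "$rp")
    # both sides quoted: an empty or whitespace-bearing basename must not
    # change the arity of test(1)
    if test "$base" = "${cmd##*/}"; then
        if test -e "./$base"; then
            fatal "duplicate command file: '$base'"
        fi
        # -p keeps mode bits and timestamps of the source binary
        cp -p "$rp" ./
    fi
done

# Pass 2: argv0 aliases.  An entry whose name differs from its target's
# basename is an alias; the target is copied if pass 1 did not already bring
# it in, then the alias is created as a relative symlink so the image stays
# relocatable.
for cmd in "${PATH%%:*}"/*; do
    rp=$(realpath "$cmd")
    base=$(basename "$rp")
    if test "$base" != "${cmd##*/}"; then
        if test -f "./$base"; then
            # A same-named file may have come from a *different* target
            # (two PATH entries resolving to distinct files that share a
            # basename).  Linking the alias at it would silently run the
            # wrong binary under that name, so require a byte-identical
            # copy.  cmp comes from busybox-diffutils, listed above.
            cmp -s "$rp" "./$base" || fatal "alias '${cmd##*/}' resolves to '$rp', which differs from already-copied './$base'"
        else
            cp -p "$rp" ./
        fi
        ln -s "./$base" "./${cmd##*/}"
    fi
done

# The commands the rest of the image depends on must be present and
# executable.  seccomp-run and true are included because the smoke test
# below needs them; listing them here gives a clear message instead of a
# bare "not found" from the shell.
for cmd in if busybox umount chpst spawn-pty ptsname applyuidgid-caps seccomp-run true; do
    if ! test -x "./$cmd"; then
        fatal "expected command not found: '$cmd'"
    fi
done

# Smoke test: the image's own true(1) must run both bare and under the
# default filter; a default policy that rejects a trivial program would
# make the image unusable.  The explicit fallback to fatal keeps a failure
# from being masked even if the base template does not run with set -e.
./true || fatal "smoke test failed: ./true"
./seccomp-run ./seccomp-default.bpf ./true || fatal "smoke test failed: ./true under seccomp-default.bpf"

# Marker consumed by the pthbs install step (presumably signals that the
# package's links should be installed - verify against the base template).
touch "$pthbs_destdir{{versions}}/$pthbs_package/.install-links"
{% endblock %}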