Move remaining assembly privilege paths behind scripts

2026-04-13 08:55:52 +02:00
parent 52808502ef
commit 56a335b624
3 changed files with 69 additions and 26 deletions
+7 -3
@@ -301,6 +301,9 @@ Current progress:
- install-time storage layout application is now executed as a rendered
privileged helper script under that policy instead of many scattered host-side
privileged calls
- remaining image resize and raw-file install attach/detach paths now also run
through dedicated assembly privileged helper scripts, further shrinking the
host-side privileged call surface
- network is disabled by default in these jailed paths
- union assembly mounts are now much smaller and omit host `/etc` and `devfs`
- direct block-device `system install` is now an explicit opt-in under the
@@ -308,9 +311,10 @@ Current progress:
Next likely steps:
- keep shrinking the privileged surface for image / installer / ISO assembly
- decide whether some remaining host-side image construction steps should move
behind a more explicit dedicated privileged helper or runner
- keep pushing filesystem/image construction toward file-backed or jailed helper
paths where practical
- decide whether any remaining assembly-time host assumptions should move behind
an even narrower dedicated helper or runner boundary
## Runtime / development / build separation
+59 -23
@@ -1065,9 +1065,9 @@
(installer-root-partition-label . ,installer-root-partition-label)
(target-install . ,target-install-spec))))
(define image-builder-version "5")
(define image-builder-version "6")
(define install-builder-version "5")
(define installer-image-builder-version "6")
(define installer-image-builder-version "7")
(define installer-iso-builder-version "7")
(define* (operating-system-install-storage-layout os
@@ -1431,22 +1431,24 @@
(define* (resize-gpt-image image disk-capacity
#:key
(privileged-policy (default-assembly-privileged-policy)))
(privileged-policy (default-assembly-privileged-policy))
metadata-file)
(when disk-capacity
(run-command "truncate" "-s" disk-capacity image)
(let ((md (assembly-privileged-command-output privileged-policy
'mdconfig-attach
"mdconfig" "-a" "-t" "vnode" "-f" image)))
(dynamic-wind
(lambda () #t)
(lambda ()
(run-assembly-privileged-command privileged-policy
'gpart-recover
"gpart" "recover" (string-append "/dev/" md)))
(lambda ()
(run-assembly-privileged-command privileged-policy
'mdconfig-detach
"mdconfig" "-d" "-u" (string-drop md 2)))))))
(run-assembly-privileged-script
privileged-policy
"fruix-image-resize"
(string-append
"#!/bin/sh\n"
"set -eu\n"
"md=$(mdconfig -a -t vnode -f " (shell-quote image) ")\n"
"cleanup() {\n"
" mdconfig -d -u \"${md#md}\" >/dev/null 2>&1 || true\n"
"}\n"
"trap cleanup EXIT\n"
"gpart recover \"/dev/${md}\"\n")
#:operations '(mdconfig-attach gpart-recover mdconfig-detach)
#:metadata-file metadata-file)))
(define* (install-operating-system os
#:key
@@ -1506,15 +1508,19 @@
(staging-metadata-relative-root "/var/lib/fruix/system/install/metadata")
(assembly-privileged-policy-path
(string-append staging-metadata-relative-root "/assembly-privileged-policy.scm"))
(raw-target-attach-metadata-path
(string-append staging-metadata-relative-root "/raw-target-attach.scm"))
(rootfs-populate-metadata-path (string-append staging-metadata-relative-root "/rootfs-populate.scm"))
(storage-apply-metadata-path (string-append staging-metadata-relative-root "/storage-apply.scm"))
(rootfs-copy-metadata-path (string-append staging-metadata-relative-root "/rootfs-copy.scm"))
(store-copy-metadata-path (string-append staging-metadata-relative-root "/store-copy.scm"))
(assembly-privileged-policy-file (string-append rootfs assembly-privileged-policy-path))
(rootfs-populate-metadata-file (string-append rootfs rootfs-populate-metadata-path))
(raw-target-attach-metadata-temp-file (string-append build-root "/raw-target-attach.scm"))
(storage-apply-metadata-temp-file (string-append build-root "/storage-apply.scm"))
(rootfs-copy-metadata-temp-file (string-append build-root "/rootfs-copy.scm"))
(store-copy-metadata-temp-file (string-append build-root "/store-copy.scm"))
(target-md-file (string-append build-root "/target.md"))
(target-device #f)
(target-md #f)
(effective-storage-layout #f)
@@ -1539,11 +1545,24 @@
(mkdir-p (dirname target))
(delete-path-if-exists target)
(run-command "truncate" "-s" disk-capacity target)
(let ((md (assembly-privileged-command-output privileged-policy
'mdconfig-attach
"mdconfig" "-a" "-t" "vnode" "-f" target)))
(set! target-md md)
(set! target-device (string-append "/dev/" md))))
(run-assembly-privileged-script
privileged-policy
"fruix-install-target-attach"
(string-append
"#!/bin/sh\n"
"set -eu\n"
"md=$(mdconfig -a -t vnode -f " (shell-quote target) ")\n"
"printf '%s\\n' \"$md\" > " (shell-quote target-md-file) "\n")
#:operations '(mdconfig-attach)
#:metadata-file raw-target-attach-metadata-temp-file)
(let ((md-lines (read-lines target-md-file)))
(unless (pair? md-lines)
(error "raw-file target attach helper did not record md device"
target
target-md-file))
(let ((md (car md-lines)))
(set! target-md md)
(set! target-device (string-append "/dev/" md)))))
((block-device)
(set! target-device target)))
(set! effective-storage-layout
@@ -1554,6 +1573,9 @@
#:privileged-policy privileged-policy
#:metadata-file storage-apply-metadata-temp-file)
'plan))
(install-metadata-file-into-mounted-root privileged-policy
raw-target-attach-metadata-temp-file
(string-append mnt-root raw-target-attach-metadata-path))
(install-metadata-file-into-mounted-root privileged-policy
storage-apply-metadata-temp-file
(string-append mnt-root storage-apply-metadata-path))
@@ -1609,6 +1631,8 @@
(realized-storage-layout . ,(realized-freebsd-storage-layout storage-plan))
(install-metadata-path . ,install-metadata-relative-path)
(assembly-privileged-policy-path . ,assembly-privileged-policy-path)
(raw-target-attach-metadata-path . ,(and (eq? target-kind 'raw-file)
raw-target-attach-metadata-path))
(rootfs-populate-metadata-path . ,rootfs-populate-metadata-path)
(storage-apply-metadata-path . ,storage-apply-metadata-path)
(rootfs-copy-metadata-path . ,rootfs-copy-metadata-path)
@@ -1707,6 +1731,7 @@
(assembly-privileged-policy-file
(string-append image-store-path "/metadata/assembly-privileged-policy.scm"))
(rootfs-populate-metadata-file (string-append image-store-path "/metadata/rootfs-populate.scm"))
(image-resize-metadata-file (string-append image-store-path "/metadata/image-resize.scm"))
(image-rootfs-copy-metadata-file (string-append image-store-path "/metadata/image-rootfs-copy.scm"))
(store-copy-metadata-file (string-append image-store-path "/metadata/store-copy.scm")))
(unless (file-exists? image-store-path)
@@ -1721,6 +1746,7 @@
(assembly-privileged-policy-temp-file
(string-append temp-output "/metadata/assembly-privileged-policy.scm"))
(rootfs-populate-metadata-temp-file (string-append temp-output "/metadata/rootfs-populate.scm"))
(image-resize-metadata-temp-file (string-append temp-output "/metadata/image-resize.scm"))
(image-rootfs-copy-metadata-temp-file (string-append temp-output "/metadata/image-rootfs-copy.scm"))
(store-copy-metadata-temp-file (string-append temp-output "/metadata/store-copy.scm")))
(dynamic-wind
@@ -1759,7 +1785,8 @@
"-p" (string-append "freebsd-ufs/" root-partition-label ":=" temp-root)
"-o" temp-disk)
(resize-gpt-image temp-disk disk-capacity
#:privileged-policy privileged-policy)
#:privileged-policy privileged-policy
#:metadata-file image-resize-metadata-temp-file)
(mkdir-p temp-output)
(write-assembly-privileged-policy-file assembly-privileged-policy-temp-file
privileged-policy)
@@ -1783,6 +1810,7 @@
(string-append temp-output "/.fruix-package")
assembly-privileged-policy-temp-file
rootfs-populate-metadata-temp-file
image-resize-metadata-temp-file
image-rootfs-copy-metadata-temp-file
store-copy-metadata-temp-file)))
(rename-file temp-output image-store-path))
@@ -1795,6 +1823,7 @@
(root-image . ,root-image)
(assembly-privileged-policy-file . ,assembly-privileged-policy-file)
(rootfs-populate-metadata-file . ,rootfs-populate-metadata-file)
(image-resize-metadata-file . ,image-resize-metadata-file)
(image-rootfs-copy-metadata-file . ,image-rootfs-copy-metadata-file)
(store-copy-metadata-file . ,store-copy-metadata-file)
(closure-path . ,closure-path)
@@ -1914,6 +1943,8 @@
(string-append image-store-path "/metadata/installer-rootfs-populate.scm"))
(target-rootfs-populate-metadata-file
(string-append image-store-path "/metadata/target-rootfs-populate.scm"))
(image-resize-metadata-file
(string-append image-store-path "/metadata/image-resize.scm"))
(installer-rootfs-copy-metadata-file
(string-append image-store-path "/metadata/installer-rootfs-copy.scm"))
(target-rootfs-copy-metadata-file
@@ -1937,6 +1968,8 @@
(string-append temp-output "/metadata/installer-rootfs-populate.scm"))
(target-rootfs-populate-metadata-temp-file
(string-append temp-output "/metadata/target-rootfs-populate.scm"))
(image-resize-metadata-temp-file
(string-append temp-output "/metadata/image-resize.scm"))
(installer-rootfs-copy-metadata-temp-file
(string-append temp-output "/metadata/installer-rootfs-copy.scm"))
(target-rootfs-copy-metadata-temp-file
@@ -2010,7 +2043,8 @@
"-p" (string-append "freebsd-ufs/" installer-root-partition-label ":=" temp-root)
"-o" temp-disk)
(resize-gpt-image temp-disk disk-capacity
#:privileged-policy privileged-policy)
#:privileged-policy privileged-policy
#:metadata-file image-resize-metadata-temp-file)
(mkdir-p temp-output)
(write-assembly-privileged-policy-file assembly-privileged-policy-temp-file
privileged-policy)
@@ -2039,6 +2073,7 @@
assembly-privileged-policy-temp-file
installer-rootfs-populate-metadata-temp-file
target-rootfs-populate-metadata-temp-file
image-resize-metadata-temp-file
installer-rootfs-copy-metadata-temp-file
target-rootfs-copy-metadata-temp-file
store-copy-metadata-temp-file)))
@@ -2053,6 +2088,7 @@
(assembly-privileged-policy-file . ,assembly-privileged-policy-file)
(installer-rootfs-populate-metadata-file . ,installer-rootfs-populate-metadata-file)
(target-rootfs-populate-metadata-file . ,target-rootfs-populate-metadata-file)
(image-resize-metadata-file . ,image-resize-metadata-file)
(installer-rootfs-copy-metadata-file . ,installer-rootfs-copy-metadata-file)
(target-rootfs-copy-metadata-file . ,target-rootfs-copy-metadata-file)
(store-copy-metadata-file . ,store-copy-metadata-file)
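Review bot: The md device name that `fruix-install-target-attach` writes to `target-md-file` is read back on the host and used unvalidated to set `target-md` and to build `target-device` as `(string-append "/dev/" md)`, so whatever the jailed helper writes becomes a host-side device path that the later storage-layout and detach steps act on. Since that helper runs on the far side of the privilege boundary this commit is deliberately tightening, the host should check the shape of the value before trusting it, e.g. after `(let ((md (car md-lines)))` add `(unless (and (string-prefix? "md" md) (string->number (substring md 2))) (error "attach helper returned an unexpected md device name" md target-md-file))`. It would also be safer to `(delete-path-if-exists target-md-file)` before invoking the helper, so a leftover file from a previous run in the same build-root can never be mistaken for this run's result. Relatedly, `install-builder-version` stays at "5" while the install output gains a new metadata file and result key, whereas the image and installer versions were bumped; if that version feeds cache identity it likely needs the same bump. install-operating-system continues outside the hunk.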
+3
@@ -452,6 +452,7 @@ Common options:\n\
(root_device . ,(assoc-ref result 'root-device))
(install_metadata_path . ,(assoc-ref result 'install-metadata-path))
(assembly_privileged_policy_path . ,(assoc-ref result 'assembly-privileged-policy-path))
(raw_target_attach_metadata_path . ,(or (assoc-ref result 'raw-target-attach-metadata-path) ""))
(rootfs_populate_metadata_path . ,(assoc-ref result 'rootfs-populate-metadata-path))
(storage_apply_metadata_path . ,(assoc-ref result 'storage-apply-metadata-path))
(rootfs_copy_metadata_path . ,(assoc-ref result 'rootfs-copy-metadata-path))
@@ -537,6 +538,7 @@ Common options:\n\
(root_image . ,(assoc-ref result 'root-image))
(assembly_privileged_policy_file . ,(assoc-ref result 'assembly-privileged-policy-file))
(rootfs_populate_metadata_file . ,(assoc-ref result 'rootfs-populate-metadata-file))
(image_resize_metadata_file . ,(assoc-ref result 'image-resize-metadata-file))
(image_rootfs_copy_metadata_file . ,(assoc-ref result 'image-rootfs-copy-metadata-file))
(store_copy_metadata_file . ,(assoc-ref result 'store-copy-metadata-file))
(closure_path . ,(assoc-ref result 'closure-path))
@@ -605,6 +607,7 @@ Common options:\n\
(assembly_privileged_policy_file . ,(assoc-ref result 'assembly-privileged-policy-file))
(installer_rootfs_populate_metadata_file . ,(assoc-ref result 'installer-rootfs-populate-metadata-file))
(target_rootfs_populate_metadata_file . ,(assoc-ref result 'target-rootfs-populate-metadata-file))
(image_resize_metadata_file . ,(assoc-ref result 'image-resize-metadata-file))
(installer_rootfs_copy_metadata_file . ,(assoc-ref result 'installer-rootfs-copy-metadata-file))
(target_rootfs_copy_metadata_file . ,(assoc-ref result 'target-rootfs-copy-metadata-file))
(store_copy_metadata_file . ,(assoc-ref result 'store-copy-metadata-file))
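Review bot: `raw_target_attach_metadata_path` is emitted as `""` for block-device installs because the result alist carries `#f` there, so consumers of this output must treat the empty string as "not present"; every other `*_metadata_path` key is always populated, making this the only key with that convention and an easy one to misread as a real path. A short comment on the line, e.g. `;; empty when the target is a block device (no md attach step)`, would make the sentinel explicit for downstream readers. The enclosing alist continues outside the hunk.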