diff --git a/docs/plan.md b/docs/plan.md index 3d12740..76b05c4 100644 --- a/docs/plan.md +++ b/docs/plan.md @@ -301,6 +301,9 @@ Current progress: - install-time storage layout application is now executed as a rendered privileged helper script under that policy instead of many scattered host-side privileged calls +- remaining image resize and raw-file install attach/detach paths now also run + through dedicated assembly privileged helper scripts, further shrinking the + host-side privileged call surface - network is disabled by default in these jailed paths - union assembly mounts are now much smaller and omit host `/etc` and `devfs` - direct block-device `system install` is now an explicit opt-in under the @@ -308,9 +311,10 @@ Current progress: Next likely steps: -- keep shrinking the privileged surface for image / installer / ISO assembly -- decide whether some remaining host-side image construction steps should move - behind a more explicit dedicated privileged helper or runner +- keep pushing filesystem/image construction toward file-backed or jailed helper + paths where practical +- decide whether any remaining assembly-time host assumptions should move behind + an even narrower dedicated helper or runner boundary ## Runtime / development / build separation diff --git a/modules/fruix/system/freebsd/media.scm b/modules/fruix/system/freebsd/media.scm index a2433c5..ef05dde 100644 --- a/modules/fruix/system/freebsd/media.scm +++ b/modules/fruix/system/freebsd/media.scm @@ -1065,9 +1065,9 @@ (installer-root-partition-label . ,installer-root-partition-label) (target-install . ,target-install-spec)))) -(define image-builder-version "5") +(define image-builder-version "6") (define install-builder-version "5") -(define installer-image-builder-version "6") +(define installer-image-builder-version "7") (define installer-iso-builder-version "7") (define* (operating-system-install-storage-layout os 
@@ -1431,22 +1431,24 @@ (define* (resize-gpt-image image disk-capacity #:key - (privileged-policy (default-assembly-privileged-policy))) + (privileged-policy (default-assembly-privileged-policy)) + metadata-file) (when disk-capacity (run-command "truncate" "-s" disk-capacity image) - (let ((md (assembly-privileged-command-output privileged-policy - 'mdconfig-attach - "mdconfig" "-a" "-t" "vnode" "-f" image))) - (dynamic-wind - (lambda () #t) - (lambda () - (run-assembly-privileged-command privileged-policy - 'gpart-recover - "gpart" "recover" (string-append "/dev/" md))) - (lambda () - (run-assembly-privileged-command privileged-policy - 'mdconfig-detach - "mdconfig" "-d" "-u" (string-drop md 2))))))) + (run-assembly-privileged-script + privileged-policy + "fruix-image-resize" + (string-append + "#!/bin/sh\n" + "set -eu\n" + "md=$(mdconfig -a -t vnode -f " (shell-quote image) ")\n" + "cleanup() {\n" + " mdconfig -d -u \"${md#md}\" >/dev/null 2>&1 || true\n" + "}\n" + "trap cleanup EXIT\n" + "gpart recover \"/dev/${md}\"\n") + #:operations '(mdconfig-attach gpart-recover mdconfig-detach) + #:metadata-file metadata-file))) (define* (install-operating-system os #:key 
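Review bot: The `cleanup` trap in the rendered `fruix-image-resize` script discards the detach result (`mdconfig -d -u "${md#md}" >/dev/null 2>&1 || true`), so a failed detach leaves the image's md device attached by the privileged helper with nothing reported, whereas the replaced dynamic-wind path ran the detach as its own checked privileged command and would have surfaced that failure. The trap also fires when `mdconfig -a` itself fails under `set -eu`, at which point `md` is empty and `-u ""` is passed. I would guard and report instead: make `[ -n "${md:-}" ] || return 0` the first line of `cleanup`, then `mdconfig -d -u "${md#md}" || echo "warning: failed to detach ${md}" >&2`. Whether run-assembly-privileged-script checks the script body against the `#:operations` list is not visible here; if the list is only declarative, a short comment above the call saying so would help the next reader judge what the policy actually constrains.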
@@ -1506,15 +1508,19 @@ (staging-metadata-relative-root "/var/lib/fruix/system/install/metadata") (assembly-privileged-policy-path (string-append staging-metadata-relative-root "/assembly-privileged-policy.scm")) + (raw-target-attach-metadata-path + (string-append staging-metadata-relative-root "/raw-target-attach.scm")) (rootfs-populate-metadata-path (string-append staging-metadata-relative-root "/rootfs-populate.scm")) (storage-apply-metadata-path (string-append staging-metadata-relative-root "/storage-apply.scm")) (rootfs-copy-metadata-path (string-append staging-metadata-relative-root "/rootfs-copy.scm")) (store-copy-metadata-path (string-append staging-metadata-relative-root "/store-copy.scm")) (assembly-privileged-policy-file (string-append rootfs assembly-privileged-policy-path)) (rootfs-populate-metadata-file (string-append rootfs rootfs-populate-metadata-path)) + (raw-target-attach-metadata-temp-file (string-append build-root "/raw-target-attach.scm")) (storage-apply-metadata-temp-file (string-append build-root "/storage-apply.scm")) (rootfs-copy-metadata-temp-file (string-append build-root "/rootfs-copy.scm")) (store-copy-metadata-temp-file (string-append build-root "/store-copy.scm")) + (target-md-file (string-append build-root "/target.md")) (target-device #f) (target-md #f) (effective-storage-layout #f) 
@@ -1539,11 +1545,24 @@ (mkdir-p (dirname target)) (delete-path-if-exists target) (run-command "truncate" "-s" disk-capacity target) - (let ((md (assembly-privileged-command-output privileged-policy - 'mdconfig-attach - "mdconfig" "-a" "-t" "vnode" "-f" target))) - (set! target-md md) - (set! target-device (string-append "/dev/" md)))) + (run-assembly-privileged-script + privileged-policy + "fruix-install-target-attach" + (string-append + "#!/bin/sh\n" + "set -eu\n" + "md=$(mdconfig -a -t vnode -f " (shell-quote target) ")\n" + "printf '%s\\n' \"$md\" > " (shell-quote target-md-file) "\n") + #:operations '(mdconfig-attach) + #:metadata-file raw-target-attach-metadata-temp-file) + (let ((md-lines (read-lines target-md-file))) + (unless (pair? md-lines) + (error "raw-file target attach helper did not record md device" + target + target-md-file)) + (let ((md (car md-lines))) + (set! target-md md) + (set! target-device (string-append "/dev/" md))))) ((block-device) (set! target-device target))) (set! effective-storage-layout @@ -1554,6 +1573,9 @@ #:privileged-policy privileged-policy #:metadata-file storage-apply-metadata-temp-file) 'plan)) + (install-metadata-file-into-mounted-root privileged-policy + raw-target-attach-metadata-temp-file + (string-append mnt-root raw-target-attach-metadata-path)) (install-metadata-file-into-mounted-root privileged-policy storage-apply-metadata-temp-file (string-append mnt-root storage-apply-metadata-path)) @@ -1609,6 +1631,8 @@ (realized-storage-layout . ,(realized-freebsd-storage-layout storage-plan)) (install-metadata-path . ,install-metadata-relative-path) (assembly-privileged-policy-path . ,assembly-privileged-policy-path) + (raw-target-attach-metadata-path . ,(and (eq? target-kind 'raw-file) + raw-target-attach-metadata-path)) (rootfs-populate-metadata-path . ,rootfs-populate-metadata-path) (storage-apply-metadata-path . ,storage-apply-metadata-path) (rootfs-copy-metadata-path . ,rootfs-copy-metadata-path) 
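Review bot: The md device name read back from `target-md-file` is used as-is in `(string-append "/dev/" md)`, and the only check is `(pair? md-lines)`, so an empty first line (the `printf` ran but `$md` was empty) yields `/dev/` as the target device and the error would only surface later at an unrelated step. Since this value crosses from the privileged helper back to the host, validate its shape before trusting it, e.g. `(unless (and (string-prefix? "md" md) (> (string-length md) 2)) (error "unexpected md device name from attach helper" target md))`. The matching detach for `target-md` is not in this hunk, so I cannot tell whether it still runs as a separate privileged command or through a helper script, even though the plan.md hunk describes both attach and detach as moving. `install-operating-system` begins outside this hunk.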
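Review bot: In the -1554 hunk, `install-metadata-file-into-mounted-root` is now called for `raw-target-attach-metadata-temp-file` unconditionally, but that file is only produced by the `fruix-install-target-attach` helper in the `raw-file` branch of the -1539 hunk, and the result alist in the -1609 hunk already makes the corresponding path conditional on `(eq? target-kind 'raw-file)`. Unless install-metadata-file-into-mounted-root tolerates a missing source (not visible here), a `block-device` install would fail at this call. Wrap it the same way: `(when (eq? target-kind 'raw-file) (install-metadata-file-into-mounted-root privileged-policy raw-target-attach-metadata-temp-file (string-append mnt-root raw-target-attach-metadata-path)))`. Separately, `install-builder-version` stays at "5" in the -1065 hunk while the install output gains a new metadata file; if that version keys cached install results it likely needs a bump like the two image versions received.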
@@ -1707,6 +1731,7 @@ (assembly-privileged-policy-file (string-append image-store-path "/metadata/assembly-privileged-policy.scm")) (rootfs-populate-metadata-file (string-append image-store-path "/metadata/rootfs-populate.scm")) + (image-resize-metadata-file (string-append image-store-path "/metadata/image-resize.scm")) (image-rootfs-copy-metadata-file (string-append image-store-path "/metadata/image-rootfs-copy.scm")) (store-copy-metadata-file (string-append image-store-path "/metadata/store-copy.scm"))) (unless (file-exists? image-store-path) @@ -1721,6 +1746,7 @@ (assembly-privileged-policy-temp-file (string-append temp-output "/metadata/assembly-privileged-policy.scm")) (rootfs-populate-metadata-temp-file (string-append temp-output "/metadata/rootfs-populate.scm")) + (image-resize-metadata-temp-file (string-append temp-output "/metadata/image-resize.scm")) (image-rootfs-copy-metadata-temp-file (string-append temp-output "/metadata/image-rootfs-copy.scm")) (store-copy-metadata-temp-file (string-append temp-output "/metadata/store-copy.scm"))) (dynamic-wind @@ -1759,7 +1785,8 @@ "-p" (string-append "freebsd-ufs/" root-partition-label ":=" temp-root) "-o" temp-disk) (resize-gpt-image temp-disk disk-capacity - #:privileged-policy privileged-policy) + #:privileged-policy privileged-policy + #:metadata-file image-resize-metadata-temp-file) (mkdir-p temp-output) (write-assembly-privileged-policy-file assembly-privileged-policy-temp-file privileged-policy) @@ -1783,6 +1810,7 @@ (string-append temp-output "/.fruix-package") assembly-privileged-policy-temp-file rootfs-populate-metadata-temp-file + image-resize-metadata-temp-file image-rootfs-copy-metadata-temp-file store-copy-metadata-temp-file))) (rename-file temp-output image-store-path)) 
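Review bot: `image-resize-metadata-temp-file` is added to the file list passed in the -1783 hunk (the call's head is outside the hunk), but `resize-gpt-image` only runs the helper, and so presumably only writes the metadata file, inside `(when disk-capacity ...)`, so a build with `disk-capacity` unset would hand that call a path that does not exist. If the consumer requires every listed file to be present, either make the entry conditional on `disk-capacity` or have `resize-gpt-image` record an explicit "skipped" metadata entry when it does not resize. The installer-image hunks at -2010 and -2039 have the same pattern.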
@@ -1795,6 +1823,7 @@ (root-image . ,root-image) (assembly-privileged-policy-file . ,assembly-privileged-policy-file) (rootfs-populate-metadata-file . ,rootfs-populate-metadata-file) + (image-resize-metadata-file . ,image-resize-metadata-file) (image-rootfs-copy-metadata-file . ,image-rootfs-copy-metadata-file) (store-copy-metadata-file . ,store-copy-metadata-file) (closure-path . ,closure-path) @@ -1914,6 +1943,8 @@ (string-append image-store-path "/metadata/installer-rootfs-populate.scm")) (target-rootfs-populate-metadata-file (string-append image-store-path "/metadata/target-rootfs-populate.scm")) + (image-resize-metadata-file + (string-append image-store-path "/metadata/image-resize.scm")) (installer-rootfs-copy-metadata-file (string-append image-store-path "/metadata/installer-rootfs-copy.scm")) (target-rootfs-copy-metadata-file @@ -1937,6 +1968,8 @@ (string-append temp-output "/metadata/installer-rootfs-populate.scm")) (target-rootfs-populate-metadata-temp-file (string-append temp-output "/metadata/target-rootfs-populate.scm")) + (image-resize-metadata-temp-file + (string-append temp-output "/metadata/image-resize.scm")) (installer-rootfs-copy-metadata-temp-file (string-append temp-output "/metadata/installer-rootfs-copy.scm")) (target-rootfs-copy-metadata-temp-file @@ -2010,7 +2043,8 @@ "-p" (string-append "freebsd-ufs/" installer-root-partition-label ":=" temp-root) "-o" temp-disk) (resize-gpt-image temp-disk disk-capacity - #:privileged-policy privileged-policy) + #:privileged-policy privileged-policy + #:metadata-file image-resize-metadata-temp-file) (mkdir-p temp-output) (write-assembly-privileged-policy-file assembly-privileged-policy-temp-file privileged-policy) @@ -2039,6 +2073,7 @@ assembly-privileged-policy-temp-file installer-rootfs-populate-metadata-temp-file target-rootfs-populate-metadata-temp-file + image-resize-metadata-temp-file installer-rootfs-copy-metadata-temp-file target-rootfs-copy-metadata-temp-file store-copy-metadata-temp-file))) 
@@ -2053,6 +2088,7 @@ (assembly-privileged-policy-file . ,assembly-privileged-policy-file) (installer-rootfs-populate-metadata-file . ,installer-rootfs-populate-metadata-file) (target-rootfs-populate-metadata-file . ,target-rootfs-populate-metadata-file) + (image-resize-metadata-file . ,image-resize-metadata-file) (installer-rootfs-copy-metadata-file . ,installer-rootfs-copy-metadata-file) (target-rootfs-copy-metadata-file . ,target-rootfs-copy-metadata-file) (store-copy-metadata-file . ,store-copy-metadata-file) diff --git a/scripts/fruix.scm b/scripts/fruix.scm index 9190c1e..fa51a43 100644 --- a/scripts/fruix.scm +++ b/scripts/fruix.scm @@ -452,6 +452,7 @@ Common options:\n\ (root_device . ,(assoc-ref result 'root-device)) (install_metadata_path . ,(assoc-ref result 'install-metadata-path)) (assembly_privileged_policy_path . ,(assoc-ref result 'assembly-privileged-policy-path)) + (raw_target_attach_metadata_path . ,(or (assoc-ref result 'raw-target-attach-metadata-path) "")) (rootfs_populate_metadata_path . ,(assoc-ref result 'rootfs-populate-metadata-path)) (storage_apply_metadata_path . ,(assoc-ref result 'storage-apply-metadata-path)) (rootfs_copy_metadata_path . ,(assoc-ref result 'rootfs-copy-metadata-path)) @@ -537,6 +538,7 @@ Common options:\n\ (root_image . ,(assoc-ref result 'root-image)) (assembly_privileged_policy_file . ,(assoc-ref result 'assembly-privileged-policy-file)) (rootfs_populate_metadata_file . ,(assoc-ref result 'rootfs-populate-metadata-file)) + (image_resize_metadata_file . ,(assoc-ref result 'image-resize-metadata-file)) (image_rootfs_copy_metadata_file . ,(assoc-ref result 'image-rootfs-copy-metadata-file)) (store_copy_metadata_file . ,(assoc-ref result 'store-copy-metadata-file)) (closure_path . ,(assoc-ref result 'closure-path)) 
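Review bot: In the -452 hunk, `raw_target_attach_metadata_path` is the only field in this alist normalized with `(or … "")` while its neighbours pass the `assoc-ref` result through unchanged, which reads as an accident unless the reason is stated. A one-line comment above it such as `;; #f for block-device targets; emit "" so the field is always a string` would record the intent, assuming that is what the output format needs.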
@@ -605,6 +607,7 @@ Common options:\n\ (assembly_privileged_policy_file . ,(assoc-ref result 'assembly-privileged-policy-file)) (installer_rootfs_populate_metadata_file . ,(assoc-ref result 'installer-rootfs-populate-metadata-file)) (target_rootfs_populate_metadata_file . ,(assoc-ref result 'target-rootfs-populate-metadata-file)) + (image_resize_metadata_file . ,(assoc-ref result 'image-resize-metadata-file)) (installer_rootfs_copy_metadata_file . ,(assoc-ref result 'installer-rootfs-copy-metadata-file)) (target_rootfs_copy_metadata_file . ,(assoc-ref result 'target-rootfs-copy-metadata-file)) (store_copy_metadata_file . ,(assoc-ref result 'store-copy-metadata-file))