some tests to only use nsjail

progandy · progandy · commit 75823a1221d3 · 2020-04-30T12:38:38.000+02:00
diff --git a/repro.in b/repro.in
@@ -16,37 +16,75 @@ trap "{ rm -r $IMGDIRECTORY; }" EXIT
 
 DIFFOSCOPE="diffoscope"
 
+function get_subguids() {
+	local user=$(id -u)
+	local subuids
+	local subgids
+	while IFS=: read uid start count ; do
+		if [[ $user == $(id -u $uid) ]] ; then
+			subuids="1:$start:$count"
+			break
+		fi
+	done </etc/subuid
+	while IFS=: read uid start count ; do
+		if [[ $user == $(id -u $uid) ]] ; then
+			subgids="1:$start:$count"
+			break
+		fi
+	done </etc/subgid
+	[[ $subuids && $subgids ]] || return 1
+	printf " --uid_mapping %s --gid_mapping %s " "$subuids" "$subgids"
+}
+
+# Desc: Enter a user namespace with virtual privileges
+function become_rootless() {
+	((rootless_userns)) || return
+	((__REPRO_NSJAIL == 1)) && return
+	local subguids=$(get_subguids)
+	if (($?)) ; then
+		error "Your user has no subuids or subgids"
+		exit 1
+	fi
+	exec nsjail -Mo --quiet --skip_setsid \
+	            --disable_clone_newnet --disable_clone_newpid \
+	            --disable_rlimit --disable_proc --keep_caps \
+	            --chroot / --cwd "$(pwd)" --rw \
+	            --uid 0 --gid 0 $subguids \
+	            --keep_env  -E '__REPRO_NSJAIL=1' -- "${orig_argv[@]}"
+	#exec become-root unshare --mount "${orig_argv[@]}"
+}
+
 # Desc: Escalates privileges
 orig_argv=("$0" "$@")
 src_owner=${SUDO_USER:-$USER}
 function check_root() {
 	(( EUID == 0 )) && return
-	if ((rootless_userns)); then
-		exec become-root unshare --mount "${orig_argv[@]}"
-	elif type -P sudo >/dev/null; then
+	if type -P sudo >/dev/null; then
 		exec sudo -- "${orig_argv[@]}"
 	else
 		exec su root -c "$(printf ' %q' "${orig_argv[@]}")"
 	fi
 }
 
 function require_userns_tools() {
-	if command -v become-root >/dev/null \
+	#if command -v become-root >/dev/null \
+	if command -v unshare >/dev/null \
 		&& command -v nsjail >/dev/null \
 		&& command -v fuse-overlayfs >/dev/null
 	then
 		return 0
 	fi
-	warning "nsjail, fuse-overlayfs and become-root are necessary for rootless operation"
-	warning "https://github.com/giuseppe/become-root"
+	warning "nsjail, fuse-overlayfs and unshare (util-linux) are necessary for rootless operation"
+	#warning "nsjail, fuse-overlayfs and become-root are necessary for rootless operation"
+	#warning "https://github.com/giuseppe/become-root"
 	warning "https://github.com/containers/fuse-overlayfs"
 	warning "https://github.com/google/nsjail"
 	return 1
 }
 
 function mountoverlay() {
 	if ((rootless_userns)); then
-		fuse-overlayfs "$@"
+		~/Projekte/fuse-overlayfs/fuse-overlayfs "$@"
 	else
 		mount -t overlayfs overlayfs "$@"
 	fi
@@ -61,7 +99,11 @@ function umountoverlay() {
 
 # Use a private gpg keyring
 function gpg() {
+	local res
   command gpg --homedir="$BUILDDIRECTORY/gnupg" "$@"
+	res=$?
+	gpgconf --homedir="$BUILDDIRECTORY/gnupg" --kill gpg-agent
+	return $res
 }
 
 function init_gnupg() {
@@ -257,14 +299,19 @@ function init_chroot(){
         exec_container root pacman -R arch-install-scripts --noconfirm
         exec_container root locale-gen
 
-        printf 'builduser ALL = NOPASSWD: /usr/bin/pacman\n' > "$BUILDDIRECTORY"/root/etc/sudoers.d/builduser-pacman
+        printf '%s\n\n' 'Defaults preserve_groups' \
+				              'builduser ALL = NOPASSWD: /usr/bin/pacman' \
+				        > "$BUILDDIRECTORY"/root/etc/sudoers.d/builduser-pacman
         exec_container root useradd -m -G wheel -s /bin/bash -d /build builduser
         echo "keyserver-options auto-key-retrieve" | install -Dm644 /dev/stdin "$BUILDDIRECTORY/root"/build/.gnupg/gpg.conf
         exec_container root chown -R builduser /build/.gnupg
     else
         printf 'Server = %s\n' "$HOSTMIRROR" > "$BUILDDIRECTORY"/root/etc/pacman.d/mirrorlist
         exec_container root pacman -Syu --noconfirm
     fi
+    exec_container root gpgconf --homedir="/etc/pacman.d/gnupg" --kill gpg-agent
+		# FIXME: Why is this necessary?
+		rm -f "$BUILDDIRECTORY"/root/etc/pacman.d/gnupg/S.gpg-agent{,.browser,.extra,.ssh}
 
     trap - ERR INT
 }
@@ -390,6 +437,7 @@ Usage:
 General Options:
  -h                           Print this help message
  -d                           Run diffoscope if packages are not reproducible
+ -r                           Run without root privileges in nsjail containers
 __END__
 }
 
@@ -420,6 +468,7 @@ while getopts :hdorC:P:M: arg; do
         d) run_diffoscope=1;;
         r) rootless_userns=1;
            require_userns_tools || exit 1
+					 become_rootless
            # TODO: better detection for valid writable build directory
            [[ $BUILDDIRECTORY == /var/lib/repro ]] && BUILDDIRECTORY="${XDG_CACHE_HOME:-$HOME/.cache}/archlinux-repro"
            ;;
