safer/simpler uid/gid mapping w/ reduced build privs

This commit is contained in:
Lance Vick 2020-10-15 16:26:28 -07:00
parent 8a2ac4b000
commit 1badff2241
Signed by: lrvick
GPG Key ID: 8E47A1EC35A1551D
3 changed files with 26 additions and 53 deletions

View File

@ -111,7 +111,7 @@ sign: $(RELEASE_DIR)/*.rom $(RELEASE_DIR)/*.iso
.PHONY: shell .PHONY: shell
shell: shell:
$(docker) inspect "$(NAME)" \ $(docker) inspect "$(NAME)" \
&& $(docker) exec --interactive --tty "$(NAME)" shell \ && $(docker) exec --interactive --user=root --tty "$(NAME)" shell \
|| $(contain) shell || $(contain) shell
@ -119,7 +119,7 @@ shell:
menuconfig: menuconfig:
$(contain) menuconfig $(contain) menuconfig
.PHONY: menuconfig .PHONY: linux-menuconfig
linux-menuconfig: linux-menuconfig:
$(contain) linux-menuconfig $(contain) linux-menuconfig
@ -163,7 +163,6 @@ contain := \
--interactive \ --interactive \
--name "$(NAME)" \ --name "$(NAME)" \
--hostname "$(NAME)" \ --hostname "$(NAME)" \
--user $(userid):$(groupid) \
--env TARGET="$(TARGET)" \ --env TARGET="$(TARGET)" \
--env DEVICES="$(DEVICES)" \ --env DEVICES="$(DEVICES)" \
--env GIT_DATETIME="$(GIT_DATETIME)" \ --env GIT_DATETIME="$(GIT_DATETIME)" \
@ -172,7 +171,8 @@ contain := \
--env GIT_AUTHOR="$(GIT_AUTHOR)" \ --env GIT_AUTHOR="$(GIT_AUTHOR)" \
--env GIT_KEY="$(GIT_KEY)" \ --env GIT_KEY="$(GIT_KEY)" \
--env GIT_STATE="$(GIT_STATE)" \ --env GIT_STATE="$(GIT_STATE)" \
--security-opt seccomp=unconfined \ --env UID="$(shell id -u)" \
--env GID="$(shell id -g)" \
--volume $(PWD)/build:/home/build/build \ --volume $(PWD)/build:/home/build/build \
--volume $(PWD)/config:/home/build/config \ --volume $(PWD)/config:/home/build/config \
--volume $(PWD)/release:/home/build/release \ --volume $(PWD)/release:/home/build/release \

View File

@ -1,39 +1,4 @@
ARG DEBIAN_IMAGE_HASH=4ab3309ba955211d1db92f405be609942b595a720de789286376f030502ffd6f ARG DEBIAN_IMAGE_HASH=4ab3309ba955211d1db92f405be609942b595a720de789286376f030502ffd6f
ARG GOLANG_IMAGE_HASH=84349ee862d8bafff35e0d2bfd539da565b536b4dfce654773fc21a1db2da6d7
FROM golang@sha256:${GOLANG_IMAGE_HASH} as gotools
ARG FIXUID_GIT_REF="0ec93d22e52bde5b7326e84cb62fd26a3d20cead"
ARG OZZOCONFIG_GIT_REF="0ff174cf5aa6480026e0b40c14fd9cfb61c4abf6"
ARG JSONPREPROCESS_GIT_REF="a4e954386171be645f1eb7c41865d2624b69259d"
ARG TOML_GIT_REF="3012a1dbe2e4bd1391d42b32f0577cb7bbc7f005"
ARG YAMLV2_GIT_REF="51d6538a90f86fe93ac480b35f37b2be17fef232"
ARG GLIDE_GIT_REF="b94b39d657d8abcccba6545e148f1201aee6ffec"
RUN apk add bash git make
RUN printf "\
github.com/boxboat/fixuid.git github.com/boxboat/fixuid ${FIXUID_GIT_REF} \n\
github.com/go-ozzo/ozzo-config github.com/go-ozzo/ozzo-config ${OZZOCONFIG_GIT_REF} \n\
github.com/hnakamur/jsonpreprocess github.com/hnakamur/jsonpreprocess ${JSONPREPROCESS_GIT_REF} \n\
github.com/BurntSushi/toml github.com/BurntSushi/toml ${TOML_GIT_REF} \n\
github.com/go-yaml/yaml gopkg.in/yaml.v2 ${YAMLV2_GIT_REF} \n" \
> /go/src/repos
RUN echo ' \
set -o nounset -o pipefail -o errexit; \
cat /go/src/repos | while read -r line; do \
repo=$(echo $line | awk "{ print \$1 }"); \
folder=$(echo $line | awk "{ print \$2 }"); \
ref=$(echo $line | awk "{ print \$3 }"); \
git clone "https://${repo}" "/go/src/${folder}"; \
git -C "/go/src/${folder}" checkout ${ref}; \
done' \
| bash
RUN go build -o /usr/local/bin/fixuid github.com/boxboat/fixuid
FROM debian@sha256:${DEBIAN_IMAGE_HASH} as debian FROM debian@sha256:${DEBIAN_IMAGE_HASH} as debian
ENV DEBIAN_FRONTEND=noninteractive \ ENV DEBIAN_FRONTEND=noninteractive \
@ -43,14 +8,6 @@ ENV DEBIAN_FRONTEND=noninteractive \
HOME=/home/build \ HOME=/home/build \
PATH=/home/build/scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin PATH=/home/build/scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
## Setup fixuid for mounting host-dirs with correct permissions during dev
COPY --from=gotools /usr/local/bin/ /usr/local/bin/
RUN chown root:root /usr/local/bin/fixuid \
&& chmod 4755 /usr/local/bin/fixuid \
&& mkdir -p /etc/fixuid \
&& printf "user: build\ngroup: build\npaths:\n - /\n - /home/build/build\n" > /etc/fixuid/config.yml
ENTRYPOINT ["/usr/local/bin/fixuid", "-q"]
ADD scripts/ /usr/local/bin/ ADD scripts/ /usr/local/bin/
## Install packages from packages.list with retry ## Install packages from packages.list with retry
@ -59,11 +16,6 @@ ADD config/container/packages.list /etc/apt/packages.list
ADD config/container/apt.conf /etc/apt/apt.conf ADD config/container/apt.conf /etc/apt/apt.conf
RUN apt-install RUN apt-install
## Create build user with sudo privs
RUN useradd -G plugdev,sudo -ms /bin/bash build \
&& chown -R build:build /home/build \
&& echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
WORKDIR /home/build WORKDIR /home/build
USER build ENTRYPOINT ["/usr/local/bin/host-env"]

21
scripts/host-env Executable file
View File

@ -0,0 +1,21 @@
#!/bin/bash
set -e
set -x
uid=${UID?}
gid=${GID?}
user=${USER:-"build"}
export HOME="/home/${user}"
groupadd -g "$gid" "${user}"
useradd \
-g "$gid" \
-u "$uid" \
-md "/home/${user}" \
-s /bin/bash \
"${user}"
mkdir -p "$HOME"
chown -R "$uid:$gid" "$HOME"
cd "$HOME"
setpriv --reuid="$uid" --regid="$gid" --init-groups "$@"