forked from dnschneid/crouton
/
enter-chroot
executable file
·555 lines (500 loc) · 18.6 KB
/
enter-chroot
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
#!/bin/sh -e
# Copyright (c) 2014 The crouton Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
set -e
APPLICATION="${0##*/}"
BACKGROUND=''
BINDIR="`dirname "\`readlink -f "$0"\`"`"
CHROOTS="`readlink -f "$BINDIR/../chroots"`"
KEYFILE=''
LOGIN=''
NAME=''
TARGET=''
USERNAME='1000'
NOLOGIN=''
SETUPSCRIPT='/prepare.sh'
USAGE="$APPLICATION [options] [command [args...]]
Enters an installed Debian-based chroot for running alongside Chromium OS.
By default, it will log into the primary user on the first chroot found.
You can specify a command and parameters to run instead of an interactive shell.
Options:
-b Fork and run the specified command silently in the background.
-c CHROOTS Directory the chroots are in. Default: $CHROOTS
-l Make the command part of a login. Parameters are passed directly
to the chroot command, and a call to su is appended.
-k KEYFILE Override the auto-detected encryption key location.
-n NAME Name of the chroot to enter. Default: first one found in CHROOTS
-t TARGET Only enter the chroot if it contains the specified TARGET.
-u USERNAME Username (or UID) to log into. Default: 1000 (the primary user)
-x Does not log in, but directly executes the command instead.
Note that the environment will be empty (sans TERM).
Specify -x a second time to run the $SETUPSCRIPT script."
# Common functions
. "$BINDIR/../installer/functions"
# Safely launch a command ($*) via /bin/sh within the chroot as the root user.
chrootcmd() {
# env may be overridden when running in the background; don't let it fork.
local ret=0 oldtrap="$TRAP"
TRAP=''
env -i chroot "$CHROOT" su -s '/bin/sh' -c "$*" - root || ret=$?
local pid="$!"
# $pid might not be set if env has not been redefined yet
if [ -n "$BACKGROUND" ] && [ -n "$pid" ]; then
wait "$pid" || ret=$?
fi
TRAP="$oldtrap"
return "$ret"
}
# Process arguments
prevoptind=1
while getopts 'bc:k:ln:t:u:x' f; do
# Disallow empty string as option argument
if [ "$((OPTIND-prevoptind))" = 2 -a -z "$OPTARG" ]; then
error 2 "$USAGE"
fi
prevoptind="$OPTIND"
case "$f" in
b) BACKGROUND='y';;
c) CHROOTS="`readlink -f "$OPTARG"`";;
k) KEYFILE="$OPTARG";;
l) LOGIN='y';;
n) NAME="$OPTARG";;
t) TARGET="$OPTARG";;
u) USERNAME="$OPTARG";;
x) NOLOGIN="$((NOLOGIN+1))"
[ "$NOLOGIN" -gt 2 ] && NOLOGIN=2;;
\?) error 2 "$USAGE";;
esac
done
shift "$((OPTIND-1))"
# Shift away empty string as first argument (used in start* scripts to mark
# the end of user-specified parameters)
if [ "$#" -ge 1 -a -z "$1" ]; then
shift
fi
# We need to run as root
if [ ! "$USER" = root -a ! "$UID" = 0 ]; then
error 2 "$APPLICATION must be run as root."
fi
# We need a command if we specified to run in the background
if [ -n "$BACKGROUND" -a $# = 0 ]; then
error 2 "A command must be specified in order to run in the background."
fi
# If -x is specified twice, our command is the setup script.
if [ "$NOLOGIN" = 2 ]; then
if [ ! $# = 0 ]; then
error 2 "A command cannot be specified with -xx."
fi
if [ -n "$BACKGROUND" ]; then
error 2 "Cannot run the setup script in the background."
fi
set -- "$SETUPSCRIPT"
fi
# Select the first chroot available if one hasn't been specified
if [ -z "$NAME" ]; then
haschroots=''
for CHROOT in "$CHROOTS"/*; do
if [ ! -d "$CHROOT/etc" -a ! -f "$CHROOT/.ecryptfs" ]; then
continue
fi
haschroots='y'
if [ -n "$TARGET" ]; then
if ! grep -q "^$TARGET$" "$CHROOT/.crouton-targets" 2>/dev/null; then
continue
fi
fi
NAME="${CHROOT##*/}"
break
done
if [ -z "$haschroots" ]; then
error 1 "No chroots found in $CHROOTS"
fi
if [ -z "$NAME" ]; then
error 1 "No chroots with target '$TARGET' found in $CHROOTS"
fi
elif [ -n "$TARGET" ]; then
if ! grep -q "^$TARGET$" "$CHROOTS/$NAME/.crouton-targets" 2>/dev/null; then
error 1 "$CHROOTS/$NAME does not contain target '$TARGET'"
fi
fi
# Avoid kernel panics due to slow I/O
disablehungtask
# Enable control of framebuffer compression (if used) by video users
for fbc in '/sys/kernel/debug/dri/0/'*fbc*; do :; done
if [ -f "$fbc" ] && ! grep -q 'disabled per module param' "$fbc"; then
fbc='/sys/module/i915/parameters/i915_enable_fbc'
chgrp video "$fbc"
chmod g+w "$fbc"
fi
# Allow X server running as normal user to set/drop DRM master
drm_relax_file="/sys/kernel/debug/dri/drm_master_relax"
if [ -f "$drm_relax_file" ]; then
echo 'Y' > "$drm_relax_file"
fi
# Make sure we always exit with echo on the tty.
addtrap "stty echo 2>/dev/null"
# Mount the chroot and update our CHROOT path
CHROOTSRC="$CHROOTS/$NAME"
if [ -n "$KEYFILE" ]; then
CHROOT="`sh -e "$BINDIR/mount-chroot" \
-k "$KEYFILE" -p -c "$CHROOTS" -- "$NAME"`"
else
CHROOT="`sh -e "$BINDIR/mount-chroot" -p -c "$CHROOTS" -- "$NAME"`"
fi
if [ ! "$NOLOGIN" = 2 ]; then
echo "Entering $CHROOTSRC..." 1>&2
fi
# In disk full situations, mount-chroot can be empty. Good time to check sanity.
if [ -z "$CHROOT" ]; then
error 1 'Something is wrong with the crouton install. Please make sure you have
sufficient space available, then re-install the chroot and try again.'
fi
# Register the crash_reporter_wrapper to properly handle coredumps
if [ -f "$BINDIR/crash_reporter_wrapper" ]; then
if ! sh -e "$BINDIR/crash_reporter_wrapper" register; then
echo 'WARNING: Unable to register core dump handler.' 1>&2
fi
fi
if [ -z "$CROUTON_NO_UNMOUNT" ]; then
# Auto-unmount everything below and including the chroot upon exit
addtrap "sh -e '$BINDIR/unmount-chroot' -yc '$CHROOTS' -- '$NAME'"
fi
# If our root is on an external disk we need to ensure USB device persistence is
# enabled otherwise we will lose the file-system after a suspend event.
if [ ! "${CHROOTSRC#/media}" = "$CHROOTSRC" ]; then
for usbp in /sys/bus/usb/devices/*/power/persist; do
if [ -e "$usbp" ]; then
echo 1 > "$usbp"
fi
done
fi
# Offer to run the setup script if it exists and yet we're logging in.
if [ -z "$NOLOGIN" -a -f "$CHROOT$SETUPSCRIPT" ]; then
echo 'A chroot setup script still exists inside the chroot.' 1>&2
echo 'The chroot may not be fully set up.' 1>&2
response=''
# A finished setup script will have permissions 500
if [ "`stat -c '%a' "$CHROOT$SETUPSCRIPT"`" != '500' ]; then
echo 'However, it appears the setup script is invalid.' 1>&2
response='d'
fi
if [ -t 0 -a -z "$response" ]; then
echo -n 'Would you like to finish the setup? [Y/n/d] ' 1>&2
read response
fi
if [ -z "$response" -o "${response#[Yy]}" != "$response" ]; then
echo 'Preparing chroot environment...' 1>&2
if CROUTON_NO_UNMOUNT=1 sh -e "$BINDIR/enter-chroot" \
-c "$CHROOTS" -n "$NAME" -xx; then
echo 'Setup completed. Entering chroot...' 1>&2
response=''
else
echo 'The chroot setup script may be broken. Your chroot is not fully configured.' 1>&2
response='d'
fi
fi
if [ "${response#[Dd]}" != "$response" ]; then
echo 'Removing the chroot setup script. You may want to update your chroot again.' 1>&2
rm -f "$CHROOT$SETUPSCRIPT"
elif [ -n "$response" ]; then
echo 'Skipping setup. You will be prompted again next time.' 1>&2
fi
fi
# Resolve USERNAME if it is a UID (and we're logging in)
passwd="$CHROOT/etc/passwd"
if [ -z "$NOLOGIN" ]; then
if [ ! -r "$passwd" ]; then
error 1 "$CHROOTSRC doesn't appear to be a valid chroot."
fi
case "$USERNAME" in
''|*[!0-9]*)
# Make sure the username exists
if ! grep -q "^$USERNAME:" "$passwd"; then
error 1 "User $USERNAME not found in $NAME"
fi;;
*)
# Resolve the UID
uid="$USERNAME"
USERNAME="`awk -F: '$3=='"$uid"'{print $1; exit}' "$passwd"`"
if [ -z "$USERNAME" ]; then
error 1 "UID $uid not found in $NAME"
fi
esac
# Detect the home directory and shell for the user
CHROOTHOME="`awk -F: '$1=="'"$USERNAME"'"{print $6; exit}' "$passwd"`"
CHROOTSHELL="`awk -F: '$1=="'"$USERNAME"'"{print $NF; exit}' "$passwd"`"
else
CHROOTSHELL='/bin/sh'
fi
# Save the chroot name to the chroot
echo "$NAME" > "$CHROOT/etc/crouton/name"
# Ensure $CHROOT/var/host exists.
mkdir -p "$CHROOT/var/host"
# Copy in the current Chromium OS version for reference
cp -f '/etc/lsb-release' "$CHROOT/var/host/"
# Copy the latest Xauthority into the chroot
if [ -f "${XAUTHORITY:=/home/chronos/.Xauthority}" ]; then
cp -f "$XAUTHORITY" "$CHROOT/var/host/Xauthority"
chmod 444 "$CHROOT/var/host/Xauthority"
# Be backwards-compatible, just in case
if [ -f "$CHROOT/etc/X11/host-Xauthority" ]; then
ln -sfT '/var/host/Xauthority' "$CHROOT/etc/X11/host-Xauthority"
fi
fi
# Prepare chroot filesystem
# Soft-link resolv.conf so that updates are automatically propagated
ln -sf '/var/host/shill/resolv.conf' "$CHROOT/etc/resolv.conf"
# Sanity check of the timezone setting
localtime="$CHROOT/etc/localtime"
hostlocaltime='/var/host/timezone/localtime'
if [ -h "$localtime" ] && [ "`readlink "$localtime"`" = "$hostlocaltime" ]; then
timezone="`readlink -m /var/lib/timezone/localtime || true`"
if [ -z "$timezone" -o ! -e "$CHROOT$LOCALTIME" ]; then
echo "\
WARNING: the timezone selected in Chromium OS does not exist inside the chroot.
To set the chroot's timezone, run the following: sudo dpkg-reconfigure tzdata" 1>&2
else
# Set /etc/timezone in chroot - fixes the clock in Unity
echo "${timezone#/usr/share/zoneinfo/}" > "$CHROOT/etc/timezone"
fi
fi
# Follows and fixes dangerous symlinks, returning the canonicalized path.
fixabslinks() {
local p="$CHROOT/$1" c
# Follow and fix dangerous absolute symlinks
while c="`readlink -m "$p"`" && [ ! "$c" = "$p" ]; do
p="$CHROOT${c#"$CHROOT"}"
done
echo "$p"
}
# Bind-mounts $1 into $CHROOT/${2:-"$1"} if $2 is not already mounted
# If $3 is specified, remounts with the specified options.
# If $1 starts with a -, it's considered options to the bind mount, and the rest
# of the parameters are shifted.
bindmount() {
bindopts=''
if [ ! "${1#"-"}" = "$1" ]; then
bindopts="$1"
shift
fi
local target="`fixabslinks "${2:-"$1"}"`"
if mountpoint -q "$target"; then
return 0
fi
mkdir -p "$target"
mount --bind $bindopts "$1" "$target"
if [ -n "$3" ]; then
mount -i -o "remount,$3" "$target"
fi
}
# Creates a tmpfs mount at $CHROOT/$1 with options $2 if not already mounted
tmpfsmount() {
local target="`fixabslinks "$1"`"
if mountpoint -q "$target"; then
return 0
fi
mkdir -p "$target"
mount -i -t tmpfs -o "rw${2:+,}$2" tmpfs "$target"
}
# If /var/run isn't mounted, we know the chroot hasn't been started yet.
if mountpoint -q "`fixabslinks '/var/run'`"; then
firstrun=''
else
firstrun='y'
fi
bindmount /dev
bindmount /dev/pts
bindmount /dev/shm
bindmount /tmp /tmp exec
bindmount /proc
tmpfsmount /var/run 'noexec,nosuid,mode=0755,size=10%'
tmpfsmount /var/run/lock 'noexec,nosuid,nodev,size=5120k'
bindmount /var/run/dbus /var/host/dbus
bindmount /var/run/shill /var/host/shill
bindmount /var/run/cras /var/host/cras
bindmount /var/lib/timezone /var/host/timezone
for m in /lib/modules/*; do
if [ -d "$m" ]; then
bindmount '-o ro' "$m"
fi
done
# Add a shm symlink to our new /var/run
ln -sfT /dev/shm "`fixabslinks '/var/run'`/shm"
# Add a /run/udev symlink for later versions of udev
ln -sfT /dev/.udev "`fixabslinks '/var/run'`/udev"
# Add a /var/host/cras symlink for CRAS clients
ln -sfT /var/host/cras "`fixabslinks '/var/run'`/cras"
# Bind-mount /media, specifically the removable directory
destmedia="`fixabslinks '/var/host/media'`"
if ! mountpoint -q "$destmedia"; then
mount --make-shared /media
mkdir -p "$destmedia" "$CHROOT/media"
ln -sf "/var/host/media/removable" "$CHROOT/media/"
mount --rbind /media "$destmedia"
fi
# Bind-mount ~/Downloads if we're logged in as a user
localdownloads='/home/chronos/user/Downloads'
if [ -z "$NOLOGIN" -a -n "$CHROOTHOME" -a -d "$localdownloads" ]; then
bindmount "$localdownloads" "$CHROOTHOME/Downloads" exec
fi
# Bind-mount /sys recursively, making it a slave in the chroot
if ! mountpoint -q "$CHROOT/sys"; then
mkdir -p "$CHROOT/sys"
mount --make-rshared /sys
mount --rbind /sys "$CHROOT/sys"
mount --make-rslave "$CHROOT/sys"
fi
# Get croutonversion variables
croutonversion="$CHROOT/usr/local/bin/croutonversion"
CHROOTRELEASE="unknown"
if [ -x "$croutonversion" ]; then
CHROOTRELEASE="`"$croutonversion" -r 2>/dev/null || echo "$CHROOTRELEASE"`"
fi
# For test machines with low entropy, bind mount /dev/urandom to /dev/random
if [ -n "$CROUTON_WEAK_RANDOM" ]; then
mount --bind "$CHROOT/dev/urandom" "$CHROOT/dev/random"
fi
# Fix group numbers for critical groups to match Chromium OS. This is necessary
# so that users have access to shared hardware, such as video and audio.
gfile="$CHROOT/etc/group"
if [ -f "$gfile" ]; then
for group in audio:hwaudio cras:audio cdrom disk floppy i2c input lp \
serial tape tty usb:plugdev uucp video; do
hostgroup="${group%:*}"
chrootgroup="${group#*:}"
gid="`awk -F: '$1=="'"$hostgroup"'"{print $3; exit}' '/etc/group'`"
if [ -z "$gid" ]; then
echo "Couldn't find $hostgroup group in Chromium OS!" 1>&2
continue
fi
curgid="`awk -F: '$1=="'"$chrootgroup"'"{print $3; exit}' "$gfile"`"
if [ "$gid" = "$curgid" ]; then
continue
elif [ -z "$curgid" ]; then
echo "Creating $chrootgroup group with GID $gid..." 1>&2
groupcmd=groupadd
else
echo "Changing $chrootgroup GID from $curgid to $gid..." 1>&2
groupcmd=groupmod
fi
move="`awk -F: '$3=='"$gid"'{print $1; exit}' "$gfile"`"
if [ -n "$move" ]; then
ngid="$gid"
while grep -q ":$ngid:" "$gfile"; do
ngid="$((ngid+1))"
done
echo "Moving $move GID from $gid to $ngid..." 1>&2
chrootcmd groupmod -g "$ngid" "$move"
fi
chrootcmd "$groupcmd" -g "$gid" "$chrootgroup"
done
fi
# To run silently, we override the env command to launch a background process,
# and move the trap code to happen there.
if [ -n "$BACKGROUND" ]; then
env() {
# Shuffle FDs around to preserve stdin
{ (
trap '' INT HUP
trap "$TRAP" 0
exec 0<&9 9<&-
[ -t 0 ] && exec < /dev/null
[ -t 1 ] && exec > /dev/null
[ -t 2 ] && exec 2>&1
/usr/bin/env "$@"
) & } 9<&0
}
fi
ret=0
# Launch the system dbus unless we are entering a basic shell.
if [ ! "$NOLOGIN" = 1 ] && grep -q '^root:' "$passwd" 2>/dev/null; then
# Try to detect the dbus user by parsing its configuration file
# If it fails, or if the user does not exist, `id -un '$dbususer'`
# will fail, and we fallback on a default user name ("messagebus")
dbususer="`echo "cat /busconfig/user/text()" \
| xmllint --shell "$CHROOT/etc/dbus-1/system.conf" 2>/dev/null \
| grep '^[a-z][-a-z0-9_]*$' || true`"
chrootcmd "
if ! hash dbus-daemon 2>/dev/null; then
exit 0
fi
dbususer='$dbususer'"'
pidfile="/var/run/dbus/pid"
if [ -f "$pidfile" ]; then
if grep -q "^dbus-daemon" "/proc/`cat "$pidfile"`/cmdline" \
2>/dev/null; then
exit 0
fi
rm -f "$pidfile"
fi
mkdir -p /var/run/dbus
dbususer="`id -un "$dbususer" 2>/dev/null || echo "messagebus"`"
dbusgrp="`id -gn "$dbususer" 2>/dev/null || echo "messagebus"`"
chown "$dbususer:$dbusgrp" /var/run/dbus
exec dbus-daemon --system --fork' || ret=$?
if [ ! "$ret" = 0 ]; then
echo "WARNING: starting chroot system dbus daemon failed with code $ret" 1>&2
ret=0
fi
# Launch systemd-logind if available and not already running
# Whitelisted for saucy and trusty
systemd_dir="`fixabslinks '/run/systemd'`"
if [ -x "$CHROOT/lib/systemd/systemd-logind" ] && \
[ ! -d "$systemd_dir" ] && \
[ "$CHROOTRELEASE" = 'saucy' -o "$CHROOTRELEASE" = 'trusty' ]; then
# Every piece of systemd code ever assumes that this directory exists
mkdir -p "$systemd_dir"
# Create systemd cgroup if necessary
if ! mountpoint -q "$CHROOT/sys/fs/cgroup/systemd"; then
mkdir -p "$CHROOT/sys/fs/cgroup/systemd"
mount -t cgroup -o nosuid,noexec,nodev,none,name=systemd systemd \
"$CHROOT/sys/fs/cgroup/systemd"
fi
# systemd-logind doesn't fork
chrootcmd "/lib/systemd/systemd-logind >/dev/null 2>&1 </dev/null &"
fi
fi
# Start the chroot and any specified command
if [ -n "$NOLOGIN" ]; then
env -i TERM="$TERM" chroot "$CHROOT" "$@" || ret=$?
# Handle the return value when running the setup script.
if [ "$NOLOGIN" = 2 ]; then
# If it succeeded yet still exists, run it again.
if [ "$ret" = 0 -a -f "$CHROOT$SETUPSCRIPT" ]; then
sh -e "$BINDIR/unmount-chroot" -yxc "$CHROOTS" -- "$NAME"
# We don't need to return from this.
exec sh -e "$BINDIR/enter-chroot" -c "$CHROOTS" -n "$NAME" -xx
elif [ ! "$ret" = 0 ]; then
error "$ret" 'Failed to complete chroot setup.'
fi
fi
else
# Run rc.local
if [ -n "$firstrun" -a -x "$CHROOT/etc/rc.local" ]; then
chrootcmd 'exec /etc/rc.local >/dev/null 2>/dev/null </dev/null' \
|| ret=$?
if [ ! "$ret" = 0 ]; then
echo "WARNING: /etc/rc.local failed with code $ret" 1>&2
ret=0
fi
fi
if [ $# = 0 -o -n "$LOGIN" ]; then
env -i TERM="$TERM" chroot "$CHROOT" "$@" su - "$USERNAME" || ret=$?
else
# Escape out the command
cmd="export SHELL='$CHROOTSHELL';"
for param in "$@"; do
cmd="$cmd'`echo -n "$param" | sed "s/'/'\\\\\\''/g"`' "
done
env -i TERM="$TERM" chroot "$CHROOT" \
su -s '/bin/sh' -c "$cmd" - "$USERNAME" \
|| ret=$?
fi
fi
# We don't want to trap for this proccess if we're running in the background
if [ -n "$BACKGROUND" ]; then
settrap ''
fi
# Cleanup all happens in the exit trap
exit $ret