[Buildroot] [PATCH v2 10/14] package/systemd: invoke systemd-tmpfilesd on final image

Norbert Lange nolange79 at gmail.com
Mon Jun 15 14:58:53 UTC 2020


On Mon, 15 Jun 2020 at 16:32, Jérémy ROSEN <
jeremy.rosen at smile.fr> wrote:

> I wonder how that would work with lines that contain %b (boot id)
> and %m (machine-id)
> my educated guess would be that it would create files with the host's
> boot-id/machine-id. Thus leaking the host's information. This is not
> good, especially the machine-id of the host which is confidential
> information (not crypto-grade, but still shouldn't be leaked)
>

> if systemd-tmpfiles supports that correctly (maybe skipping all %b %m
> when --root is used) it's all fine. But I don't remember seeing that.
>
> does it ?
>

The default config files don't create files with machine-id, and %b is not
replaced at all AFAIR.
But I believe you are right that systemd-tmpfiles picks up the host
machine-id and would replace it.
Good catch, need to check.


>
> Cheers
> Jeremy
>
>
> On Mon, 15 Jun 2020 at 09:21, Norbert Lange <nolange79 at gmail.com>
> wrote:
>
>> Especially for read-only filesystems it is helpful to
>> pre-create all folders for non-volatile paths.
>>
>> This needs to run under fakeroot to allow setting
>> uids/gids/perms for the target fs.
>>
>> Signed-off-by: Norbert Lange <nolange79 at gmail.com>
>> ---
>>  package/systemd/systemd.mk | 8 +++++++-
>>  1 file changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
>> index e117e3a082..cb0278f3b7 100644
>> --- a/package/systemd/systemd.mk
>> +++ b/package/systemd/systemd.mk
>> @@ -599,6 +599,12 @@ SYSTEMD_TARGET_FINALIZE_HOOKS += PURGE_LOCALES
>>  endif
>>  SYSTEMD_TARGET_FINALIZE_HOOKS += SYSTEMD_UPDATE_CATALOGS
>>
>> +define SYSTEMD_CREATE_TMPFILES_HOOK
>> +       $(HOST_DIR)/bin/systemd-tmpfiles --root=$(TARGET_DIR) --create
>> --boot \
>> +               $(addprefix --exclude-prefix=/,dev mnt proc run sys tmp)
>> || :
>> +endef
>> +SYSTEMD_ROOTFS_PRE_CMD_HOOKS += SYSTEMD_CREATE_TMPFILES_HOOK
>> +
>>  SYSTEMD_CONF_ENV = $(HOST_UTF8_LOCALE_ENV)
>>  SYSTEMD_NINJA_ENV = $(HOST_UTF8_LOCALE_ENV)
>>
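Review bot: the trailing `|| :` on the systemd-tmpfiles call in SYSTEMD_CREATE_TMPFILES_HOOK turns every failure into success, so a broken tmpfiles.d line, a missing `$(HOST_DIR)/bin/systemd-tmpfiles` or a permission problem under fakeroot would silently leave the image without the pre-created paths; let the hook fail, or explain in the commit message why failures are tolerable. The thread above also asks how %m and %b specifiers behave with `--root=$(TARGET_DIR)`: since the tool runs on the host, the commit message should state whether those are resolved from the host, and the hook should skip or reject such lines rather than bake a host machine-id into the target image. Finally, `--boot` additionally executes lines marked with `!`, which are meant to run only at boot time; that choice deserves a sentence of justification.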
>> @@ -652,7 +658,7 @@ HOST_SYSTEMD_CONF_OPTS = \
>>         -Dvconsole=false \
>>         -Dquotacheck=false \
>>         -Dsysusers=false \
>> -       -Dtmpfiles=false \
>> +       -Dtmpfiles=true \
>>         -Dimportd=false \
>>         -Dhwdb=false \
>>         -Drfkill=false \
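Review bot: flipping `-Dtmpfiles=false` to `-Dtmpfiles=true` in HOST_SYSTEMD_CONF_OPTS builds systemd-tmpfiles for host-systemd, which the new hook depends on, but the commit message mentions only the hook; document the host build change there and confirm that host-systemd is pulled in as a dependency so the binary exists in `$(HOST_DIR)/bin` by the time SYSTEMD_ROOTFS_PRE_CMD_HOOKS run.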
>> --
>> 2.27.0
>>
>>
>
> --
> SMILE <http://www.smile.eu/>
>
> 20 rue des Jardins
> 92600 Asnières-sur-Seine
> *Jérémy ROSEN*
> Technical Architect
>
> email: jeremy.rosen at smile.fr
> phone: +33 6 88 25 87 42
> url: http://www.smile.eu
>
> Twitter <https://twitter.com/GroupeSmile> Facebook
> <https://www.facebook.com/smileopensource> LinkedIn
> <https://www.linkedin.com/company/smile> Github
> <https://github.com/Smile-SA>
>
> Discover the Smile universe, visit smile.eu
> <https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature>
>
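The concern raised in this thread, that running systemd-tmpfiles with --root on the build host may expand %m (machine-id) and %b (boot-id) from the host rather than the target, can be caught before the hook runs. The following is an added example, not part of the patch or of Buildroot: a POSIX sh pre-flight check that scans the target root's tmpfiles.d directories for host-derived specifiers (%m, %b, %H hostname, %v kernel release) and reports each offending line, honouring the %% escape. The function names `find_host_specifiers` and `make_sample_root` and the tmpfiles.d entries it creates are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the patch or from Buildroot): before running
# systemd-tmpfiles --root=<target> on the host, scan the target's tmpfiles.d
# configuration for specifiers that expand from the *host's* identity
# (%m machine-id, %b boot-id, %H hostname, %v kernel release) and report them,
# so the build can stop instead of baking host values into the image.
# The tmpfiles.d content below is constructed for this demo.
set -eu

# Print "file:line: text" for every tmpfiles.d line under target root $1 that
# uses %m, %b, %H or %v (an escaped %% does not count). Returns 1 if any hit.
find_host_specifiers() {
    target="$1"
    hits=0
    for dir in "$target/usr/lib/tmpfiles.d" "$target/etc/tmpfiles.d" "$target/run/tmpfiles.d"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            n=0
            while IFS= read -r line || [ -n "$line" ]; do
                n=$((n + 1))
                case "$line" in
                    ''|'#'*) continue ;;   # blank lines and comments
                esac
                # a specifier is a % that is not itself escaped by a preceding %
                if printf '%s\n' "$line" | grep -Eq '(^|[^%])(%%)*%[mbHv]'; then
                    printf '%s:%d: %s\n' "$f" "$n" "$line"
                    hits=$((hits + 1))
                fi
            done < "$f"
        done
    done
    [ "$hits" -eq 0 ]
}

# Build a throw-away target root (constructed sample) with one clean file and
# one file whose %m would be resolved from the host; prints the root path.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/usr/lib/tmpfiles.d" "$r/etc/tmpfiles.d"
    cat > "$r/usr/lib/tmpfiles.d/app.conf" <<'EOF'
# constructed sample: static paths, safe to pre-create
d /var/lib/app 0750 app app -
d /var/log/app 0755 root root -
EOF
    cat > "$r/etc/tmpfiles.d/journal.conf" <<'EOF'
# constructed sample: %m is the machine-id, %%m is a literal "%m"
d /var/log/journal/%m 2755 root root -
f /var/lib/app/literal-%%m 0644 root root -
EOF
    printf '%s\n' "$r"
}

sample=$(make_sample_root)
if find_host_specifiers "$sample"; then
    echo "OK: no host-derived specifiers, safe to run systemd-tmpfiles --root=$sample"
else
    echo "FAIL: refusing to run systemd-tmpfiles --root=$sample" >&2
fi
rm -rf "$sample"
```

Run it against a real target root by calling `find_host_specifiers "$TARGET_DIR"` from a hook that precedes the tmpfiles step; a non-zero return aborts the build with the offending `file:line` printed, which is the failure mode you want instead of a silently wrong image.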