diff options
Diffstat (limited to 'hosts/vidhar/borg/copy.py')
| -rwxr-xr-x | hosts/vidhar/borg/copy.py | 32 |
1 files changed, 7 insertions, 25 deletions
diff --git a/hosts/vidhar/borg/copy.py b/hosts/vidhar/borg/copy.py index 96426682..6adaa817 100755 --- a/hosts/vidhar/borg/copy.py +++ b/hosts/vidhar/borg/copy.py | |||
| @@ -21,7 +21,6 @@ from xdg import xdg_runtime_dir | |||
| 21 | import pathlib | 21 | import pathlib |
| 22 | 22 | ||
| 23 | import unshare | 23 | import unshare |
| 24 | import pyprctl | ||
| 25 | 24 | ||
| 26 | import signal | 25 | import signal |
| 27 | from time import sleep | 26 | from time import sleep |
| @@ -94,38 +93,21 @@ def copy_archive(src_repo_path, dst_repo_path, entry): | |||
| 94 | child = os.fork() | 93 | child = os.fork() |
| 95 | if child == 0: | 94 | if child == 0: |
| 96 | # print('unshare/chroot', file=stderr) | 95 | # print('unshare/chroot', file=stderr) |
| 97 | uid, gid = os.geteuid(), os.getegid() | 96 | unshare.unshare(unshare.CLONE_NEWNS) |
| 98 | unshare.unshare(unshare.CLONE_NEWNS | unshare.CLONE_NEWUSER) | ||
| 99 | ps_effective = set() # {pyprctl.Cap.SETUID, pyprctl.Cap.SETGID} | ||
| 100 | ps_ambient = {pyprctl.Cap.SYS_ADMIN} | ||
| 101 | pyprctl.cap_permitted.add(*(ps_effective | ps_ambient)) | ||
| 102 | pyprctl.cap_effective.add(*(ps_effective | ps_ambient)) | ||
| 103 | pyprctl.cap_inheritable.add(*ps_ambient) | ||
| 104 | pyprctl.cap_ambient.add(*ps_ambient) | ||
| 105 | with open('/proc/self/setgroups', 'w') as setgroups: | ||
| 106 | setgroups.write('deny') | ||
| 107 | with open('/proc/self/uid_map', 'w') as uid_map: | ||
| 108 | uid_map.write(f'0 {uid} 1') | ||
| 109 | with open('/proc/self/gid_map', 'w') as gid_map: | ||
| 110 | gid_map.write(f'0 {gid} 1') | ||
| 111 | subprocess.run(['mount', '--make-rprivate', '/'], check=True) | 97 | subprocess.run(['mount', '--make-rprivate', '/'], check=True) |
| 112 | chroot = pathlib.Path(tmpdir) / 'chroot' | 98 | chroot = pathlib.Path(tmpdir) / 'chroot' |
| 113 | chroot.mkdir() | 99 | upper = pathlib.Path(tmpdir) / 'upper' |
| 114 | # upper = pathlib.Path(tmpdir) / 'upper' | 100 | work = pathlib.Path(tmpdir) / 'work' |
| 115 | # work = pathlib.Path(tmpdir) / 'work' | 101 | for path in [chroot,upper,work]: |
| 116 | # for path in [chroot,upper,work]: | 102 | path.mkdir() |
| 117 | # path.mkdir() | 103 | subprocess.run(['mount', '-t', 'overlay', 'overlay', '-o', f'lowerdir=/,upperdir={upper},workdir={work}', chroot], check=True) |
| 118 | # print(f'euid={os.getuid()}', file=stderr) | 104 | bindMounts = ['nix', 'run', 'proc', 'dev', 'sys', pathlib.Path(os.path.expanduser('~')).relative_to('/')] |
| 119 | # subprocess.run(['stat', '/', upper, work, chroot], check=True) | ||
| 120 | # subprocess.run(['mount', '-t', 'overlay', 'overlay', '-o', f'lowerdir=/,upperdir={upper},workdir={work}', chroot], check=True) | ||
| 121 | bindMounts = ['etc', 'nix', 'run', 'proc', 'dev', 'sys', pathlib.Path(os.path.expanduser('~')).relative_to('/')] | ||
| 122 | if not ":" in src_repo_path: | 105 | if not ":" in src_repo_path: |
| 123 | bindMounts.append(pathlib.Path(src_repo_path).relative_to('/')) | 106 | bindMounts.append(pathlib.Path(src_repo_path).relative_to('/')) |
| 124 | if 'SSH_AUTH_SOCK' in os.environ: | 107 | if 'SSH_AUTH_SOCK' in os.environ: |
| 125 | bindMounts.append(pathlib.Path(os.environ['SSH_AUTH_SOCK']).parent.relative_to('/')) | 108 | bindMounts.append(pathlib.Path(os.environ['SSH_AUTH_SOCK']).parent.relative_to('/')) |
| 126 | for bindMount in bindMounts: | 109 | for bindMount in bindMounts: |
| 127 | (chroot / bindMount).mkdir(parents=True,exist_ok=True) | 110 | (chroot / bindMount).mkdir(parents=True,exist_ok=True) |
| 128 | print(*['mount', '--bind', pathlib.Path('/') / bindMount, chroot / bindMount], file=stderr) | ||
| 129 | subprocess.run(['mount', '--bind', pathlib.Path('/') / bindMount, chroot / bindMount], check=True) | 111 | subprocess.run(['mount', '--bind', pathlib.Path('/') / bindMount, chroot / bindMount], check=True) |
| 130 | os.chroot(chroot) | 112 | os.chroot(chroot) |
| 131 | os.chdir('/') | 113 | os.chdir('/') |