diff options
Diffstat (limited to 'hosts/vidhar/borg/copy.py')
| -rwxr-xr-x | hosts/vidhar/borg/copy.py | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/hosts/vidhar/borg/copy.py b/hosts/vidhar/borg/copy.py index 4bfae1cb..9dac86ae 100755 --- a/hosts/vidhar/borg/copy.py +++ b/hosts/vidhar/borg/copy.py | |||
| @@ -21,6 +21,7 @@ from xdg import xdg_runtime_dir | |||
| 21 | import pathlib | 21 | import pathlib |
| 22 | 22 | ||
| 23 | import unshare | 23 | import unshare |
| 24 | import pyprctl | ||
| 24 | 25 | ||
| 25 | import signal | 26 | import signal |
| 26 | from time import sleep | 27 | from time import sleep |
| @@ -93,15 +94,19 @@ def copy_archive(src_repo_path, dst_repo_path, entry): | |||
| 93 | child = os.fork() | 94 | child = os.fork() |
| 94 | if child == 0: | 95 | if child == 0: |
| 95 | # print('unshare/chroot', file=stderr) | 96 | # print('unshare/chroot', file=stderr) |
| 96 | uid_map_content = f'0 {os.getuid()} 1\n0 0 1' | 97 | uid, gid = os.getuid(), os.getgid() |
| 97 | gid_map_content = f'0 {os.getgid()} 1\n0 0 1' | ||
| 98 | unshare.unshare(unshare.CLONE_NEWNS | unshare.CLONE_NEWUSER) | 98 | unshare.unshare(unshare.CLONE_NEWNS | unshare.CLONE_NEWUSER) |
| 99 | with open('/proc/self/setgroups', 'w') as setgroups: | 99 | with open('/proc/self/setgroups', 'w') as setgroups: |
| 100 | setgroups.write('deny') | 100 | setgroups.write('deny') |
| 101 | with open('/proc/self/uid_map', 'w') as uid_map: | 101 | with open('/proc/self/uid_map', 'w') as uid_map: |
| 102 | uid_map.write(uid_map_content) | 102 | uid_map.write(f'0 {uid} 1') |
| 103 | with open('/proc/self/gid_map', 'w') as gid_map: | 103 | with open('/proc/self/gid_map', 'w') as gid_map: |
| 104 | gid_map.write(gid_map_content) | 104 | gid_map.write(f'0 {gid} 1') |
| 105 | pyprctl.cap_ambient_raise(pyprctl.Cap.SYS_ADMIN) | ||
| 106 | with open('/proc/self/uid_map', 'w') as uid_map: | ||
| 107 | uid_map.write(f'{uid} {uid} 1') | ||
| 108 | with open('/proc/self/gid_map', 'w') as gid_map: | ||
| 109 | gid_map.write(f'{gid} {gid} 1') | ||
| 105 | subprocess.run(['mount', '--make-rprivate', '/'], check=True) | 110 | subprocess.run(['mount', '--make-rprivate', '/'], check=True) |
| 106 | chroot = pathlib.Path(tmpdir) / 'chroot' | 111 | chroot = pathlib.Path(tmpdir) / 'chroot' |
| 107 | upper = pathlib.Path(tmpdir) / 'upper' | 112 | upper = pathlib.Path(tmpdir) / 'upper' |