diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 0000000..f43c10f --- /dev/null +++ b/.github/workflows/main.yml @@ -0,0 +1,12 @@ +name: Github-Actions + +on: [push, pull_request] + +jobs: + ci-test: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v1 + - name: make ci-test + run: make rootfs ci-test diff --git a/.gitignore b/.gitignore index a583ac7..e573ef4 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ *.orig /.idea /archlinux.tar +rootfs/etc/pacman.conf diff --git a/Dockerfile b/Dockerfile index 65f92c1..02fbabc 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,9 +2,12 @@ FROM scratch ADD archlinux.tar.xz / # manually run all alpm hooks that can't be run inside the fakechroot -RUN ldconfig && update-ca-trust && locale-gen +RUN ldconfig && update-ca-trust && locale-gen RUN sh -c 'ls usr/lib/sysusers.d/*.conf | /usr/share/libalpm/scripts/systemd-hook sysusers ' +# update /etc/os-release +RUN ln -s /usr/lib/os-release /etc/os-release + # initialize the archlinux keyring, but discard any private key that may be shipped. RUN pacman-key --init && pacman-key --populate archlinux && rm -rf etc/pacman.d/gnupg/{openpgp-revocs.d/,private-keys-v1.d/,pubring.gpg~,gnupg.S.}* diff --git a/Makefile b/Makefile index 5b62979..6bbf628 100644 --- a/Makefile +++ b/Makefile 
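Review bot: `uses: actions/checkout@v1` pins the checkout action to a mutable major tag, so whatever that tag points to on the day of the run is what executes with access to the repository; pinning to a full commit SHA with the tag in a trailing comment, `uses: actions/checkout@<full-commit-sha> # v1`, makes the CI supply chain reproducible and reviewable. The `run: make rootfs ci-test` step also depends on `pacman`, `fakechroot`, `fakeroot` and `/usr/share/devtools/pacman-extra.conf` being present on the runner, and nothing in this workflow installs them; if `ubuntu-latest` does not provide them the job will fail at the first `cp` in the `rootfs` recipe. The `ci-test` target itself is defined outside this diff, so whether it builds the image or only runs checks cannot be told from here.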
@@ -10,16 +10,27 @@ hooks: rootfs: hooks mkdir -vp $(BUILDDIR)/var/lib/pacman/ + cp /usr/share/devtools/pacman-extra.conf rootfs/etc/pacman.conf + cat pacman-conf.d-noextract.conf >> rootfs/etc/pacman.conf fakechroot -- fakeroot -- pacman -Sy -r $(BUILDDIR) \ --noconfirm --dbpath $(PWD)/$(BUILDDIR)/var/lib/pacman \ - --config pacman.conf \ + --config rootfs/etc/pacman.conf \ --noscriptlet \ --hookdir $(PWD)/alpm-hooks/usr/share/libalpm/hooks/ $(shell cat packages) cp --recursive --preserve=timestamps --backup --suffix=.pacnew rootfs/* $(BUILDDIR)/ - tar --numeric-owner --xattrs --acls --exclude-from=exclude -C $(BUILDDIR) -c . -f archlinux.tar + + # remove passwordless login for root (see CVE-2019-5021 for reference) + sed -i -e 's/^root::/root:!:/' "$(BUILDDIR)/etc/shadow" + + # fakeroot to map the gid/uid of the builder process to root + # fixes #22 + fakeroot -- tar --numeric-owner --xattrs --acls --exclude-from=exclude -C $(BUILDDIR) -c . -f archlinux.tar rm -rf $(BUILDDIR) alpm-hooks -compress-rootfs: rootfs +archlinux.tar: rootfs + +compress-rootfs: archlinux.tar + xz -f archlinux.tar xz -9e -T0 -f archlinux.tar docker-image: compress-rootfs 
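Review bot: The new `sed -i -e 's/^root::/root:!:/' "$(BUILDDIR)/etc/shadow"` line locks the root account only if the entry is literally `root::`; if the shadow line ever has a different shape the substitution silently matches nothing and the tarball still ships a passwordless root, which is exactly the condition the comment cites. Adding a verification line right after it, `grep -q '^root:!:' "$(BUILDDIR)/etc/shadow"`, turns that into a build failure instead of a silent regression. As rendered here, the rewritten `compress-rootfs` target also runs `xz -f archlinux.tar` and then `xz -9e -T0 -f archlinux.tar` on the same file, and the second call would not find `archlinux.tar` once the first has replaced it with `archlinux.tar.xz`; if that second line was meant to be removed, its `-` marker appears to have been lost in rendering. Note too that `archlinux.tar: rootfs` has no recipe of its own, so the tarball's freshness depends entirely on `rootfs` being declared phony, which is outside this hunk.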
@@ -28,8 +39,7 @@ docker-image: compress-rootfs docker-image-test: docker-image # FIXME: /etc/mtab is hidden by docker so the stricter -Qkk fails docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/pacman -Sy && /usr/bin/pacman -Qqk" - docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/pacman -Syu --noconfirm docker && docker -v" - # Ensure that the image does not include a private key + docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/pacman -Syu --noconfirm docker && docker -v" # Ensure that the image does not include a private key ! docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) pacman-key --lsign-key pierre@archlinux.de docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/id -u http" docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/pacman -Syu --noconfirm grep && locale | grep -q UTF-8" diff --git a/packages b/packages index 39dffd0..2c07590 100644 --- a/packages +++ b/packages @@ -2,3 +2,9 @@ sed gzip pacman systemd +gawk +file +grep +tar +procps-ng +licenses diff --git a/pacman-conf.d-noextract.conf b/pacman-conf.d-noextract.conf new file mode 100644 index 0000000..76b762b --- /dev/null +++ b/pacman-conf.d-noextract.conf @@ -0,0 +1,9 @@ +[options] +NoExtract = usr/share/help/* !usr/share/help/en* +NoExtract = usr/share/gtk-doc/html/* usr/share/doc/* +NoExtract = usr/share/locale/* usr/share/X11/locale/* usr/share/i18n/* +NoExtract = !*locale*/en*/* !usr/share/i18n/charmaps/UTF-8.gz !usr/share/*locale*/locale.* +NoExtract = !usr/share/*locales/en_?? !usr/share/*locales/i18n* !usr/share/*locales/iso* +NoExtract = !usr/share/*locales/trans* +NoExtract = usr/share/man/* usr/share/info/* +NoExtract = usr/share/vim/vim*/lang/*
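Review bot: As rendered, the added line merges `# Ensure that the image does not include a private key` onto the end of the `docker -v` recipe line, so the comment no longer sits above the `! docker run … pacman-key --lsign-key` check it describes. Inside a recipe a `#` is passed to the shell as a trailing comment, so the command still works, but the documentation is now attached to the wrong command. Keep the comment as its own tab-indented recipe line, `# Ensure that the image does not include a private key`, directly before the `!` check; if the merge is only a rendering artifact of this page, disregard.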
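Review bot: The new `pacman-conf.d-noextract.conf` has no header explaining its role, and the `!` negations are the easy thing to break: the Makefile appends this file to `rootfs/etc/pacman.conf` after the devtools `pacman-extra.conf`, and the `!*locale*/en*/*`, `!usr/share/i18n/charmaps/UTF-8.gz` and `!usr/share/*locales/…` patterns are what keep the English locale data and UTF-8 charmap that the Dockerfile's `locale-gen` and the `locale | grep -q UTF-8` test rely on. A leading comment such as `# Appended to rootfs/etc/pacman.conf by the rootfs target; drops docs, man, info and locales but re-includes (!) the en locales, i18n tables and UTF-8 charmap needed by locale-gen` would stop a later edit from pruning a `!` line. pacman.conf accepts `#` comments, so the header costs nothing.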