diff mbox series

[isar-cip-core] image: export dpkg status file for debsecan

Message ID 20200930020815.2474349-2-daniel.sangorrin@toshiba.co.jp (mailing list archive)
State Not Applicable

Commit Message

Daniel Sangorrin Sept. 30, 2020, 2:08 a.m. UTC
Although the currently exported manifest probably has
enough information, the tool debsecan and our wrapper
cip-core-sec depend on the dpkg status format.

Signed-off-by: Daniel Sangorrin <daniel.sangorrin@toshiba.co.jp>
---
 recipes-core/images/cip-core-image-security.bb | 8 ++++++++
 recipes-core/images/cip-core-image.bb          | 8 ++++++++
 2 files changed, 16 insertions(+)

Comments

Jan Kiszka Sept. 30, 2020, 7:11 a.m. UTC | #1
On 30.09.20 04:08, Daniel Sangorrin wrote:
> Although the currently exported manifest probably has
> enough information, the tool debsecan and our wrapper
> cip-core-sec depend on the dpkg status format.
>
> Signed-off-by: Daniel Sangorrin <daniel.sangorrin@toshiba.co.jp>
> ---
>  recipes-core/images/cip-core-image-security.bb | 8 ++++++++
>  recipes-core/images/cip-core-image.bb          | 8 ++++++++
>  2 files changed, 16 insertions(+)
>
> diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
> index 61ddc39..928774c 100644
> --- a/recipes-core/images/cip-core-image-security.bb
> +++ b/recipes-core/images/cip-core-image-security.bb
> @@ -34,3 +34,11 @@ IMAGE_PREINSTALL += " \
>  	uuid-runtime \
>  	sudo \
>  "
> +
> +# for cip-core-sec/debsecan
> +ROOTFS_POSTPROCESS_COMMAND += "export_dpkg_status"
> +export_dpkg_status() {
> +    sudo -E chroot --userspec=$(id -u):$(id -g) '${ROOTFSDIR}' \
> +        cat /var/lib/dpkg/status > \
> +        ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".dpkg_status

This is just a copy-out, I don't see the chroot need here.

> +}
> diff --git a/recipes-core/images/cip-core-image.bb b/recipes-core/images/cip-core-image.bb
> index 2cecde3..0139819 100644
> --- a/recipes-core/images/cip-core-image.bb
> +++ b/recipes-core/images/cip-core-image.bb
> @@ -19,3 +19,11 @@ IMAGE_INSTALL += "customizations"
>  # for swupdate
>  SWU_DESCRIPTION ??= "swupdate"
>  include ${SWU_DESCRIPTION}.inc
> +
> +# for cip-core-sec/debsecan
> +ROOTFS_POSTPROCESS_COMMAND += "export_dpkg_status"
> +export_dpkg_status() {
> +    sudo -E chroot --userspec=$(id -u):$(id -g) '${ROOTFSDIR}' \
> +        cat /var/lib/dpkg/status > \
> +        ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".dpkg_status
> +}
>

Please avoid code duplication. We have means like "require some.inc" in
bitbake.

I'm also wondering if this should go to isar upstream directly. debsecan
is a generic Debian tool, nothing CIP-specific per se.

Jan
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#5496): https://lists.cip-project.org/g/cip-dev/message/5496
Mute This Topic: https://lists.cip-project.org/mt/77210404/4520428
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129116/1171672734/xyzzy [patchwork-cip-dev@patchwork.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-
Daniel Sangorrin Oct. 1, 2020, 12:20 a.m. UTC | #2
OK, I will send it to ISAR then.

Daniel Sangorrin Oct. 1, 2020, 12:23 a.m. UTC | #3
Hi Jan,

I forgot to reply to one comment.

> > +# for cip-core-sec/debsecan
> > +ROOTFS_POSTPROCESS_COMMAND += "export_dpkg_status"
> > +export_dpkg_status() {
> > +    sudo -E chroot --userspec=$(id -u):$(id -g) '${ROOTFSDIR}' \
> > +        cat /var/lib/dpkg/status > \
> > +        ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".dpkg_status
> 
> This is just a copy-out, I don't see the chroot need here.

This was based on the generate_manifest function.
For some reason, copying without chroot didn't work for me. I will give it another try.

Thanks,
Daniel
Daniel Sangorrin Oct. 1, 2020, 3:03 a.m. UTC | #4
Hi Jan,

Now it seems to work. I think it was some subtle issue with the use of quotes.

Thanks,
Daniel


Patch

diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
index 61ddc39..928774c 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -34,3 +34,11 @@  IMAGE_PREINSTALL += " \
 	uuid-runtime \
 	sudo \
 "
+
+# for cip-core-sec/debsecan
+ROOTFS_POSTPROCESS_COMMAND += "export_dpkg_status"
+export_dpkg_status() {
+    sudo -E chroot --userspec=$(id -u):$(id -g) '${ROOTFSDIR}' \
+        cat /var/lib/dpkg/status > \
+        ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".dpkg_status
+}
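Review bot: The `sudo -E chroot --userspec=$(id -u):$(id -g)` wrapper in export_dpkg_status raises privileges and passes the whole build environment through only to run `cat` as the build user again, while the `>` redirection is already performed by the calling shell outside the chroot. A plain copy of '${ROOTFSDIR}/var/lib/dpkg/status' into the deploy directory would give the same result without sudo, assuming the status file is readable by the build user. The destination also quotes only `"${PF}"` and leaves `${ROOTFS_MANIFEST_DEPLOY_DIR}` unquoted, so the whole target path should sit inside one pair of double quotes.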
diff --git a/recipes-core/images/cip-core-image.bb b/recipes-core/images/cip-core-image.bb
index 2cecde3..0139819 100644
--- a/recipes-core/images/cip-core-image.bb
+++ b/recipes-core/images/cip-core-image.bb
@@ -19,3 +19,11 @@  IMAGE_INSTALL += "customizations"
 # for swupdate
 SWU_DESCRIPTION ??= "swupdate"
 include ${SWU_DESCRIPTION}.inc
+
+# for cip-core-sec/debsecan
+ROOTFS_POSTPROCESS_COMMAND += "export_dpkg_status"
+export_dpkg_status() {
+    sudo -E chroot --userspec=$(id -u):$(id -g) '${ROOTFSDIR}' \
+        cat /var/lib/dpkg/status > \
+        ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".dpkg_status
+}
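Review bot: The export_dpkg_status block added to cip-core-image.bb is line-for-line identical to the one added to cip-core-image-security.bb, so any later fix to the command has to be made in two places. Move the function and the `ROOTFS_POSTPROCESS_COMMAND += "export_dpkg_status"` line into one shared .inc file that both recipes `require`. The `# for cip-core-sec/debsecan` comment could also say which file is written (`${PF}.dpkg_status` under ROOTFS_MANIFEST_DEPLOY_DIR), since that is what the consuming tool has to locate.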