Message ID | 20200930020815.2474349-2-daniel.sangorrin@toshiba.co.jp (mailing list archive) |
---|---|
State | Not Applicable |
Series | [isar-cip-core] image: export dpkg status file for debsecan |
On 30.09.20 04:08, Daniel Sangorrin wrote: > Although the currently exported manifest probably has > enough information, the tool debsecan and our wrapper > cip-core-sec depend on the dpkg status format. > > Signed-off-by: Daniel Sangorrin <daniel.sangorrin@toshiba.co.jp> > --- > recipes-core/images/cip-core-image-security.bb | 8 ++++++++ > recipes-core/images/cip-core-image.bb | 8 ++++++++ > 2 files changed, 16 insertions(+) > > diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb > index 61ddc39..928774c 100644 > --- a/recipes-core/images/cip-core-image-security.bb > +++ b/recipes-core/images/cip-core-image-security.bb > @@ -34,3 +34,11 @@ IMAGE_PREINSTALL += " \ > uuid-runtime \ > sudo \ > " > + > +# for cip-core-sec/debsecan > +ROOTFS_POSTPROCESS_COMMAND += "export_dpkg_status" > +export_dpkg_status() { > + sudo -E chroot --userspec=$(id -u):$(id -g) '${ROOTFSDIR}' \ > + cat /var/lib/dpkg/status > \ > + ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".dpkg_status This is just a copy-out, I don't see the chroot need here. > +} > diff --git a/recipes-core/images/cip-core-image.bb b/recipes-core/images/cip-core-image.bb > index 2cecde3..0139819 100644 > --- a/recipes-core/images/cip-core-image.bb > +++ b/recipes-core/images/cip-core-image.bb 
> @@ -19,3 +19,11 @@ IMAGE_INSTALL += "customizations" > # for swupdate > SWU_DESCRIPTION ??= "swupdate" > include ${SWU_DESCRIPTION}.inc > + > +# for cip-core-sec/debsecan > +ROOTFS_POSTPROCESS_COMMAND += "export_dpkg_status" > +export_dpkg_status() { > + sudo -E chroot --userspec=$(id -u):$(id -g) '${ROOTFSDIR}' \ > + cat /var/lib/dpkg/status > \ > + ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".dpkg_status > +} > Please avoid code duplication. We have means like "require some.inc" in bitbake. I'm also wondering if this should go to isar upstream directly. debsecan is a generic Debian tool, nothing CIP-specific per se. Jan
OK, I will send it to ISAR then. > -----Original Message----- > From: Jan Kiszka <jan.kiszka@web.de> > Sent: Wednesday, September 30, 2020 4:12 PM > To: cip-dev@lists.cip-project.org; sangorrin daniel(サンゴリン ダニエル □SWC◯ACT) <daniel.sangorrin@toshiba.co.jp> > Subject: Re: [cip-dev] [isar-cip-core] image: export dpkg status file for debsecan > > On 30.09.20 04:08, Daniel Sangorrin wrote: > > Although the currently exported manifest probably has enough > > information, the tool debsecan and our wrapper cip-core-sec depend on > > the dpkg status format. > > > > Signed-off-by: Daniel Sangorrin <daniel.sangorrin@toshiba.co.jp> > > --- > > recipes-core/images/cip-core-image-security.bb | 8 ++++++++ > > recipes-core/images/cip-core-image.bb | 8 ++++++++ > > 2 files changed, 16 insertions(+) > > > > diff --git a/recipes-core/images/cip-core-image-security.bb > > b/recipes-core/images/cip-core-image-security.bb > > index 61ddc39..928774c 100644 > > --- a/recipes-core/images/cip-core-image-security.bb > > +++ b/recipes-core/images/cip-core-image-security.bb > > @@ -34,3 +34,11 @@ IMAGE_PREINSTALL += " \ > > uuid-runtime \ > > sudo \ > > " > > + > > +# for cip-core-sec/debsecan > > +ROOTFS_POSTPROCESS_COMMAND += "export_dpkg_status" > > +export_dpkg_status() { > > + sudo -E chroot --userspec=$(id -u):$(id -g) '${ROOTFSDIR}' \ > > + cat /var/lib/dpkg/status > \ > > + ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".dpkg_status > > This is just a copy-out, I don't see the chroot need here. > > > +} > > diff --git a/recipes-core/images/cip-core-image.bb > > b/recipes-core/images/cip-core-image.bb > > index 2cecde3..0139819 100644 > > --- a/recipes-core/images/cip-core-image.bb > > +++ b/recipes-core/images/cip-core-image.bb 
> > @@ -19,3 +19,11 @@ IMAGE_INSTALL += "customizations" > > # for swupdate > > SWU_DESCRIPTION ??= "swupdate" > > include ${SWU_DESCRIPTION}.inc > > + > > +# for cip-core-sec/debsecan > > +ROOTFS_POSTPROCESS_COMMAND += "export_dpkg_status" > > +export_dpkg_status() { > > + sudo -E chroot --userspec=$(id -u):$(id -g) '${ROOTFSDIR}' \ > > + cat /var/lib/dpkg/status > \ > > + ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".dpkg_status > > +} > > > > Please avoid code duplication. We have means like "require some.inc" in bitbake. > > I'm also wondering if this should go to isar upstream directly. debsecan is a generic Debian tool, nothing CIP-specific per se. > > Jan
Hi Jan, I forgot to reply to one comment. > > +# for cip-core-sec/debsecan > > +ROOTFS_POSTPROCESS_COMMAND += "export_dpkg_status" > > +export_dpkg_status() { > > + sudo -E chroot --userspec=$(id -u):$(id -g) '${ROOTFSDIR}' \ > > + cat /var/lib/dpkg/status > \ > > + ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".dpkg_status > > This is just a copy-out, I don't see the chroot need here. This was based on the generate_manifest function. For some reason, copying without chroot didn't work for me. I will give it another try. Thanks, Daniel
Hi Jan, Now it seems to work. I think it was some subtle issue with the use of quotes. Thanks, Daniel > -----Original Message----- > From: sangorrin daniel(サンゴリン ダニエル □SWC◯ACT) > Sent: Thursday, October 1, 2020 9:23 AM > To: 'Jan Kiszka' <jan.kiszka@web.de>; cip-dev@lists.cip-project.org > Subject: RE: [cip-dev] [isar-cip-core] image: export dpkg status file for debsecan > > Hi Jan, > > I forgot to reply to one comment. > > > > +# for cip-core-sec/debsecan > > > +ROOTFS_POSTPROCESS_COMMAND += "export_dpkg_status" > > > +export_dpkg_status() { > > > + sudo -E chroot --userspec=$(id -u):$(id -g) '${ROOTFSDIR}' \ > > > + cat /var/lib/dpkg/status > \ > > > + ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".dpkg_status > > > > This is just a copy-out, I don't see the chroot need here. > > This was based on the generate_manifest function. > For some reason, copying without chroot didn't work for me. I will give it another try. > > Thanks, > Daniel
diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb index 61ddc39..928774c 100644 --- a/recipes-core/images/cip-core-image-security.bb +++ b/recipes-core/images/cip-core-image-security.bb @@ -34,3 +34,11 @@ IMAGE_PREINSTALL += " \ uuid-runtime \ sudo \ " + +# for cip-core-sec/debsecan +ROOTFS_POSTPROCESS_COMMAND += "export_dpkg_status" +export_dpkg_status() { + sudo -E chroot --userspec=$(id -u):$(id -g) '${ROOTFSDIR}' \ + cat /var/lib/dpkg/status > \ + ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".dpkg_status +} diff --git a/recipes-core/images/cip-core-image.bb b/recipes-core/images/cip-core-image.bb index 2cecde3..0139819 100644 --- a/recipes-core/images/cip-core-image.bb +++ b/recipes-core/images/cip-core-image.bb @@ -19,3 +19,11 @@ IMAGE_INSTALL += "customizations" # for swupdate SWU_DESCRIPTION ??= "swupdate" include ${SWU_DESCRIPTION}.inc + +# for cip-core-sec/debsecan +ROOTFS_POSTPROCESS_COMMAND += "export_dpkg_status" +export_dpkg_status() { + sudo -E chroot --userspec=$(id -u):$(id -g) '${ROOTFSDIR}' \ + cat /var/lib/dpkg/status > \ + ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".dpkg_status +}
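Review bot: in export_dpkg_status() as added to cip-core-image-security.bb, the `>` redirection is done by the calling shell, not inside the chroot, so the deploy file is created or truncated before `cat` runs; if the chroot or `cat` fails, an empty `${PF}.dpkg_status` stays in ${ROOTFS_MANIFEST_DEPLOY_DIR}, and an empty status file lists no packages for a scanner to check. Since only a read of /var/lib/dpkg/status is needed, consider reading '${ROOTFSDIR}/var/lib/dpkg/status' directly instead of running `cat` from the target rootfs under `sudo -E chroot`, and remove the output file when the step fails. The destination is also only partly quoted (`${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".dpkg_status`); quote the whole path.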
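Review bot: the export_dpkg_status() block added to cip-core-image.bb is line-for-line the same as the one added to cip-core-image-security.bb, so any later fix to the function has to be made in two places. Move the function and the `ROOTFS_POSTPROCESS_COMMAND += "export_dpkg_status"` line into one shared .inc file and pull it in from both recipes. The comment `# for cip-core-sec/debsecan` could also name the output, `${PF}.dpkg_status` under ${ROOTFS_MANIFEST_DEPLOY_DIR}, so consumers of the file know where it lands.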
Although the currently exported manifest probably has enough information, the tool debsecan and our wrapper cip-core-sec depend on the dpkg status format. Signed-off-by: Daniel Sangorrin <daniel.sangorrin@toshiba.co.jp> --- recipes-core/images/cip-core-image-security.bb | 8 ++++++++ recipes-core/images/cip-core-image.bb | 8 ++++++++ 2 files changed, 16 insertions(+)