| Message ID | tencent_EE69D05C78693B4A0913E07D06A7CF6A2609@qq.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | [isar-cip-core] refactor(squashfs): prompt for dropping acl | expand |
On Fri, 2024-09-06 at 11:22 +0800, developerdong@qq.com wrote: > From: Zhibin Dong <zhibin.dong@siemens.com> > > Because squashfs does not support ACL, a prompt is needed when the > squashed path contains ACL. Hi! I would rather say "issue a warning in case a squashed path contains an ACL". > > Signed-off-by: Zhibin Dong <zhibin.dong@siemens.com> > --- > classes/squashfs.bbclass | 22 ++++++++++++++++++++-- > 1 file changed, 20 insertions(+), 2 deletions(-) > > diff --git a/classes/squashfs.bbclass b/classes/squashfs.bbclass > index b39be0c..fc4c5d7 100644 > --- a/classes/squashfs.bbclass > +++ b/classes/squashfs.bbclass > @@ -1,10 +1,11 @@ > # > # CIP Core, generic profile > # > -# Copyright (c) Siemens AG, 2021-2023 > +# Copyright (c) Siemens AG, 2021-2024 > # > # Authors: > # Quirin Gylstorff <quirin.gylstorff@siemens.com> > +# Zhibin Dong <zhibin.dong@siemens.com> > # > # SPDX-License-Identifier: MIT > # > @@ -20,7 +21,7 @@ def get_free_mem(): > pass > return 4*1024*1024*1024 # 4G > > -IMAGER_INSTALL:squashfs += "squashfs-tools" > +IMAGER_INSTALL:squashfs += "squashfs-tools acl" > > SQUASHFS_EXCLUDE_DIRS ?= "" > SQUASHFS_CONTENT ?= "${PP_ROOTFS}" > @@ -45,6 +46,23 @@ python __anonymous() { > IMAGE_CMD:squashfs[depends] = "${PN}:do_transform_template" > IMAGE_CMD:squashfs[vardepsexclude] += "SQUASHFS_CREATION_LIMITS" > IMAGE_CMD:squashfs() { > + acl_paths=$(${SUDO_CHROOT} /usr/bin/getfacl -R -s -p > '${SQUASHFS_CONTENT}' | grep '^# file:' | awk '{print $3}' | sed > 's|${SQUASHFS_CONTENT}/||') This check looks really costly, as it operates on each and every file in the rootfs. I'm wondering if we can get the same information from mksquashfs itself. Also, if POSIX ACLs are supported depends on the squashfs version. There is some upstream work [1] going on to add ACL support, but I don't know what already has been integrated. [1]https://lore.kernel.org/all/cover.1548406694.git.geliangtang@gmail.com/ Felix > + include_acl_paths="" > + for path in ${acl_paths}; do > + exclude=false > + for dir in ${SQUASHFS_EXCLUDE_DIRS}; do > + if [ "${path#${dir}/}" != "${path}" ]; then > + exclude=true > + break > + fi > + done > + if [ "${exclude}" = false ]; then > + include_acl_paths="${include_acl_paths} ${path}" > + fi > + done > + if [ -n "${include_acl_paths}" ]; then > + bbwarn "The ACL of following paths under ${SQUASHFS_CONTENT} > will be ignored by mksquashfs: ${include_acl_paths}" > + fi > ${SUDO_CHROOT} /bin/mksquashfs \ > '${SQUASHFS_CONTENT}' '${IMAGE_FILE_CHROOT}' \ > -noappend ${SQUASHFS_CREATION_LIMITS} > ${SQUASHFS_CREATION_ARGS}
On 06.09.24 11:13, MOESSBAUER, Felix wrote: > On Fri, 2024-09-06 at 11:22 +0800, developerdong@qq.com wrote: >> From: Zhibin Dong <zhibin.dong@siemens.com> >> >> Because squashfs does not support ACL, a prompt is needed when the >> squashed path contains ACL. > > Hi! > > I would rather say "issue a warning in case a squashed path contains an > ACL". > >> >> Signed-off-by: Zhibin Dong <zhibin.dong@siemens.com> >> --- >> classes/squashfs.bbclass | 22 ++++++++++++++++++++-- >> 1 file changed, 20 insertions(+), 2 deletions(-) >> >> diff --git a/classes/squashfs.bbclass b/classes/squashfs.bbclass >> index b39be0c..fc4c5d7 100644 >> --- a/classes/squashfs.bbclass >> +++ b/classes/squashfs.bbclass >> @@ -1,10 +1,11 @@ >> # >> # CIP Core, generic profile >> # >> -# Copyright (c) Siemens AG, 2021-2023 >> +# Copyright (c) Siemens AG, 2021-2024 >> # >> # Authors: >> # Quirin Gylstorff <quirin.gylstorff@siemens.com> >> +# Zhibin Dong <zhibin.dong@siemens.com> >> # >> # SPDX-License-Identifier: MIT >> # >> @@ -20,7 +21,7 @@ def get_free_mem(): >> pass >> return 4*1024*1024*1024 # 4G >> >> -IMAGER_INSTALL:squashfs += "squashfs-tools" >> +IMAGER_INSTALL:squashfs += "squashfs-tools acl" >> >> SQUASHFS_EXCLUDE_DIRS ?= "" >> SQUASHFS_CONTENT ?= "${PP_ROOTFS}" >> @@ -45,6 +46,23 @@ python __anonymous() { >> IMAGE_CMD:squashfs[depends] = "${PN}:do_transform_template" >> IMAGE_CMD:squashfs[vardepsexclude] += "SQUASHFS_CREATION_LIMITS" >> IMAGE_CMD:squashfs() { >> + acl_paths=$(${SUDO_CHROOT} /usr/bin/getfacl -R -s -p >> '${SQUASHFS_CONTENT}' | grep '^# file:' | awk '{print $3}' | sed >> 's|${SQUASHFS_CONTENT}/||') > > This check looks really costly, as it operates on each and every file > in the rootfs. > > I'm wondering if we can get the same information from mksquashfs > itself. Also, if POSIX ACLs are supported depends on the squashfs > version. There is some upstream work [1] going on to add ACL support, > but I don't know what already has been integrated. > > [1]https://lore.kernel.org/all/cover.1548406694.git.geliangtang@gmail.com/ > Another reason to add support for EROFS [1] as well. Patches welcome! Jan [1] https://docs.kernel.org/filesystems/erofs.html
> -----Original Message----- > From: Moessbauer, Felix (T CED OES-DE) <felix.moessbauer@siemens.com> > Sent: Friday, September 6, 2024 5:14 PM > To: cip-dev@lists.cip-project.org; developerdong@qq.com > Cc: Dong, Zhi Bin (DI FA CTR SVC&AI CN) <ZhiBin.Dong@siemens.com> > Subject: Re: [isar-cip-core][PATCH] refactor(squashfs): prompt for dropping acl > > On Fri, 2024-09-06 at 11:22 +0800, developerdong@qq.com wrote: > > From: Zhibin Dong <zhibin.dong@siemens.com> > > > > Because squashfs does not support ACL, a prompt is needed when the > > squashed path contains ACL. > > Hi! > > I would rather say "issue a warning in case a squashed path contains an ACL". > > > > > Signed-off-by: Zhibin Dong <zhibin.dong@siemens.com> > > --- > > classes/squashfs.bbclass | 22 ++++++++++++++++++++-- > > 1 file changed, 20 insertions(+), 2 deletions(-) > > > > diff --git a/classes/squashfs.bbclass b/classes/squashfs.bbclass index > > b39be0c..fc4c5d7 100644 > > --- a/classes/squashfs.bbclass > > +++ b/classes/squashfs.bbclass > > @@ -1,10 +1,11 @@ > > # > > # CIP Core, generic profile > > # > > -# Copyright (c) Siemens AG, 2021-2023 > > +# Copyright (c) Siemens AG, 2021-2024 > > # > > # Authors: > > # Quirin Gylstorff <quirin.gylstorff@siemens.com> > > +# Zhibin Dong <zhibin.dong@siemens.com> > > # > > # SPDX-License-Identifier: MIT > > # > > @@ -20,7 +21,7 @@ def get_free_mem(): > > pass > > return 4*1024*1024*1024 # 4G > > > > -IMAGER_INSTALL:squashfs += "squashfs-tools" > > +IMAGER_INSTALL:squashfs += "squashfs-tools acl" > > > > SQUASHFS_EXCLUDE_DIRS ?= "" > > SQUASHFS_CONTENT ?= "${PP_ROOTFS}" > > @@ -45,6 +46,23 @@ python __anonymous() { > > IMAGE_CMD:squashfs[depends] = "${PN}:do_transform_template" > > IMAGE_CMD:squashfs[vardepsexclude] += "SQUASHFS_CREATION_LIMITS" > > IMAGE_CMD:squashfs() { > > + acl_paths=$(${SUDO_CHROOT} /usr/bin/getfacl -R -s -p > > '${SQUASHFS_CONTENT}' | grep '^# file:' | awk '{print $3}' | sed > > 's|${SQUASHFS_CONTENT}/||') > > This check looks really costly, as it operates on each and every file in the rootfs. Yes, but compared to mksquashfs, the cost may be acceptable. > > I'm wondering if we can get the same information from mksquashfs itself. Also, if > POSIX ACLs are supported depends on the squashfs version. There is some > upstream work [1] going on to add ACL support, but I don't know what already has > been integrated. mksquashfs obviously is a better place to do the check, but I didn't find any way to do this in mksquashfs. From the latest kernel doc, squashfs still does not support ACL: https://www.kernel.org/doc/html/latest/filesystems/squashfs.html > > [1]https://lore.kerne/ > l.org%2Fall%2Fcover.1548406694.git.geliangtang%40gmail.com%2F&data=05%7C > 02%7CZhiBin.Dong%40siemens.com%7C1ebf539a652047cd0be308dcce542e52% > 7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C638612108143304541%7 > CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6I > k1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=oApst5i%2BMPDINwgkhM > %2B5mHF69%2B0yZPlO0oqRXRmjVbU%3D&reserved=0 > > Felix > > > + include_acl_paths="" > > + for path in ${acl_paths}; do > > + exclude=false > > + for dir in ${SQUASHFS_EXCLUDE_DIRS}; do > > + if [ "${path#${dir}/}" != "${path}" ]; then > > + exclude=true > > + break > > + fi > > + done > > + if [ "${exclude}" = false ]; then > > + include_acl_paths="${include_acl_paths} ${path}" > > + fi > > + done > > + if [ -n "${include_acl_paths}" ]; then > > + bbwarn "The ACL of following paths under ${SQUASHFS_CONTENT} > > will be ignored by mksquashfs: ${include_acl_paths}" > > + fi > > ${SUDO_CHROOT} /bin/mksquashfs \ > > '${SQUASHFS_CONTENT}' '${IMAGE_FILE_CHROOT}' \ > > -noappend ${SQUASHFS_CREATION_LIMITS} > > ${SQUASHFS_CREATION_ARGS} > > -- > Siemens AG, Technology > Linux Expert Center >
diff --git a/classes/squashfs.bbclass b/classes/squashfs.bbclass index b39be0c..fc4c5d7 100644 --- a/classes/squashfs.bbclass +++ b/classes/squashfs.bbclass @@ -1,10 +1,11 @@ # # CIP Core, generic profile # -# Copyright (c) Siemens AG, 2021-2023 +# Copyright (c) Siemens AG, 2021-2024 # # Authors: # Quirin Gylstorff <quirin.gylstorff@siemens.com> +# Zhibin Dong <zhibin.dong@siemens.com> # # SPDX-License-Identifier: MIT # @@ -20,7 +21,7 @@ def get_free_mem(): pass return 4*1024*1024*1024 # 4G -IMAGER_INSTALL:squashfs += "squashfs-tools" +IMAGER_INSTALL:squashfs += "squashfs-tools acl" SQUASHFS_EXCLUDE_DIRS ?= "" SQUASHFS_CONTENT ?= "${PP_ROOTFS}" @@ -45,6 +46,23 @@ python __anonymous() { IMAGE_CMD:squashfs[depends] = "${PN}:do_transform_template" IMAGE_CMD:squashfs[vardepsexclude] += "SQUASHFS_CREATION_LIMITS" IMAGE_CMD:squashfs() { + acl_paths=$(${SUDO_CHROOT} /usr/bin/getfacl -R -s -p '${SQUASHFS_CONTENT}' | grep '^# file:' | awk '{print $3}' | sed 's|${SQUASHFS_CONTENT}/||') + include_acl_paths="" + for path in ${acl_paths}; do + exclude=false + for dir in ${SQUASHFS_EXCLUDE_DIRS}; do + if [ "${path#${dir}/}" != "${path}" ]; then + exclude=true + break + fi + done + if [ "${exclude}" = false ]; then + include_acl_paths="${include_acl_paths} ${path}" + fi + done + if [ -n "${include_acl_paths}" ]; then + bbwarn "The ACL of following paths under ${SQUASHFS_CONTENT} will be ignored by mksquashfs: ${include_acl_paths}" + fi ${SUDO_CHROOT} /bin/mksquashfs \ '${SQUASHFS_CONTENT}' '${IMAGE_FILE_CHROOT}' \ -noappend ${SQUASHFS_CREATION_LIMITS} ${SQUASHFS_CREATION_ARGS}