[thirdparty/systemd.git] / mkosi.images / system / mkosi.postinst.chroot

#!/bin/sh
# SPDX-License-Identifier: LGPL-2.1-or-later
set -e

if [ "$1" = "build" ]; then
    exit 0
fi

if [ -n "$SANITIZERS" ]; then
    LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | grep libasan.so | awk '{print $3}')

    mkdir -p /etc/systemd/system.conf.d

    cat >/etc/systemd/system.conf.d/10-asan.conf <<EOF
[Manager]
ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
                   UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
                   LD_PRELOAD=$LD_PRELOAD
DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
                   UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
                   LD_PRELOAD=$LD_PRELOAD
EOF

    # ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose
    # all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any
    # sanitizer failures appear directly on the user's console.
    mkdir -p /etc/systemd/system/systemd-journald.service.d
    cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF
[Service]
StandardOutput=tty
EOF

    # Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users.
    # This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As
    # a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login
    # from calling vhangup() so that journald's ASAN logs correctly end up in the console.

    mkdir -p /etc/systemd/system/console-getty.service.d
    cat >/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf <<EOF
[Service]
TTYVHangup=no
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
EOF
    # ASAN and syscall filters aren't compatible with each other.
    find / -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} +

    # `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default.
    systemctl mask systemd-hwdb-update.service
fi

if [ -n "$IMAGE_ID" ] ; then
    sed -n \
        -i \
        -e '/^IMAGE_ID=/!p' \
        -e "\$aIMAGE_ID=$IMAGE_ID" \
        /usr/lib/os-release
fi

if [ -n "$IMAGE_VERSION" ] ; then
    sed -n \
        -i \
        -e '/^IMAGE_VERSION=/!p' \
        -e "\$aIMAGE_VERSION=$IMAGE_VERSION" \
        /usr/lib/os-release
fi

if command -v authselect >/dev/null; then
    authselect select minimal

    if authselect list-features minimal | grep -q "with-homed"; then
        authselect enable-feature with-homed
    fi
fi

# Let tmpfiles.d/systemd-resolve.conf handle the symlink. /etc/resolv.conf might be mounted over so undo that
# if that's the case.
mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf
rm -f /etc/resolv.conf

. /usr/lib/os-release

if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
    alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 1
    alternatives --set python3 /usr/bin/python3.9
fi

mkdir -p /usr/lib/sysusers.d
cat >/usr/lib/sysusers.d/testuser.conf <<EOF
u	testuser	4711	"Test User"	/home/testuser
EOF
mkdir -p /usr/lib/tmpfiles.d
cat >/usr/lib/tmpfiles.d/testuser.conf <<EOF
q	/home/testuser	0700	4711	4711
EOF
Commit	Line	Data
1b6f9b98 DDM	1	#!/bin/sh
1b6f9b98 DDM	2	# SPDX-License-Identifier: LGPL-2.1-or-later
2d1d0a6c	3	set -e
1b6f9b98	4
1ad84c9a DDM	5	if [ "$1" = "build" ]; then
	6	exit 0
	7	fi
	8
	9	if [ -n "$SANITIZERS" ]; then
	10	LD_PRELOAD=$(ldd /usr/lib/systemd/systemd \| grep libasan.so \| awk '{print $3}')
01a07564	11
1ad84c9a	12	mkdir -p /etc/systemd/system.conf.d
01a07564	13
1ad84c9a	14	cat >/etc/systemd/system.conf.d/10-asan.conf <<EOF
01a07564 DDM	15	[Manager]
	16	ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
	17	UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
	18	LD_PRELOAD=$LD_PRELOAD
	19	DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
	20	UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
	21	LD_PRELOAD=$LD_PRELOAD
5a4327d1 DDM	22	EOF
5a4327d1 DDM	23
1ad84c9a DDM	24	# ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose
	25	# all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any
	26	# sanitizer failures appear directly on the user's console.
	27	mkdir -p /etc/systemd/system/systemd-journald.service.d
	28	cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF
01a07564 DDM	29	[Service]
	30	StandardOutput=tty
	31	EOF
	32
1ad84c9a DDM	33	# Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users.
	34	# This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As
	35	# a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login
	36	# from calling vhangup() so that journald's ASAN logs correctly end up in the console.
01a07564	37
1ad84c9a DDM	38	mkdir -p /etc/systemd/system/console-getty.service.d
1ad84c9a DDM	39	cat >/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf <<EOF
01a07564 DDM	40	[Service]
	41	TTYVHangup=no
	42	CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
	43	EOF
1ad84c9a DDM	44	# ASAN and syscall filters aren't compatible with each other.
1ad84c9a DDM	45	find / -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\\|SystemCall\)/# \1/' {} +
69d638e6	46
1ad84c9a DDM	47	# `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default.
	48	systemctl mask systemd-hwdb-update.service
	49	fi
37d35150	50
1ad84c9a DDM	51	if [ -n "$IMAGE_ID" ] ; then
	52	sed -n \
	53	-i \
	54	-e '/^IMAGE_ID=/!p' \
	55	-e "\$aIMAGE_ID=$IMAGE_ID" \
	56	/usr/lib/os-release
	57	fi
01a07564	58
1ad84c9a DDM	59	if [ -n "$IMAGE_VERSION" ] ; then
	60	sed -n \
	61	-i \
	62	-e '/^IMAGE_VERSION=/!p' \
	63	-e "\$aIMAGE_VERSION=$IMAGE_VERSION" \
	64	/usr/lib/os-release
1b6f9b98	65	fi
6b7e774b	66
fe424384 DDM	67	if command -v authselect >/dev/null; then
	68	authselect select minimal
	69
	70	if authselect list-features minimal \| grep -q "with-homed"; then
	71	authselect enable-feature with-homed
	72	fi
	73	fi
7cd64af5	74
b57e7522 DDM	75	# Let tmpfiles.d/systemd-resolve.conf handle the symlink. /etc/resolv.conf might be mounted over so undo that
	76	# if that's the case.
	77	mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf
7cd64af5	78	rm -f /etc/resolv.conf
d052cc88	79
6ac5aa97	80	. /usr/lib/os-release
d052cc88 DDM	81
	82	if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
	83	alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 1
	84	alternatives --set python3 /usr/bin/python3.9
	85	fi
09477485 RM	86
	87	mkdir -p /usr/lib/sysusers.d
	88	cat >/usr/lib/sysusers.d/testuser.conf <<EOF
	89	u testuser 4711 "Test User" /home/testuser
	90	EOF
	91	mkdir -p /usr/lib/tmpfiles.d
	92	cat >/usr/lib/tmpfiles.d/testuser.conf <<EOF
	93	q /home/testuser 0700 4711 4711
	94	EOF