From: Zbigniew Jędrzejewski-Szmek
Date: Sun, 29 Oct 2023 17:22:45 +0000 (+0100)
Subject: Add mkosi-as-caller helper
X-Git-Tag: v19~33^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2023%2Fhead;p=thirdparty%2Fmkosi.git

Add mkosi-as-caller helper

This helper can be used to replace the following pattern which is similar to something used in the systemd codebase:

SU="setpriv --reuid=${MKOSI_UID:-0} --regid=${MKOSI_GID:-0} --clear-groups"
$SU meson setup "$BUILDDIR/build" "$SRCDIR"
$SU meson compile -C "$BUILDDIR/build"
meson install -C "$BUILDDIR/build" --no-rebuild

With the helper this becomes:

mkosi-as-caller meson setup "$BUILDDIR/build" "$SRCDIR"
mkosi-as-caller meson compile -C "$BUILDDIR/build"
meson install -C "$BUILDDIR/build" --no-rebuild
---
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 21bd8af6c..90178a185 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -76,6 +76,12 @@ from mkosi.versioncomp import GenericVersion
 MINIMUM_SYSTEMD_VERSION = GenericVersion("254")
+MKOSI_AS_CALLER = (
+ "setpriv",
+ f"--reuid={INVOKING_USER.uid}",
+ f"--regid={INVOKING_USER.gid}",
+ "--clear-groups",
+)
 @contextlib.contextmanager
 def mount_base_trees(state: MkosiState) -> Iterator[None]:
@@ -412,6 +418,7 @@ def run_prepare_scripts(state: MkosiState, build: bool) -> None:
 "--setenv", "BUILDROOT", "/",
 ],
 ),
+ "mkosi-as-caller" : MKOSI_AS_CALLER,
 }
 hd = stack.enter_context(finalize_host_scripts(state, helpers))
@@ -479,6 +486,7 @@ def run_build_scripts(state: MkosiState) -> None:
 *(["--setenv", "BUILDDIR", "/work/build"] if state.config.build_dir else []),
 ],
 ),
+ "mkosi-as-caller" : MKOSI_AS_CALLER,
 }
 cmdline = state.args.cmdline if state.args.verb == Verb.build else []
@@ -530,6 +538,7 @@ def run_postinst_scripts(state: MkosiState) -> None:
 "--setenv", "BUILDROOT", "/",
 ],
 ),
+ "mkosi-as-caller" : MKOSI_AS_CALLER,
 }
 with (
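Review bot: `MKOSI_AS_CALLER` is a privilege-dropping argv prefix but carries no comment stating what it does and does not guarantee, and its behaviour when mkosi is itself run as uid 0 is easy to misread: INVOKING_USER.uid is then 0, so `--reuid=0 --regid=0` leaves the identity unchanged and only `--clear-groups` has any effect. On the other hand, setpriv's `--reuid`/`--regid` set the real, effective and saved IDs together, so a script that has switched cannot re-acquire the in-namespace root identity afterwards, which is the property callers will rely on. The helper also presumably depends on INVOKING_USER.uid/gid being mapped into the user namespace the scripts run in (setpriv fails with EINVAL otherwise); that mapping is set up outside this hunk and is worth confirming. I would put this above the constant: `# argv prefix that drops the in-namespace root identity back to the user who invoked mkosi (real, effective and saved IDs; supplementary groups cleared). When mkosi runs as real root this only clears supplementary groups.`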
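Review bot: The added entry `"mkosi-as-caller" : MKOSI_AS_CALLER,` has a space before the colon, which PEP 8 (ruff E203) flags; write it `"mkosi-as-caller": MKOSI_AS_CALLER,` to match the rest of the dict. The value is also the only tuple among the sibling helper values, which from the visible `],` closers are lists; if `finalize_host_scripts` only joins the argv into a wrapper script this is harmless, but if it ever concatenates the value with a list the tuple will raise, so either define `MKOSI_AS_CALLER` as a list or confirm the consumer accepts any sequence. The identical entry is pasted into four `run_*_scripts` functions, so a single shared definition would keep them from drifting apart. `run_prepare_scripts` starts and ends outside this hunk.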
@@ -579,6 +588,7 @@ def run_finalize_scripts(state: MkosiState) -> None:
 "--setenv", "BUILDROOT", "/",
 ],
 ),
+ "mkosi-as-caller" : MKOSI_AS_CALLER,
 }
 with (
diff --git a/mkosi/resources/mkosi.md b/mkosi/resources/mkosi.md
index 2834c745b..0f9080877 100644
--- a/mkosi/resources/mkosi.md
+++ b/mkosi/resources/mkosi.md
@@ -1638,6 +1638,23 @@ available via `$PATH` to simplify common usecases.
 the host system. This means that from a script, you can do e.g. `dnf install vim` to install vim into the image.
+* `mkosi-as-caller`: This script uses `setpriv` to switch from
+ the user `root` in the user namespace used for various build steps
+ back to the original user that called mkosi. This is useful when
+ we want to invoke build steps which will write to $BUILDDIR and
+ we want to have the files owned by the calling user.
+
+ For example, a complete `mkosi.build` script might be the following:
+
+ ```sh
+ set -ex
+
+ rm -rf "$BUILDDIR/build"
+ mkosi-as-caller meson setup "$BUILDDIR/build" "$SRCDIR"
+ mkosi-as-caller meson compile -C "$BUILDDIR/build"
+ meson install -C "$BUILDDIR/build" --no-rebuild
+ ```
+
 When scripts are executed, any directories that are still writable are also made read-only (`/home`, `/var`, `/root`, ...) and only the minimal set of directories that need to be writable remain writable. This is to