From 2f3ae702a1ac0bd1b3136fa73ac3f431efe815a7 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 4 Jun 2024 15:25:03 +0200 Subject: [PATCH] mkosi: set -o nounset for scripts Those scripts are written with the expectation that all input variables are set and will not behave correctly if something is ommitted. In particular, the non-chrooted scripts (mkosi.clean, mkosi.sync) might wreak havoc if called without the full environment. --- mkosi.images/system/mkosi.clean | 1 + mkosi.images/system/mkosi.postinst.chroot | 1 + mkosi.images/system/mkosi.sanitizers.chroot | 5 +++-- mkosi.images/system/mkosi.sync | 3 ++- 4 files changed, 7 insertions(+), 3 deletions(-) diff --git a/mkosi.images/system/mkosi.clean b/mkosi.images/system/mkosi.clean index cb716c41f71..64810b79571 100755 --- a/mkosi.images/system/mkosi.clean +++ b/mkosi.images/system/mkosi.clean @@ -1,4 +1,5 @@ #!/bin/bash set -e +set -o nounset rm -f "$OUTPUTDIR"/*.{rpm,deb,pkg.tar} diff --git a/mkosi.images/system/mkosi.postinst.chroot b/mkosi.images/system/mkosi.postinst.chroot index 397884b7202..acb4e631e9c 100755 --- a/mkosi.images/system/mkosi.postinst.chroot +++ b/mkosi.images/system/mkosi.postinst.chroot @@ -1,6 +1,7 @@ #!/bin/bash # SPDX-License-Identifier: LGPL-2.1-or-later set -e +set -o nounset if command -v authselect >/dev/null; then # authselect 1.5.0 renamed the minimal profile to the local profile without keeping backwards compat so diff --git a/mkosi.images/system/mkosi.sanitizers.chroot b/mkosi.images/system/mkosi.sanitizers.chroot index 854a419933b..524e3dadb19 100755 --- a/mkosi.images/system/mkosi.sanitizers.chroot +++ b/mkosi.images/system/mkosi.sanitizers.chroot @@ -1,8 +1,9 @@ #!/bin/bash # SPDX-License-Identifier: LGPL-2.1-or-later set -e +set -o nounset -if [[ -z "$SANITIZERS" ]]; then +if [[ -z "${SANITIZERS:-}" ]]; then exit 0 fi @@ -18,7 +19,7 @@ EOF # ASAN and syscall filters aren't compatible with each other. find /usr /etc -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} + -# `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default. +# 'systemd-hwdb update' takes > 50s when built with sanitizers so let's not run it by default. systemctl mask systemd-hwdb-update.service ASAN_RT_PATH="$(grep libasan.so < <(ldd /usr/lib/systemd/systemd) | cut -d ' ' -f 3)" diff --git a/mkosi.images/system/mkosi.sync b/mkosi.images/system/mkosi.sync index a4f0ab94ec1..6856af7c6b0 100755 --- a/mkosi.images/system/mkosi.sync +++ b/mkosi.images/system/mkosi.sync @@ -1,8 +1,9 @@ #!/bin/bash # SPDX-License-Identifier: LGPL-2.1-or-later set -e +set -o nounset -if ((NO_SYNC)); then +if ((${NO_SYNC:-0})); then exit 0 fi -- 2.47.3