authorLauri Aarnio <Lauri.Aarnio@iki.fi>2008-11-11 00:09:55 +0200
committerLauri Leukkunen <lle@rahina.org>2008-12-07 04:32:46 +0200
commit87d9f856fe6bfe193a8d20c16c6834eb49c4e79a (patch)
treee8a980502273220a8e1d0be868b74348560a3b3d /lua_scripts
parentbd2828051f5a407dfb4d989cdd0d801fc3b134e2 (diff)
emulate mode: target_root is now R/O for "normal" use, "sb2 -R" makes it R/W
- A stricter policy protects against accidental writing to target_root (rootstrap): - When the "emulate" mode is entered with option "-R" (e.g. "sb2 -eR" or "sb2 -m emulate -R") target_root will be "mounted" for read/write access. The "-R" option also activates "fakeroot", so the user experience should be as close to a "normal" system as possible.
Diffstat (limited to 'lua_scripts')
-rw-r--r--lua_scripts/main.lua2
-rw-r--r--lua_scripts/pathmaps/emulate/00_default.lua46
2 files changed, 35 insertions, 13 deletions
diff --git a/lua_scripts/main.lua b/lua_scripts/main.lua
index 860063b..fedc5fe 100644
--- a/lua_scripts/main.lua
+++ b/lua_scripts/main.lua
@@ -15,7 +15,7 @@ debug_messages_enabled = sb.debug_messages_enabled()
--
-- NOTE: the corresponding identifier for C is in include/sb2.h,
-- see that file for description about differences
-sb2_lua_c_interface_version = "35,lta-2008-10-01"
+sb2_lua_c_interface_version = "53,lta-2008-11-10"
function do_file(filename)
if (debug_messages_enabled) then
diff --git a/lua_scripts/pathmaps/emulate/00_default.lua b/lua_scripts/pathmaps/emulate/00_default.lua
index 3c1c9c0..7631a67 100644
--- a/lua_scripts/pathmaps/emulate/00_default.lua
+++ b/lua_scripts/pathmaps/emulate/00_default.lua
@@ -25,6 +25,15 @@ else
tmp_dir_dest = session_dir .. "/tmp"
end
+-- If the permission token exists and contains "root", target_root
+-- will be available in R/W mode. Otherwise it will be "mounted" R/O.
+local target_root_is_readonly
+if sb.get_session_perm() == "root" then
+ target_root_is_readonly = false
+else
+ target_root_is_readonly = true
+end
+
-- disable the gcc toolchain tricks. gcc & friends will be available, if
-- those have been installed to target_root (but then they will probably run
-- under cpu transparency = very slowly..)
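Review bot: The comment above `target_root_is_readonly` says the token "contains" "root", but the test that follows is an exact match, `sb.get_session_perm() == "root"`, so the comment should say "equals". The default is the safe one: any other value leaves target_root read-only, presumably including a missing token if `get_session_perm()` returns nil in that case (not visible here). That is worth stating, e.g. `-- Fail closed: anything other than the exact token "root" keeps target_root R/O.` The if/else could also be written as the single line `local target_root_is_readonly = (sb.get_session_perm() ~= "root")`.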
@@ -34,30 +43,40 @@ mapall_chain = {
next_chain = nil,
binary = nil,
rules = {
- {path = sbox_cputransparency_method, use_orig_path = true, readonly = true},
- {path = "/usr/bin/sb2-show", use_orig_path = true, readonly = true},
+ {path = sbox_cputransparency_method, use_orig_path = true,
+ readonly = true},
+
+ {path = "/usr/bin/sb2-show", use_orig_path = true,
+ readonly = true},
- {prefix = target_root, use_orig_path = true},
+ {prefix = target_root, use_orig_path = true,
+ readonly = target_root_is_readonly},
-- Scratchbox 1 compatibility rules:
- { prefix = "/targets/", map_to = sb1_compat_dir },
+ { prefix = "/targets/", map_to = sb1_compat_dir,
+ readonly = target_root_is_readonly},
{ path = "/usr/bin/scratchbox-launcher.sh",
- map_to = sb1_compat_dir },
+ map_to = sb1_compat_dir,
+ readonly = target_root_is_readonly},
{ path = "/etc/osso-af-init/dbus-systembus.sh",
- map_to = sb1_compat_dir },
+ map_to = sb1_compat_dir,
+ readonly = target_root_is_readonly},
-- ldconfig is static binary, and needs to be wrapped
{path = "/sbin/ldconfig", replace_by = sbox_dir ..
- "/share/scratchbox2/wrappers/ldconfig"},
+ "/share/scratchbox2/wrappers/ldconfig",
+ readonly = true},
--
-- Gdb needs some special parameters before it
-- can be run so we wrap it.
--
{path = "/usr/bin/gdb", replace_by = sbox_dir ..
- "/share/scratchbox2/wrappers/gdb"},
+ "/share/scratchbox2/wrappers/gdb",
+ readonly = true},
-- gdb wants to have access to our dynamic linker also.
- {path = "/usr/lib/libsb2/ld-2.5.so", use_orig_path = true},
+ {path = "/usr/lib/libsb2/ld-2.5.so", use_orig_path = true,
+ readonly = true},
--
{prefix = session_dir, use_orig_path = true},
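Review bot: Read-only protection is attached rule by rule, so a rule that maps into target_root but omits `readonly` would presumably stay writable (the unchanged `/home` rule is described as "R/W access" and sets no such field). A short comment at the top of `rules`, such as `-- every rule with map_to = target_root must carry readonly = target_root_is_readonly`, would keep later additions from silently reopening write access; the same applies to the `/home/user` and final `prefix = "/"` rules in the two later hunks. The three Scratchbox 1 compatibility rules map to `sb1_compat_dir`, not `target_root`, yet take `target_root_is_readonly`; if that directory lies inside target_root (its definition is outside this hunk), a comment saying so would explain the choice. `mapall_chain` starts before this hunk and continues after it.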
@@ -72,11 +91,13 @@ mapall_chain = {
{prefix = sbox_dir .. "/share/scratchbox2",
use_orig_path = true},
- {prefix = "/etc/resolv.conf", use_orig_path = true},
+ {prefix = "/etc/resolv.conf", use_orig_path = true,
+ readonly = true},
-- -----------------------------------------------
-- "user" is a special username, and should not be mapped:
- {prefix = "/home/user", map_to = target_root},
+ {prefix = "/home/user", map_to = target_root,
+ readonly = target_root_is_readonly},
-- Other home directories = not mapped, R/W access
{prefix = "/home", use_orig_path = true},
-- -----------------------------------------------
@@ -87,7 +108,8 @@ mapall_chain = {
{prefix = unmapped_workdir, use_orig_path = true},
{path = "/", use_orig_path = true},
- {prefix = "/", map_to = target_root}
+ {prefix = "/", map_to = target_root,
+ readonly = target_root_is_readonly}
}
}