[OE-core] [PATCH] rootfs-postcommands.bbclass: break up read_only_rootfs_hook

Nick Rosbrook rosbrookn at gmail.com
Tue Mar 26 16:43:41 UTC 2019


The function read_only_rootfs_hook makes changes to the ssh, dropbear,
fstab, and sysvinit configurations. Replace this function with
four new functions, one per component, so that each can be removed
from postprocess independently of the others.

Signed-off-by: Nick Rosbrook <rosbrookn at ainfosec.com>
---
 meta/classes/rootfs-postcommands.bbclass | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/meta/classes/rootfs-postcommands.bbclass b/meta/classes/rootfs-postcommands.bbclass
index bde58ad6cd..110f67e40d 100644
--- a/meta/classes/rootfs-postcommands.bbclass
+++ b/meta/classes/rootfs-postcommands.bbclass
@@ -15,7 +15,16 @@ ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'deb
 ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp ; "
 
 # Tweak the mount options for rootfs in /etc/fstab if read-only-rootfs is enabled
-ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "read_only_rootfs_hook; ", "",d)}'
+ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "read_only_fstab; ", "",d)}'
+
+# Change the default sshd_config if read-only-rootfs is enabled
+ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "read_only_sshd; ", "",d)}'
+
+# Change the default key locations for dropbear if read-only-rootfs is enabled
+ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "read_only_dropbear; ", "",d)}'
+
+# Tweaks for sysvinit if read-only-rootfs is enabled
+ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "read_only_sysvinit; ", "",d)}'
 
 # We also need to do the same for the kernel boot parameters,
 # otherwise kernel or initramfs end up mounting the rootfs read/write
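Review bot: The new comments above read_only_sshd and read_only_dropbear describe the change but not its precondition, so a reader of this block will expect sshd_config and the dropbear key dir to be redirected unconditionally, whereas the functions (second and third hunks) only act when no pre-generated host key is present. Suggest wording them as `# Point sshd at /etc/ssh/sshd_config_readonly when read-only-rootfs is enabled and /etc/ssh holds no pre-generated keys` and `# Point dropbear at a writable key dir when read-only-rootfs is enabled and no host key is pre-generated`. Worth also noting here, since it is the point of the split, that each entry can be dropped on its own with ROOTFS_POSTPROCESS_COMMAND_remove.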
@@ -86,15 +95,14 @@ systemd_create_users () {
 	done
 }
 
-#
-# A hook function to support read-only-rootfs IMAGE_FEATURES
-#
-read_only_rootfs_hook () {
+read_only_fstab () {
 	# Tweak the mount option and fs_passno for rootfs in fstab
 	if [ -f ${IMAGE_ROOTFS}/etc/fstab ]; then
 		sed -i -e '/^[#[:space:]]*\/dev\/root/{s/defaults/ro/;s/\([[:space:]]*[[:digit:]]\)\([[:space:]]*\)[[:digit:]]$/\1\20/}' ${IMAGE_ROOTFS}/etc/fstab
 	fi
+}
 
+read_only_sshd () {
 	# If we're using openssh and the /etc/ssh directory has no pre-generated keys,
 	# we should configure openssh to use the configuration file /etc/ssh/sshd_config_readonly
 	# and the keys under /var/run/ssh.
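Review bot: The removed header comment ("A hook function to support read-only-rootfs IMAGE_FEATURES") is not carried over, so read_only_fstab and read_only_sshd now start without any statement of when they are meant to run. Suggest a one-line header on each, e.g. `# read-only-rootfs: mount / read-only and skip fsck (fs_passno 0) in /etc/fstab` above read_only_fstab and `# read-only-rootfs: use sshd_config_readonly and /var/run/ssh keys when none are pre-generated` above read_only_sshd; the same applies to the two functions in the next hunk. The body of read_only_sshd continues past the end of this hunk.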
@@ -107,14 +115,18 @@ read_only_rootfs_hook () {
 			echo "SSHD_OPTS='-f /etc/ssh/sshd_config_readonly'" >> ${IMAGE_ROOTFS}/etc/default/ssh
 		fi
 	fi
+}
 
+read_only_dropbear () {
 	# Also tweak the key location for dropbear in the same way.
 	if [ -d ${IMAGE_ROOTFS}/etc/dropbear ]; then
 		if [ ! -e ${IMAGE_ROOTFS}/etc/dropbear/dropbear_rsa_host_key ]; then
 			echo "DROPBEAR_RSAKEY_DIR=/var/lib/dropbear" >> ${IMAGE_ROOTFS}/etc/default/dropbear
 		fi
 	fi
+}
 
+read_only_sysvinit () {
 	if ${@bb.utils.contains("DISTRO_FEATURES", "sysvinit", "true", "false", d)}; then
 		# Change the value of ROOTFS_READ_ONLY in /etc/default/rcS to yes
 		if [ -e ${IMAGE_ROOTFS}/etc/default/rcS ]; then
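Review bot: The comment "Also tweak the key location for dropbear in the same way." at the top of read_only_dropbear dangles now that the openssh logic it referred to lives in a separate function, so the "also" and "same way" have no referent for a reader of this function alone. Suggest `# Point dropbear at a writable key dir when no host key is pre-generated (mirrors read_only_sshd for openssh).` The guard only looks for dropbear_rsa_host_key; if the image ships host keys of another type only, the redirect would presumably still be applied — worth confirming, though that predates this change. read_only_sysvinit's body continues past the end of this hunk.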
-- 
2.17.1


