Fix ssh/scp/rsync sandboxing
Change-Id: I1e94c028fafa78d4792a50790a76ab32bc4e10b2
Signed-off-by: James Kuszmaul <jabukuszmaul+collab@gmail.com>
diff --git a/WORKSPACE b/WORKSPACE
index 8db3b72..c603581 100644
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -587,16 +587,16 @@
http_archive(
name = "rsync",
build_file = "@//debian:rsync.BUILD",
- sha256 = "53be65a9214aaa6d1b9176f135184fb4a78ccefd58f95ce0da37e6a392dfeb60",
- url = "https://software.frc971.org/Build-Dependencies/rsync.tar.gz",
+ sha256 = "75ea8ce442c94fd12c0d00eb24860ac1de5ea6af56154bb1b195a96018c9e8a2",
+ url = "https://software.frc971.org/Build-Dependencies/rsync-2023.09.06.tar.gz",
)
# //debian:ssh
http_archive(
name = "ssh",
build_file = "@//debian:ssh.BUILD",
- sha256 = "470fdc1252a2133a9d3c3da778e892a5b88f04f402cb04d8eb1cff7853242034",
- url = "https://software.frc971.org/Build-Dependencies/ssh_v3.tar.gz",
+ sha256 = "9c4a9eefa605283486fb15a44ef9977d4a95b55c3a41c4e71cfbacd1cf20a4b5",
+ url = "https://software.frc971.org/Build-Dependencies/ssh-2023.09.06.tar.gz",
)
http_archive(
diff --git a/debian/BUILD b/debian/BUILD
index e2a8541..d8f1753 100644
--- a/debian/BUILD
+++ b/debian/BUILD
@@ -112,6 +112,27 @@
)
download_packages(
+ name = "download_rsync_packages",
+ excludes = [
+ ],
+ packages = [
+ "rsync",
+ ],
+)
+
+download_packages(
+ name = "download_ssh_packages",
+ excludes = [
+ "libcbor0.8",
+ "libsemanage2",
+ "libsepol2",
+ ],
+ packages = [
+ "ssh",
+ ],
+)
+
+download_packages(
name = "download_gtk_runtime",
excludes = [
"libstdc++6",
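Review bot: `download_ssh_packages` requests the `ssh` metapackage, and the regenerated debian/ssh.bzl in this commit accordingly pins openssh-server, openssh-sftp-server, adduser, passwd and the PAM packages alongside the client. The wrappers appear to run only the client tools, so `packages = ["openssh-client"]` would keep the pinned set, and what has to be re-checked on each security update, much smaller. The three `excludes` entries also carry no explanation, so a one-line comment per entry stating why it is left out would help. libfido2-1 is still pinned, and if it depends on libcbor0.8 (worth confirming) security-key-backed identities would fail to load inside the sandbox. The `download_gtk_runtime` rule at the end of the hunk continues outside it.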
@@ -425,6 +446,7 @@
exports_files([
"ssh_wrapper.sh",
+ "rsync_wrapper.sh",
"curl.BUILD",
"BUILD.zlib.bazel",
])
diff --git a/debian/rsync.BUILD b/debian/rsync.BUILD
index 4fe45b1..d761ace 100644
--- a/debian/rsync.BUILD
+++ b/debian/rsync.BUILD
@@ -1,5 +1,26 @@
-filegroup(
+genrule(
+ name = "copy_rsync_wrapper",
+ srcs = ["@//debian:rsync_wrapper.sh"],
+ outs = ["rsync_wrapper.sh"],
+ cmd = "cp $< $@",
+)
+
+sh_binary(
name = "rsync",
- srcs = ["usr/bin/rsync"],
+ srcs = [
+ "rsync_wrapper.sh",
+ ],
+ data = [
+ "usr/bin/rsync",
+ ":libs",
+ "@bazel_tools//tools/bash/runfiles",
+ ],
visibility = ["//visibility:public"],
)
+
+filegroup(
+ name = "libs",
+ srcs = glob([
+ "usr/lib/x86_64-linux-gnu/**",
+ ]),
+)
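Review bot: The `rsync` target and debian/rsync_wrapper.sh are coupled by path strings that nothing here documents. The wrapper looks up `rsync/usr/bin/rsync` and `rsync/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1` through rlocation, so the repository name and both `data` entries have to stay in step with it. A comment above `data`, for example `# rsync_wrapper.sh resolves these through rlocation; keep the paths in sync with it.`, would make that visible. Depending on the Bazel version's glob default, the `libs` glob may also match nothing without an error if the archive layout changes, leaving the failure to surface at run time; `allow_empty = False` on the glob would turn that into a build error.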
diff --git a/debian/rsync.bzl b/debian/rsync.bzl
index 6be610d..768a98c 100644
--- a/debian/rsync.bzl
+++ b/debian/rsync.bzl
@@ -1,3 +1,9 @@
files = {
- "rsync_3.1.2-1+deb9u2_amd64.deb": "f2987623a6e5b5aedf56e679bedd2e6f7d54cdb4815ac4149c4d135da16ff9c2",
+ "init-system-helpers_1.60_all.deb": "43420922c5e3aa747f8854236bf381a35179bba3885b242edb104751dad20644",
+ "liblz4-1_1.9.3-2_amd64.deb": "79ac6e9ca19c483f2e8effcc3401d723dd9dbb3a4ae324714de802adb21a8117",
+ "libpopt0_1.18-2_amd64.deb": "2f9fca8afbc5a18211ad46fa5f5df323662ba4d5212fa36bfc30dd551ae86b28",
+ "libssl1.1_1.1.1n-0+deb11u5_amd64.deb": "08be73a6a5454a8978c5a71ea5ca4b3a6909ce6cc927890729ebd6f9af12d9d8",
+ "libxxhash0_0.8.0-2_amd64.deb": "3fb82550a71d27d05672472508548576dfb34486847bc860d3066cda5aaf186f",
+ "lsb-base_11.1.0_all.deb": "89ed6332074d827a65305f9a51e591dff20641d61ff5e11f4e1822a9987e96fe",
+ "rsync_3.2.3-4+deb11u1_amd64.deb": "2ba613ac761266dcfc8518b06c257c790c4d02ea311163829871dc38fbf08ba0",
}
diff --git a/debian/rsync_wrapper.sh b/debian/rsync_wrapper.sh
new file mode 100755
index 0000000..9a8d4ba
--- /dev/null
+++ b/debian/rsync_wrapper.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# --- begin runfiles.bash initialization v2 ---
+# Copy-pasted from the Bazel Bash runfiles library v2.
+set -uo pipefail; f=bazel_tools/tools/bash/runfiles/runfiles.bash
+source "${RUNFILES_DIR:-/dev/null}/$f" 2>/dev/null || \
+ source "$(grep -sm1 "^$f " "${RUNFILES_MANIFEST_FILE:-/dev/null}" | cut -f2- -d' ')" 2>/dev/null || \
+ source "$0.runfiles/$f" 2>/dev/null || \
+ source "$(grep -sm1 "^$f " "$0.runfiles_manifest" | cut -f2- -d' ')" 2>/dev/null || \
+ source "$(grep -sm1 "^$f " "$0.exe.runfiles_manifest" | cut -f2- -d' ')" 2>/dev/null || \
+ { echo>&2 "ERROR: cannot find $f"; exit 1; }; f=; set -e
+# --- end runfiles.bash initialization v2 ---
+
+LIB_PATH="$(rlocation rsync/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)"
+LIB_PATH="${LIB_PATH%/libcrypto.so.1.1}"
+export LD_LIBRARY_PATH="${LIB_PATH}"
+
+
+TOOL_PATH="$(rlocation rsync/usr/bin/rsync)"
+
+exec "${TOOL_PATH}" "$@"
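Review bot: Neither `LIB_PATH` nor `TOOL_PATH` is checked before `exec`, so a lookup that yields an empty string without a failing status (which may depend on the runfiles library version) is not caught by `set -e`. An empty `LD_LIBRARY_PATH` is, as far as I know, ignored by the glibc loader, so rsync would then quietly load the host's libraries, which is the un-sandboxed behaviour this commit is meant to remove. A guard before the `exec`, such as `[[ -n "${LIB_PATH}" && -x "${TOOL_PATH}" ]] || { echo >&2 "ERROR: rsync runfiles not found"; exit 1; }`, makes that case fail loudly. The library directory is also derived from the hard-coded soname `libcrypto.so.1.1`, which ties the script to the libssl1.1 package pinned in debian/rsync.bzl; the debian/ssh_wrapper.sh hunk has the same pattern, and a short comment naming that dependency would help in both files.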
diff --git a/debian/ssh.bzl b/debian/ssh.bzl
index 77b913c..9150540 100644
--- a/debian/ssh.bzl
+++ b/debian/ssh.bzl
@@ -1,4 +1,42 @@
files = {
- "openssh-client_7.9p1-10+deb10u1_amd64.deb": "1c30bcaf37dafe198783cf691096fe557e8eacbc9435631f51af62b3f705ee12",
- "libssl1.1_1.1.1d-0+deb10u2_amd64.deb": "31c15130e0e4b2c907ef7cd92e50be23320a22c0c3b54e130b5258fe6bd8df2d",
+ "adduser_3.118_all.deb": "bd71dd1ab8dcd6005390708f23741d07f1913877affb7604dfd55f85d009aa2b",
+ "cdebconf_0.260_amd64.deb": "f54b3308b019b3d4246f5ae114d7d8a489e26dcdc80db85fc8eec089fc31acb6",
+ "coreutils_8.32-4+b1_amd64.deb": "3558a412ab51eee4b60641327cb145bb91415f127769823b68f9335585b308d4",
+ "init-system-helpers_1.60_all.deb": "43420922c5e3aa747f8854236bf381a35179bba3885b242edb104751dad20644",
+ "libattr1_2.4.48-6_amd64.deb": "af3c3562eb2802481a2b9558df1b389f3c6d9b1bf3b4219e000e05131372ebaf",
+ "libbsd0_0.11.3-1_amd64.deb": "284a7b8dcfcad74770f57360721365317448b38ab773db542bf630e94e60c13e",
+ "libdb5.3_5.3.28+dfsg1-0.8_amd64.deb": "00b9e63e287f45300d4a4f59b6b88e25918443c932ae3e5845d5761ae193c530",
+ "libdebian-installer4_0.121_amd64.deb": "b97d270ea3588bcff281b2595ff89752e0f829e54c8c7a4cc9a46492692cd0fd",
+ "libedit2_3.1-20191231-2+b1_amd64.deb": "ac545f6ad10ba791aca24b09255ad1d6d943e6bc7c5511d5998e104aee51c943",
+ "libfido2-1_1.6.0-2_amd64.deb": "e9efa10b4e45e8c941883b4bea29bc68dc5a298b8619bd786a7ca1675ca0c197",
+ "libgcrypt20_1.8.7-6_amd64.deb": "7a2e0eef8e0c37f03f3a5fcf7102a2e3dc70ba987f696ab71949f9abf36f35ef",
+ "libgmp10_6.2.1+dfsg-1+deb11u1_amd64.deb": "fc117ccb084a98d25021f7e01e4dfedd414fa2118fdd1e27d2d801d7248aebbc",
+ "libgpg-error0_1.38-2_amd64.deb": "16a507fb20cc58b5a524a0dc254a9cb1df02e1ce758a2d8abde0bc4a3c9b7c26",
+ "liblz4-1_1.9.3-2_amd64.deb": "79ac6e9ca19c483f2e8effcc3401d723dd9dbb3a4ae324714de802adb21a8117",
+ "libmd0_1.0.3-3_amd64.deb": "9e425b3c128b69126d95e61998e1b5ef74e862dd1fc953d91eebcc315aea62ea",
+ "libncurses6_6.2+20201114-2+deb11u1_amd64.deb": "030173bda939906c849a022823b8b90a1984ccc249a8ee9b54ea1f08acc24e9e",
+ "libncursesw6_6.2+20201114-2+deb11u1_amd64.deb": "4a53efece402caaa798649f74bfb63fe21ac2fbcacf302554e46fbd17e5b30fc",
+ "libnewt0.52_0.52.21-4+b3_amd64.deb": "5a59623010dd29b006335c1bb989303031f1148080b90e76e857cd6298aa546e",
+ "libpam-modules-bin_1.4.0-9+deb11u1_amd64.deb": "abbbd181329c236676222d3e912df13f8d1d90a117559edd997d90006369e5c8",
+ "libpam-modules_1.4.0-9+deb11u1_amd64.deb": "ca1e121700bf4b3eb33e30e0774d3e63e1adae9d4b6a940ea3501225db3cc287",
+ "libpam-runtime_1.4.0-9+deb11u1_all.deb": "d98a68a56386d0992446417a4ee9fa685ebe841e81303a7d4f45cdd4c133c3f6",
+ "libpam0g_1.4.0-9+deb11u1_amd64.deb": "496771218fb585bb716fdae6ef8824dbfb5d544b4fa2f3cd4d0e4d7158ae2220",
+ "libprocps8_3.3.17-5_amd64.deb": "0a60017f0229cd4eec95b9f354c68312cc4ca4770ba8c01f545fd9c02b34e8a0",
+ "libslang2_2.3.2-5_amd64.deb": "107ad70aba3dc4dab2bc0fe11c3dd7c2afe9549dd45f4da3f4cf9d360e171eba",
+ "libssl1.1_1.1.1n-0+deb11u5_amd64.deb": "08be73a6a5454a8978c5a71ea5ca4b3a6909ce6cc927890729ebd6f9af12d9d8",
+ "libsystemd0_247.3-7+deb11u4_amd64.deb": "e6f3e65e388196a399c1a36564c38ad987337350358732056227db1b6e708878",
+ "libtextwrap1_0.1-14.2_amd64.deb": "6626eee49a3ad10c596955f1180bee6c937f5e9ea1404085516a29010ab8bd23",
+ "libtinfo6_6.2+20201114-2+deb11u1_amd64.deb": "92ac8a8c12f02a6fe08c47f33ea6fb313e1b9480484e26eab34e2058ea59fdb4",
+ "libudev1_247.3-7+deb11u4_amd64.deb": "9274ca1aa37fcdf5895dad1de0895162351099ef8dff8a62f2f4c9eb181a8fce",
+ "libwrap0_7.6.q-31_amd64.deb": "c6aa9c653857d807cff31682b5158722e8b16eeb3cec443d34d6eba52312e701",
+ "lsb-base_11.1.0_all.deb": "89ed6332074d827a65305f9a51e591dff20641d61ff5e11f4e1822a9987e96fe",
+ "openssh-client_8.4p1-5+deb11u1_amd64.deb": "5b908fa946a425c6f2b4e4b234f4e42ae61c35c6655dc06b9746145e09b6cb2f",
+ "openssh-server_8.4p1-5+deb11u1_amd64.deb": "7118fe69fee753a08480c97d9d873dfca7c7a6972366515ae26d8428301a0dea",
+ "openssh-sftp-server_8.4p1-5+deb11u1_amd64.deb": "b77715c95ef748aad458d1291df307bbe4ed2e6099d02f2c47dae961bd175cb7",
+ "passwd_4.8.1-1_amd64.deb": "542593f26502e87b4276fa778e6e3ae52e66b973979986fff77803d9fcb2c2e8",
+ "procps_3.3.17-5_amd64.deb": "ac8edf0517abe09637c36651cb6a59e10948b2879f3af9003b9145b2128a7a08",
+ "runit-helper_2.10.3_all.deb": "fb8add1955628b2ad896318553ac1e3bc7cfa2a7058e9c9dbaa23baa21fc53a7",
+ "sensible-utils_0.0.14_all.deb": "b9a447dc4ec8714196b037e20a2209e62cd669f5450222952f259bda4416b71f",
+ "ssh_8.4p1-5+deb11u1_all.deb": "3ec5c5a0ea62d534bed2b339a669920d90cf4777899fb90d3a9a45f747c107eb",
+ "ucf_3.0043_all.deb": "ebef6bcd777b5c0cc2699926f2159db08433aed07c50cb321fd828b28c5e8d53",
}
diff --git a/debian/ssh_wrapper.sh b/debian/ssh_wrapper.sh
index 687ed87..3343887 100755
--- a/debian/ssh_wrapper.sh
+++ b/debian/ssh_wrapper.sh
@@ -11,8 +11,8 @@
{ echo>&2 "ERROR: cannot find $f"; exit 1; }; f=; set -e
# --- end runfiles.bash initialization v2 ---
-LIB_PATH="$(rlocation ssh/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)"
-LIB_PATH="${LIB_PATH%/libcrypto.so.1.0.0}"
+LIB_PATH="$(rlocation ssh/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)"
+LIB_PATH="${LIB_PATH%/libcrypto.so.1.1}"
export LD_LIBRARY_PATH="${LIB_PATH}"
TOOL_PATH="$(rlocation ssh/%(TOOL))"
diff --git a/frc971/downloader/downloader.py b/frc971/downloader/downloader.py
index d21d8bd..a962d5b 100644
--- a/frc971/downloader/downloader.py
+++ b/frc971/downloader/downloader.py
@@ -126,7 +126,7 @@
os.chmod(os.path.join(temp_dir, "starterd"), 0o775 | stat.S_ISUID)
rsync_cmd = ([
- "external/rsync/usr/bin/rsync",
+ "external/rsync/rsync",
"-e",
ssh_path,
"-c",
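Review bot: `"external/rsync/rsync"` is now a Bash wrapper rather than the ELF binary, and the wrapper can only find the real rsync and its libraries through `RUNFILES_DIR`, `RUNFILES_MANIFEST_FILE` or a `$0.runfiles` directory next to it. Nothing visible in this hunk sets those, so the call appears to rely on whatever environment the downloader process inherited. If that is intended, a comment on this line such as `# Wrapper script: needs the runfiles environment variables inherited from this process.` would record it. The `rsync_cmd` list starts and continues outside the hunk.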