From f3828e44db27a6ae3e61b6cbdf712047d5a234be Mon Sep 17 00:00:00 2001
From: MaxHearnden
Date: Tue, 10 Sep 2024 05:57:49 +0100
Subject: [PATCH] Add minimal unprivileged bootstrap

---
 lib/generator.py | 9 ++++++---
 rootfs.py | 19 +++++++++++++++----
 seed/after-wrap.kaem | 19 +++++++++++++++++++
 seed/after.kaem | 15 ++++++++++++++-
 seed/seed.kaem | 7 ++++++-
 seed/wrap-bootstrap.cfg | 5 +++++
 steps/improve/setup_repo.sh | 2 +-
 7 files changed, 66 insertions(+), 10 deletions(-)
 create mode 100644 seed/after-wrap.kaem
 create mode 100644 seed/wrap-bootstrap.cfg

diff --git a/lib/generator.py b/lib/generator.py
index 2f69058b..8ccaafbb 100755
--- a/lib/generator.py
+++ b/lib/generator.py
@@ -42,7 +42,7 @@ class Generator():
 self.external_dir = os.path.join(self.target_dir, 'external')
 self.distfiles()
 
- def prepare(self, target, using_kernel=False, kernel_bootstrap=False, target_size=0):
+ def prepare(self, target, using_kernel=False, kernel_bootstrap=False, wrap=False, target_size=0):
 """
 Prepare basic media of live-bootstrap.
 /steps -- contains steps to be built
@@ -82,7 +82,7 @@ class Generator():
 os.path.join(self.target_dir, 'kaem.x86'))
 else:
 self.stage0_posix(kernel_bootstrap)
- self.seed()
+ self.seed(wrap)
 
 os.makedirs(self.external_dir)
 
@@ -134,12 +134,15 @@ class Generator():
 'kaem-optional-seed')
 shutil.copy2(kaem_optional_seed, os.path.join(self.target_dir, 'init'))
 
- def seed(self):
+ def seed(self, wrap):
 """Copy in extra seed files"""
 seed_dir = os.path.join(self.git_dir, 'seed')
 for entry in os.listdir(seed_dir):
 if os.path.isfile(os.path.join(seed_dir, entry)):
 shutil.copy2(os.path.join(seed_dir, entry), os.path.join(self.target_dir, entry))
+ if wrap:
+ shutil.copy2(os.path.join(seed_dir, 'after-wrap.kaem'), os.path.join(self.target_dir, 'after.kaem'))
+ shutil.copy2(os.path.join(seed_dir, 'after.kaem'), os.path.join(self.target_dir, 'after-wrapped.kaem'))
 
 def distfiles(self):
 """Copy in distfiles"""
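Review bot: The new `wrap` parameter is inserted before `target_size` in `prepare`'s positional list, so any caller that passes `target_size` as the fifth positional argument now silently enables wrap mode instead of setting a size. Appending it after the existing parameters, `def prepare(self, target, using_kernel=False, kernel_bootstrap=False, target_size=0, wrap=False):`, keeps existing positional calls working; the only call visible in this patch uses keywords, so nothing else needs to change. The docstring that follows (it continues outside the hunk) still does not mention the parameter; a line such as `wrap -- install seed/after-wrap.kaem as after.kaem so the seed enters the wrap sandbox` would document it next to the other entries.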
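Review bot: `seed(self, wrap)` gives `wrap` no default even though `prepare` defaults it to `False`, so any other caller of `seed()` now raises TypeError; `def seed(self, wrap=False):` matches the signature above. The loop before the `if wrap:` block has already copied `seed/after-wrap.kaem` verbatim into the target, so in wrap mode the target ends up with both `after-wrap.kaem` and its copy `after.kaem`, and in non-wrap mode with an unused `after-wrap.kaem`; either skip that entry in the loop or remove the stray copy after the `if`. The docstring should also say what the flag does, e.g. `"""Copy in extra seed files; with wrap=True install after-wrap.kaem as after.kaem and keep the original as after-wrapped.kaem"""`.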
diff --git a/rootfs.py b/rootfs.py
index 1cfeab94..a68e5998 100755
--- a/rootfs.py
+++ b/rootfs.py
@@ -31,7 +31,7 @@ def create_configuration_file(args):
 config.write(f"ARCH={args.arch}\n")
 config.write(f"ARCH_DIR={stage0_arch_map.get(args.arch, args.arch)}\n")
 config.write(f"FORCE_TIMESTAMPS={args.force_timestamps}\n")
- config.write(f"CHROOT={args.chroot or args.bwrap}\n")
+ config.write(f"CHROOT={args.chroot or args.bwrap or args.wrap}\n")
 config.write(f"UPDATE_CHECKSUMS={args.update_checksums}\n")
 config.write(f"JOBS={args.cores}\n")
 config.write(f"SWAP_SIZE={args.swap}\n")
@@ -63,6 +63,8 @@ def main():
 default="x86")
 parser.add_argument("-c", "--chroot", help="Run inside chroot",
 action="store_true")
+ parser.add_argument("-w", "--wrap", help="Run inside a minimal sandbox",
+ action="store_true")
 parser.add_argument("-bw", "--bwrap", help="Run inside a bwrap sandbox",
 action="store_true")
 parser.add_argument("-t", "--target", help="Target directory",
@@ -127,15 +129,18 @@ def main():
 count += 1
 if args.bwrap:
 count += 1
+ if args.wrap:
+ count += 1
 if args.bare_metal:
 count += 1
 return count
 
 if check_types() > 1:
- raise ValueError("No more than one of qemu, chroot, bwrap, bare metal"
- "may be used.")
+ raise ValueError("No more than one of qemu, chroot, bwrap, wrap, bare "
+ "metal may be used.")
 if check_types() == 0:
- raise ValueError("One of qemu, chroot, bwrap, or bare metal must be selected.")
+ raise ValueError("One of qemu, chroot, bwrap, wrap, or bare metal must"
+ " be selected.")
 
 # Arch validation
 if args.arch != "x86":
@@ -237,6 +242,12 @@ print(shutil.which('chroot'))
 '--tmpfs', '/tmp',
 init)
 
+ elif args.wrap:
+ generator.prepare(target, wrap = True)
+ arch = stage0_arch_map.get(args.arch, args.arch)
+ init = os.path.join('bootstrap-seeds', 'POSIX', arch, 'kaem-optional-seed')
+ run(init, cwd = generator.target_dir)
+
 elif args.bare_metal:
 if args.kernel:
 generator.prepare(target, using_kernel=True, target_size=size)
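Review bot: In the new `elif args.wrap:` branch the seed is launched with `run(init, cwd = generator.target_dir)` directly on the host, with no chroot or bwrap around it; from what after-wrap.kaem in this patch shows, the sandbox is only entered later when that script calls `wrap`, so everything the seed runs before that point (starting with kaem-optional-seed) executes as the invoking user against the target tree. That is presumably the intended design of an unprivileged mode, but it deserves a comment on the branch, e.g. `# No isolation yet: the seed runs as the current user and enters the wrap sandbox from after-wrap.kaem`, and a matching mention in the `-w` help text. The keyword arguments `wrap = True` and `cwd = generator.target_dir` are spaced unlike the rest of the file (`using_kernel=True`, `target_size=size` two lines below); `generator.prepare(target, wrap=True)` and `run(init, cwd=generator.target_dir)` match. The enclosing `main()` starts and ends outside the hunk.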
diff --git a/seed/after-wrap.kaem b/seed/after-wrap.kaem
new file mode 100644
index 00000000..ebbfef4b
--- /dev/null
+++ b/seed/after-wrap.kaem
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# SPDX-FileCopyrightText: 2024 Max Hearnden maxoscarhearnden@gmail.com
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -ex
+
+# detect wether we are in a rootfs.py environment
+if ./${ARCH_DIR}/bin/catm steps/env-saved steps/env; then
+ ./${ARCH_DIR}/bin/wrap /${ARCH_DIR}/bin/kaem --file after-wrapped.kaem
+else
+ # leave seed/stage0-posix
+ cd ../..
+
+ ARCH_DIR=seed/stage0-posix/${ARCH_DIR}
+
+ ./${ARCH_DIR}/bin/wrap /${ARCH_DIR}/bin/kaem --file seed/after.kaem
+fi
diff --git a/seed/after.kaem b/seed/after.kaem
index a9ab9aa0..b9dae1e3 100755
--- a/seed/after.kaem
+++ b/seed/after.kaem
@@ -11,5 +11,18 @@ set -ex
 
 PATH=/${ARCH_DIR}/bin
 
-catm seed-full.kaem /steps/bootstrap.cfg /steps/env seed.kaem
+if catm seed-full.kaem /steps/bootstrap.cfg /steps/env seed.kaem; then
+else
+ replace --file /steps/env --output /steps/env --match-on /external/distfiles --replace-with /distfiles
+ cp /seed/wrap-bootstrap.cfg /steps/bootstrap.cfg
+ catm seed-full.kaem /steps/bootstrap.cfg /steps/env /seed/seed.kaem
+ cp /seed/configurator.c configurator.c
+ cp /seed/configurator.${ARCH}.checksums configurator.${ARCH}.checksums
+
+ cp /seed/script-generator.c script-generator.c
+ cp /seed/script-generator.${ARCH}.checksums script-generator.${ARCH}.checksums
+ # placeholder value
+ FINAL_JOBS=1
+fi
+
 kaem --file seed-full.kaem
diff --git a/seed/seed.kaem b/seed/seed.kaem
index 1468cc1d..d56c480c 100755
--- a/seed/seed.kaem
+++ b/seed/seed.kaem
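Review bot: The probe `./${ARCH_DIR}/bin/catm steps/env-saved steps/env` decides which branch to take by whether the copy succeeds, but it also has a side effect (it writes `steps/env-saved` whenever `steps/env` exists), and a failure for any other reason — an unreadable file, a missing `catm` under the given `${ARCH_DIR}` — drops silently into the non-rootfs.py branch. A comment stating exactly that would help the next reader, e.g. `# steps/env is expected only when rootfs.py prepared this tree; catm both probes for it and snapshots it to steps/env-saved` (and `wether` → `whether`). The `#!/bin/sh` shebang on a file that is run by kaem and uses kaem's `if ... then ... fi` form is misleading unless it is kept deliberately for editors. In the else branch `ARCH_DIR` is reassigned to a path relative to the new working directory while `wrap` is then handed `/${ARCH_DIR}/bin/kaem` as an absolute path; if, as that suggests, `wrap` presents the current directory as `/`, a one-line comment saying so would make the pairing legible.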
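Review bot: The `else` branch is taken whenever `catm seed-full.kaem /steps/bootstrap.cfg /steps/env seed.kaem` fails, which the patch uses as a proxy for "no rootfs.py-generated /steps/bootstrap.cfg", but catm fails just as well when `/steps/env` or `seed.kaem` is missing or `seed-full.kaem` is not writable, and in that case a rootfs.py-prepared tree is silently reconfigured from `/seed/wrap-bootstrap.cfg` (fixed `DISK=sda1`, `JOBS=1`) and its `/steps/env` rewritten in place. A comment naming the condition being detected, `# /steps/bootstrap.cfg is absent when not launched via rootfs.py (wrap mode): synthesise the config here`, would at least make the assumption explicit. `# placeholder value` on `FINAL_JOBS=1` should say what consumes it, e.g. `# consumed as JOBS=${FINAL_JOBS} by wrap-bootstrap.cfg; single job until a real value is supplied`. The empty `then` arm (`if ...; then` immediately followed by `else`) reads as a typo even if kaem accepts it; a comment in that arm such as `# nothing to do: rootfs.py already wrote the config` settles it.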
@@ -64,7 +64,12 @@ MES_PKG=mes-0.27
 MES_PREFIX=${SRCDIR}/${MES_PKG}/build/${MES_PKG}
 GUILE_LOAD_PATH=${MES_PREFIX}/mes/module:${MES_PREFIX}/module:${SRCDIR}/${MES_PKG}/build/${NYACC_PKG}/module
 
-M2-Mesoplanet --architecture ${ARCH} -f configurator.c -o configurator
+if M2-Mesoplanet --architecture ${ARCH} -f configurator.c -o configurator; then
+else
+ # using lightweight wrapper
+ M2LIBC_PATH=/seed/stage0-posix/M2libc
+ M2-Mesoplanet --architecture ${ARCH} -f configurator.c -o configurator
+fi
 # Checksums
 if match x${UPDATE_CHECKSUMS} xTrue; then
 sha256sum -o configurator.${ARCH}.checksums configurator
diff --git a/seed/wrap-bootstrap.cfg b/seed/wrap-bootstrap.cfg
new file mode 100644
index 00000000..6a827cad
--- /dev/null
+++ b/seed/wrap-bootstrap.cfg
@@ -0,0 +1,5 @@
+CHROOT=True
+DISK=sda1
+KERNEL_BOOTSTRAP=False
+BUILD_KERNELS=False
+JOBS=${FINAL_JOBS}
diff --git a/steps/improve/setup_repo.sh b/steps/improve/setup_repo.sh
index 60fc3512..cabf07a6 100755
--- a/steps/improve/setup_repo.sh
+++ b/steps/improve/setup_repo.sh
@@ -6,4 +6,4 @@
 #
 mkdir -p /external/repo
-tar -cf - --exclude='/external/repo/*' --exclude='/external/repo-preseeded/*' --exclude='/external/distfiles/*' --exclude='/dev/*' --exclude='/proc/*' --exclude='/sys/*' --exclude='/tmp/*' / | bzip2 --best > /external/repo/base.tar.bz2
+tar -cf - --exclude='/external/repo/*' --exclude='/external/repo-preseeded/*' --exclude='/external/distfiles/*' --exclude='/distfiles/*' --exclude='/dev/*' --exclude='/proc/*' --exclude='/sys/*' --exclude='/tmp/*' / | bzip2 --best > /external/repo/base.tar.bz2
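Review bot: The try-then-retry around `M2-Mesoplanet` hides the actual failure: if the first call fails for any reason other than the M2libc location (a broken configurator.c, a missing M2-Mesoplanet), the retry fails the same way and the log shows two errors with a misleading `# using lightweight wrapper` between them. after.kaem in this patch already knows which mode it is in, so setting `M2LIBC_PATH=/seed/stage0-posix/M2libc` in its else branch and keeping a single `M2-Mesoplanet` call here would be simpler and report one honest error, provided kaem variable assignments reach the nested kaem (the `FINAL_JOBS`/`JOBS` handoff in the same patch appears to rely on that already). If the retry stays, the comment should state the reason, e.g. `# under wrap, M2libc is at /seed/stage0-posix/M2libc rather than at its default location` (if that is indeed the reason).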
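Review bot: `DISK=sda1` is a fixed value in a config written for an unprivileged sandbox with no real block device behind it, and nothing in the file says whether the steps that read `DISK` are skipped in this mode or would act on it. If it is never consumed under wrap, a leading comment line such as `# DISK is not used in wrap mode; placeholder only` records that (kaem and sh both accept `#`, and after.kaem concatenates this file into a kaem script); if it is consumed, a value that cannot name a host device is safer than `sda1`. `CHROOT=True` likewise deserves a comment explaining why a chroot-style layout is declared here — if, as the absolute `/seed` and `/steps` paths in after.kaem suggest, wrap presents the target directory as `/`, say so.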