Userland/BuggieBox: Build a static-pie version #26629
Closed
supercomputer7 wants to merge 3 commits into SerenityOS:master from
If we wait to enter a new VFS root context after exec, we might try to run a command from a path that is not relevant in a container anymore. We might want to revisit this change if the configuration feature of such a context interferes with this commit in the future.
This is ready for review! Next PRs can create an emergency environment based on this. I'd imagine creating a cpio archive being linked to the kernel, and could be used as an initramfs in case of failure to mount the actual rootfs for some reason, automatically :)
In this version we only need the dynamic loader to load this program, but any other library is contained in the generated binary, hence making it possible to embed it in an emergency environment or containers. As an immediate result, the next commit would make it possible to only copy the dynamic loader and the static-pie version of BuggieBox into a containerized environment, in which it can happily run without any other dependencies anymore. Personally, this has been a goal I worked on for a very long time, and I finally succeeded in finishing this patch by realizing (with the help of ChatGPT) that I needed to include the whole LibC archive during linking because of how weak symbols are being resolved with library archives vs library shared objects.
We don't need most libraries if we copy the static-pie version of BuggieBox, which helps minimize what is exposed in such an environment. It should also help with ensuring that this configuration file will not be regressed anymore by changes in other utilities linked in BuggieBox.
Let's close this - I will have a better PR soon for this, with almost no code changes :)
This is some work I started doing here - #24921. I finally made it work by realizing how to ensure we resolve weak symbols being generated (which in theory should have been resolved like with shared object libc.so).

This is mostly some nice work that we can expand on from containers to build initramfs images (with emergency environment in mind).
This relies on #26609. Should fix #26627.