Add small bubblewrap like program as a build step

rootfs.py

@@ -31,8 +31,9 @@ def create_configuration_file(args):
     config_path = os.path.join('sysa', 'bootstrap.cfg')
     with open(config_path, "w", encoding="utf_8") as config:
         config.write(f"FORCE_TIMESTAMPS={args.force_timestamps}\n")
-        config.write(f"CHROOT={args.chroot or args.bwrap}\n")
+        config.write(f"CHROOT={args.chroot or args.wrap or args.bwrap}\n")
         config.write(f"CHROOT_ONLY_SYSA={args.bwrap}\n")
+        config.write(f"CHROOT_WRAP={args.wrap}\n")
         config.write(f"UPDATE_CHECKSUMS={args.update_checksums}\n")
         config.write(f"JOBS={args.cores}\n")
         config.write(f"INTERNAL_CI={args.internal_ci}\n")
@@ -59,6 +60,8 @@ def main():
                         action="store_true")
     parser.add_argument("-bw", "--bwrap", help="Run inside a bwrap sandbox",
                         action="store_true")
+    parser.add_argument("-w", "--wrap", help="Use builtin unprivileged wrapper",
+                        action="store_true")
     parser.add_argument("-p", "--preserve", help="Do not remove temporary dir",
                         action="store_true")
     parser.add_argument("-t", "--tmpdir", help="Temporary directory",
@@ -113,6 +116,8 @@ def check_types():
             count += 1
         if args.bwrap:
             count += 1
+        if args.wrap:
+            count += 1
         if args.bare_metal:
             count += 1
         return count
@@ -131,6 +136,9 @@ def check_types():
     if args.bwrap and args.tmpfs:
         raise ValueError("tmpfs cannot be used with bwrap.")
 
+    if args.wrap and args.tmpfs:
+        raise ValueError("tmpfs cannot be used with wrap.")
+
     # Cores validation
     if int(args.cores) < 1:
         raise ValueError("Must use one or more cores.")
@@ -224,6 +232,15 @@ def bootstrap(args, system_a, system_c, tmpdir):
                          '--tmpfs', '/tmp',
                          '/init')
 
+    elif args.wrap:
+        system_c.prepare(create_disk_image=False)
+        system_a.prepare(create_initramfs=False, wrap=True)
+
+        arch = stage0_arch_map.get(args.arch, args.arch)
+        init = os.path.join('bootstrap-seeds', 'POSIX', arch, 'kaem-optional-seed')
+
+        run(init, cwd = system_a.tmp_dir)
+
     elif args.bare_metal:
         if args.kernel:
             system_c.prepare(create_disk_image=True)

sysa.py

@@ -37,7 +37,7 @@ def __init__(self, tmpdir, arch, external_sources,
 
         self.tmp_dir = tmpdir.add_sys("sysa")
 
-    def prepare(self, create_initramfs, kernel_bootstrap=False):
+    def prepare(self, create_initramfs, kernel_bootstrap=False, wrap=False):
         """
         Prepare directory structure for System A.
         We create an empty tmp directory, unpack stage0-posix.
@@ -50,7 +50,7 @@ def prepare(self, create_initramfs, kernel_bootstrap=False):
             shutil.copy2(os.path.join(self.sys_dir, 'base-preseeded.kaem'),
                          os.path.join(self.tmp_dir, 'kaem.x86'))
         else:
-            self.stage0_posix()
+            self.stage0_posix(wrap)
 
         self.sysa()
 
@@ -93,7 +93,7 @@ def sysc(self, create_initramfs):
         shutil.copytree(self.sysc_dir, os.path.join(self.tmp_dir, 'sysc'),
                 ignore=ignore)
 
-    def stage0_posix(self):
+    def stage0_posix(self, wrap):
         """Copy in all of the stage0-posix"""
         stage0_posix_base_dir = os.path.join(self.sys_dir, 'stage0-posix', 'src')
         copy_tree(stage0_posix_base_dir, self.tmp_dir)
@@ -104,7 +104,11 @@ def stage0_posix(self):
         shutil.copy2(kaem_optional_seed, os.path.join(self.tmp_dir, 'init'))
 
         # stage0-posix hook to continue running live-bootstrap
-        shutil.copy2(os.path.join(self.sys_dir, 'after.kaem'),
+        if wrap:
+            after_kaem_name = "after_wrap.kaem"
+        else:
+            after_kaem_name = "after.kaem"
+        shutil.copy2(os.path.join(self.sys_dir, after_kaem_name),
                      os.path.join(self.tmp_dir, 'after.kaem'))
 
     def add_fiwix_files(self, file_list_path, dirpath):

sysa/after_wrap.kaem

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# SPDX-FileCopyrightText: 2023 Max Hearnden <max@hearnden.org.uk>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -ex
+
+PATH=./${ARCH_DIR}/bin
+
+./${ARCH_DIR}/bin/M2-Mesoplanet --architecture ${ARCH} \
+  -f sysa/wrap.c \
+  -o ./${ARCH_DIR}/bin/wrap \
+  --temp-directory ./x86/artifact
+
+exec ./${ARCH_DIR}/bin/wrap ./${ARCH_DIR}/bin/kaem --verbose --strict --file sysa/after.kaem

sysa/run2.sh

@@ -114,6 +114,15 @@ else
     SYSC=/sysc_image
     sys_transfer "${SYSC}" /sysc gzip patch
     if [ "${CHROOT_ONLY_SYSA}" != True ]; then
+        if [ "${CHROOT_WRAP}" = True ]; then
+            # bind mount dev, proc and sys into new root
+            mkdir -p "${SYSC}/dev"
+            mount --no-mtab --rbind /dev "${SYSC}/dev"
+            mkdir -p "${SYSC}/proc"
+            mount --no-mtab --rbind /proc "${SYSC}/proc"
+            mkdir -p "${SYSC}/sys"
+            mount --no-mtab --rbind /sys "${SYSC}/sys"
+        fi
         exec chroot "${SYSC}" /init
     fi
 fi