Closed stapelberg closed 5 years ago
Dumping this here in case we want to pick up the udisks approach at some point:
```go
import (
	"fmt"

	"github.com/godbus/dbus"
)

// MB is assumed to be defined elsewhere in the original package; it is added
// here so the snippet compiles on its own.
const MB = 1024 * 1024

func udisks() error {
	conn, err := dbus.SystemBus()
	if err != nil {
		return err
	}
	const (
		linux    = "0x83"
		squashFS = linux // SquashFS does not have a dedicated type
	)
	// TODO: set bootable flag?
	options := map[string]dbus.Variant{
		// Need to specify the partition type explicitly, otherwise udisks
		// creates an extended partition for the last (/perm) partition:
		"partition-type": dbus.MakeVariant("primary"),
	}
	obj := conn.Object("org.freedesktop.UDisks2", "/org/freedesktop/UDisks2/block_devices/sda")
	if err := obj.Call("org.freedesktop.UDisks2.PartitionTable.CreatePartition", 0,
		uint64(8192*512), // offset, start at 8192 sectors
		uint64(100*MB),   // size
		"0xc",            // type (FAT32 LBA for the boot partition)
		"",               // name
		options).Err; err != nil {
		return fmt.Errorf("UDisks2.CreatePartition(/dev/sda): %v", err)
	}
	if err := obj.Call("org.freedesktop.UDisks2.PartitionTable.CreatePartition", 0,
		uint64(8192*512+100*MB), // offset, start after partition 1
		uint64(500*MB),          // size
		squashFS,                // type
		"",                      // name
		options).Err; err != nil {
		return fmt.Errorf("UDisks2.CreatePartition(/dev/sda): %v", err)
	}
	if err := obj.Call("org.freedesktop.UDisks2.PartitionTable.CreatePartition", 0,
		uint64(8192*512+600*MB), // offset, start after partition 2
		uint64(500*MB),          // size
		squashFS,                // type
		"",                      // name
		options).Err; err != nil {
		return fmt.Errorf("UDisks2.CreatePartition(/dev/sda): %v", err)
	}
	if err := obj.Call("org.freedesktop.UDisks2.PartitionTable.CreatePartition", 0,
		uint64(8192*512+1100*MB), // offset, start after partition 3
		uint64(500*MB),           // size, TODO
		linux,                    // type
		"",                       // name
		options).Err; err != nil {
		return fmt.Errorf("UDisks2.CreatePartition(/dev/sda): %v", err)
	}
	return nil
}
```
One way to use the gokr-packer is to pass a filename to the `-overwrite` parameter and have it write an image. While this works without any additional permissions, there are two significant advantages to passing a device to `-overwrite`:

`-target_storage_bytes` parameter.

We have a number of options as to how to obtain the required permissions:

1. `sudo setcap CAP_SYS_ADMIN,CAP_DAC_OVERRIDE=ep $(go env GOPATH)/bin/gokr-packer`. This silently doesn’t work on file systems which are mounted `nosuid`, such as ecryptfs when using Ubuntu’s home directory encryption.
2. `sudo setfacl -m u:${USER}:rw /dev/mmc* /dev/sd*`. This doesn’t stick: once you unplug the SD card, the permission change is lost.
3. `disk` group, effectively granting write permission to all disk devices. This requires logging in again (or using `newgrp`) and might be too coarse-grained. Debian decided against using groups for disk access for (not concretely specified) security reasons: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751892
4. `sudo gokr-packer` is not desired, as gokr-packer calls out to the go tool, which would then operate on root’s `$GOPATH`, not the user’s.
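The `nosuid` failure mode in option 1 is silent, so a pre-flight check is worth having. The following is an added example, not code from the gokrazy project or this issue: it parses a `/proc/self/mounts`-style table, finds the most specific mount covering the binary's path, and reports whether that mount is `nosuid`. The mount table and the binary path `/home/user/go/bin/gokr-packer` are constructed for the stand-alone run; on Linux the live table is used instead.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Constructed /proc/self/mounts content for a stand-alone run: the home
// directory is an ecryptfs mount carrying nosuid, as with Ubuntu home encryption.
const sampleMounts = `/dev/sda1 / ext4 rw,relatime 0 0
/home/user/.Private /home/user ecryptfs rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /mnt/data ext4 rw,relatime 0 0`

// nosuidMountFor finds the longest mount point containing path in a
// /proc/self/mounts-style table and reports whether that mount is nosuid.
func nosuidMountFor(mounts, path string) (mountPoint string, nosuid bool) {
	path = filepath.Clean(path)
	for _, line := range strings.Split(mounts, "\n") {
		f := strings.Fields(line)
		if len(f) < 4 {
			continue // fields: device, mount point, fstype, options, ...
		}
		mp, opts := f[1], f[3]
		if mp != "/" && path != mp && !strings.HasPrefix(path, mp+"/") {
			continue // this mount does not contain path
		}
		if len(mp) < len(mountPoint) {
			continue // a more specific mount point was already matched
		}
		mountPoint, nosuid = mp, false // later entries at equal depth are on top
		for _, o := range strings.Split(opts, ",") {
			if o == "nosuid" {
				nosuid = true
			}
		}
	}
	return mountPoint, nosuid
}

func main() {
	path := "/home/user/go/bin/gokr-packer" // hypothetical location of the binary
	mounts := sampleMounts
	if data, err := os.ReadFile("/proc/self/mounts"); err == nil {
		mounts = string(data) // prefer the live mount table when available
	}
	mp, nosuid := nosuidMountFor(mounts, path)
	fmt.Printf("%s is on %s, nosuid=%v (setcap capabilities are ignored if true)\n", path, mp, nosuid)
}
```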