libreoffice-online/debian/loolwsd.postinst.in
Michael Meeks 317dffb817 Optimize copy of jails to hard-linking with new capability.
In some cases we cannot do a fast bind-mount of the files we want
in our jail since we don't have cap_sys_admin for loolmount inside
e.g. docker.

Thus we need to fall back to hard-linking, however various security
systems namespace parts of our tree, such that link() fails with
EXDEV even across the (apparently) same file-system.

As such we need to assemble a copy of what we want to hard-link
close to our jails. However, this needs to be owned by root / the
system to avoid having writable files shared between jails. Hence
we need cap_chown in addition to cap_fowner, to get ownership right
and then hard-link.

Change-Id: Iba0ef46ddbc1c03f3dc7177bc1ec1755624135db
Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
2021-01-04 15:05:36 +00:00


#!/bin/sh
set -e

case "$1" in
    configure)
        # File capabilities for the jail helpers. cap_chown and cap_fowner let
        # loolforkit fix ownership of the root-owned copy and then hard-link it.
        # "|| true" keeps the install going if setcap fails.
        setcap cap_fowner,cap_chown,cap_mknod,cap_sys_chroot=ep /usr/bin/loolforkit || true
        # cap_sys_admin is what loolmount needs for the fast bind-mount path.
        setcap cap_sys_admin=ep /usr/bin/loolmount || true

        # Unprivileged service account; cache and config are owned by it.
        adduser --quiet --system --group --home /opt/lool lool
        mkdir -p /var/cache/loolwsd && chown lool: /var/cache/loolwsd
        rm -rf /var/cache/loolwsd/*

        # The config file is readable only by root and the lool group.
        chown lool: /etc/loolwsd/loolwsd.xml
        chmod 640 /etc/loolwsd/loolwsd.xml

        # We assume that the LibreOffice to be used is built TDF-style
        # and installs in @LO_PATH@, and that /opt/lool is
        # on the same file system
        rm -rf /opt/lool
        mkdir -p /opt/lool/child-roots
        chown lool: /opt/lool
        chown lool: /opt/lool/child-roots

        fc-cache @LO_PATH@/share/fonts/truetype

        loolwsd-systemplate-setup /opt/lool/systemplate @LO_PATH@ >/dev/null 2>&1
        loolwsd-generate-proof-key >/dev/null 2>&1

        # Rebuild the systemplate after every dpkg run (heredoc stays unindented).
        cat << EOF > /etc/apt/apt.conf.d/25loolwsd
// Rebuild systemplate of @APP_NAME@
DPkg::Post-Invoke { "echo Updating loolwsd systemplate;loolwsd-systemplate-setup /opt/lool/systemplate @LO_PATH@ >/dev/null 2>&1"; };
EOF
        ;;
esac

#DEBHELPER#
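
Both setcap calls in the postinst end in "|| true", so the script continues even when the capabilities could not be applied. The following is an added example, not part of the loolwsd packaging, that checks a getcap output line against the requested capability set. The names normalize_caps and check_caps and the sample lines are constructed for illustration, and it assumes one capability clause per file in either the "path = caps+ep" or "path caps=ep" output layout.

```shell
#!/bin/sh
# Added example: verify that a getcap output line carries the capability set
# requested by the postinst. Function names and sample lines are hypothetical.

# Sort and lower-case a comma-separated capability list so order is irrelevant.
normalize_caps() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr ',' '\n' | LC_ALL=C sort -u | paste -s -d, -
}

# check_caps WANTED_CAPS WANTED_FLAGS GETCAP_LINE
# Accepts both getcap layouts: "path = caps+ep" and "path caps=ep".
# Assumes one capability clause per file. Returns 0 only on an exact match.
check_caps() {
    want=$(normalize_caps "$1")
    want_flags=$2
    spec=${3##* }                      # last field holds "caps<sep>flags"
    case "$spec" in
        *[+=]?*) ;;
        *) echo "MISSING: no capabilities set"; return 1 ;;
    esac
    have=$(normalize_caps "${spec%[+=]*}")
    have_flags=${spec##*[+=]}
    if [ "$have" = "$want" ] && [ "$have_flags" = "$want_flags" ]; then
        echo "OK"
        return 0
    fi
    echo "MISMATCH: have $have ($have_flags), want $want ($want_flags)"
    return 1
}

# Capability sets copied from the setcap calls in the postinst.
FORKIT_CAPS=cap_fowner,cap_chown,cap_mknod,cap_sys_chroot
MOUNT_CAPS=cap_sys_admin

# Constructed getcap output lines (not captured from a real system).
check_caps "$FORKIT_CAPS" ep "/usr/bin/loolforkit = cap_chown,cap_fowner,cap_mknod,cap_sys_chroot+ep" || true
check_caps "$MOUNT_CAPS" ep "/usr/bin/loolmount cap_sys_admin=ep" || true
check_caps "$MOUNT_CAPS" ep "" || true   # setcap failed: getcap prints nothing

# On an installed system (requires getcap from libcap):
#   check_caps "$FORKIT_CAPS" ep "$(getcap /usr/bin/loolforkit)"
```

A MISSING result for loolmount corresponds to the case the commit message describes, where the bind-mount path is unavailable and the hard-link fallback is used.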