317dffb817
In some cases we cannot do a fast bind-mount of the files we want in our jail since we don't have cap_sys_admin for loolmount inside e.g. docker. Thus we need to fall back to hard-linking, however various security systems namespace parts of our tree, such that link() fails with EXDEV even across the (apparently) same file-system. As such we need to assemble a copy of what we want to hard-link close to our jails. However, this needs to be owned by root / the system to avoid having writable files shared between jails. Hence we need cap_chown in addition to cap_fowner, to get ownership right and then hard-link.

Change-Id: Iba0ef46ddbc1c03f3dc7177bc1ec1755624135db
Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
37 lines
1 KiB
Bash
#!/bin/sh

set -e

case "$1" in
    configure)
    # File capabilities for the jail helpers. cap_chown is needed alongside
    # cap_fowner so the copy assembled for hard-linking can be given system
    # ownership; cap_sys_admin lets loolmount bind-mount. Failures are tolerated.
    setcap cap_fowner,cap_chown,cap_mknod,cap_sys_chroot=ep /usr/bin/loolforkit || true
    setcap cap_sys_admin=ep /usr/bin/loolmount || true

    # Dedicated system user and group for the service.
    adduser --quiet --system --group --home /opt/lool lool
    mkdir -p /var/cache/loolwsd && chown lool: /var/cache/loolwsd
    rm -rf /var/cache/loolwsd/*
    # Config is readable only by the lool user and group.
    chown lool: /etc/loolwsd/loolwsd.xml
    chmod 640 /etc/loolwsd/loolwsd.xml

    # We assume that the LibreOffice to be used is built TDF-style
    # and installs in @LO_PATH@, and that /opt/lool is
    # on the same file system

    rm -rf /opt/lool
    mkdir -p /opt/lool/child-roots
    chown lool: /opt/lool
    chown lool: /opt/lool/child-roots

    fc-cache @LO_PATH@/share/fonts/truetype

    loolwsd-systemplate-setup /opt/lool/systemplate @LO_PATH@ >/dev/null 2>&1
    loolwsd-generate-proof-key >/dev/null 2>&1
    # Re-run the systemplate setup after every dpkg invocation.
    cat << EOF > /etc/apt/apt.conf.d/25loolwsd
// Rebuild systemplate of @APP_NAME@
DPkg::Post-Invoke { "echo Updating loolwsd systemplate;loolwsd-systemplate-setup /opt/lool/systemplate @LO_PATH@ >/dev/null 2>&1"; };
EOF
    ;;

esac

#DEBHELPER#
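The staging order the commit message describes (copy close to the jails, make the copy system-owned and read-only, then hard-link it into each jail) is sketched below as an added example; it is not loolwsd code. The function names, the absolute-path arguments and the audit step are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not part of loolwsd. All paths must be absolute and
# file names must not contain newlines.

# stage_template SRC STAGE: copy SRC next to the jails so later link() calls
# stay inside one tree, then strip every write bit from the copy.
stage_template() {
    src=$1 stage=$2
    mkdir -p "$stage" && cp -R "$src/." "$stage/" || return 1
    # The commit message wants root/system ownership; only root can chown.
    [ "$(id -u)" -ne 0 ] || chown -R 0:0 "$stage"
    find "$stage" -type f -exec chmod a-w {} +
}

# populate_jail STAGE JAIL: recreate the directory tree, then hard-link each
# regular file so every jail shares the staged inode.
populate_jail() {
    stage=$1 jail=$2
    (cd "$stage" && find . -type d) | (
        while IFS= read -r d; do mkdir -p "$jail/$d" || exit 1; done
    ) || return 1
    (cd "$stage" && find . -type f) | (
        while IFS= read -r f; do ln "$stage/$f" "$jail/$f" || exit 1; done
    )
}

# audit_shared_links DIR OWNER_UID: print hard-linked files (link count > 1)
# that carry any write bit or are not owned by OWNER_UID. A hit means one
# jail could alter content that every other jail sees.
audit_shared_links() {
    dir=$1 owner=$2
    find "$dir" -type f -links +1 \
        \( -perm -200 -o -perm -020 -o -perm -002 -o ! -user "$owner" \) -print
}
```

Because all links share one inode, a single write bit restored through any jail path makes the audit report the staged file and every jail's link to it.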