#!/bin/bash
set -eEux
set -o pipefail
trap 'echo >&2 "$0: unknown error"' ERR

export LC_ALL=C DEBIAN_FRONTEND=noninteractive
a=amd64 r=jessie t=live M=http://httpredir.debian.org/debian

# We can't use /tmp as it may (reasonably) be mounted -onodev.
mkdir -p /tmp/bootstrap
grep -q '^tmpfs /tmp/bootstrap tmpfs' /proc/mounts ||
mount tmpfs /tmp/bootstrap -ttmpfs -omode=700,size=80%
cd /tmp/bootstrap
rm -rf $t                                                       # Delete previous build (if any).

debootstrap --variant minbase --arch $a $r $t $M
>$t/etc/debian_chroot                   echo bootstrap
>$t/etc/apt/sources.list                printf 'deb %s %s main\n'       $M $r   $M $r-updates   $M $r-backports   http://security.debian.org $r/updates
>$t/etc/apt/sources.list.d/30selinux.list printf 'deb %s %s selinux\n' http://www.coker.com.au $r
>$t/etc/apt/apt.conf.d/10stable         echo "APT::Default-Release \"$r\";"
>$t/etc/apt/apt.conf.d/10bootstrap      echo 'APT::Get::Assume-Yes "1"; APT::Get::AutomaticRemove "1"; APT::Install-Recommends "0"; Quiet "1";'
>$t/usr/sbin/policy-rc.d                printf '#!/bin/sh\nexit 101'
chmod +x $t/usr/sbin/policy-rc.d
chroot $t apt-key adv --keyserver hkp://pool.sks-keyservers.net --recv-key D141CD30FC4B8F79
chroot $t apt-get update
chroot $t apt-get install -y initramfs-tools
>$t/etc/kernel-img.conf                 echo link_in_boot=yes
sed -i 's/^root:[^:]*:/root::/' $t/etc/shadow                   # root has null password
>$t/etc/initramfs-tools/modules         printf '%s\n' overlay squashfs
>$t/etc/initramfs-tools/scripts/overlaytest cat <<EOF
mountroot()
{
  set -x
  : "--> Mount a tmpfs on /live for use by overlay"
  mkdir /live
  mount -t tmpfs tmpfs /live
  : "--> Make the two subdirs required by overlay"
  mkdir -p /live/overlay/rw /live/overlay/work
  : "--> Make /filesystem to mount the read-only squashfs"
  mkdir /filesystem
  : "--> Create a /etc directory in what will become the writable portion of"
  : "--> the overlay filesystem"
  mkdir -p /live/overlay/rw/etc
  : "--> Mount the squashfs"
  mount -t squashfs /dev/vda /filesystem
  : "--> Union the tmpfs and the squashfs with overlayfs and mount them on"
  : "--> /root"
  mount -t overlay -o noatime,lowerdir=/filesystem/,upperdir=/live/overlay/rw,workdir=/live/overlay/work overlay /root/

  : "--> Demonstrate that creating a file..."
  touch /root/newfile
  : "--> ... creating a directory..."
  mkdir -p /root/newdir
  : "--> ... and creating a file in the new directory all work in the"
  : "--> root of the overlay filesystem..."
  touch /root/newdir/newfile
  : "--> ...before cleaning up those files/dirs"
  rm -r /root/newfile /root/newdir/newfile /root/newdir
  : "--> Demonstrate that touching an existing directory (/etc, which we"
  : "--> created earlier), and a file within it, works"
  touch /root/etc/
  touch /root/etc/newfile
  : "--> Demonstrate that touching a directory or file not already present in"
  : "--> the read-write part of overlay does *NOT* work"
  touch /root/home/
  touch /root/home/newfile

  set +x

  maybe_break

}
EOF
>$t/etc/initramfs-tools/hooks/strace cat <<\EOF
#!/bin/bash

set -e
if [[ prereqs = $1 ]]
then exit 0
fi

. /usr/share/initramfs-tools/hook-functions

copy_exec /usr/bin/strace
EOF
chmod a+x $t/etc/initramfs-tools/hooks/strace
chroot $t apt-get install -y --no-install-recommends linux-image-4.1.0-0.bpo.1-amd64 busybox selinux-basics selinux-policy-default auditd strace

# SELinux relabel
# NOTE: This requres SELinux to be enabled on the build host, even if it
# is set to permissive!
setfiles -r $t/ $t/etc/selinux/default/contexts/files/file_contexts $t/

exclusions=(
    # Since boot/* is needed outside the squashfs, don't duplicate it inside.
    '^boot$/.'
    # Filesystems created at boot time.
    '^(dev|tmp|run)$/.'
    '^var$/^(lock|run|tmp)$/.'
    # Build-time configuration and cache.
    '^etc$/^(debian_chroot|hostname|hosts|motd(\.tail)?|mtab|resolv.conf)$'
    '^etc$/^apt$/^apt.conf.d$/^10bootstrap$'
    '^etc$/^network$/^interfaces$'
    '^usr$/^sbin$/^policy-rc\.d$'
    '^var$/^cache$/^apt$/^(src)?pkgcache\.bin$'
    '^var$/^cache$/^apt$/^archives$/\.deb$'
    '^var$/^cache$/^bootstrap$'
    '^var$/^lib$/^apt$/^lists$/.'
    '^var$/^log$/.'
)

mksquashfs $t $t/boot/filesystem.squashfs -regex -e "${exclusions[@]}"

kvm -m 256 -nographic -kernel $t/boot/vmlinuz -initrd $t/boot/initrd.img -append 'console=ttyS0 root=/dev/vda loglevel=1 security=selinux boot=overlaytest' -drive file=$t/boot/filesystem.squashfs,index=0,media=disk,if=virtio -net nic,model=virtio