fixup! feat(extensions): add netboot extension for full TFTP+NFS boot

Author: iav

extensions/netboot/netboot.sh

@@ -85,12 +85,23 @@ function extension_prepare_config__netboot_defaults_and_validate() {
 		"" | gzip | zstd | zst | none) ;;
 		*) exit_with_error "${EXTENSION}: unknown ROOTFS_COMPRESSION: '${ROOTFS_COMPRESSION}' (expected: gzip|zstd|zst|none)" ;;
 	esac
-	if [[ -n "${ROOTFS_EXPORT_DIR}" && "${ROOTFS_EXPORT_DIR}" != /* ]]; then
-		exit_with_error "${EXTENSION}: ROOTFS_EXPORT_DIR must be an absolute path (got '${ROOTFS_EXPORT_DIR}')"
-	fi
 	if [[ "${ROOTFS_COMPRESSION}" == "none" && -z "${ROOTFS_EXPORT_DIR}" ]]; then
 		exit_with_error "${EXTENSION}: ROOTFS_COMPRESSION=none requires ROOTFS_EXPORT_DIR (otherwise nothing is produced)"
 	fi
+
+	# Keep ROOTFS_EXPORT_DIR confined to a fixed base under ${SRC}/output, so a
+	# stray typo or accidental absolute path can never let rsync --delete touch
+	# the host filesystem outside that subtree. Any user value (relative or
+	# absolute) is treated as a sub-path of the base; an absolute `/srv/nfs`
+	# becomes `${SRC}/output/netboot-export//srv/nfs` (the ordinary path-join
+	# semantics make this a plain sub-directory). If a NFS server on the build
+	# host expects `/srv/...`, symlink `${SRC}/output/netboot-export` there.
+	if [[ -n "${ROOTFS_EXPORT_DIR}" ]]; then
+		case "${ROOTFS_EXPORT_DIR}" in
+			*..*) exit_with_error "${EXTENSION}: ROOTFS_EXPORT_DIR must not contain '..'" "${ROOTFS_EXPORT_DIR}" ;;
+		esac
+		declare -g ROOTFS_EXPORT_DIR="${SRC}/output/netboot-export/${ROOTFS_EXPORT_DIR}"
+	fi
 }
 
 # Ensure NFS-root client support is built into the kernel.
@@ -126,27 +137,20 @@ function post_customize_image__netboot_skip_firstlogin_wizard() {
 	run_host_command_logged rm -f "${SDCARD}/root/.not_logged_in_yet"
 }
 
-# ROOTFS_EXPORT_DIR must be visible inside the build container at the same path the
-# in-container rsync writes to — otherwise data lands in the container's private
-# filesystem and disappears on umount. Two cases:
-#   1) Path already under ${SRC}: core already bind-mounts ${SRC} at
-#      ${DOCKER_ARMBIAN_TARGET_PATH} (/armbian) inside the container, so the data
-#      path IS host-visible — but the env var still holds the host path, which
-#      does not exist in the container. Translate the env var to the container
-#      path so rsync writes into the bind-mounted volume.
-#   2) Path outside ${SRC}: add an explicit bind-mount at the same path.
+# Expose the host export directory inside the container at a fixed, known-safe
+# mount point so the in-container rsync cannot be tricked into overwriting a
+# system path. The host side is already confined under ${SRC}/output/netboot-export/
+# by extension_prepare_config; bind that host path onto a dedicated container
+# target and point ROOTFS_EXPORT_DIR at the container path for rsync.
 function host_pre_docker_launch__netboot_mount_export_dir() {
 	[[ -z "${ROOTFS_EXPORT_DIR}" ]] && return 0
-	if [[ "${ROOTFS_EXPORT_DIR}" == "${SRC}" || "${ROOTFS_EXPORT_DIR}" == "${SRC}/"* ]]; then
-		declare container_export_dir="${DOCKER_ARMBIAN_TARGET_PATH:-/armbian}${ROOTFS_EXPORT_DIR#"${SRC}"}"
-		display_alert "${EXTENSION}: translating ROOTFS_EXPORT_DIR for container" "${ROOTFS_EXPORT_DIR} -> ${container_export_dir}" "info"
-		mkdir -p "${ROOTFS_EXPORT_DIR}"
-		DOCKER_EXTRA_ARGS+=("--env" "ROOTFS_EXPORT_DIR=${container_export_dir}")
-		return 0
-	fi
+	declare container_export_dir="/armbian/netboot-export"
 	mkdir -p "${ROOTFS_EXPORT_DIR}"
-	display_alert "${EXTENSION}: bind-mounting ROOTFS_EXPORT_DIR into container" "${ROOTFS_EXPORT_DIR}" "info"
-	DOCKER_EXTRA_ARGS+=("--mount" "type=bind,source=${ROOTFS_EXPORT_DIR},target=${ROOTFS_EXPORT_DIR}")
+	display_alert "${EXTENSION}: bind-mounting ROOTFS_EXPORT_DIR into container" "${ROOTFS_EXPORT_DIR} -> ${container_export_dir}" "info"
+	DOCKER_EXTRA_ARGS+=(
+		"--mount" "type=bind,source=${ROOTFS_EXPORT_DIR},target=${container_export_dir}"
+		"--env" "ROOTFS_EXPORT_DIR=${container_export_dir}"
+	)
 }
 
 function pre_umount_final_image__900_collect_netboot_artifacts() {