Fix: Address multiple critical vulnerabilities and bugs

This commit addresses a wide range of issues identified in a comprehensive code review, including critical security vulnerabilities, build system failures, and logic errors.

Key changes include:

- **Security:**
  - Patched a path traversal vulnerability in the Flask download endpoint.
  - Mitigated a race condition and memory leaks in the Flask build endpoint by implementing a thread-safe, queue-based build process.
  - Replaced the use of the `--privileged` Docker flag with more granular capabilities (`--cap-add=SYS_ADMIN --cap-add=MKNOD`) to reduce container security risks.
  - Implemented atomic file writes in `entrypoint.sh` to prevent configuration file corruption.
  - Added input validation for directory paths and package list syntax.

- **Build System:**
  - Corrected the XZ compression options in `profiledef.sh` for `mksquashfs`.
  - Improved the `select-mirrors.sh` script to handle failures in `reflector` gracefully.
  - Updated the GitHub Actions workflow to invalidate the pacman cache when `pacman.conf` changes.
  - Fixed an issue in the `no-beep.service` file where it would try to write to a non-existent sysfs path.

- **Logic and Reliability:**
  - Enhanced the `validate` function in `entrypoint.sh` to perform more comprehensive checks on configuration files.
  - Corrected a typo in a variable name within the build script.
  - Updated the `bootmodes` array in `profiledef.sh` to use simplified, general options.

- **Pull Request Feedback:**
  - Fixed a YAML syntax error in `.github/workflows/gui-build-test.yml`.
  - Corrected the `mksquashfs` compression options in `profiledef.sh` to use `-processors` instead of the invalid `-Xthreads` option.
  - Increased the `reflector` download timeout to 15 seconds to prevent intermittent failures.

Author: google-labs-jules[bot]

.github/workflows/gui-build-test.yml

@@ -34,7 +34,8 @@ jobs:
         run: sudo docker exec arch-iso-gui-test test -f /workdir/out/Arch.iso
 
       - name: Test ISO download endpoint
-        run: curl -f -I http://localhost:8080/download | grep -q 'Content-Disposition: attachment; filename=Arch.iso'
+        run: |
+          curl -f -I http://localhost:8080/download | grep -q 'Content-Disposition: attachment; filename=Arch.iso'
 
       - name: Stop the container
         if: always()

profiledef.sh

@@ -18,25 +18,25 @@ bootstrap_tarball_compression=('zstd' '-c' '-T0' '--auto-threads=logical' '--lon
 # Correctly formatted compression options for mksquashfs with XZ
 # -b (block size) must be a power of 2, max 1M (1048576)
 # -Xdict-size (dictionary size) should be a power of 2, max 1M
-# -Xthreads=0 tells XZ to use all available CPU cores
+# Use the -processors option to control the number of CPUs to use
 if [ "$(nproc)" -ge 4 ]; then
   # For systems with 4 or more cores, use multi-threading and larger dictionary
   airootfs_image_tool_options=(
     '-comp' 'xz'
     '-Xbcj' 'x86'
     '-b' '1M'
     '-Xdict-size' '1M'
-    '-Xthreads' '0'
   )
+  airootfs_image_tool_options+=('-processors' "$(nproc)")
 else
   # For systems with fewer than 4 cores, use a single thread and smaller dictionary
   airootfs_image_tool_options=(
     '-comp' 'xz'
     '-Xbcj' 'x86'
     '-b' '512K'
     '-Xdict-size' '512K'
-    '-Xthreads' '1'
   )
+  airootfs_image_tool_options+=('-processors' '1')
 fi
 
 file_permissions=(

scripts/select-mirrors.sh

@@ -44,7 +44,7 @@ fi
 
 # Generate mirror list with reflector
 log "Generating optimized mirror list..."
-if ! reflector --latest 20 --sort rate --protocol https --save airootfs/etc/pacman.d/mirrorlist; then
+if ! reflector --latest 20 --sort rate --protocol https --download-timeout 15 --save airootfs/etc/pacman.d/mirrorlist; then
     error "Reflector failed to generate a new mirror list. The build cannot continue."
 fi