[EMAIL PROTECTED] (Mike McLean) writes:

> Attached are a couple of patches that expand the mounts created in the
> chroot by mock. These are mounts that we've used for builds within Red
> Hat for years and some packages need them to compile properly.

1. 'mock' should be run in its own namespace; then you would not need to
   track the mounted filesystems

2. most of the mounts should be done directly with the mount(2) syscall;
   NFS filesystems are the only exception I am aware of

3. a secure way to mount the filesystems is

   | chroot(ROOTDIR);
   | mount(...);

   Current path-checks (e.g. for '/../') are completely useless because
   they will not protect against symlink attacks.

> more_mounts.patch is the larger patch, it refactors _mount() so that
> the mounts to be created are specified in a list and looped over.
> I've also changed the unmounting code to make it more paranoid.

With namespaces, unmounting would not be needed...

> In order to allow these mounts, I had to make some changes to
> mock-helper.
>
> bind_dev.patch builds on the previous patch and provides an option
> to have /dev bind mounted in the chroot (instead of the skeletal /dev
> that mock sets up).

When packages require special devices to build these packages are
broken... Making a full /dev available lowers security significantly in
environments which remove CAP_MKNOD for the buildsys.

Enrico
--
Fedora-buildsys-list mailing list
Fedora-buildsys-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-buildsys-list
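The point in item 3 of the reply, that a string check for '/../' says nothing about symlinks inside the build root, shown as an added example (not code from this thread, mock or mock-helper). The function names and the temporary directory layout are hypothetical and constructed for the demonstration; it assumes a writable /tmp and needs no privileges.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The kind of check the reply calls useless: reject "/../" in the string. */
static int textual_check_ok(const char *path) {
    return strstr(path, "/../") == NULL;
}

/* Resolve symlinks first, then require the result to stay under root. */
static int resolves_inside_root(const char *root, const char *path) {
    char rroot[PATH_MAX], rpath[PATH_MAX];
    if (!realpath(root, rroot) || !realpath(path, rpath)) return 0;
    size_t n = strlen(rroot);
    if (n == 1) return 1;                      /* root is "/" */
    return strncmp(rroot, rpath, n) == 0 && (rpath[n] == '/' || rpath[n] == '\0');
}

/* Constructed layout: BASE/root is the build root, BASE/root/proc is a
 * symlink to BASE/outside. Returns 2*textual + resolved, or -1 on error. */
int demo(void) {
    char base[] = "/tmp/mockdemoXXXXXX";
    char root[64], outside[64], target[80];
    if (!mkdtemp(base)) return -1;
    snprintf(root, sizeof root, "%s/root", base);
    snprintf(outside, sizeof outside, "%s/outside", base);
    snprintf(target, sizeof target, "%s/proc", root);
    if (mkdir(root, 0700) || mkdir(outside, 0700) || symlink(outside, target))
        return -1;
    int t = textual_check_ok(target);           /* no "/../" in the string */
    int r = resolves_inside_root(root, target); /* follows the symlink */
    unlink(target); rmdir(outside); rmdir(root); rmdir(base);
    return 2 * t + r;
}

int main(void) {
    int v = demo();
    if (v < 0) return 1;
    printf("textual check passes=%d, resolves inside root=%d\n", v >> 1, v & 1);
    return 0;
}
```

A resolve-then-mount check like `resolves_inside_root` is still open to a race between the check and the mount; the chroot-then-mount sequence in the reply avoids that because the kernel resolves the mount point with the root already changed.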