On Wed, Jan 1, 2014 at 1:18 PM, Douglas Freed <[email protected]> wrote: > Bind mounting /dev/shm into the chroot isn't a good idea, as there may > be collisions and result in weird side effects. Instead, we can just > mount a new tmpfs there, with the right options to ensure security. > --- > modules/generic_stage_target.py | 9 ++++++--- > 1 file changed, 6 insertions(+), 3 deletions(-) > > diff --git a/modules/generic_stage_target.py b/modules/generic_stage_target.py > index 9edafe9..10b367d 100644 > --- a/modules/generic_stage_target.py > +++ b/modules/generic_stage_target.py > @@ -179,13 +179,13 @@ class generic_stage_target(generic_target): > > self.mountmap={"/proc":"/proc","/dev":"/dev","/dev/pts":"/dev/pts",\ > > "/usr/portage":self.settings["snapshot_cache_path"]+"/portage",\ > > "/usr/portage/distfiles":self.settings["distdir"],"/var/tmp/portage":"tmpfs", > - "/dev/shm": "/dev/shm"} > + "/dev/shm": "shmfs"} > else: > self.mounts=["/proc", "/dev", > "/usr/portage/distfiles", > "/var/tmp/portage"] > > self.mountmap={"/proc":"/proc","/dev":"/dev","/dev/pts":"/dev/pts",\ > > "/usr/portage/distfiles":self.settings["distdir"],"/var/tmp/portage":"tmpfs", > - "/dev/shm": "/dev/shm"} > + "/dev/shm": "shmfs"} > if os.uname()[0] == "Linux": > self.mounts.append("/dev/pts") > self.mounts.append("/dev/shm") > @@ -904,7 +904,7 @@ class generic_stage_target(generic_target): > > os.makedirs(self.settings["chroot_path"]+x,0755) > > if not os.path.exists(self.mountmap[x]): > - if not self.mountmap[x] == "tmpfs": > + if self.mountmap[x] != "tmpfs" and > self.mountmap[x] != "shmfs": > os.makedirs(self.mountmap[x],0755) > > src=self.mountmap[x] 
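Review bot: The new `"shmfs"` value in both mountmap literals is a pseudo-source sentinel like `"tmpfs"`, but nothing at the definition says so, and the exact literal has to be matched byte-for-byte in the makedirs guard and the mount dispatch further down. A comment above the first mountmap, `# "tmpfs"/"shmfs" values are pseudo-sources: mounted fresh, never bind-mounted or created on the host`, would stop a future edit from treating them as paths. The sentinel is now duplicated across the two near-identical dict literals (they differ only in the /usr/portage entry), so a single module-level constant would avoid the two drifting apart. The enclosing method begins and ends outside the hunk.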
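Review bot: The rewritten guard tests `self.mountmap[x]` against the two pseudo-source sentinels with a chained `!=`, which reads as two unrelated conditions and must be extended again for every new sentinel; `if self.mountmap[x] not in ("tmpfs", "shmfs"):` states the intent in one membership check. As quoted, the mail client appears to have wrapped the `+` line before `self.mountmap[x] != "shmfs":`; the continuation has to stay on the same logical line (or inside parentheses) for the patch to parse, which is worth confirming in the applied 2.X tree. The enclosing method begins and ends outside the hunk.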
> @@ -923,6 +923,9 @@ class generic_stage_target(generic_target): > retval=os.system("mount -t > tmpfs -o size="+\ > > self.settings["var_tmpfs_portage"]+"G "+src+" "+\ > > self.settings["chroot_path"]+x) > + else if src == "shmfs": > + retval=os.system("mount -t tmpfs -o > noexec,nosuid,nodev shm "+\ > + > self.settings["chroot_path"]+x) > else: > retval=os.system("mount --bind > "+src+" "+\ > > self.settings["chroot_path"]+x) > -- > 1.8.4.3 >
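Review bot: `else if src == "shmfs":` is not valid Python — the language spells it `elif` — so this branch raises a SyntaxError at import time and the whole module fails to load; the line should read `elif src == "shmfs":`. The new tmpfs is mounted with no `size=` option, unlike the `var_tmpfs_portage` branch just above, so it takes the tmpfs default (half of RAM) and a runaway build inside the chroot can consume that much host memory; either pass a size or document why the default is acceptable here. `noexec` on /dev/shm is a known cause of build failures for packages that create executable mappings there, so this is worth confirming against a full stage build before it lands in 2.X. The chroot path is still spliced unquoted into an `os.system` string, as the existing branches do, so a path containing spaces or shell metacharacters would break the mount command. The enclosing method begins and ends outside the hunk.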
Oh, I forgot to mention that this is for 2.X, not master. -Doug
