[gentoo-commits] proj/catalyst:pending/mattst88 commit in: catalyst/, catalyst/base/

Thu, 29 Oct 2020 09:14:48 -0700 

commit:     e8a048bbc0cef96f2a65365aa73169e6eff0f405
Author:     Matt Turner <mattst88 <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 29 15:00:42 2020 +0000
Commit:     Matt Turner <mattst88 <AT> gentoo <DOT> org>
CommitDate: Thu Oct 29 16:13:47 2020 +0000
URL:        https://gitweb.gentoo.org/proj/catalyst.git/commit/?id=e8a048bb

catalyst: Run the build sequence in new mount namespace

Catalyst has a lot of code to unmount the bind mounts it's made, and
then more to try harder when something fails. This is important because
if bind mounts still exist within the chroot when clean up happens,
files outside of the chroot on the host system can inadvertently be
deleted. E.g., distfiles, binpkgs, kerncache.

Running the build sequence (the steps that need bind mounts) within a
mount namespace and exiting the mount namespace when finished ensures
that clean up can never accidentally delete files outside the chroot.

Signed-off-by: Matt Turner <mattst88 <AT> gentoo.org>

 catalyst/base/stagebase.py | 8 +++++---
 catalyst/main.py           | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/catalyst/base/stagebase.py b/catalyst/base/stagebase.py
index 06ec8727..ec9a8f06 100644
--- a/catalyst/base/stagebase.py
+++ b/catalyst/base/stagebase.py
@@ -15,6 +15,7 @@ from snakeoil.osutils import pjoin
 from DeComp.compress import CompressMap
 
 from catalyst import log
+from catalyst.context import namespace
 from catalyst.defaults import (confdefaults, MOUNT_DEFAULTS, PORT_LOGDIR_CLEAN)
 from catalyst.support import (CatalystError, file_locate, normpath,
                               cmd, read_makeconf, ismount, file_check,
@@ -1405,9 +1406,10 @@ class StageBase(TargetBase, ClearBase, GenBase):
         if not self.run_sequence(self.prepare_sequence):
             return False
 
-        if not self.run_sequence(self.build_sequence):
-            self.unbind()
-            return False
+        with namespace(mount=True):
+            if not self.run_sequence(self.build_sequence):
+                self.unbind()
+                return False
 
         if not self.run_sequence(self.finish_sequence):
             return False

diff --git a/catalyst/main.py b/catalyst/main.py
index 93a4a0d3..5536471a 100644
--- a/catalyst/main.py
+++ b/catalyst/main.py
@@ -355,7 +355,7 @@ def _main(parser, opts):
     # use pid & user namespaces, but snakeoil's namespace module has signal
     # transfer issues (CTRL+C doesn't propagate), and user namespaces need
     # more work due to Gentoo build process (uses sudo/root/portage).
-    with namespace(mount=True, uts=True, ipc=True, hostname='catalyst'):
+    with namespace(uts=True, ipc=True, hostname='catalyst'):
         # everything is setup, so the build is a go
         try:
             success = build_target(addlargs)

Reply via email to