commit: 187e786116b56b60bf1a84d44094619843214920
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Wed Sep 10 19:54:16 2014 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Wed Sep 10 19:54:16 2014 +0000
URL:
http://sources.gentoo.org/gitweb/?p=proj/releng.git;a=commit;h=187e7861
catalyst-auto: automatically use uts/ipc/pid namespaces
If the system can support them, throw the build process into various
namespaces to further isolate ourselves from the host system.
---
tools/catalyst-auto | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/tools/catalyst-auto b/tools/catalyst-auto
index ebdb7c7..4453009 100755
--- a/tools/catalyst-auto
+++ b/tools/catalyst-auto
@@ -2,10 +2,17 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# First let's get our own mount namespace to avoid leaking crap.
+# First let's get our own namespaces to avoid leaking crap.
if [[ -z ${UNSHARE} ]] ; then
if type -P unshare >&/dev/null ; then
- UNSHARE=true exec unshare -m -- "$0" "$@"
+ uargs=()
+ # Probe the namespaces as some can be disabled (or we are not root).
+ unshare -m -- true >&/dev/null && uargs+=( -m )
+ unshare -u -- true >&/dev/null && uargs+=( -u )
+ unshare -i -- true >&/dev/null && uargs+=( -i )
+ unshare -p -- true >&/dev/null && uargs+=( -p -f --mount-proc )
+ # Re-exec ourselves in the new namespace.
+ UNSHARE=true exec unshare "${uargs[@]}" -- "$0" "$@"
fi
fi
unset UNSHARE
