On Mon, Jun 21, 2021 at 09:51:56PM +0300, Alper Nebi Yasak wrote:

> The filesystem test setup needs to prepare disk images for its tests,
> with either guestmount or loop mounts. The former requires access to the
> host fuse device (added in a previous patch), the latter requires access
> to host loop devices. Both mounts also need additional privileges since
> docker's default configuration prevents the containers from mounting
> filesystems (for host security).
>
> Add any available loop devices to the container and try to add as few
> privileges as possible to run these tests, which narrow down to adding
> SYS_ADMIN capability and disabling apparmor confinement. However, this
> much still seems to be insecure enough to let malicious container
> processes escape as root on the host system [1].
>
> [1]
> https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
>
> Since the mentioned tests are marked to run only on the sandbox board,
> add these additional devices and privileges only when testing with that.
>
> An alternative to using mounts is modifying the filesystem tests to use
> virt-make-fs (like some EFI tests do), but it fails to generate a
> partitionless FAT filesystem image on Debian systems. Other more
> feasible alternatives are using guestfish or directly using libguestfs
> Python bindings to create and populate the images, but switching the
> test setups to these is nontrivial and is left as future work.
>
> Signed-off-by: Alper Nebi Yasak <[email protected]>

Applied to u-boot/master, thanks!

-- 
Tom
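
An added example, not part of the original message or of the U-Boot CI configuration: a Python check that flags the privilege combination described in the commit message (SYS_ADMIN, unconfined AppArmor, fuse and loop devices) in `docker inspect` output. The container names and the sample JSON are constructed; the field names assume Docker's `HostConfig` layout.

```python
import json

# Constructed sample shaped like `docker inspect` output; names are hypothetical.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/fs-tests-sandbox",
   "HostConfig": {"Privileged": false,
                  "CapAdd": ["SYS_ADMIN"],
                  "SecurityOpt": ["apparmor=unconfined"],
                  "Devices": [{"PathOnHost": "/dev/fuse"},
                              {"PathOnHost": "/dev/loop0"}]}},
  {"Name": "/build-only",
   "HostConfig": {"Privileged": false, "CapAdd": null,
                  "SecurityOpt": null, "Devices": []}}
]
""")


def _cap(name):
    # Docker accepts both "SYS_ADMIN" and "CAP_SYS_ADMIN".
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def audit_container(entry):
    """Return findings for one inspect entry, combined finding last."""
    host = entry.get("HostConfig") or {}
    caps = {_cap(c) for c in host.get("CapAdd") or []}
    # Accept the older "apparmor:unconfined" spelling as well.
    opts = {o.replace(":", "=", 1).lower() for o in host.get("SecurityOpt") or []}
    devices = [d.get("PathOnHost", "") for d in host.get("Devices") or []]

    findings = []
    if host.get("Privileged"):
        findings.append("privileged")
    if "SYS_ADMIN" in caps:
        findings.append("cap:SYS_ADMIN")
    if "apparmor=unconfined" in opts:
        findings.append("apparmor:unconfined")
    findings += ["device:" + p for p in devices
                 if p == "/dev/fuse" or p.startswith("/dev/loop")]
    # The pairing the commit message warns about: mount-capable and unconfined.
    if "SYS_ADMIN" in caps and "apparmor=unconfined" in opts:
        findings.append("combo:sys_admin+unconfined")
    return findings


if __name__ == "__main__":
    for entry in SAMPLE_INSPECT:
        print(entry["Name"], audit_container(entry) or "ok")
```

Running it over the inspect output of CI job containers shows which jobs carry the extra privileges, so they can be kept limited to the runs that need them.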

