Read-only / + !CAP_MKNOD support for mock

Enrico Scholz enrico.scholz at informatik.tu-chemnitz.de
Sun Jul 10 14:30:01 UTC 2005


Hello,

the patch which is available at

               http://ensc.de/fedora/mock-namespace.diff

changes some things so that mock is a little bit more secure:

* everything except /var/lib/mock can be read-only now; this is done by

  - avoiding modification of /etc/mtab* by using the '-n' switch for
    'mount'

  - executing all mach operations in their own namespace; so the cleanup
    of mounts happens automatically without relying on /etc/mtab

  - working around the 'rpm --root'-touches-the-rpmdb-of-the-host bug;
    namespaces mentioned above make it possible to bind-mount the
    buildroot-rpmdb into the host

* mock works with removed CAP_MKNOD capabilities; instead, a precreated
  /dev template will be bind-mounted into the buildroot. Ideally, this
  precreated template is a mounted cramfs as it can not be modified but
  still allows the devices to work (this would not be the case e.g. with a
  read-only mounted ext3 fs)


With these modifications, 'mock' can be used within VServers[1]. Please note
that the patch above protects only the filesystem but not processes. So you
will have to restart the buildsystem after each build (takes around 2-3
seconds with vservers and 1-2 minutes with regular hosts).  Otherwise, every
hostile package can take control over subsequent builds.




Footnotes: 
[1]  http://linux-vservers.org
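The arrangement described in the mail, as an added example that is not part of the original post or of the mock-namespace patch: one build step is re-executed inside a private mount namespace, `mount -n` keeps /etc/mtab untouched, a cramfs /dev template is mounted read-only into the buildroot (so no CAP_MKNOD is needed), and the buildroot's rpmdb is bind-mounted over the host's /var/lib/rpm inside that namespace only, so a misbehaving `rpm --root` cannot reach the real host database. The use of `unshare(1)` from util-linux as the namespace helper, the paths under /var/lib/mock, the `MOCK_NS` / `MOCK_NS_RUN` variables and the `is_mounted_ro` fail-closed check are all assumptions of this example, not details of the 2005 patch.

```shell
#!/bin/sh
# Added example, not code from the mock-namespace patch. Paths, variable
# names and the use of unshare(1) are assumptions (the 2005 patch used its
# own CLONE_NEWNS helper).
set -eu

BUILDROOT=${BUILDROOT:-/var/lib/mock/example-root}          # hypothetical path
DEV_IMAGE=${DEV_IMAGE:-/var/lib/mock/dev-template.cramfs}   # hypothetical path

# Re-exec ourselves inside a fresh mount namespace. Every mount made below
# is private to this process tree and is torn down by the kernel when the
# last process in it exits, so no cleanup via /etc/mtab is ever needed.
enter_namespace() {
    if [ "${MOCK_NS:-}" != "1" ]; then
        exec env MOCK_NS=1 unshare --mount --propagation private "$0" "$@"
    fi
}

# Mount the precreated /dev template read-only. A cramfs image cannot be
# written at all, yet the device nodes on it still work, which is why the
# build never needs CAP_MKNOD. '-n' keeps /etc/mtab untouched.
mount_dev_template() {
    mount -n -t cramfs -o ro,loop "$DEV_IMAGE" "$BUILDROOT/dev"
}

# Bind the buildroot's rpmdb over the host's /var/lib/rpm, visible only in
# this namespace. If 'rpm --root' touches the "host" /var/lib/rpm, it now
# hits the buildroot's copy; the real host database stays unreachable.
shadow_host_rpmdb() {
    mount -n --bind "$BUILDROOT/var/lib/rpm" /var/lib/rpm
}

# Pure check: given /proc/mounts-style lines on stdin, succeed only if
# MOUNTPOINT ($1) is present and every entry for it carries the 'ro' flag.
is_mounted_ro() {
    awk -v mp="$1" '
        $2 == mp { n++; if ($4 ~ /(^|,)ro(,|$)/) ro++ }
        END { exit (n > 0 && ro == n) ? 0 : 1 }'
}

main() {
    enter_namespace "$@"
    mount_dev_template
    shadow_host_rpmdb
    # Fail closed: refuse to build if /dev did not end up read-only.
    if ! is_mounted_ro "$BUILDROOT/dev" < /proc/mounts; then
        echo "buildroot /dev is not mounted read-only; aborting" >&2
        exit 1
    fi
    chroot "$BUILDROOT" /bin/sh -c "$*"
}

# Only act when invoked explicitly; sourcing the file just defines functions.
if [ "${MOCK_NS_RUN:-0}" = "1" ]; then
    main "$@"
fi
```

Run it as root with `MOCK_NS_RUN=1 ./mock-ns.sh 'rpmbuild -ba foo.spec'`; the mounts exist only for the lifetime of that process tree. As the mail points out, this protects the filesystem only: processes left behind by a build are not confined, so the host still needs a restart between builds.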