more mounts in mock
Enrico Scholz
enrico.scholz at informatik.tu-chemnitz.de
Fri May 26 10:24:32 UTC 2006
mike at redhat.com (Mike McLean) writes:
> Attached are a couple of patches that expand the mounts created in the
> chroot by mock. These are mounts that we've used for builds within Red
> Hat for years and some packages need them to compile properly.
1. 'mock' should be run in an own namespace; then you would not need to
track the mounted filesystems
2. most of the mounts should be done directly with the mount(2) syscall;
NFS filesystem are the only exception I am aware of
3. a secure way to mount the filesystems is
| chroot(ROOTDIR);
| mount(...);
Current path-checks (e.g. for '/../') are completely useless because
they will not protect against symlink attacks.
> more_mounts.patch is the larger patch, it refactors _mount() so that
> the mounts to be created are specified in a list and looped over.
> I've also changed to the unmounting code to make it more paranoid.
With namespaces, unmounting would not be needed...
> In order to allow these mounts, I had to make some changes to
> mock-helper.
>
> bind_dev.patch builds on the the previous patch and provides an option
> to have /dev bind mounted in the chroot (instead of the skeletal /dev
> that mock sets up).
When packages require special devices to build these packages are
broken...
Making a full /dev available lowers security significantly in environments
which remove CAP_MKNOD for the buildsys.
Enrico
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 480 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-buildsys-list/attachments/20060526/c42046cd/attachment.sig>
More information about the Fedora-buildsys-list
mailing list