Commit 89638a41 authored by Colin Walters's avatar Colin Walters

build: Update to use new linux-user-chroot APIs

We're now filtering devices and using seccomp for increased security.
parent d989f332
......@@ -19,6 +19,7 @@ const GLib = imports.gi.GLib;
const Gio = imports.gi.Gio;
const Lang = imports.lang;
const Format = imports.format;
const Params = imports.params;
const GSystem = imports.gi.GSystem;
......@@ -69,9 +70,17 @@ function findUserChrootPath() {
return userChrootPath;
}
function getBaseUserChrootArgs() {
function getBaseUserChrootArgs(params) {
params = Params.parse(params, { readonlyroot: false });
let path = findUserChrootPath();
return [path.get_path(), '--unshare-pid', '--unshare-ipc', '--unshare-net'];
let argv = [path.get_path()];
// This has to go first, as later mounts will be on top
if (params.readonlyroot)
Array.prototype.push.apply(argv, ['--mount-readonly', '/'])
// If you bump the seccomp profile version, be sure to test some builds.
Array.prototype.push.apply(argv, ['--mount-devapi', '/dev', '--mount-proc', '/proc', '--unshare-pid', '--unshare-ipc', '--unshare-net',
'--seccomp-profile-version', '0']);
return argv;
}
function compareVersions(a, b) {
......
......@@ -748,12 +748,9 @@ const TaskBuild = new Lang.Class({
}
childArgs = ['setarch', architecture];
childArgs.push.apply(childArgs, BuildUtil.getBaseUserChrootArgs());
childArgs.push.apply(childArgs, BuildUtil.getBaseUserChrootArgs({readonlyroot: true}));
childArgs.push.apply(childArgs, [
'--mount-readonly', '/',
'--mount-bind', '/', '/sysroot',
'--mount-proc', '/proc',
'--mount-bind', '/dev', '/dev',
'--mount-bind', '/tmp', '/tmp',
'--mount-bind', componentSrc.get_path(), chrootSourcedir.get_path(),
'--mount-bind', componentResultdir.get_path(), '/ostbuild/results',
......@@ -935,8 +932,6 @@ const TaskBuild = new Lang.Class({
let childArgs = BuildUtil.getBaseUserChrootArgs();
childArgs.push.apply(childArgs, [
'--mount-bind', '/', '/sysroot',
'--mount-proc', '/proc',
'--mount-bind', '/dev', '/dev',
'--mount-bind', '/tmp', '/tmp',
rootdir.get_path(), rootdir.get_relative_path(tmpTriggersScriptPath),
rootdir.get_relative_path(tmpTriggersPath)]);
......@@ -1088,8 +1083,6 @@ const TaskBuild = new Lang.Class({
let usrEtcDir = composeRootdir.resolve_relative_path('usr/etc');
GSystem.file_rename(usrEtcDir, etcDir, cancellable);
let args = [this._linuxUserChrootPath.get_path(),
'--mount-proc', '/proc',
'--mount-bind', '/dev', '/dev',
'--mount-bind', '/', '/sysroot',
'--mount-bind', tmpDir.get_path(), '/tmp',
'--mount-bind', varDir.get_path(), '/var',
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment