From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-catalyst+bounces-3013-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id E4E7C138247
	for <garchives@archives.gentoo.org>; Wed,  1 Jan 2014 21:22:46 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 5C6A5E098A;
	Wed,  1 Jan 2014 21:22:45 +0000 (UTC)
Received: from mail-vc0-f175.google.com (mail-vc0-f175.google.com [209.85.220.175])
	(using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id DDC46E098A
	for <gentoo-catalyst@lists.gentoo.org>; Wed,  1 Jan 2014 21:22:44 +0000 (UTC)
Received: by mail-vc0-f175.google.com with SMTP id lf12so5731909vcb.20
        for <gentoo-catalyst@lists.gentoo.org>; Wed, 01 Jan 2014 13:22:44 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:date
         :message-id:subject:from:to:content-type;
        bh=HEonuxsuMtqDL+n8OUdkX9X8mxYQARqWN44LChqTzjo=;
        b=lA6uvdnenIPmeS2dEvW7XCtpWwe1wDBs9KV6MXfCNjgAD52PcNc34wk4zcRoH+9Q8m
         KL+gfQ26mm3gu74rRog71xmrq/fSigOqLKKzeahshKl5PXVDcdbWUgVoNq7fDSWKh/CI
         ojCBfADts5U2mSt/tVgesZh/SdLY4o735CH2NPIgecXn4nI4p7fpFyXpSzJraQ9SiE0Z
         5jcsWnHk28lOrINoCtmD0ClM1RmT5ZOc2Uwqq1wG5XC8DD6D7f+bqWN4ycD2CRbTaOaI
         IX1OYXMrWJJKwFGlKVBOxBBd4jWBRw6w2YJtSRpOP1x1GQ8oxR+Om+VbxqzOLLfJFeY+
         QyVg==
X-Gm-Message-State: ALoCoQkBXa0Q65K6vQnrA551veBae8fVEKDg3G+CO5q+qTblJSdDO0Z3j/Qijbpzh0zMKzqW26Ln
Precedence: bulk
List-Post: <mailto:gentoo-catalyst@lists.gentoo.org>
List-Help: <mailto:gentoo-catalyst+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-catalyst+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-catalyst+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-catalyst.gentoo.org>
X-BeenThere: gentoo-catalyst@lists.gentoo.org
Reply-to: gentoo-catalyst@lists.gentoo.org
MIME-Version: 1.0
X-Received: by 10.58.29.37 with SMTP id g5mr25204veh.38.1388611364173; Wed, 01
 Jan 2014 13:22:44 -0800 (PST)
Received: by 10.58.91.98 with HTTP; Wed, 1 Jan 2014 13:22:44 -0800 (PST)
In-Reply-To: <1388611102-11734-1-git-send-email-dwfreed@mtu.edu>
References: <1388611102-11734-1-git-send-email-dwfreed@mtu.edu>
Date: Wed, 1 Jan 2014 13:22:44 -0800
Message-ID: <CAFyXEpJ6PAabpUmc3DxEJUB+wgFgSHScdcUhO8byU+qydoWjCg@mail.gmail.com>
Subject: [gentoo-catalyst] Re: [PATCH] Mount /dev/shm in the chroot with the right options
From: Douglas Freed <dwfreed@mtu.edu>
To: gentoo-catalyst@lists.gentoo.org
Content-Type: text/plain; charset=UTF-8
X-Archives-Salt: 2ef46333-de55-4c42-97aa-e741398453df
X-Archives-Hash: b27624496f3bce59f2eb044b3d3e555d

On Wed, Jan 1, 2014 at 1:18 PM, Douglas Freed <dwfreed@mtu.edu> wrote:
> Bind mounting /dev/shm into the chroot isn't a good idea, as there may
> be collisions and result in weird side effects.  Instead, we can just
> mount a new tmpfs there, with the right options to ensure security.
> ---
>  modules/generic_stage_target.py | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/modules/generic_stage_target.py b/modules/generic_stage_target.py
> index 9edafe9..10b367d 100644
> --- a/modules/generic_stage_target.py
> +++ b/modules/generic_stage_target.py
> @@ -179,13 +179,13 @@ class generic_stage_target(generic_target):
>                         self.mountmap={"/proc":"/proc","/dev":"/dev","/dev/pts":"/dev/pts",\
>                                 "/usr/portage":self.settings["snapshot_cache_path"]+"/portage",\
>                                 "/usr/portage/distfiles":self.settings["distdir"],"/var/tmp/portage":"tmpfs",
> -                               "/dev/shm": "/dev/shm"}
> +                               "/dev/shm": "shmfs"}
>                 else:
>                         self.mounts=["/proc", "/dev", "/usr/portage/distfiles",
>                                 "/var/tmp/portage"]
>                         self.mountmap={"/proc":"/proc","/dev":"/dev","/dev/pts":"/dev/pts",\
>                                 "/usr/portage/distfiles":self.settings["distdir"],"/var/tmp/portage":"tmpfs",
> -                               "/dev/shm": "/dev/shm"}
> +                               "/dev/shm": "shmfs"}
>                 if os.uname()[0] == "Linux":
>                         self.mounts.append("/dev/pts")
>                         self.mounts.append("/dev/shm")
> @@ -904,7 +904,7 @@ class generic_stage_target(generic_target):
>                                 os.makedirs(self.settings["chroot_path"]+x,0755)
>
>                         if not os.path.exists(self.mountmap[x]):
> -                               if not self.mountmap[x] == "tmpfs":
> +                               if self.mountmap[x] != "tmpfs" and self.mountmap[x] != "shmfs":
>                                         os.makedirs(self.mountmap[x],0755)
>
>                         src=self.mountmap[x]
> @@ -923,6 +923,9 @@ class generic_stage_target(generic_target):
>                                                 retval=os.system("mount -t tmpfs -o size="+\
>                                                         self.settings["var_tmpfs_portage"]+"G "+src+" "+\
>                                                         self.settings["chroot_path"]+x)
> +                               else if src == "shmfs":
> +                                       retval=os.system("mount -t tmpfs -o noexec,nosuid,nodev shm "+\
> +                                               self.settings["chroot_path"]+x)
>                                 else:
>                                         retval=os.system("mount --bind "+src+" "+\
>                                                 self.settings["chroot_path"]+x)
> --
> 1.8.4.3
>

Oh, I forgot to mention that this is for 2.X, not master.

-Doug