On Wed, Jan 01, 2014 at 09:18:22PM +0000, Douglas Freed wrote: |
> Bind mounting /dev/shm into the chroot isn't a good idea, as there may |
> be collisions, resulting in weird side effects. Instead, we can just |
> mount a new tmpfs there, with the right options to ensure security. |
> --- |
> modules/generic_stage_target.py | 9 ++++++--- |
> 1 file changed, 6 insertions(+), 3 deletions(-) |
> |
> diff --git a/modules/generic_stage_target.py b/modules/generic_stage_target.py |
10 |
> index 9edafe9..10b367d 100644 |
11 |
> --- a/modules/generic_stage_target.py |
12 |
> +++ b/modules/generic_stage_target.py |
13 |
> @@ -179,13 +179,13 @@ class generic_stage_target(generic_target): |
14 |
> self.mountmap={"/proc":"/proc","/dev":"/dev","/dev/pts":"/dev/pts",\ |
15 |
> "/usr/portage":self.settings["snapshot_cache_path"]+"/portage",\ |
16 |
> "/usr/portage/distfiles":self.settings["distdir"],"/var/tmp/portage":"tmpfs", |
17 |
> - "/dev/shm": "/dev/shm"} |
18 |
> + "/dev/shm": "shmfs"} |
19 |
> else: |
20 |
> self.mounts=["/proc", "/dev", "/usr/portage/distfiles", |
21 |
> "/var/tmp/portage"] |
22 |
> self.mountmap={"/proc":"/proc","/dev":"/dev","/dev/pts":"/dev/pts",\ |
23 |
> "/usr/portage/distfiles":self.settings["distdir"],"/var/tmp/portage":"tmpfs", |
24 |
> - "/dev/shm": "/dev/shm"} |
25 |
> + "/dev/shm": "shmfs"} |
26 |
> if os.uname()[0] == "Linux": |
27 |
> self.mounts.append("/dev/pts") |
28 |
> self.mounts.append("/dev/shm") |
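Review bot: The new mountmap value `"shmfs"` on both `+` lines is not a filesystem type or a host path but a sentinel that the mount code later matches by name, and nothing at the definition says so; every other value in this dict is a source path except the existing `"tmpfs"` sentinel, so a reader will take it for a real `-t` type. Add a short comment beside each new entry, e.g. `# "shmfs": mount a fresh tmpfs at /dev/shm instead of bind-mounting the host's`. The enclosing method starts before the hunk.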
29 |
> @@ -904,7 +904,7 @@ class generic_stage_target(generic_target): |
30 |
> os.makedirs(self.settings["chroot_path"]+x,0755) |
31 |
> |
32 |
> if not os.path.exists(self.mountmap[x]): |
33 |
> - if not self.mountmap[x] == "tmpfs": |
34 |
> + if self.mountmap[x] != "tmpfs" and self.mountmap[x] != "shmfs": |
35 |
> os.makedirs(self.mountmap[x],0755) |
36 |
> |
37 |
> src=self.mountmap[x] |
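Review bot: The widened guard on the `+` line repeats the same dict lookup in two `!=` comparisons; `if self.mountmap[x] not in ("tmpfs", "shmfs"):` expresses it as one membership test and gives a single place to extend when another pseudo-type is added. Since the sentinel strings now appear in three places across this patch (the mountmap entries, this check and the mount branch in the next hunk), a module-level tuple of pseudo-types would keep them from drifting apart. The enclosing method begins outside the hunk.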
38 |
> @@ -923,6 +923,9 @@ class generic_stage_target(generic_target): |
39 |
> retval=os.system("mount -t tmpfs -o size="+\ |
40 |
> self.settings["var_tmpfs_portage"]+"G "+src+" "+\ |
41 |
> self.settings["chroot_path"]+x) |
42 |
> + else if src == "shmfs": |
43 |
> + retval=os.system("mount -t tmpfs -o noexec,nosuid,nodev shm "+\ |
44 |
> + self.settings["chroot_path"]+x) |
45 |
> else: |
46 |
> retval=os.system("mount --bind "+src+" "+\ |
47 |
> self.settings["chroot_path"]+x) |
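Review bot: `else if src == "shmfs":` on the first added line is not valid Python — the parser expects a single keyword, so the module will stop importing with a SyntaxError; change it to `elif src == "shmfs":`. Unlike the `/var/tmp/portage` branch just above, the new tmpfs mount passes no `size=` option, so the filesystem takes the kernel's default limit (half of RAM); if that is intended, a comment such as `# no size= limit: kernel default is adequate for /dev/shm` would stop a later reader from "fixing" it. The enclosing method starts and ends outside the hunk.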
|
Looks good enough to me. Are we forward-porting this onto blueness' |
pending patch? |
|
I'll wait until more of the pending branch has been absorbed into |
master before working up a more thorough patch to support |
user-configurable: |
|
* '--bind $SOURCE' vs. '--rbind $SOURCE' vs. '-t $TYPE' |
* '-o $OPTIONS' |
|
Which will take care of my --rbind goals [1] in a more flexible way. |
|
Cheers, |
Trevor |
|
[1]: http://mid.gmane.org/20140101185335.GK29195@××××××××××××.us |
|
-- |
This email may be signed or encrypted with GnuPG (http://www.gnupg.org). |
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy |