
From: Douglas Freed <dwfreed@×××.edu>
To: gentoo-catalyst@l.g.o
Subject: [gentoo-catalyst] Re: [PATCH] Mount /dev/shm in the chroot with the right options
Date: Wed, 01 Jan 2014 21:22:46
Message-Id: CAFyXEpJ6PAabpUmc3DxEJUB+wgFgSHScdcUhO8byU+qydoWjCg@mail.gmail.com
In Reply to: [gentoo-catalyst] [PATCH] Mount /dev/shm in the chroot with the right options by Douglas Freed
1 On Wed, Jan 1, 2014 at 1:18 PM, Douglas Freed <dwfreed@×××.edu> wrote:
2 > Bind mounting /dev/shm into the chroot isn't a good idea, as there may
3 > be collisions that result in weird side effects. Instead, we can just
4 > mount a new tmpfs there, with the right options to ensure security.
5 > ---
6 > modules/generic_stage_target.py | 9 ++++++---
7 > 1 file changed, 6 insertions(+), 3 deletions(-)
8 >
9 > diff --git a/modules/generic_stage_target.py b/modules/generic_stage_target.py
10 > index 9edafe9..10b367d 100644
11 > --- a/modules/generic_stage_target.py
12 > +++ b/modules/generic_stage_target.py
13 > @@ -179,13 +179,13 @@ class generic_stage_target(generic_target):
14 > self.mountmap={"/proc":"/proc","/dev":"/dev","/dev/pts":"/dev/pts",\
15 > "/usr/portage":self.settings["snapshot_cache_path"]+"/portage",\
16 > "/usr/portage/distfiles":self.settings["distdir"],"/var/tmp/portage":"tmpfs",
17 > - "/dev/shm": "/dev/shm"}
18 > + "/dev/shm": "shmfs"}
19 > else:
20 > self.mounts=["/proc", "/dev", "/usr/portage/distfiles",
21 > "/var/tmp/portage"]
22 > self.mountmap={"/proc":"/proc","/dev":"/dev","/dev/pts":"/dev/pts",\
23 > "/usr/portage/distfiles":self.settings["distdir"],"/var/tmp/portage":"tmpfs",
24 > - "/dev/shm": "/dev/shm"}
25 > + "/dev/shm": "shmfs"}
26 > if os.uname()[0] == "Linux":
27 > self.mounts.append("/dev/pts")
28 > self.mounts.append("/dev/shm")
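Review bot: The new `"/dev/shm": "shmfs"` value is a sentinel rather than a host path, but it sits in a dictionary whose other values are real paths, and the only hint is the neighbouring "tmpfs" entry. I would put a comment above the first mountmap, `# "tmpfs"/"shmfs" are pseudo-sources handled specially by the mount code, not host paths`, and the same applies to the second branch later in this hunk. The literal is repeated in both branches and compared again in the mount code, so a module-level constant would keep the three in step; whether other code that walks mountmap values (for example the unmount path) needs to know the new sentinel cannot be seen from here and is worth checking. The __init__ body these lines belong to starts and ends outside the hunk.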
29 > @@ -904,7 +904,7 @@ class generic_stage_target(generic_target):
30 > os.makedirs(self.settings["chroot_path"]+x,0755)
31 >
32 > if not os.path.exists(self.mountmap[x]):
33 > - if not self.mountmap[x] == "tmpfs":
34 > + if self.mountmap[x] != "tmpfs" and self.mountmap[x] != "shmfs":
35 > os.makedirs(self.mountmap[x],0755)
36 >
37 > src=self.mountmap[x]
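Review bot: The added condition reads better as a membership test, `if self.mountmap[x] not in ("tmpfs", "shmfs"):`, and would not grow another `and` when the next pseudo-source is added. Note also that `os.path.exists(self.mountmap[x])` on the line above is still evaluated for the sentinel strings, so "shmfs" and "tmpfs" are looked up relative to the current working directory; a stray directory of that name merely skips the makedirs branch here, but testing the pseudo-source names before the exists check would make the intent explicit. The enclosing function starts and ends outside the hunk.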
38 > @@ -923,6 +923,9 @@ class generic_stage_target(generic_target):
39 > retval=os.system("mount -t tmpfs -o size="+\
40 > self.settings["var_tmpfs_portage"]+"G "+src+" "+\
41 > self.settings["chroot_path"]+x)
42 > + else if src == "shmfs":
43 > + retval=os.system("mount -t tmpfs -o noexec,nosuid,nodev shm "+\
44 > + self.settings["chroot_path"]+x)
45 > else:
46 > retval=os.system("mount --bind "+src+" "+\
47 > self.settings["chroot_path"]+x)
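Review bot: `else if src == "shmfs":` is not valid Python; the branch must be `elif src == "shmfs":`, otherwise the module fails to compile and no stage build runs at all. The new mount line also passes no size= option, so the chroot's /dev/shm gets the kernel's default tmpfs limit (typically half of physical RAM) rather than a bounded size like the var_tmpfs_portage branch above; if that is deliberate, a comment such as `# no size= here: /dev/shm is small and short-lived, the default tmpfs limit is acceptable` would save the next reader the question. Like the surrounding branches the command is assembled with os.system from an unquoted self.settings["chroot_path"], so a path containing spaces or shell metacharacters breaks it; that predates the patch, but the new line could use subprocess with an argument list instead of extending the string form. The enclosing function continues outside the hunk.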
48 > --
49 > 1.8.4.3
50 >
51
52 Oh, I forgot to mention that this is for 2.X, not master.
53
54 -Doug