Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-dev

From: Ryan Hill <rhill@g.o>
To: gentoo-dev@l.g.o
Subject: [gentoo-dev] Re: RFC: enabling ipc-sandbox & network-sandbox by default
Date: Mon, 12 May 2014 06:48:02
Message-Id: 20140512004717.1db2e5e6@caribou.gateway.pace.com
In Reply to: [gentoo-dev] RFC: enabling ipc-sandbox & network-sandbox by default by "Michał Górny"
1 On Sun, 11 May 2014 23:42:38 +0200
2 Michał Górny <mgorny@g.o> wrote:
3
4 > Hi, everyone.
5 >
6 > Almost 9 months ago I've committed three new FEATURES for portage:
7 > cgroup, ipc-sandbox and network-sandbox. Today I'd like to propose
8 > enabling at least the latter two by default.
9 >
10 >
11 > Firstly, I'd like to shortly remind you what they do:
12 >
13 > 1. cgroup -- puts all processes spawned by ebuild to cgroup, and kills
14 > all of them once phase exits (prevents leaving orphans),
15 >
16 > 2. ipc-sandbox -- puts all processes spawned by ebuild to a separate
17 > IPC namespace, preventing them from interfacing other system services
18 > via IPC (message queues, semaphores, shared memory),
19 >
20 > 3. network-sandbox -- puts all processes spawned by ebuild to
21 > a separate network namespace with a private loopback interface,
22 > preventing them from interfacing other system services, local network
23 > and the Internet.
24
25 [snip]
26
27 All three of these require kernel support. It might be a good idea to add
28 the needed options to that Gentoo Linux menu we have in gentoo-sources and
29 enable them by default. I think it would be non-obvious to a new user that
30 they would have to enable network and ipc namespaces for portage to work
31 properly out of the box (and if they disable the latter they get a bunch of
32 cryptic "Unable to unshare: EINVAL" messages every time they build something
33 which isn't very helpful).
34
35 Do we know of any packages broken by these features? Maybe we can add them to
36 the dev profiles for a while before we dump it on everyone.
37
38 Otherwise +1.
39
40
41 --
42 Ryan Hill psn: dirtyepic_sk
43 gcc-porting/toolchain/wxwidgets @ gentoo.org
44
45 47C3 6D62 4864 0E49 8E9E 7F92 ED38 BD49 957A 8463

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies

Subject Author
Re: [gentoo-dev] Re: RFC: enabling ipc-sandbox & network-sandbox by default Tom Wijsman <TomWij@g.o>
Report Message
Find on MARC Find on Google Groups