Re: [BuildStream] Sandboxing backends and platforms: Drop chroot in favor of buildbox-run



Hi Tristan,

Thanks for the additional details and links.

On Fri, 2019-12-20 at 11:27 +0000, Tristan Daniël Maat via buildstream-list wrote:
> In essence, a directory with permissions set according to the userchroot
> project's scheme [3] must be set up, and configured as a possible root
> directory in /etc/userchroot.conf. buildbox-run-userchroot must then be
> setuid'd to the user who has permissions to use that userchroot root
> directory. It's not exactly as nice as user namespaces, but should be
> safer than the old chroot sandbox.

Just a small correction. In the userchroot CI setup buildbox-casd is
the process running as a different user (via setuid) with an entry in
userchroot.conf, not buildbox-run-userchroot. buildbox-run-userchroot
runs as the same user as buildstream and talks to buildbox-casd.

Jürg


