[gnome-continuous] build: Update to use new linux-user-chroot APIs



commit 89638a4117f783429567934a41e8d555f952692c
Author: Colin Walters <walters verbum org>
Date:   Tue Sep 8 12:47:08 2015 -0400

    build: Update to use new linux-user-chroot APIs
    
    We're now filtering devices and using seccomp for increased security.

 src/js/buildutil.js        |   13 +++++++++++--
 src/js/tasks/task-build.js |    9 +--------
 2 files changed, 12 insertions(+), 10 deletions(-)
---
diff --git a/src/js/buildutil.js b/src/js/buildutil.js
index 5309d41..3c8140a 100644
--- a/src/js/buildutil.js
+++ b/src/js/buildutil.js
@@ -19,6 +19,7 @@ const GLib = imports.gi.GLib;
 const Gio = imports.gi.Gio;
 const Lang = imports.lang;
 const Format = imports.format;
+const Params = imports.params;
 
 const GSystem = imports.gi.GSystem;
 
@@ -69,9 +70,17 @@ function findUserChrootPath() {
     return userChrootPath;
 }
 
-function getBaseUserChrootArgs() {
+function getBaseUserChrootArgs(params) {
+    params = Params.parse(params, { readonlyroot: false });
     let path = findUserChrootPath();
-    return [path.get_path(), '--unshare-pid', '--unshare-ipc', '--unshare-net'];
+    let argv = [path.get_path()];
+    // This has to go first, as later mounts will be on top
+    if (params.readonlyroot)
+        Array.prototype.push.apply(argv, ['--mount-readonly', '/'])
+    // If you bump the seccomp profile version, be sure to test some builds.
+    Array.prototype.push.apply(argv, ['--mount-devapi', '/dev', '--mount-proc', '/proc', '--unshare-pid', 
'--unshare-ipc', '--unshare-net',
+             '--seccomp-profile-version', '0']);
+    return argv;
 }
 
 function compareVersions(a, b) {
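Review bot: The `if (params.readonlyroot)` branch that pushes `--mount-readonly` has no braces and no terminating semicolon, so it relies on ASI before the following `Array.prototype.push.apply` statement; since `push` is already variadic, the two pushes read more plainly as `if (params.readonlyroot) { argv.push('--mount-readonly', '/'); }` and `argv.push('--mount-devapi', '/dev', '--mount-proc', '/proc', '--unshare-pid', '--unshare-ipc', '--unshare-net', '--seccomp-profile-version', '0');`. The new `params` argument is undocumented; a header comment along the lines of `/** Base linux-user-chroot argv: --mount-devapi /dev (the filtered device set the commit message mentions), /proc, pid/ipc/net unshare and the seccomp profile. params.readonlyroot (default false) prepends '--mount-readonly /', which must come first so later mounts are layered on top. */` would tell callers what the default sandbox includes. The literal `'0'` for `--seccomp-profile-version` could be a named constant declared next to the bump-and-test comment so the version and its warning cannot drift apart.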
diff --git a/src/js/tasks/task-build.js b/src/js/tasks/task-build.js
index 934588f..7457754 100644
--- a/src/js/tasks/task-build.js
+++ b/src/js/tasks/task-build.js
@@ -748,12 +748,9 @@ const TaskBuild = new Lang.Class({
        }
 
         childArgs = ['setarch', architecture];
-        childArgs.push.apply(childArgs, BuildUtil.getBaseUserChrootArgs());
+        childArgs.push.apply(childArgs, BuildUtil.getBaseUserChrootArgs({readonlyroot: true}));
         childArgs.push.apply(childArgs, [
-            '--mount-readonly', '/',
             '--mount-bind', '/', '/sysroot',
-            '--mount-proc', '/proc', 
-            '--mount-bind', '/dev', '/dev',
             '--mount-bind', '/tmp', '/tmp',
             '--mount-bind', componentSrc.get_path(), chrootSourcedir.get_path(),
             '--mount-bind', componentResultdir.get_path(), '/ostbuild/results',
@@ -935,8 +932,6 @@ const TaskBuild = new Lang.Class({
        let childArgs = BuildUtil.getBaseUserChrootArgs();
         childArgs.push.apply(childArgs, [
            '--mount-bind', '/', '/sysroot',
-            '--mount-proc', '/proc', 
-            '--mount-bind', '/dev', '/dev',
             '--mount-bind', '/tmp', '/tmp',
             rootdir.get_path(), rootdir.get_relative_path(tmpTriggersScriptPath),
            rootdir.get_relative_path(tmpTriggersPath)]);
@@ -1088,8 +1083,6 @@ const TaskBuild = new Lang.Class({
            let usrEtcDir = composeRootdir.resolve_relative_path('usr/etc');
            GSystem.file_rename(usrEtcDir, etcDir, cancellable);
            let args = [this._linuxUserChrootPath.get_path(),
-                       '--mount-proc', '/proc',
-                       '--mount-bind', '/dev', '/dev',
                        '--mount-bind', '/', '/sysroot',
                        '--mount-bind', tmpDir.get_path(), '/tmp',
                        '--mount-bind', varDir.get_path(), '/var',
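Review bot: This call site still builds its argv from `this._linuxUserChrootPath.get_path()` directly instead of `BuildUtil.getBaseUserChrootArgs()`, so after the removal of `--mount-proc /proc` and `--mount-bind /dev /dev` here it gets neither the new `--mount-devapi /dev` and `--mount-proc /proc` mounts nor `--seccomp-profile-version 0`, unless they are appended further down outside the hunk. The other two sites in this file (the hunks at old lines 748 and 935) go through the helper and pick the new flags up, so this one is now the odd one out. If this chroot is meant to carry the same device filtering and seccomp policy, `let args = BuildUtil.getBaseUserChrootArgs();` followed by `args.push.apply(args, [` for the remaining mounts would align it, bearing in mind the helper also adds the `--unshare-*` flags, which may or may not be wanted here; if it is intentionally run without /dev and /proc, a one-line comment saying so would spare the next reader the same question. The enclosing method starts and ends outside the hunk.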

