public inbox for gentoo-catalyst@lists.gentoo.org
 help / color / mirror / Atom feed
* [gentoo-catalyst] [PATCH] Mount /dev/shm in the chroot with the right options
@ 2014-01-01 21:18 Douglas Freed
  2014-01-01 21:22 ` [gentoo-catalyst] " Douglas Freed
  2014-01-01 21:30 ` [gentoo-catalyst] " W. Trevor King
  0 siblings, 2 replies; 3+ messages in thread
From: Douglas Freed @ 2014-01-01 21:18 UTC (permalink / raw
  To: gentoo-catalyst; +Cc: Douglas Freed

Bind mounting /dev/shm into the chroot isn't a good idea, as there may
be collisions and result in weird side effects.  Instead, we can just
mount a new tmpfs there, with the right options to ensure security.
---
 modules/generic_stage_target.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/modules/generic_stage_target.py b/modules/generic_stage_target.py
index 9edafe9..10b367d 100644
--- a/modules/generic_stage_target.py
+++ b/modules/generic_stage_target.py
@@ -179,13 +179,13 @@ class generic_stage_target(generic_target):
 			self.mountmap={"/proc":"/proc","/dev":"/dev","/dev/pts":"/dev/pts",\
 				"/usr/portage":self.settings["snapshot_cache_path"]+"/portage",\
 				"/usr/portage/distfiles":self.settings["distdir"],"/var/tmp/portage":"tmpfs",
-				"/dev/shm": "/dev/shm"}
+				"/dev/shm": "shmfs"}
 		else:
 			self.mounts=["/proc", "/dev", "/usr/portage/distfiles",
 				"/var/tmp/portage"]
 			self.mountmap={"/proc":"/proc","/dev":"/dev","/dev/pts":"/dev/pts",\
 				"/usr/portage/distfiles":self.settings["distdir"],"/var/tmp/portage":"tmpfs",
-				"/dev/shm": "/dev/shm"}
+				"/dev/shm": "shmfs"}
 		if os.uname()[0] == "Linux":
 			self.mounts.append("/dev/pts")
 			self.mounts.append("/dev/shm")
@@ -904,7 +904,7 @@ class generic_stage_target(generic_target):
 				os.makedirs(self.settings["chroot_path"]+x,0755)
 
 			if not os.path.exists(self.mountmap[x]):
-				if not self.mountmap[x] == "tmpfs":
+				if self.mountmap[x] != "tmpfs" and self.mountmap[x] != "shmfs":
 					os.makedirs(self.mountmap[x],0755)
 
 			src=self.mountmap[x]
@@ -923,6 +923,9 @@ class generic_stage_target(generic_target):
 						retval=os.system("mount -t tmpfs -o size="+\
 							self.settings["var_tmpfs_portage"]+"G "+src+" "+\
 							self.settings["chroot_path"]+x)
+				else if src == "shmfs":
+					retval=os.system("mount -t tmpfs -o noexec,nosuid,nodev shm "+\
+						self.settings["chroot_path"]+x)
 				else:
 					retval=os.system("mount --bind "+src+" "+\
 						self.settings["chroot_path"]+x)
-- 
1.8.4.3



^ permalink raw reply related	[flat|nested] 3+ messages in thread
* [gentoo-catalyst] Re: [PATCH] Mount /dev/shm in the chroot with the right options
  2014-01-01 21:18 [gentoo-catalyst] [PATCH] Mount /dev/shm in the chroot with the right options Douglas Freed
@ 2014-01-01 21:22 ` Douglas Freed
  2014-01-01 21:30 ` [gentoo-catalyst] " W. Trevor King
  1 sibling, 0 replies; 3+ messages in thread
From: Douglas Freed @ 2014-01-01 21:22 UTC (permalink / raw
  To: gentoo-catalyst

On Wed, Jan 1, 2014 at 1:18 PM, Douglas Freed <dwfreed@mtu.edu> wrote:
> Bind mounting /dev/shm into the chroot isn't a good idea, as there may
> be collisions and result in weird side effects.  Instead, we can just
> mount a new tmpfs there, with the right options to ensure security.
> ---
>  modules/generic_stage_target.py | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/modules/generic_stage_target.py b/modules/generic_stage_target.py
> index 9edafe9..10b367d 100644
> --- a/modules/generic_stage_target.py
> +++ b/modules/generic_stage_target.py
> @@ -179,13 +179,13 @@ class generic_stage_target(generic_target):
>                         self.mountmap={"/proc":"/proc","/dev":"/dev","/dev/pts":"/dev/pts",\
>                                 "/usr/portage":self.settings["snapshot_cache_path"]+"/portage",\
>                                 "/usr/portage/distfiles":self.settings["distdir"],"/var/tmp/portage":"tmpfs",
> -                               "/dev/shm": "/dev/shm"}
> +                               "/dev/shm": "shmfs"}
>                 else:
>                         self.mounts=["/proc", "/dev", "/usr/portage/distfiles",
>                                 "/var/tmp/portage"]
>                         self.mountmap={"/proc":"/proc","/dev":"/dev","/dev/pts":"/dev/pts",\
>                                 "/usr/portage/distfiles":self.settings["distdir"],"/var/tmp/portage":"tmpfs",
> -                               "/dev/shm": "/dev/shm"}
> +                               "/dev/shm": "shmfs"}
>                 if os.uname()[0] == "Linux":
>                         self.mounts.append("/dev/pts")
>                         self.mounts.append("/dev/shm")
> @@ -904,7 +904,7 @@ class generic_stage_target(generic_target):
>                                 os.makedirs(self.settings["chroot_path"]+x,0755)
>
>                         if not os.path.exists(self.mountmap[x]):
> -                               if not self.mountmap[x] == "tmpfs":
> +                               if self.mountmap[x] != "tmpfs" and self.mountmap[x] != "shmfs":
>                                         os.makedirs(self.mountmap[x],0755)
>
>                         src=self.mountmap[x]
> @@ -923,6 +923,9 @@ class generic_stage_target(generic_target):
>                                                 retval=os.system("mount -t tmpfs -o size="+\
>                                                         self.settings["var_tmpfs_portage"]+"G "+src+" "+\
>                                                         self.settings["chroot_path"]+x)
> +                               else if src == "shmfs":
> +                                       retval=os.system("mount -t tmpfs -o noexec,nosuid,nodev shm "+\
> +                                               self.settings["chroot_path"]+x)
>                                 else:
>                                         retval=os.system("mount --bind "+src+" "+\
>                                                 self.settings["chroot_path"]+x)
> --
> 1.8.4.3
>

Oh, I forgot to mention that this is for 2.X, not master.

-Doug


^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [gentoo-catalyst] [PATCH] Mount /dev/shm in the chroot with the right options
  2014-01-01 21:18 [gentoo-catalyst] [PATCH] Mount /dev/shm in the chroot with the right options Douglas Freed
  2014-01-01 21:22 ` [gentoo-catalyst] " Douglas Freed
@ 2014-01-01 21:30 ` W. Trevor King
  1 sibling, 0 replies; 3+ messages in thread
From: W. Trevor King @ 2014-01-01 21:30 UTC (permalink / raw
  To: gentoo-catalyst

[-- Attachment #1: Type: text/plain, Size: 2873 bytes --]

On Wed, Jan 01, 2014 at 09:18:22PM +0000, Douglas Freed wrote:
> Bind mounting /dev/shm into the chroot isn't a good idea, as there may
> be collisions and result in weird side effects.  Instead, we can just
> mount a new tmpfs there, with the right options to ensure security.
> ---
>  modules/generic_stage_target.py | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
> 
> diff --git a/modules/generic_stage_target.py b/modules/generic_stage_target.py
> index 9edafe9..10b367d 100644
> --- a/modules/generic_stage_target.py
> +++ b/modules/generic_stage_target.py
> @@ -179,13 +179,13 @@ class generic_stage_target(generic_target):
>  			self.mountmap={"/proc":"/proc","/dev":"/dev","/dev/pts":"/dev/pts",\
>  				"/usr/portage":self.settings["snapshot_cache_path"]+"/portage",\
>  				"/usr/portage/distfiles":self.settings["distdir"],"/var/tmp/portage":"tmpfs",
> -				"/dev/shm": "/dev/shm"}
> +				"/dev/shm": "shmfs"}
>  		else:
>  			self.mounts=["/proc", "/dev", "/usr/portage/distfiles",
>  				"/var/tmp/portage"]
>  			self.mountmap={"/proc":"/proc","/dev":"/dev","/dev/pts":"/dev/pts",\
>  				"/usr/portage/distfiles":self.settings["distdir"],"/var/tmp/portage":"tmpfs",
> -				"/dev/shm": "/dev/shm"}
> +				"/dev/shm": "shmfs"}
>  		if os.uname()[0] == "Linux":
>  			self.mounts.append("/dev/pts")
>  			self.mounts.append("/dev/shm")
> @@ -904,7 +904,7 @@ class generic_stage_target(generic_target):
>  				os.makedirs(self.settings["chroot_path"]+x,0755)
>  
>  			if not os.path.exists(self.mountmap[x]):
> -				if not self.mountmap[x] == "tmpfs":
> +				if self.mountmap[x] != "tmpfs" and self.mountmap[x] != "shmfs":
>  					os.makedirs(self.mountmap[x],0755)
>  
>  			src=self.mountmap[x]
> @@ -923,6 +923,9 @@ class generic_stage_target(generic_target):
>  						retval=os.system("mount -t tmpfs -o size="+\
>  							self.settings["var_tmpfs_portage"]+"G "+src+" "+\
>  							self.settings["chroot_path"]+x)
> +				else if src == "shmfs":
> +					retval=os.system("mount -t tmpfs -o noexec,nosuid,nodev shm "+\
> +						self.settings["chroot_path"]+x)
>  				else:
>  					retval=os.system("mount --bind "+src+" "+\
>  						self.settings["chroot_path"]+x)

Looks good enough to me.  Are we forward-porting this onto blueness'
pending patch?

I'll wait until more of the pending branch has been absorbed into
master before working up a more thorough patch to support
user-configurable:

* '--bind $SOURCE' vs. '--rbind $SOURCE' vs. '-t $TYPE'
* '-o $OPTIONS'

Which will take care of my --rbind goals [1] in a more flexible way.

Cheers,
Trevor

[1]: http://mid.gmane.org/20140101185335.GK29195@odin.tremily.us

-- 
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2014-01-01 21:30 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-01-01 21:18 [gentoo-catalyst] [PATCH] Mount /dev/shm in the chroot with the right options Douglas Freed
2014-01-01 21:22 ` [gentoo-catalyst] " Douglas Freed
2014-01-01 21:30 ` [gentoo-catalyst] " W. Trevor King

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox