From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 02F0913888F for ; Tue, 6 Oct 2015 20:33:02 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 5FCDD21C00D; Tue, 6 Oct 2015 20:32:59 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id EF49D21C00D for ; Tue, 6 Oct 2015 20:32:58 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by smtp.gentoo.org (Postfix) with ESMTP id 0ED5D3406C2 for ; Tue, 6 Oct 2015 20:32:56 +0000 (UTC) From: Mike Frysinger To: gentoo-catalyst@lists.gentoo.org Subject: [gentoo-catalyst] [PATCH 2/2] catalyst: create namespaces for building Date: Tue, 6 Oct 2015 16:32:53 -0400 Message-Id: <1444163573-11337-2-git-send-email-vapier@gentoo.org> X-Mailer: git-send-email 2.5.2 In-Reply-To: <1444163573-11337-1-git-send-email-vapier@gentoo.org> References: <1444163573-11337-1-git-send-email-vapier@gentoo.org> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-catalyst@lists.gentoo.org Reply-to: gentoo-catalyst@lists.gentoo.org X-Archives-Salt: f9857dd1-38fb-4f5e-8ac1-09d8145c605f X-Archives-Hash: 3d8aa7e57e7a53660b06b0fa5cb0d57a This helps isolate the catalyst builds from the rest of the system and allows us to build as non-root user in more cases. This might not work everywhere, but it's a start (snapshot generation works). --- catalyst/main.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/catalyst/main.py b/catalyst/main.py index 65e1431..f984653 100644 --- a/catalyst/main.py +++ b/catalyst/main.py @@ -10,6 +10,8 @@ import argparse import os import sys +from snakeoil.process import namespaces + __selfpath__ = os.path.abspath(os.path.dirname(__file__)) from DeComp.definitions import (COMPRESS_DEFINITIONS, DECOMPRESS_DEFINITIONS, @@ -336,6 +338,13 @@ def main(): if "target" not in addlargs: raise CatalystError("Required value \"target\" not specified.") + # Start off by creating unique namespaces to run in. + namespaces.simple_unshare( + mount=True, uts=True, ipc=True, pid=True, net=False, user=True, + hostname='catalyst') + + # We should be root now, either a real root, or in a userns as root. + # If we aren't, then we've failed, and need to abort. if os.getuid() != 0: # catalyst cannot be run as a normal user due to chroots, mounts, etc print "!!! catalyst: This script requires root privileges to operate" -- 2.5.2