From: "Brian Dolbec"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Brian Dolbec"
Message-ID: <1388612308.11735664906bc4a3c9a5cc155414958adecda1d4.dol-sen@gentoo>
Subject: [gentoo-commits] proj/catalyst:2.X commit in: modules/
X-VCS-Repository: proj/catalyst
X-VCS-Files: modules/generic_stage_target.py
X-VCS-Directories: modules/
X-VCS-Committer: dol-sen
X-VCS-Committer-Name: Brian Dolbec
X-VCS-Revision: 11735664906bc4a3c9a5cc155414958adecda1d4
X-VCS-Branch: 2.X
Date: Wed, 1 Jan 2014 21:40:01 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 54fdc002-e233-48a9-8749-76a9e932c29c
X-Archives-Hash: d48e03a4e95428f8a7299a34893d0eff

commit:     11735664906bc4a3c9a5cc155414958adecda1d4
Author:     Douglas Freed mtu edu>
AuthorDate: Wed Jan 1 21:18:22 2014 +0000
Commit:     Brian Dolbec gmail com>
CommitDate: Wed Jan 1 21:38:28 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/catalyst.git;a=commit;h=11735664

Mount /dev/shm in the chroot with the right options

Bind mounting /dev/shm into the chroot isn't a good idea, as there may be
collisions that result in weird side effects. Instead, we can just mount a
new tmpfs there, with the right options to ensure security.

---
 modules/generic_stage_target.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/modules/generic_stage_target.py b/modules/generic_stage_target.py
index 9edafe9..10b367d 100644
--- a/modules/generic_stage_target.py
+++ b/modules/generic_stage_target.py
@@ -179,13 +179,13 @@ class generic_stage_target(generic_target): self.mountmap={"/proc":"/proc","/dev":"/dev","/dev/pts":"/dev/pts",\ "/usr/portage":self.settings["snapshot_cache_path"]+"/portage",\ "/usr/portage/distfiles":self.settings["distdir"],"/var/tmp/portage":"tmpfs", - "/dev/shm": "/dev/shm"} + "/dev/shm": "shmfs"} else: self.mounts=["/proc", "/dev", "/usr/portage/distfiles", "/var/tmp/portage"] self.mountmap={"/proc":"/proc","/dev":"/dev","/dev/pts":"/dev/pts",\ "/usr/portage/distfiles":self.settings["distdir"],"/var/tmp/portage":"tmpfs", - "/dev/shm": "/dev/shm"} + "/dev/shm": "shmfs"} if os.uname()[0] == "Linux": self.mounts.append("/dev/pts") self.mounts.append("/dev/shm") @@ -904,7 +904,7 @@ class generic_stage_target(generic_target): os.makedirs(self.settings["chroot_path"]+x,0755) if not os.path.exists(self.mountmap[x]): - if not self.mountmap[x] == "tmpfs": + if self.mountmap[x] != "tmpfs" and self.mountmap[x] != "shmfs": os.makedirs(self.mountmap[x],0755) src=self.mountmap[x] @@ -923,6 +923,9 @@ class generic_stage_target(generic_target): retval=os.system("mount -t tmpfs -o size="+\ self.settings["var_tmpfs_portage"]+"G "+src+" "+\ self.settings["chroot_path"]+x) + else if src == "shmfs": + retval=os.system("mount -t tmpfs -o noexec,nosuid,nodev shm "+\ + self.settings["chroot_path"]+x) else: retval=os.system("mount --bind "+src+" "+\ self.settings["chroot_path"]+x)
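Review bot: in the first hunk (the two mountmap changes at @@ -179), "shmfs" is a sentinel string, not a filesystem type that exists (the mount it later triggers is `-t tmpfs`), and it is introduced twice, once per branch of the if/else, alongside the older sentinel "tmpfs". Please add a one-line comment at the mountmap, or module-level constants for both sentinels, so a reader does not go looking for an shmfs filesystem and a later mapping cannot misspell one; with the `os.path.exists` check further down, any other string is treated as a host path and a typo would silently `os.makedirs` a relative directory named after it.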
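Review bot: in the second hunk (@@ -904), `if self.mountmap[x] != "tmpfs" and self.mountmap[x] != "shmfs":` reads better and is easier to keep in sync with the mount branch below as `if self.mountmap[x] not in ("tmpfs", "shmfs"):`. Note also that the enclosing `if not os.path.exists(self.mountmap[x]):` evaluates the bare string "shmfs" relative to the current working directory, so a stray file or directory called `shmfs` in the cwd skips this block; harmless today because nothing is created in that case, but another reason to keep the sentinels out of the path-handling code.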
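Review bot: in the third hunk (@@ -923), `else if src == "shmfs":` is not valid Python; it is a SyntaxError at import time, so as committed this makes modules/generic_stage_target.py (and every target that imports it) fail to load. It must read `elif src == "shmfs":`. Once that is fixed, the mount itself does what the commit message promises, a fresh tmpfs with `noexec,nosuid,nodev` rather than a bind of the host's /dev/shm. Two smaller points: the chroot path is still passed through `os.system` by string concatenation as in the existing branches, so a chroot_path with whitespace or shell metacharacters breaks this branch too (pre-existing pattern, but this line copies it); and unlike the /var/tmp/portage mount directly above, no `size=` is given, so the tmpfs takes the kernel default size.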
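The commit message says the fresh tmpfs is mounted "with the right options to ensure security"; the check a practitioner wants afterwards is whether the chroot's /dev/shm really is a tmpfs carrying noexec, nosuid and nodev, rather than a bind of the host's /dev/shm with the host's flags. The following is an added example written for this page, not catalyst's own code: it builds the mount from the patch as an argument vector (no shell, so a chroot path with spaces cannot be re-parsed) and verifies the result by parsing a mount table in /proc/self/mounts format. The chroot path and both mount tables are constructed sample data, and the function names are mine.

```python
"""Check that a chroot's /dev/shm is a fresh tmpfs with noexec,nosuid,nodev.

Added illustration written for this page; it is not catalyst code. It builds
the mount command from the patch as an argv list and verifies the outcome by
parsing a mount table in /proc/self/mounts format. All sample data below is
constructed.
"""
import re

REQUIRED_OPTS = frozenset({"noexec", "nosuid", "nodev"})


def build_shm_mount_argv(chroot_path):
    """Equivalent of the patch's 'mount -t tmpfs -o noexec,nosuid,nodev shm
    <chroot>/dev/shm', but as an argv list for subprocess: a chroot path with
    spaces or shell metacharacters is passed as one argument instead of being
    re-parsed by /bin/sh as os.system() would do."""
    target = chroot_path.rstrip("/") + "/dev/shm"
    return ["mount", "-t", "tmpfs", "-o", "noexec,nosuid,nodev", "shm", target]


def decode_mount_field(field):
    """/proc/self/mounts escapes space, tab, newline and backslash in paths as
    three-digit octal (\\040 for a space); undo that so paths compare equal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mount_table(text):
    """Yield (mountpoint, fstype, options) from /proc/self/mounts text.
    Columns are: source mountpoint fstype options dump pass."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        _src, mnt, fstype, opts = fields[:4]
        yield decode_mount_field(mnt), fstype, frozenset(opts.split(","))


def check_chroot_shm(mount_table_text, chroot_path):
    """Return (ok, reason). ok only when the most recent mount on
    <chroot>/dev/shm is a tmpfs carrying every option in REQUIRED_OPTS.
    A bind mount of the host's /dev/shm appears at the same path with the
    host's own flags, typically without noexec; it is rejected with the
    missing options named."""
    target = chroot_path.rstrip("/") + "/dev/shm"
    matches = [e for e in parse_mount_table(mount_table_text) if e[0] == target]
    if not matches:
        return False, "nothing mounted at " + target
    _mnt, fstype, opts = matches[-1]  # later lines shadow earlier mounts on a path
    if fstype != "tmpfs":
        return False, "expected tmpfs, found " + fstype
    missing = REQUIRED_OPTS - opts
    if missing:
        return False, "missing options: " + ",".join(sorted(missing))
    return True, "ok"


# Constructed sample data: a chroot path of the shape catalyst uses, the mount
# table as it looked with the old bind mount (host flags, no noexec), and as it
# looks after the patch's fresh tmpfs.
CHROOT = "/var/tmp/catalyst/tmp/default/stage3-amd64"

MOUNTS_BIND = """\
/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /var/tmp/catalyst/tmp/default/stage3-amd64/dev/shm tmpfs rw,nosuid,nodev 0 0
"""

MOUNTS_FRESH = """\
/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
shm /var/tmp/catalyst/tmp/default/stage3-amd64/dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
"""

if __name__ == "__main__":
    print(" ".join(build_shm_mount_argv(CHROOT)))
    print(check_chroot_shm(MOUNTS_BIND, CHROOT))
    print(check_chroot_shm(MOUNTS_FRESH, CHROOT))
```

On a real system, feed `open("/proc/self/mounts").read()` and the actual chroot_path to check_chroot_shm after the mount step; the last matching line is used because the kernel lists mounts in the order they were made, so a stale earlier entry on the same path does not mask the current one.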