From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id A8AE51387FD for ; Wed, 10 Sep 2014 20:35:53 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 39FD5E086A; Wed, 10 Sep 2014 20:35:52 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 51209E085D for ; Wed, 10 Sep 2014 20:35:51 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 59520340033 for ; Wed, 10 Sep 2014 20:35:50 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 1146A52BA for ; Wed, 10 Sep 2014 20:35:49 +0000 (UTC) 
From: "Mike Frysinger"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Mike Frysinger"
Message-ID: <1410378856.187e786116b56b60bf1a84d44094619843214920.vapier@gentoo>
Subject: [gentoo-commits] proj/releng:master commit in: tools/
X-VCS-Repository: proj/releng
X-VCS-Files: tools/catalyst-auto
X-VCS-Directories: tools/
X-VCS-Committer: vapier
X-VCS-Committer-Name: Mike Frysinger
X-VCS-Revision: 187e786116b56b60bf1a84d44094619843214920
X-VCS-Branch: master
Date: Wed, 10 Sep 2014 20:35:49 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 9f7c21cf-deec-4553-89e0-75f9485efef9
X-Archives-Hash: 79e0eae1697f15cab5fe4c1d6a96ad64

commit:     187e786116b56b60bf1a84d44094619843214920
Author:     Mike Frysinger gentoo org>
AuthorDate: Wed Sep 10 19:54:16 2014 +0000
Commit:     Mike Frysinger gentoo org>
CommitDate: Wed Sep 10 19:54:16 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/releng.git;a=commit;h=187e7861

catalyst-auto: automatically use uts/ipc/pid namespaces

If the system can support them, throw the build process into various
namespaces to further isolate ourselves from the host system.

---
 tools/catalyst-auto | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/tools/catalyst-auto b/tools/catalyst-auto
index ebdb7c7..4453009 100755
--- a/tools/catalyst-auto
+++ b/tools/catalyst-auto
@@ -2,10 +2,17 @@ # Copyright 1999-2014 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# First let's get our own mount namespace to avoid leaking crap. +# First let's get our own namespaces to avoid leaking crap. if [[ -z ${UNSHARE} ]] ; then if type -P unshare >&/dev/null ; then - UNSHARE=true exec unshare -m -- "$0" "$@" + uargs=() + # Probe the namespaces as some can be disabled (or we are not root). + unshare -m -- true >&/dev/null && uargs+=( -m ) + unshare -u -- true >&/dev/null && uargs+=( -u ) + unshare -i -- true >&/dev/null && uargs+=( -i ) + unshare -p -- true >&/dev/null && uargs+=( -p -f --mount-proc ) + # Re-exec ourselves in the new namespace. + UNSHARE=true exec unshare "${uargs[@]}" -- "$0" "$@" fi fi unset UNSHARE
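Review bot: The probes do not exercise the flags that are actually exec'd, so a passing probe does not guarantee the real invocation works: `-p` is probed as `unshare -p -- true`, but the final command uses `-p -f --mount-proc`, and `--mount-proc` additionally needs a writable /proc mount point inside a new mount namespace, which the probe never checks. Probe with the same argument set you intend to use, e.g. `unshare -p -f --mount-proc -- true >&/dev/null && uargs+=( -p -f --mount-proc )`. Related: when every probe fails (not root, namespaces compiled out) `uargs` is empty and the script still re-execs via `exec unshare -- "$0" "$@"` with `UNSHARE=true`, so the build silently runs with no isolation at all, whereas the old `exec unshare -m` aborted in that situation; at minimum log which namespaces were obtained, and consider keeping `-m` mandatory since the mount namespace is what prevents the build from leaking mounts onto the host. Also note that with `-p -f` the re-exec'd script becomes PID 1 of the new pid namespace, where signals with no installed handler are ignored, so it is worth confirming that a TERM/INT sent to the outer `unshare` still stops the build.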