
Re: Network access during build

Paul Wise <pabs@debian.org> writes:

> On Thu, Oct 6, 2016 at 11:48 PM, Jérémy Lal wrote:
>> Is there some simple way to check, when using sbuild, that the build
>> does not access network ?
> nsntrace could probably be used for this. I think lamby has another
> method too.

I only stumbled across 'firejail' recently, but it seems possible that
one could run the build under it, to lock things down and/or get reports
of naughtiness.

I've not done more than install it really, but it trivially lets you run
commands as though there were no network attached, and looking at the
man page it looks like one can set up fine-grained blacklists of things
you don't want to happen (so not only networking) and get errors logged
if they do.

Even if it's not possible to run it on buildds (it's SUID and needs
linux >= 3.x), one might be able to use it to detect dodgy unit tests,
and segregate them into only running when one can do so under firejail.

Cheers, Phil.
|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/    http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,    GERMANY
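As an added illustration (not code from this thread or from the firejail project), here is how a build run could be wrapped in firejail along the lines Phil describes: the network is removed with --net=none, blacklist violations are sent to syslog with --tracelog, and the wrapper fails closed if firejail is absent instead of quietly running the build with network access. It assumes the firejail options named in the comments, an `ip` binary available inside the sandbox for the self-check, and an optional FIREJAIL_BIN override.

```shell
#!/bin/sh
# Constructed example: run a build step under firejail with no network.
# Assumptions: firejail supports --noprofile, --quiet, --net=none,
# --tracelog and --blacklist; FIREJAIL_BIN may point at another binary.
FIREJAIL_BIN="${FIREJAIL_BIN:-firejail}"

# run_offline CMD [ARGS...]: run CMD inside a no-network sandbox.
# Fails closed: if firejail is missing the build is NOT run (exit 127),
# so a misconfigured buildd never silently builds with network access.
run_offline() {
    if ! command -v "$FIREJAIL_BIN" >/dev/null 2>&1; then
        echo "run_offline: $FIREJAIL_BIN not found; refusing to build unsandboxed" >&2
        return 127
    fi
    # --net=none   : fresh network namespace with only a down loopback, so
    #                every connect()/sendto() and DNS lookup fails.
    # --tracelog   : blacklist violations are logged to syslog, which is
    #                where the "reports of naughtiness" would show up.
    # --noprofile  : start from an empty profile so every rule is explicit.
    # --blacklist  : keep credentials out of reach of a misbehaving test.
    "$FIREJAIL_BIN" --noprofile --quiet --net=none --tracelog \
        --blacklist="${HOME}/.ssh" --blacklist="${HOME}/.gnupg" "$@"
}

# check_isolation: run a probe inside the sandbox before the real build.
# Returns 0 only when no non-loopback interface is up inside the jail,
# 127 when firejail itself is unavailable, 1 when isolation failed.
check_isolation() {
    command -v "$FIREJAIL_BIN" >/dev/null 2>&1 || return 127
    # The probe exits 0 only if some interface other than "lo" is up.
    if run_offline sh -c 'ip -o link show up 2>/dev/null | grep -qv ": lo:"'; then
        echo "check_isolation: a network interface is still up inside the jail" >&2
        return 1
    fi
    return 0
}

# Typical use from a build script (dpkg-buildpackage is just an example):
#   check_isolation && run_offline dpkg-buildpackage -us -uc
```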
