Paul Wise <pabs@debian.org> writes: > On Thu, Oct 6, 2016 at 11:48 PM, Jérémy Lal wrote: > >> Is there some simple way to check, when using sbuild, that the build >> does not access network ? > > nsntrace could probably be used for this. I think lamby has another > method too. I only stumbled across 'firejail' recently, but it seems possible that one could run the build under it, to lock things down and/or get reports of naughtiness. I've not done more than install it really, but it trivially lets you run commands as though there were no network attached, and looking at the man page it looks like one can set up fine-grained blacklists of things you don't want to happen (so not only networking) and get errors logged if they do. Even is it's not possible to run it on buildds (it's SUID and needs linux >= 3.x), one might be able to use it to detect dodgy unit tests, and segregate them into only running when one can do so under firejail, say. Cheers, Phil. -- |)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd. |-| http://www.hands.com/ http://ftp.uk.debian.org/ |(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY
Attachment:
signature.asc
Description: PGP signature