
Re: Network access during build
2016-10-07 10:09 GMT+02:00 Philip Hands <phil@hands.com>:
> Paul Wise <pabs@debian.org> writes:
>
>> On Thu, Oct 6, 2016 at 11:48 PM, Jérémy Lal wrote:
>>
>>> Is there some simple way to check, when using sbuild, that the build
>>> does not access the network?
>>
>> nsntrace could probably be used for this. I think lamby has another
>> method too.
>
> I only stumbled across 'firejail' recently, but it seems possible that
> one could run the build under it, to lock things down and/or get reports
> of naughtiness.
>
> I've not done more than install it really, but it trivially lets you run
> commands as though there were no network attached, and looking at the
> man page it looks like one can set up fine-grained blacklists of things
> you don't want to happen (so not only networking) and get errors logged
> if they do.
>
> Even if it's not possible to run it on buildds (it's SUID and needs
> linux >= 3.x), one might be able to use it to detect dodgy unit tests,
> and segregate them into only running when one can do so under firejail,
> say.

I tried building nodejs with firejail
- it's not possible to run `firejail sbuild` right away (some config is probably needed)
- it's possible to run `firejail debuild` and it works pretty well.

It really doesn't authorize much, as many tests fail with
Error: ENOTSUP: operation not supported on socket, uv_interface_addresses

There seems to be a way to configure firejail to be a little bit more permissive,
and it looks very straightforward to configure.

Thanks!
Jérémy
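A small wrapper in the spirit of what Philip and Jérémy describe, added here as an example; it is not code from this thread, from Debian, or from the firejail project. It runs a build command under firejail with the network detached (`--net=none`, with `--quiet` to keep firejail's own chatter out of the log), tees everything to a log file, and then scans that log for lines that look like a test or download that needed the network. The wrapper assumes firejail is installed and that the build command (for example `debuild -us -uc`) is passed as arguments; the error patterns are a constructed list of common errno and resolver messages plus the `ENOTSUP ... uv_interface_addresses` line reported above, and the demo log at the bottom is constructed so the scanning part runs without firejail.

```shell
#!/bin/sh
# Added example, not from the thread: run a build with no network attached
# and flag log lines that betray network-dependent tests or downloads.
# Assumes firejail is installed; only its documented --net=none and --quiet
# options are used. Patterns and demo log are constructed for illustration.

NET_ERROR_PATTERN='ENOTSUP|ENETUNREACH|EAI_AGAIN|ECONNREFUSED|Network is unreachable|Temporary failure in name resolution|Could not resolve host'

# Compose firejail's option list. "nonet" is the mode Philip describes:
# the command runs as though no network interface were attached.
sandbox_args() {
    case "$1" in
        nonet) echo "--quiet --net=none" ;;
        *)     echo "--quiet" ;;
    esac
}

# Run the build inside the sandbox, teeing stdout and stderr to LOGFILE.
# Usage: run_sandboxed_build LOGFILE debuild -us -uc
run_sandboxed_build() {
    log="$1"; shift
    if ! command -v firejail >/dev/null 2>&1; then
        echo "firejail not installed" >&2
        return 2
    fi
    # Word-splitting of sandbox_args output is intended here.
    # shellcheck disable=SC2046
    firejail $(sandbox_args nonet) "$@" 2>&1 | tee "$log"
}

# Count log lines that look like a failed network operation.
# grep -c prints 0 and exits 1 when nothing matches; keep the 0, drop the exit.
count_net_errors() {
    grep -cE "$NET_ERROR_PATTERN" "$1" || true
}

# Verdict: "network-dependent" if any suspicious line appears, else "clean".
classify_build_log() {
    n=$(count_net_errors "$1")
    if [ "$n" -gt 0 ]; then
        echo "network-dependent"
    else
        echo "clean"
    fi
}

# Stand-alone demo on a constructed log; this part needs no firejail.
demo_log=$(mktemp)
cat >"$demo_log" <<'EOF'
dpkg-buildpackage: source package nodejs
make[1]: Entering directory '/build/nodejs'
Error: ENOTSUP: operation not supported on socket, uv_interface_addresses
not ok 12 test-dns-lookup  # Error: getaddrinfo EAI_AGAIN example.invalid
ok 13 test-buffer
EOF
echo "$(count_net_errors "$demo_log") suspicious line(s): $(classify_build_log "$demo_log")"
rm -f "$demo_log"
```

On the constructed demo log the wrapper reports two suspicious lines and a verdict of `network-dependent`, which is exactly the signal Philip suggests using to segregate tests that only run when the build can be sandboxed. The pattern list is deliberately broad; a build that legitimately prints one of those strings (a test that checks error messages, say) would be a false positive, so treat the verdict as a prompt to read the log rather than as proof.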
