Re: Network access during build

On Fri, 07 Oct 2016 at 10:09:34 +0200, Philip Hands wrote:
> I only stumbled across 'firejail' recently, but it seems possible that
> one could run the build under it, to lock things down and/or get reports
> of naughtiness.

firejail is a "do what I mean" approach to sandboxing, AIUI. It might
be too complicated or too thorough (too restrictive) for builds.

unshare(1) in the util-linux package is a more minimal approach to the
same syscalls that firejail presumably uses. You might need to be root
for that one.

bwrap(1) in the bubblewrap package is a middle-ground between the two.
Like firejail, it's setuid (on Debian - Ubuntu's kernel allows unprivileged
userns, so it doesn't need to be setuid there) and needs a semi-recent
kernel. It's how the sandboxing part of Flatpak works (and in fact is
a spin-off from Flatpak - it was separated out so that other projects
can share it, and only need one setuid binary between them).

I think schroot also has internal support for unsharing the network
namespace, which is what unshare(1) and bwrap do, and probably also what
firejail does.

    $ telnet
    $ bwrap --unshare-net --ro-bind / / telnet
    telnet: Unable to connect to remote host: Network is unreachable
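Wrapping that invocation into a small build runner, as an added example that is not code from the message above nor from the bubblewrap or util-linux projects: it picks bwrap(1) if installed and otherwise falls back to unshare(1), and before launching the build it checks from inside the sandbox that the route table is empty, which is what a freshly unshared network namespace looks like. The script name, the "whole host read-only, only the build tree writable" layout and the /proc/net/route probe are assumptions of the example; the bwrap options used are the basic ones (--unshare-net, --ro-bind, --bind, --dev, --proc, --tmpfs, --chdir).

```shell
#!/bin/sh
# offline-build.sh (added example): run a build command with the network
# namespace unshared, so anything that tries to download during the build
# fails with "Network is unreachable" instead of silently succeeding.
# Backends: bwrap(1) from bubblewrap when present, else unshare(1) from
# util-linux.  The layout and the route-table probe below are assumptions
# of this example, not something the mailing-list post prescribes.
set -eu

# Print the name of the first usable backend, or fail if there is none.
pick_backend() {
    if command -v bwrap >/dev/null 2>&1; then
        echo bwrap
    elif command -v unshare >/dev/null 2>&1; then
        echo unshare
    else
        return 1
    fi
}

# Run "$@" in a sandbox with no network.  Usage: sandboxed BUILDDIR cmd args...
# With bwrap the host filesystem is visible read-only and only BUILDDIR is
# writable; with unshare only the network namespace is new.
sandboxed() {
    builddir=$1; shift
    case $(pick_backend) in
    bwrap)
        # Later binds win, so the writable bind of BUILDDIR comes after the
        # read-only bind of /.  A fresh /proc makes /proc/net describe the
        # sandbox's own network namespace rather than the host's.
        bwrap --unshare-net --ro-bind / / --dev /dev --proc /proc --tmpfs /tmp \
            --bind "$builddir" "$builddir" --chdir "$builddir" "$@"
        ;;
    unshare)
        if [ "$(id -u)" -eq 0 ]; then
            unshare -n sh -c 'cd "$1" && shift && exec "$@"' sh "$builddir" "$@"
        else
            # -U -r: new user namespace with our uid mapped to root, which is
            # what lets a non-root user create a network namespace on kernels
            # that allow unprivileged userns (Ubuntu; not Debian by default).
            unshare -U -r -n sh -c 'cd "$1" && shift && exec "$@"' sh "$builddir" "$@"
        fi
        ;;
    *)
        echo "offline-build: neither bwrap nor unshare is installed" >&2
        return 1
        ;;
    esac
}

# Count the routes in a route table read from stdin in /proc/net/route format
# (one header line, then one line per route).  A freshly unshared network
# namespace has no routes at all, so 0 means the sandbox is really isolated.
route_count() {
    awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'
}

# Refuse to start the build unless the sandbox's own route table is empty.
# Usage: run_offline_build BUILDDIR cmd args...
run_offline_build() {
    builddir=$1; shift
    # Read the table inside the sandbox first; a failed sandbox must not be
    # mistaken for an empty table.
    table=$(sandboxed "$builddir" cat /proc/net/route)
    if [ -z "$table" ]; then
        echo "offline-build: could not read the sandbox route table" >&2
        return 1
    fi
    n=$(printf '%s\n' "$table" | route_count)
    if [ "$n" -ne 0 ]; then
        echo "offline-build: sandbox still has $n route(s); not building" >&2
        return 1
    fi
    sandboxed "$builddir" "$@"
}

# As a script: ./offline-build.sh /path/to/source make -j4
# (with no arguments the functions are only defined and nothing is run)
if [ $# -gt 0 ]; then
    run_offline_build "$@"
fi
```

The probe works with both backends because /proc/net is a symlink to /proc/self/net, which is namespace-aware; with bwrap the extra --proc /proc makes that explicit by mounting a fresh procfs in the sandbox. The check catches the case where the kernel refuses unprivileged user namespaces and unshare silently ends up doing less than expected: the build is not started at all rather than started with network access.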


