
Re: Debian and our frenemies of containers and userland repos



Hi,

Quoting Paul Wise (2019-07-26 04:31:29)
> > But you'd have to ask somebody who is more knowledgeable about the security
> > implications of such a change. There certainly is a reason why #898446 is still
> > open.
> >
> > Furthermore, since buildds currently use the schroot backend, I guess that
> > buildd admins already took all necessary precautions to secure their systems
> > against arbitrary code running as part of the package build process. I do not
> > know what benefit the "unshare" backend would have for buildds.
> I think my mental model of what the "unshare" backend does was
> incorrect. I didn't think it needed #898446 to be closed. I assumed it
> was just like schroot except with the addition of moving all processes
> run within the chroot into a separate network/process/mount/etc
> namespace with no access to the host namespaces.

Your initial intuition was correct. It is like a very primitive schroot with
just enough functionality so that sbuild can build packages with it. It lacks
all the advanced features that schroot has like configuration file management
and session management and it is baked directly into sbuild so you cannot use
it without sbuild. But feel free to steal the code for your own project! Sadly
this functionality requires a horribly complicated fork/syscall dance [1] which
I also had to copy to mmdebstrap because no existing tool seemed to do it
already.

[1] https://sources.debian.org/src/mmdebstrap/0.4.1-6/mmdebstrap/#L292

> The primary advantage of this would be to isolate the build chroot from the
> network. Perhaps schroot is the component that should be adding support for
> separate network/process/mount/etc namespaces?

Yes, it should. There is this bug for it which I opened and I only wrote the
"unshare" backend for sbuild when it became clear that schroot would not add
this functionality any time soon:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802849

But to unshare all the namespaces, even schroot would need #898446 to be fixed.

Thanks!

cheers, josch
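
Added example, not part of the message above and not code from sbuild, schroot or mmdebstrap: a minimal C check that a forked child can be moved into its own user and network namespaces, as discussed for isolating the build chroot from the network. It only maps the caller's own uid/gid to 0 (not the full fork/syscall sequence referenced in [1]); the names put, netns_id and build_netns_isolated are hypothetical, and the result is -1 where the kernel or sandbox refuses unprivileged namespaces.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write a short string to a /proc file; 0 on success. */
static int put(const char *path, const char *s) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    int ok = write(fd, s, strlen(s)) == (ssize_t)strlen(s);
    close(fd);
    return ok ? 0 : -1;
}

/* Identity of the caller's network namespace, e.g. "net:[4026531992]". */
static int netns_id(char *buf, size_t len) {
    ssize_t n = readlink("/proc/self/ns/net", buf, len - 1);
    if (n >= 0) buf[n] = '\0';
    return n < 0 ? -1 : 0;
}

/* Child exit code: 0 = own netns and uid 0 inside, 1 = host netns, 2 = unavailable. */
static int child(void) {
    char before[64], after[64], map[64];
    unsigned uid = getuid(), gid = getgid();
    if (netns_id(before, sizeof before) != 0) return 2;
    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0) return 2;
    snprintf(map, sizeof map, "0 %u 1\n", uid);
    if (put("/proc/self/uid_map", map) != 0) return 2;
    /* gid_map is only writable once setgroups(2) has been denied */
    if (put("/proc/self/setgroups", "deny") != 0) return 2;
    snprintf(map, sizeof map, "0 %u 1\n", gid);
    if (put("/proc/self/gid_map", map) != 0) return 2;
    if (netns_id(after, sizeof after) != 0 || getuid() != 0) return 2;
    return strcmp(before, after) == 0 ? 1 : 0;
}

/* 1 = child ran in its own netns, 0 = it did not, -1 = unavailable here. */
int build_netns_isolated(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(child());
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st) || WEXITSTATUS(st) > 1) return -1;
    return WEXITSTATUS(st) == 0;
}
int main(void) { printf("isolated=%d\n", build_netns_isolated()); return 0; }
```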
