Hi, Quoting Simon McVittie (2019-07-26 09:51:24) > schroot is also setuid root, and sbuild relies on this to set up the > build-dependencies anyway, so in principle schroot/sbuild ought to be > able to do something like this: > > - preparation step (as real root, in the chroot, with networking): > - install build-dependencies > - either run bubblewrap or reimplement it > - build step (as ordinary user, entering the chroot as a container, > with no networking): > - dpkg-buildpackage > - cleanup step (as real root, in the chroot): > - destroy session chroot, if used > > Doing that internally in schroot would require it to be actively > developed, but maybe it would be feasible to have code in sbuild that > wrapped bwrap (or even the combination of unshare(1) and setpriv(1)) > around (only) the actual build step? > > With the Debian Policy requirements around not writing to directories other > than /tmp, /var/tmp and the build directory, this would look something like: > > bwrap \ > --unshare-all \ > --ro-bind / / \ # or --ro-bind /var/.../my-chroot / > --bind /tmp /tmp \ # or --tmpfs /tmp > --bind /var/tmp /var/tmp \ # or --tmpfs /var/tmp > --bind /build/hello-2.10-2 /build/hello-2.10-2 \ # or wherever the build directory is kept > --setenv TMPDIR /tmp \ > --dev-bind /dev /dev \ # or --dev /dev for a minimal version > --proc /proc \ > --die-with-parent \ > --chdir /build/hello-2.10-2 \ > dpkg-buildpackage > > This would break any package that relies on being able to run setuid > executables (such as bwrap itself), and get privileges that way, during > its build - but perhaps that's desirable, because buildd operators > probably don't want setuid to be allowed anyway, in case it can be used > to escape the chroot? this is all very interesting! Thanks for writing it up! I will not be spending time on writing a backend using bubble wrap but I'll accept patches if anybody would like to do that work. This could easily be done by extending the current "sudo" chroot mode and wrapping the package build step itself by bubblewrap. Indeed it could probably be already done today by setting the BUILD_ENV_CMND config value to the bwrap line you posted above with the sudo chroot mode. Thanks! cheers, josch
Attachment:
signature.asc
Description: signature