mike(a)redhat.com (Mike McLean) writes:
> Attached are a couple of patches that expand the mounts created in
> the chroot by mock. These are mounts that we've used for builds within
> Red Hat for years and some packages need them to compile properly.
1. 'mock' should be run in its own namespace; then you would not need to
track the mounted filesystems
2. most of the mounts should be done directly with the mount(2) syscall;
NFS filesystems are the only exception I am aware of
3. a secure way to mount the filesystems is
| chroot(ROOTDIR);
| mount(...);
Current path-checks (e.g. for '/../') are completely useless because
they will not protect against symlink attacks.
> more_mounts.patch is the larger patch, it refactors _mount() so that
> the mounts to be created are specified in a list and looped over.
> I've also changed the unmounting code to make it more paranoid.
With namespaces, unmounting would not be needed...
> In order to allow these mounts, I had to make some changes to
> mock-helper.
> bind_dev.patch builds on the previous patch and provides an option
> to have /dev bind mounted in the chroot (instead of the skeletal /dev
> that mock sets up).
When packages require special devices to build, these packages are
broken...
Making a full /dev available lowers security significantly in environments
which remove CAP_MKNOD for the buildsys.
Enrico
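An added example, not part of the attached patches or of mock itself, of what points 1 and 3 above look like as a C helper: a private mount namespace, then chroot(), then mount(2) for a list of filesystems. The mount table, function names and flag choices are my assumptions.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>

struct build_mount {
    const char *source;   /* device or pseudo-fs name */
    const char *target;   /* path as seen from inside the chroot */
    const char *fstype;
    unsigned long flags;
};

/* Constructed list of mounts, in the spirit of more_mounts.patch. */
static const struct build_mount build_mounts[] = {
    { "proc",   "/proc",    "proc",   MS_NOSUID | MS_NOEXEC | MS_NODEV },
    { "sysfs",  "/sys",     "sysfs",  MS_NOSUID | MS_NOEXEC | MS_NODEV },
    { "devpts", "/dev/pts", "devpts", MS_NOSUID | MS_NOEXEC },
};

/* Sanity check only (absolute path to a directory); the real protection is chroot(). */
int check_rootdir(const char *rootdir)
{
    struct stat st;
    return (rootdir && rootdir[0] == '/' &&
            stat(rootdir, &st) == 0 && S_ISDIR(st.st_mode)) ? 0 : -1;
}

/* Returns 0 on success, -1 on the first failure. Needs CAP_SYS_ADMIN and CAP_SYS_CHROOT. */
int setup_build_mounts(const char *rootdir)
{
    if (check_rootdir(rootdir) != 0)
        return -1;
    /* Fresh mount namespace: mounts vanish with its last process, nothing to track. */
    if (unshare(CLONE_NEWNS) != 0)
        return -1;
    /* Stop propagation so the mounts never show up in the parent namespace. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0)
        return -1;
    if (chroot(rootdir) != 0 || chdir("/") != 0)
        return -1;
    for (size_t i = 0; i < sizeof build_mounts / sizeof build_mounts[0]; i++) {
        const struct build_mount *m = &build_mounts[i];
        /* The kernel resolves m->target inside the chroot; neither "/../"
         * nor a symlink planted in the build root can redirect it outside. */
        if (mount(m->source, m->target, m->fstype, m->flags, NULL) != 0)
            return -1;
    }
    return 0;
}
```

Run it as the first step of the chrooted build process; the process that called it is confined to the build root afterwards, which is what a build helper wants.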