Hello,
the patch which is available at
http://ensc.de/fedora/mock-namespace.diff
changes some things so that mock is a little bit more secure:
* everything except /var/lib/mock can be read-only now; this is done by
- avoiding modification of /etc/mtab* by using the '-n' switch for 'mount'
- executing all mach operations in their own namespace; so the cleanup of mounts happens automatically without relying on /etc/mtab
- working around the 'rpm --root'-touches-the-rpmdb-of-the-host bug; the namespaces mentioned above make it possible to bind-mount the buildroot rpmdb into the host
* mock works with the CAP_MKNOD capability removed; instead, a precreated /dev template will be bind-mounted into the buildroot. Ideally, this precreated template is a mounted cramfs, as it cannot be modified but still allows the devices to work (this would not be the case e.g. with a read-only mounted ext3 fs)
With these modifications, 'mock' can be used within VServers[1]. Please note that the patch above protects only the filesystem, not processes. So you will have to restart the buildsystem after each build (takes around 2-3 seconds with vservers and 1-2 minutes with regular hosts). Otherwise, every hostile package can take control over subsequent builds.
Footnotes: [1] http://linux-vservers.org
buildsys@lists.fedoraproject.org
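The namespace-plus-'mount -n' approach described in the post, written out as a small POSIX shell script. This is an added illustration, not code from the post or from the mock patch itself: the buildroot layout ($MOCK_STATEDIR/<name>/root), the /dev template path, the helper names and the use of util-linux unshare(1) are all assumptions. It also adds one step the post predates: on hosts where / is a shared mount (the default under systemd), the new namespace has to be made private first, or the buildroot mounts propagate back to the host and the automatic cleanup the post relies on no longer holds.

```shell
#!/bin/sh
# Added example, not part of the original post or the mock patch.
# Hypothetical layout (assumed, not taken from the post):
#   $MOCK_STATEDIR/<name>/root   the buildroot
#   $DEV_TEMPLATE                precreated /dev (ideally a mounted cramfs)
# Needs util-linux unshare(1) and root privileges when actually run.
set -eu

MOCK_STATEDIR=${MOCK_STATEDIR:-/var/lib/mock}
DEV_TEMPLATE=${DEV_TEMPLATE:-$MOCK_STATEDIR/dev-template}

# Print the mount commands for buildroot $1, one per line, in the order they
# must run inside the private namespace:
#  - make-rprivate: keep the new mounts from propagating back to the host
#    when / is a shared subtree (systemd default); the post predates this.
#  - '-n' on every mount: nothing is written to /etc/mtab, so the host root
#    can stay read-only; the namespace itself records what is mounted.
#  - /dev: bind-mount the precreated template instead of mknod'ing devices,
#    so the build never needs CAP_MKNOD.
#  - rpmdb: 'rpm --root' still opens the host's /var/lib/rpm, so overlay the
#    buildroot's rpmdb on that path; the host database is never touched.
mount_plan() {
    root="$MOCK_STATEDIR/$1/root"
    cat <<EOF
mount -n --make-rprivate /
mount -n -t proc proc $root/proc
mount -n -t sysfs sysfs $root/sys
mount -n --bind $DEV_TEMPLATE $root/dev
mount -n --bind $root/var/lib/rpm /var/lib/rpm
EOF
}

# Run a host-side command (e.g. rpm --root "$BUILDROOT" ...) for buildroot $1
# inside a fresh mount namespace. The mounts exist only for that process
# tree: when it exits the namespace is torn down, and nothing has to be
# umounted or scrubbed out of /etc/mtab afterwards.
run_in_namespace() {
    name=$1; shift
    BUILDROOT="$MOCK_STATEDIR/$name/root" \
    unshare -m sh -ec "$(mount_plan "$name")
exec \"\$@\"" sh "$@"
}

# Demo entry point, disabled unless explicitly requested (needs root):
#   MOCK_NS_DEMO=1 sh mock-ns.sh fc6-i386 sh -c 'rpm --root "$BUILDROOT" -qa'
if [ "${MOCK_NS_DEMO:-0}" = 1 ]; then
    run_in_namespace "$@"
fi
```

Two practical notes: on systems where /etc/mtab is a symlink to /proc/self/mounts, '-n' is a harmless no-op, and the namespace still gives the automatic cleanup; and the /dev template only works as described if the filesystem it sits on is mounted without 'nodev', which is why the post prefers a dedicated cramfs mount over a directory on a general-purpose filesystem. None of this changes the post's caveat: the namespace isolates mounts, not processes, so a hostile build can still leave something running for the next build unless the build host is restarted.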