hosted reproducible package building with multiple developers?
Daniel P. Berrange
berrange at redhat.com
Fri Dec 10 18:08:11 UTC 2010
On Fri, Dec 10, 2010 at 06:06:47PM +0000, Richard W.M. Jones wrote:
> On Fri, Dec 10, 2010 at 03:06:59PM +0000, Daniel P. Berrange wrote:
> > The theory is as follows though
> >
> > 1. clone() with the CLONE_NEWNS set
> [...]
> > There are various other CLONE flags that lock down more
> > things if desired, eg to hide all host network interfaces.
>
> I don't think CLONE_* can stop them creating a /dev/hda-equivalent
> device node and then editing files on your real hard disk.
That's what the cgroups device ACL I mentioned is for. You
set it up to only allow /dev/null, /dev/zero & similar
nodes.
Daniel
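
An added example, not part of the original post or of any project's code: one way to apply and then audit the device ACL described above, using the cgroup v1 devices controller files (devices.deny, devices.allow, devices.list). The cgroup directory argument, the function and variable names, and the choice of /dev/full, /dev/random and /dev/urandom as the "similar nodes" are assumptions.

```shell
#!/bin/sh
# Added example; assumes the cgroup v1 "devices" controller.
# Hypothetical names: ALLOWED_DEVICES, apply_device_whitelist, audit_device_list.

# One rule per line: type major:minor access (r=read, w=write, m=mknod).
# 1:3 null, 1:5 zero, 1:7 full, 1:8 random, 1:9 urandom
ALLOWED_DEVICES='c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm'

# Write the whitelist into the devices cgroup directory given as $1.
apply_device_whitelist() {
    cg=$1
    # Remove the default "a *:* rwm" entry: no device may be opened
    # or created with mknod after this write.
    echo a >> "$cg/devices.deny" || return 1
    # Add back the harmless nodes, one rule per write.
    echo "$ALLOWED_DEVICES" | while IFS= read -r rule; do
        echo "$rule" >> "$cg/devices.allow" || exit 1
    done
}

# Check a file in devices.list format ($1) against the whitelist.
# Returns 0 if every entry is expected, 1 if anything else is allowed
# (for example a block device, or the catch-all "a *:* rwm").
audit_device_list() {
    list=$1
    bad=0
    while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        if ! echo "$ALLOWED_DEVICES" | grep -qxF -- "$entry"; then
            echo "unexpected device rule: $entry" >&2
            bad=1
        fi
    done < "$list"
    return $bad
}

# Usage (as root, with the sandboxed process already placed in the cgroup):
#   apply_device_whitelist /sys/fs/cgroup/devices/<group>
#   audit_device_list /sys/fs/cgroup/devices/<group>/devices.list
```

The audit step matters because a cgroup that was never restricted still lists "a *:* rwm", which permits mknod on any device number.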