
Use a sandbox with mkcomposefs --from-file #221

Closed
wants to merge 4 commits into from

Conversation

alexlarsson (Collaborator)

This is for similar reasons as its use with composefs-from-json.

This will help with reuse.

Signed-off-by: Alexander Larsson <[email protected]>
This helps protect the parsing code if some external process
is feeding data to mkcomposefs to create an image.

It's not really useful to use a sandbox when a directory is specified
though, as it needs to do way too many different kinds of operations,
as well as reading actual uids/gids etc.

Signed-off-by: Alexander Larsson <[email protected]>
Add some extra syscalls that are used on other arches:
 fstat: fstat64
 newfstatat: fstatat64
 mmap: mmap2

Signed-off-by: Alexander Larsson <[email protected]>
@alexlarsson (Collaborator, Author)

==5399==Can't open /proc/5384/task for reading.
==5384==LeakSanitizer has encountered a fatal error.

I wonder if we need to add a /proc to the sandbox. That should be relatively safe.

@cgwalters (Contributor)

I'm not opposed to this but I find it strange...I think most sandboxing like this is much better done externally. I mean we're talking about having this code be run from a thing that's a container runtime already.

@alexlarsson (Collaborator, Author)

I'm not opposed to this but I find it strange...I think most sandboxing like this is much better done externally. I mean we're talking about having this code be run from a thing that's a container runtime already.

It is somewhat uncommon, but not totally. It's more like the OpenBSD pledge thing, where you do some setup, including opening all fds that you need, and then limit yourself for the actual work. For example, we run the parser code without any access to the open/creat syscalls, which isn't really possible to do from the caller, as we need to open things in the setup.

That said, maybe it does overcomplicate things... For example with the CI failure...
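
The setup-then-restrict shape described in the comment above, as an added example rather than code from this PR or from composefs: the unrestricted parent does the work that needs path access, then the parsing stage runs under a seccomp-bpf filter that turns open, openat and openat2 into EPERM, so the parser can only use the fds it was already handed. Everything in it is assumed for illustration: the "<path> <size>" manifest format is a toy, not the real --from-file format; the function names (install_no_open_filter, parse_manifest, parse_in_sandbox) and the result codes are hypothetical; the arch check covers only x86_64 and aarch64; Linux with glibc is required. The sample manifest is constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Syscall numbers are per-ABI, so a filter must pin the architecture first. */
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
/* Same issue as the fstat64/mmap2 commit in this PR: not every ABI has every name. */
#ifndef __NR_open
#define __NR_open __NR_openat    /* aarch64 has no open(2); a duplicate entry is harmless */
#endif
#ifndef __NR_openat2
#define __NR_openat2 __NR_openat /* pre-5.6 headers; a duplicate entry is harmless */
#endif

/* Install a seccomp-bpf filter on the calling thread: open, openat and openat2
 * fail with EPERM, every other syscall is allowed.  Returns 0, or -1 on error. */
static int install_no_open_filter(void)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 2, 0),   /* hit: jump to the EPERM return */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat2, 0, 1), /* miss: fall through to ALLOW */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };
    /* Required for an unprivileged caller; also keeps execve from gaining privileges under a filter it did not choose. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Toy stand-in for a --from-file parser: lines of "<path> <size>"; only ever reads the fd it was handed. */
static int parse_manifest(int fd, long *total, unsigned *entries)
{
    char buf[4096], *save = NULL, *end = ""; size_t used = 0; ssize_t got = 0;
    while (used < sizeof buf - 1 && (got = read(fd, buf + used, sizeof buf - 1 - used)) > 0)
        used += (size_t)got;
    if (got < 0 || used >= sizeof buf - 1) return -1;   /* read error or over the toy size cap */
    buf[used] = '\0';
    *total = 0, *entries = 0;
    for (char *ln = strtok_r(buf, "\n", &save); ln; ln = strtok_r(NULL, "\n", &save)) {
        char *sp = strrchr(ln, ' ');
        errno = 0;
        long size = (sp && sp > ln) ? strtol(sp + 1, &end, 10) : -1;
        if (size < 0 || errno || *end) return -1;      /* malformed line: reject the whole manifest */
        *total += size, (*entries)++;
    }
    return 0;
}

enum { SB_OK, SB_PARSE_ERROR, SB_OPEN_NOT_BLOCKED, SB_FILTER_FAILED, SB_CHILD_FAILED };
struct sandbox_result { int status; long total; unsigned entries; };
/* Setup-then-restrict: the unrestricted parent produces the input fd, a child
 * installs the filter and only then parses untrusted data.  The child checks
 * that open() now fails with EPERM and _exit()s, so the filter never reaches the parent. */
static struct sandbox_result parse_in_sandbox(const char *manifest)
{
    struct sandbox_result r = { SB_CHILD_FAILED, 0, 0 };
    size_t len = strlen(manifest); int in[2], out[2], st;
    /* len stays far below pipe capacity, so the pre-fork write cannot block. */
    if (len >= 4096 || pipe(in) != 0 || pipe(out) != 0 || write(in[1], manifest, len) != (ssize_t)len) return r;
    pid_t pid = fork();
    if (pid == 0) {
        struct sandbox_result cr = { SB_OK, 0, 0 };
        close(in[1]);                                   /* so read() sees EOF once the parent closes too */
        if (install_no_open_filter() != 0)
            cr.status = SB_FILTER_FAILED;
        else if (parse_manifest(in[0], &cr.total, &cr.entries) != 0)
            cr.status = SB_PARSE_ERROR;
        else if (open("/dev/null", O_RDONLY) != -1 || errno != EPERM)
            cr.status = SB_OPEN_NOT_BLOCKED;            /* the restriction is not actually in force */
        _exit(write(out[1], &cr, sizeof cr) == (ssize_t)sizeof cr ? 0 : 1);
    }
    close(in[0]), close(in[1]), close(out[1]);
    if (pid > 0 && read(out[0], &r, sizeof r) != (ssize_t)sizeof r) r.status = SB_CHILD_FAILED;
    close(out[0]);
    if (pid > 0) waitpid(pid, &st, 0);
    return r;
}
```

Two caveats line up with the discussion above. First, a filter is only as good as its syscall list, and names differ per ABI: this denylist has to cope with open being absent on aarch64 in the same way the fstat64/fstatat64/mmap2 commit does for an allowlist, and an allowlist of what the parser actually needs is the stronger design. Second, a filter is inherited by everything that runs afterwards in that process, including exit-time tooling; the LeakSanitizer error quoted above shows a tool that needed to open a path under /proc after the sandbox forbade it. Running the restricted stage in a child that _exit()s, as here, keeps the filter out of the parent; making /proc available inside the sandbox, as suggested above, is the other route, which also indicates the PR's sandbox restricts the filesystem view in a way this seccomp-only example does not.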

@alexlarsson alexlarsson marked this pull request as draft October 13, 2023 12:22
@alexlarsson (Collaborator, Author)

closing this for now, not sure it's right
