Mailinglist Archive: opensuse-buildservice (137 mails)

Re: [opensuse-buildservice] OBS ARM build discussion I would like to start
On 30/12/11 15:17, Marcus Meissner wrote:
> On Fri, Dec 30, 2011 at 03:05:57PM -0300, Cristian Rodríguez wrote:
>> On 30/12/11 15:04, Marcus Meissner wrote:
>>> On Fri, Dec 30, 2011 at 03:01:37PM -0300, Cristian Rodríguez wrote:
>>>> On 21/12/11 07:34, Joop Boonen wrote:
>>>>> Hi all,
>>>>>
>>>>> Currently we have the following problem.
>>>>> Due to security issues we only have native ARM workers for the internal
>>>>> openSUSE buildservice. For the external build service we only use qemu.
>>>>
>>>> Huh? LXC or simply the systemd-nspawn util does not provide enough
>>>> security for building packages?
>>>
>>> No.
>>
>> Really? Why? Or we are once again trading usability for paranoia?
>
> We currently consider it not being able to confine root processes.
>
> If you can think of a method where you can do the full build process as non-root
> it might be usable.
>
> https://bugzilla.novell.com/show_bug.cgi?id=708989 is our audit tracker bug,
> but we really have not looked that deep.

OK, in the above-mentioned report, there is this sentence:

"cannot really jail a root process as all containers share
the same host kernel and f.e. LKM's can easily bypass it."

What does he mean by "LKM's can easily bypass it"? When using systemd-nspawn, the following is the expected behaviour:

"Network interfaces and the system clock may not be changed from within the container. Device nodes may not be created. The
host system cannot be rebooted and **kernel modules may not be loaded from within the container**"
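
Added example, not part of the original message or of any openSUSE tooling: a small Python check that reads the capability bounding set (`CapBnd`) from `/proc/<pid>/status` and reports whether a root process could still perform the operations named in the quoted sentence. The mapping of each restriction to a Linux capability and the two sample status texts are this example's own; the thread does not say which mechanism enforces the restrictions.

```python
import re
import sys

# Capability bit numbers from <linux/capability.h>, paired with the
# operation from the quoted sentence that the kernel gates on each one.
# The pairing is this example's assumption, not something the thread states.
RELEVANT_CAPS = {
    "CAP_NET_ADMIN": (12, "change network interfaces"),
    "CAP_SYS_MODULE": (16, "load kernel modules"),
    "CAP_SYS_BOOT": (22, "reboot the host"),
    "CAP_SYS_TIME": (25, "set the system clock"),
    "CAP_MKNOD": (27, "create device nodes"),
}

# Constructed samples: root with a full bounding set, and root with the
# five capabilities above removed from the bounding set.
HOST_ROOT = "Name:\tbash\nUid:\t0\t0\t0\t0\nCapBnd:\t0000003fffffffff\n"
CONFINED_ROOT = "Name:\tbash\nUid:\t0\t0\t0\t0\nCapBnd:\t0000003ff5beefff\n"


def bounding_set(status_text):
    """Return the CapBnd mask from the text of /proc/<pid>/status."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapBnd line found")
    return int(m.group(1), 16)


def retained(status_text):
    """Names of the relevant capabilities still in the bounding set."""
    mask = bounding_set(status_text)
    return sorted(n for n, (bit, _) in RELEVANT_CAPS.items() if mask >> bit & 1)


def report(status_text):
    """One line per capability: ALLOWED if still obtainable, else dropped."""
    kept = retained(status_text)
    return [
        f"{name:<15} {'ALLOWED' if name in kept else 'dropped':<8} ({what})"
        for name, (_, what) in sorted(RELEVANT_CAPS.items())
    ]


if __name__ == "__main__":
    # With a PID argument, inspect that live process; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(f"/proc/{sys.argv[1]}/status") as fh:
            text = fh.read()
    else:
        text = CONFINED_ROOT
    print("\n".join(report(text)))
```

A capability missing from the bounding set cannot be regained by the process or its children through `execve`, so this shows what the kernel will refuse even to UID 0; it says nothing about kernel bugs reachable from inside the container.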


