On Thu, Sep 27, 2018 at 02:45:27PM -0300, Cristian Rodríguez wrote:
El 27-09-2018 a las 13:09, Matthias Gerstner escribió:
Hello packagers,
the SUSE security team wants to draw your attention to a potential security threat involving the use of `quilt setup ...` on untrusted RPM spec files.
You can do all of this with systemd-run, no need to install anything new something like:
systemd-run -q --wait --pty -p PrivateDevices=yes -p ProtectSystem=full -p BindPaths=... -p |ProtectHome=tmpfs| -p ... .. see the systemd.exec and systemd-run man pages for more details.
systemd-run -q --wait --pty -p PrivateDevices=yes ls /dev
This is nice, but it requires root privileges. nsjail has the advantage that you confine this as normal user Johannes -- GPG Key E7C81FA0 EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0 Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66 SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton HRB 21284 (AG Nürnberg)