Skip to content

Add a new plugin to enable Linux-specific namespace functionality #2666

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 11, 2023
Merged

Add a new plugin to enable Linux-specific namespace functionality #2666

merged 1 commit into from
Oct 11, 2023

Conversation

@pmatilai
Copy link
Member

@pmatilai pmatilai commented Sep 15, 2023

A plugin is a convenient place to hide Linux-specific functionality. Implemented in this initial version are:

  • Optional private mounts during scriptlet execution, useful for protecting the system from scriptlets (eg /home) and the scriptlets from themselves (eg insecure /tmp usage)
  • Optionally disable network access during scriptlet execution

Note that at this time, scriplets executed with the embedded Lua interpreter are not covered by this because they run inside the main rpm process instead of forking (#2635).

Fixes: #2632
Fixes: #2665

@pmatilai pmatilai mentioned this pull request Sep 15, 2023
Closed
@pmatilai
Copy link
Member Author

pmatilai commented Sep 28, 2023

Added a testcase for private /tmp

Here's yet another thing we couldn't have tested with fakechroot...

@pmatilai
Add a new plugin to enable Linux-specific namespace functionality
2d79259 
A plugin is a convenient place to hide Linux-specific functionality.
Implemented in this initial version are:

- Optional private mounts during scriptlet execution, useful for
  protecting the system from scriptlets (eg /home) and the scriptlets
  from themselves (eg insecure /tmp usage)
- Optionally disable network access during scriptlet execution

Note that at this time, scriplets executed with the embedded Lua
interpreter are not covered by this because they run inside the main rpm
process instead of forking (rpm-software-management#2635).

Add a testcase for private /tmp

Suggested-by: Johannes Segitz <[email protected]>

Fixes: rpm-software-management#2632
Fixes: rpm-software-management#2665
@pmatilai
Copy link
Member Author

pmatilai commented Oct 11, 2023

Since there's no input, I conclude this is good enuf for a first version. No doubt there are various other enhancements we can do in this space.

@pmatilai pmatilai merged commit fd8eaa5 into rpm-software-management:master Oct 11, 2023
@pmatilai pmatilai deleted the unshare branch October 11, 2023 06:52
@dmnks dmnks added the plugins RPM plugins label Nov 28, 2023
@dmnks dmnks added the RFE label Mar 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

plugins RPM plugins RFE

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

RFE: run scriptlets in selective filesystem isolation RFE: prevent scriptlet network access

2 participants

@pmatilai @dmnks