x32 builder has network access

Jan Palus atler at pld-linux.org
Wed Jan 18 20:22:31 CET 2023


On 18.01.2023 16:48, Jakub Bogusz wrote:
> On Wed, Jan 18, 2023 at 01:02:34PM +0100, Arkadiusz Miśkiewicz via pld-devel-en wrote:
> > On 18.01.2023 09:56, Jan Palus wrote:
> > >On 18.01.2023 07:54, Arkadiusz Miśkiewicz via pld-devel-en wrote:
> > >>On 17.01.2023 12:23, Jan Palus wrote:
> > >>>Noticed during build of kodi-addon-inputstream-adaptive that contrary to
> > >>>x86_64 and i686, x32 builder downloaded external sources successfully:
> > >>
> > >>bind was installed there and it seems that even if there is no access to
> > >>/etc/resolv.conf glibc falls back to querying 127.0.0.1:53
> > >>
> > >>Uninstalled.
> > >>
> > >>The best would be to change UID of "builder" user used inside of chroot
> > >>and drop all outgoing packets coming from it at iptables level.
> > >
> > >Or perhaps modify pld-builder to make each rpmbuild invocation in a new
> > >network namespace via `unshare -n -c`. That would effectively cut whole
> > >network for the process.
> > 
> > We can try that... committed.
> 
> i686 and x86_64 say:
> "unshare: unshare failed: Operation not permitted"

Unfortunately it appears it's not possible to create user namespaces in
a chroot:

       EPERM (since Linux 3.9)
              CLONE_NEWUSER was specified in flags and the caller is in a chroot environment
              (i.e., the caller's root directory does not match the root directory of the
              mount namespace in which it resides).
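
A minimal reproduction of that EPERM, added here as an example and not part of the thread: a forked child is chroot()ed into a scratch directory and then calls unshare(2), first with CLONE_NEWUSER and then with CLONE_NEWNET, showing that only the user namespace is refused from a chroot. The network namespace alone is exempt from that rule but needs CAP_SYS_ADMIN, so it has to be set up before dropping to the unprivileged build user; the example assumes Linux 3.9 or later and is run as root (unprivileged callers get -1 because chroot() itself fails).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
/* Fallbacks in case <sched.h> was included without _GNU_SOURCE. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000
#endif
int unshare(int flags);

/* Fork a child, chroot() it into a scratch directory and call
 * unshare(flags) there. Returns unshare's errno (0 on success), or -1
 * when the chroot could not be set up, e.g. because we are not root. */
int unshare_in_chroot(int flags)
{
    char dir[] = "/tmp/nsdemo.XXXXXX";   /* constructed scratch path */
    int status, rc = -1;
    if (mkdtemp(dir) == NULL)
        return -1;
    pid_t pid = fork();
    if (pid == 0) {
        if (chroot(dir) != 0 || chdir("/") != 0)
            _exit(255);                  /* chroot unavailable */
        _exit(unshare(flags) == 0 ? 0 : errno);
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        rc = WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
    rmdir(dir);
    return rc;
}

int main(void)
{
    /* Kernel >= 3.9 refuses CLONE_NEWUSER from a chroot with EPERM: this
     * is what `unshare -n -c` (user + net namespace) hit on the builders. */
    int user_ns = unshare_in_chroot(CLONE_NEWUSER);
    /* CLONE_NEWNET alone is exempt from that rule but needs CAP_SYS_ADMIN,
     * so as root it succeeds even inside the chroot. */
    int net_ns = unshare_in_chroot(CLONE_NEWNET);
    printf("CLONE_NEWUSER: %s\nCLONE_NEWNET: %s\n",
           user_ns < 0 ? "chroot unavailable" : strerror(user_ns),
           net_ns < 0 ? "chroot unavailable" : strerror(net_ns));
    return 0;
}
```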
