From: Jan Kiszka
To: isar-users
Subject: [PATCH 1/8] Mount devtmpfs read-only into chroot
Date: Fri, 16 Feb 2018 09:52:17 +0100
Message-Id: <02a592150c34714e0729d4fc73f86ff031fee514.1518771143.git.jan.kiszka@siemens.com>

It's too easy to destroy the content of devtmpfs, which is shared with the host (including privileged container setups), by calling rm -rf on an output dir that still has devtmpfs mounted.

To achieve write protection for device nodes, we can't mount devtmpfs directly in read-only mode as that will change all mounts to that mode. Luckily, doing a read-only bind-mount does the trick.

Signed-off-by: Jan Kiszka
---
 meta/classes/dpkg-base.bbclass                   | 2 +-
 meta/recipes-devtools/buildchroot/buildchroot.bb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/classes/dpkg-base.bbclass b/meta/classes/dpkg-base.bbclass
index 5eef11b..78709f9 100644
--- a/meta/classes/dpkg-base.bbclass
+++ b/meta/classes/dpkg-base.bbclass
@@ -41,7 +41,7 @@ do_build() { if ! grep -q ${BUILDCHROOT_DIR}/isar-apt /proc/mounts; then \ mount --bind ${DEPLOY_DIR_APT}/${DISTRO} ${BUILDCHROOT_DIR}/isar-apt; \ mount --bind ${DL_DIR} ${BUILDCHROOT_DIR}/downloads; \ - mount -t devtmpfs -o mode=0755,nosuid devtmpfs ${BUILDCHROOT_DIR}/dev; \ + mount --bind -o ro /dev ${BUILDCHROOT_DIR}/dev; \ mount -t proc none ${BUILDCHROOT_DIR}/proc; \ fi' diff --git a/meta/recipes-devtools/buildchroot/buildchroot.bb b/meta/recipes-devtools/buildchroot/buildchroot.bb index 520daf9..1eca035 100644 --- a/meta/recipes-devtools/buildchroot/buildchroot.bb +++ b/meta/recipes-devtools/buildchroot/buildchroot.bb @@ -66,7 +66,7 @@ do_build() { "${WORKDIR}/multistrap.conf.in" > "${WORKDIR}/multistrap.conf" sudo mount --bind ${DEPLOY_DIR_APT}/${DISTRO} ${BUILDCHROOT_DIR}/isar-apt - sudo mount -t devtmpfs -o mode=0755,nosuid devtmpfs ${BUILDCHROOT_DIR}/dev + sudo mount --bind -o ro /dev ${BUILDCHROOT_DIR}/dev sudo mount -t proc none ${BUILDCHROOT_DIR}/proc # Create root filesystem -- 2.13.6
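Review bot: in the dpkg-base.bbclass hunk, `mount --bind -o ro /dev ${BUILDCHROOT_DIR}/dev` only yields a read-only mount with util-linux 2.27 or newer, which implements `ro` on a bind mount in userspace as a second remount call; older versions silently ignore the option and leave the bind writable. Since the whole point of the patch is write protection, follow the mount with a check that `${BUILDCHROOT_DIR}/dev` shows up with `ro` in /proc/mounts (the `grep -q ... /proc/mounts` guard on the same lines already shows the pattern) and fail the task if it does not. Two things the commit message should also record: the replaced line carried `nosuid`, which the bind now only inherits if the host's /dev is mounted that way, and a read-only mount protects the device nodes themselves (no rm, mknod or chmod on them) but not the devices behind them, because opening a device node for write is still permitted on a read-only filesystem; `rm -rf` of the output dir is contained, writes through existing nodes are not.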
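Review bot: the buildchroot.bb hunk repeats the exact mount command from dpkg-base.bbclass, so the two will drift the next time either is touched; define the bind-mount options once (a variable in a shared class, for example) and use it in both recipes, which also keeps the util-linux 2.27 requirement for `-o ro` with `--bind` in a single place. Unlike the dpkg-base hunk, this one has no already-mounted guard around `sudo mount --bind -o ro /dev ${BUILDCHROOT_DIR}/dev`, so a re-run of do_build stacks a second bind mount on top of the first; that behaviour is pre-existing, but it means the unmount path has to pop every layer before an `rm -rf` of ${BUILDCHROOT_DIR} is safe, and the read-only flag does nothing to stop the stacking.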