From: Jan Kiszka <jan.kiszka@siemens.com>
To: Alexander Smirnov, isar-users <isar-users@googlegroups.com>
Subject: Re: [PATCH 1/8] Mount devtmpfs read-only into chroot
Date: Tue, 20 Feb 2018 08:03:30 +0100
Message-ID: <04a11ae7-172c-474d-8e59-a0f5e5465884@siemens.com>
In-Reply-To: <7e4d36c6-9556-6a69-9ffa-dfbc2e1744ba@ilbers.de>
References: <02a592150c34714e0729d4fc73f86ff031fee514.1518771143.git.jan.kiszka@siemens.com> <7e4d36c6-9556-6a69-9ffa-dfbc2e1744ba@ilbers.de>

On 2018-02-20 07:38, Alexander Smirnov wrote:
> On 02/16/2018 11:52 AM, Jan Kiszka wrote:
>> From: Jan Kiszka
>>
>> It's too easy to destroy the content of devtmpfs, which is shared with
>> the host (including privileged container setups), by calling rm -rf on
>> an output dir that still has devtmpfs mounted.
>>
>
> Just tested this:
>
> builder@zbook:~/isar/build$ mkdir aaa
> builder@zbook:~/isar/build$ mount -t devtmpfs -o mode=0755,nosuid,ro
> devtmpfs aaa/

I've tried that path first, but it turns all mount points of devtmpfs
into read-only mode - not a good idea... I think we need to go back to
mknod for the rootfs.

Jan

>
> # Existing host /dev
> [asmirnov@zbook patches]$ sudo rm /dev/ram16
> OK
>
> # RO mount point
> builder@zbook:~/isar/build$ sudo rm aaa/ram15
> rm: cannot remove ‘aaa/ram15’: Read-only file system
>
> What am I doing wrong?
>
> BTW: started a test build on the server to check if the problem with wheezy goes away.
>
> Alex
>
>> To achieve write protection for device nodes, we can't mount devtmpfs
>> directly in read-only mode as that will change all mounts to that mode.
>> Luckily, doing a read-only bind-mount does the trick.
>>
>> Signed-off-by: Jan Kiszka
>> ---
>>   meta/classes/dpkg-base.bbclass                   | 2 +-
>>   meta/recipes-devtools/buildchroot/buildchroot.bb | 2 +-
>>   2 files changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/meta/classes/dpkg-base.bbclass
>> b/meta/classes/dpkg-base.bbclass
>> index 5eef11b..78709f9 100644
>> --- a/meta/classes/dpkg-base.bbclass
>> +++ b/meta/classes/dpkg-base.bbclass
>> @@ -41,7 +41,7 @@ do_build() {
>>           if ! grep -q ${BUILDCHROOT_DIR}/isar-apt /proc/mounts; then \
>>               mount --bind ${DEPLOY_DIR_APT}/${DISTRO}
>> ${BUILDCHROOT_DIR}/isar-apt; \
>>               mount --bind ${DL_DIR} ${BUILDCHROOT_DIR}/downloads; \
>> -            mount -t devtmpfs -o mode=0755,nosuid devtmpfs
>> ${BUILDCHROOT_DIR}/dev; \
>> +            mount --bind -o ro /dev ${BUILDCHROOT_DIR}/dev; \
>>               mount -t proc none ${BUILDCHROOT_DIR}/proc; \
>>           fi'
>>   
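Review bot: the `+` line in the dpkg-base.bbclass hunk relies on `mount --bind -o ro` applying the `ro` flag in one step, which mount(8) only does since util-linux 2.27 (it issues an extra remount internally because the kernel does not accept flags on the initial bind); on an older host the option is silently ignored, the chroot's /dev stays writable, and the `rm -rf` case this patch is meant to guard against is back. Following the bind with an explicit `mount -o remount,bind,ro ${BUILDCHROOT_DIR}/dev`, or at least checking /proc/mounts for the `ro` flag before continuing, would make the protection fail closed. The `nosuid` from the removed `-` line is also gone: the bind mount now inherits whatever flags the host's /dev carries, so either state that this is intended in a comment or add `nosuid` back to the option list (subject to the same remount caveat).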
>> diff --git a/meta/recipes-devtools/buildchroot/buildchroot.bb
>> b/meta/recipes-devtools/buildchroot/buildchroot.bb
>> index 520daf9..1eca035 100644
>> --- a/meta/recipes-devtools/buildchroot/buildchroot.bb
>> +++ b/meta/recipes-devtools/buildchroot/buildchroot.bb
>> @@ -66,7 +66,7 @@ do_build() {
>>              "${WORKDIR}/multistrap.conf.in" >
>> "${WORKDIR}/multistrap.conf"
>>         sudo mount --bind ${DEPLOY_DIR_APT}/${DISTRO}
>> ${BUILDCHROOT_DIR}/isar-apt
>> -    sudo mount -t devtmpfs -o mode=0755,nosuid devtmpfs
>> ${BUILDCHROOT_DIR}/dev
>> +    sudo mount --bind -o ro /dev ${BUILDCHROOT_DIR}/dev
>>       sudo mount -t proc none ${BUILDCHROOT_DIR}/proc
>>         # Create root filesystem
>>
>

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux
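Review bot: the buildchroot.bb hunk is the second copy of the same mount sequence (the identical `mount --bind -o ro /dev ${BUILDCHROOT_DIR}/dev` replacement also lands in dpkg-base.bbclass), so the read-only and `nosuid` decisions now have to be kept in sync by hand in two recipes; moving the chroot mount and unmount steps into one shared helper would keep later hardening changes from diverging. The util-linux caveat applies here too: `-o ro` on `--bind` is honoured only from 2.27 on, and on an older host the `+` line leaves the host's device nodes reachable read-write through the work directory. Either add `sudo mount -o remount,bind,ro ${BUILDCHROOT_DIR}/dev` after the bind or verify in /proc/mounts that the mount point really shows `ro`, and abort the build if it does not.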
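The `ro` flag is the whole protection in this patch, so a build step would want to confirm it took effect before anything touches the work directory. The following is an added example, not code from the patch or from the Isar project: a POSIX sh check that reads a /proc/mounts-style table from stdin and reports whether a given mount point is read-only, read-write or absent. The sample table, the `/build/chroot-*` paths and the function names `mount_is_ro` and `require_ro_mount` are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the patch or from Isar): confirm that a directory
# is covered by a read-only mount before a build proceeds. The table is read
# from stdin so the same function can run against /proc/mounts or a fixture.

# Usage: mount_is_ro <mountpoint> < /proc/mounts
# Exit status: 0 = mounted read-only, 1 = mounted read-write, 2 = not mounted.
mount_is_ro() {
    target="$1"
    state=2
    # /proc/mounts fields: source target fstype options dump pass.
    # Paths containing spaces appear there as \040; that is not decoded here.
    while read -r _src tgt _fstype opts _rest; do
        [ "$tgt" = "$target" ] || continue
        # A later entry for the same target shadows earlier ones, so keep
        # scanning and let the last match win.
        case ",$opts," in
            *,ro,*) state=0 ;;
            *)      state=1 ;;
        esac
    done
    return "$state"
}

# Guard a build script could call right after its mount step.
# Usage: require_ro_mount <mountpoint> < /proc/mounts
require_ro_mount() {
    rc=0
    mount_is_ro "$1" || rc=$?
    case "$rc" in
        0) echo "$1: mounted read-only, safe to proceed" ;;
        1) echo "$1: mounted READ-WRITE, refusing to continue" >&2 ;;
        *) echo "$1: not mounted" >&2 ;;
    esac
    return "$rc"
}

# Constructed sample table in /proc/mounts format (paths are placeholders):
# the host /dev, a read-only bind of it into one chroot, and a second chroot
# where the ro flag did not take effect (e.g. an old util-linux ignored it).
SAMPLE_MOUNTS='udev /dev devtmpfs rw,nosuid,relatime,size=8151920k,nr_inodes=2037980,mode=755 0 0
udev /build/chroot-ok/dev devtmpfs ro,nosuid,relatime,size=8151920k,nr_inodes=2037980,mode=755 0 0
proc /build/chroot-ok/proc proc rw,nosuid,nodev,noexec,relatime 0 0
udev /build/chroot-bad/dev devtmpfs rw,nosuid,relatime,size=8151920k,nr_inodes=2037980,mode=755 0 0'

# Demonstration against the constructed table; on a real host replace the
# printf with:  require_ro_mount "${BUILDCHROOT_DIR}/dev" < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | require_ro_mount /build/chroot-ok/dev
printf '%s\n' "$SAMPLE_MOUNTS" | require_ro_mount /build/chroot-bad/dev || true
```

Matching on the exact target path rather than a prefix matters: the host's own `/dev` entry is read-write by design, and only the bind inside the chroot is expected to carry `ro`.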