Subject: Re: [PATCH 1/8] Mount devtmpfs read-only into chroot
From: Alexander Smirnov
To: Jan Kiszka, isar-users
Date: Tue, 20 Feb 2018 09:38:50 +0300
Message-ID: <7e4d36c6-9556-6a69-9ffa-dfbc2e1744ba@ilbers.de>
In-Reply-To: <02a592150c34714e0729d4fc73f86ff031fee514.1518771143.git.jan.kiszka@siemens.com>

On 02/16/2018 11:52 AM, Jan Kiszka wrote:
> From: Jan Kiszka
>
> It's too easy to destroy the content of devtmpfs, which is shared with
> the host (including privileged container setups), by calling rm -rf on
> an output dir that still has devtmpfs mounted.
>

Just tested this:

builder@zbook:~/isar/build$ mkdir aaa
builder@zbook:~/isar/build$ mount -t devtmpfs -o mode=0755,nosuid,ro devtmpfs aaa/

# Existing host /dev
[asmirnov@zbook patches]$ sudo rm /dev/ram16
OK

# RO mount point
builder@zbook:~/isar/build$ sudo rm aaa/ram15
rm: cannot remove ‘aaa/ram15’: Read-only file system

What am I doing wrong?

BTW: started a test build on the server to check if the problem with wheezy will go away.

Alex

> To achieve write protection for device nodes, we can't mount devtmpfs
> directly in read-only mode as that will change all mounts to that mode.
> Luckily, doing a read-only bind-mount does the trick.
>
> Signed-off-by: Jan Kiszka
> --- > meta/classes/dpkg-base.bbclass | 2 +- > meta/recipes-devtools/buildchroot/buildchroot.bb | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/meta/classes/dpkg-base.bbclass b/meta/classes/dpkg-base.bbclass > index 5eef11b..78709f9 100644 > --- a/meta/classes/dpkg-base.bbclass > +++ b/meta/classes/dpkg-base.bbclass > @@ -41,7 +41,7 @@ do_build() { > if ! grep -q ${BUILDCHROOT_DIR}/isar-apt /proc/mounts; then \ > mount --bind ${DEPLOY_DIR_APT}/${DISTRO} ${BUILDCHROOT_DIR}/isar-apt; \ > mount --bind ${DL_DIR} ${BUILDCHROOT_DIR}/downloads; \ > - mount -t devtmpfs -o mode=0755,nosuid devtmpfs ${BUILDCHROOT_DIR}/dev; \ > + mount --bind -o ro /dev ${BUILDCHROOT_DIR}/dev; \ > mount -t proc none ${BUILDCHROOT_DIR}/proc; \ > fi' > > diff --git a/meta/recipes-devtools/buildchroot/buildchroot.bb b/meta/recipes-devtools/buildchroot/buildchroot.bb > index 520daf9..1eca035 100644 > --- a/meta/recipes-devtools/buildchroot/buildchroot.bb > +++ b/meta/recipes-devtools/buildchroot/buildchroot.bb 
> @@ -66,7 +66,7 @@ do_build() { > "${WORKDIR}/multistrap.conf.in" > "${WORKDIR}/multistrap.conf" > > sudo mount --bind ${DEPLOY_DIR_APT}/${DISTRO} ${BUILDCHROOT_DIR}/isar-apt > - sudo mount -t devtmpfs -o mode=0755,nosuid devtmpfs ${BUILDCHROOT_DIR}/dev > + sudo mount --bind -o ro /dev ${BUILDCHROOT_DIR}/dev > sudo mount -t proc none ${BUILDCHROOT_DIR}/proc > > # Create root filesystem >

-- 
With best regards,
Alexander Smirnov

ilbers GmbH
Baierbrunner Str. 28c
D-81379 Munich
+49 (89) 122 67 24-0
http://ilbers.de/
Commercial register Munich, HRB 214197
General manager: Baurzhan Ismagulov
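
Review bot: In the dpkg-base.bbclass hunk, `mount --bind -o ro /dev ${BUILDCHROOT_DIR}/dev` depends on mount(8) turning one command into a bind followed by a read-only remount; the kernel ignores `ro` on the bind call itself, and util-linux only performs the extra remount since 2.27. On a host with an older mount the line succeeds and leaves a writable bind of the host's /dev, which is the case this patch is meant to prevent. Suggest making both steps explicit, `mount --bind /dev ${BUILDCHROOT_DIR}/dev` followed by `mount -o remount,bind,ro ${BUILDCHROOT_DIR}/dev`, or checking /proc/mounts for `ro` on that mount point afterwards.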
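
Review bot: The `+ sudo mount --bind -o ro /dev ${BUILDCHROOT_DIR}/dev` line in the buildchroot.bb hunk no longer passes `nosuid`, which the removed line set explicitly. A bind mount takes its kernel mount flags from the source mount, so the restriction now depends on how the host mounted /dev. If it is still wanted, state it on the new line, for example `-o ro,nosuid`, and mention the dropped `mode=0755,nosuid` options in the commit message.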
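
Added example, not part of this thread or of Isar: a guard against the failure the commit message describes, which lists mounts still present below an output directory and refuses cleanup while any remain. The function names, paths and the mount table are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (not taken from the thread).
SAMPLE_MOUNTS='devtmpfs /dev devtmpfs rw,nosuid,mode=755 0 0
/dev/sda1 /home/builder/isar/build/tmp/buildchroot/isar-apt ext4 rw,relatime 0 0
devtmpfs /home/builder/isar/build/tmp/buildchroot/dev devtmpfs ro,nosuid,mode=755 0 0
proc /home/builder/isar/build/tmp/buildchroot/proc proc rw,relatime 0 0
devtmpfs /home/builder/isar/build-old/dev devtmpfs rw,nosuid 0 0'

# Print "mountpoint options" for every mount at or below directory $1.
# The mount table is read from stdin, e.g. "< /proc/mounts" on a live host.
# Assumption: no spaces in paths (/proc/mounts encodes them as \040).
mounts_under() {
    dir=${1%/}
    while read -r _dev mnt _type opts _rest; do
        case "$mnt" in
            # Match the directory itself or a path below it, so that
            # ".../build-old" is not mistaken for ".../build".
            "$dir"|"$dir"/*) printf '%s %s\n' "$mnt" "$opts" ;;
        esac
    done
}

# Succeed only if the option list $1 contains the exact option "ro".
is_readonly() {
    case ",$1," in *,ro,*) return 0 ;; *) return 1 ;; esac
}

# Print the mount points below $1 that are still writable.
writable_mounts_under() {
    mounts_under "$1" | while read -r mnt opts; do
        is_readonly "$opts" || printf '%s\n' "$mnt"
    done
}

# Succeed only if nothing at all is mounted at or below $1; a read-only
# mount still has to be unmounted before the directory is removed.
safe_to_remove() {
    [ -z "$(mounts_under "$1")" ]
}
```

On a build host the guard would run as `safe_to_remove "$dir" < /proc/mounts && rm -rf "$dir"`, with `writable_mounts_under` used to report which mounts expose host data to a recursive delete.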