On Fri, 07 Oct 2016 at 10:09:34 +0200, Philip Hands wrote:
> I only stumbled across 'firejail' recently, but it seems possible that
> one could run the build under it, to lock things down and/or get reports
> of naughtiness.

firejail is a "do what I mean" approach to sandboxing, AIUI. It might be
too complicated or too thorough (too restrictive) for builds.

unshare(1) in the util-linux package is a more minimal approach to the
same syscalls that firejail presumably uses. You might need to be root
for that one.

bwrap(1) in the bubblewrap package is a middle-ground between the two.
Like firejail, it's setuid (on Debian - Ubuntu's kernel allows
unprivileged userns, so it doesn't need to be setuid there) and needs a
semi-recent kernel. It's how the sandboxing part of Flatpak works (and in
fact is a spin-off from Flatpak - it was separated out so that other
projects can share it, and only need one setuid binary between them).

I think schroot also has internal support for unsharing the network
namespace, which is what unshare(1) and bwrap do, and probably also what
firejail does.

    $ telnet 8.8.8.8
    Trying 8.8.8.8...
    ^C
    $ bwrap --unshare-net --ro-bind / / telnet 8.8.8.8
    Trying 8.8.8.8...
    telnet: Unable to connect to remote host: Network is unreachable

Regards,
    S
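As an added example (not part of the thread above), a small wrapper that runs a build command with its network namespace unshared, preferring bwrap(1) and falling back to unshare(1) from util-linux, and then checks from inside the namespace that only the loopback interface is visible; the build-directory layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: run a build with its network namespace
# unshared, preferring bwrap(1) and falling back to unshare(1) (util-linux).
# Flags used: bwrap --unshare-net/--ro-bind/--bind/--chdir and
# unshare --user --map-root-user --net. The build-dir layout is an assumption.
set -eu

# Choose the sandbox tool available on this host: bwrap, unshare, or none.
pick_sandbox_tool() {
    if command -v bwrap >/dev/null 2>&1; then echo bwrap
    elif command -v unshare >/dev/null 2>&1; then echo unshare
    else echo none
    fi
}

# Print the command prefix that puts the build in a new network namespace.
# bwrap: read-only view of / plus a writable bind of the build dir.
# unshare: a user namespace (so it works without root where the kernel allows
# unprivileged userns) plus a fresh, interface-less network namespace.
sandbox_prefix() {
    tool=$1 dir=$2
    case $tool in
        bwrap)   echo "bwrap --unshare-net --ro-bind / / --bind $dir $dir --chdir $dir --" ;;
        unshare) echo "unshare --user --map-root-user --net --" ;;
        none)    echo "" ;;   # no isolation available: caller must decide
        *)       echo "unknown sandbox tool: $tool" >&2; return 1 ;;
    esac
}

# Run the build command ($2...) inside $1 under the chosen sandbox.
# The exit status is the build's own exit status.
run_sandboxed_build() {
    dir=$1; shift
    prefix=$(sandbox_prefix "$(pick_sandbox_tool)" "$dir")
    # $prefix is split on whitespace on purpose; $dir must not contain spaces.
    (cd "$dir" && $prefix "$@")
}

# Sanity check: /proc/net is per-process netns, so inside the sandbox only
# "lo" should be listed. Prints "isolated" or "NOT isolated" and returns 0/1.
check_net_isolated() {
    dir=${1:-.}
    ifaces=$(run_sandboxed_build "$dir" sh -c \
        'tail -n +3 /proc/net/dev | cut -d: -f1 | tr -d " "')
    if [ "$ifaces" = "lo" ]; then echo isolated
    else echo "NOT isolated ($ifaces)"; return 1
    fi
}
```

Running `check_net_isolated .` before a build confirms the isolation actually took effect, which matters because the `none` fallback silently runs with full network access.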