Mount /sys RO

As noted inline, this works around potential issues by being a strong
indication you are in a container (e.g. [1]).  Since nothing should be
changing anything on the host/build system, this is a generically
safer way to operate.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1975588

Change-Id: Ic6802c4ffc2e825f129af10717860a2d1770fe80
This commit is contained in:
Ian Wienand 2021-07-02 09:26:20 +10:00
parent 75ee18b01b
commit 12b60c4088
8 changed files with 22 additions and 7 deletions

View File

@ -48,7 +48,7 @@ function apt_sources_write {
} }
sudo mount -t proc none $TARGET_ROOT/proc sudo mount -t proc none $TARGET_ROOT/proc
sudo mount -t sysfs none $TARGET_ROOT/sys sudo mount -o ro -t sysfs none $TARGET_ROOT/sys
trap "sudo umount $TARGET_ROOT/proc; sudo umount $TARGET_ROOT/sys" EXIT trap "sudo umount $TARGET_ROOT/proc; sudo umount $TARGET_ROOT/sys" EXIT
apt_get="sudo chroot $TARGET_ROOT /usr/bin/apt-get" apt_get="sudo chroot $TARGET_ROOT /usr/bin/apt-get"

View File

@ -2,7 +2,7 @@ mkdir -p /proc /sys /dev /boot /etc /mnt /lib/modules
mount -t proc proc /proc mount -t proc proc /proc
mount -t sysfs none /sys mount -o ro -t sysfs none /sys
UDEVD= UDEVD=
if [ -x "/bin/systemd-udevd" ]; then if [ -x "/bin/systemd-udevd" ]; then

View File

@ -41,7 +41,7 @@ done
sudo mount -t proc none $TARGET_ROOT/proc sudo mount -t proc none $TARGET_ROOT/proc
sudo mount -t sysfs none $TARGET_ROOT/sys sudo mount -o ro -t sysfs none $TARGET_ROOT/sys
trap "sudo umount $TARGET_ROOT/proc; sudo umount $TARGET_ROOT/sys" EXIT trap "sudo umount $TARGET_ROOT/proc; sudo umount $TARGET_ROOT/sys" EXIT
apt_get="sudo chroot $TARGET_ROOT /usr/bin/apt-get" # dib-lint: safe_sudo apt_get="sudo chroot $TARGET_ROOT /usr/bin/apt-get" # dib-lint: safe_sudo

View File

@ -30,7 +30,7 @@ deb $DIB_DISTRIBUTION_MIRROR $DIB_RELEASE-security ${DIB_DEBIAN_COMPONENTS//,/ }
EOF" EOF"
sudo mount -t proc none $TARGET_ROOT/proc sudo mount -t proc none $TARGET_ROOT/proc
sudo mount -t sysfs none $TARGET_ROOT/sys sudo mount -o ro -t sysfs none $TARGET_ROOT/sys
trap "sudo umount $TARGET_ROOT/proc; sudo umount $TARGET_ROOT/sys" EXIT trap "sudo umount $TARGET_ROOT/proc; sudo umount $TARGET_ROOT/sys" EXIT
apt_get="sudo chroot $TARGET_ROOT /usr/bin/apt-get" # dib-lint: safe_sudo apt_get="sudo chroot $TARGET_ROOT /usr/bin/apt-get" # dib-lint: safe_sudo

View File

@ -256,7 +256,9 @@ sudo mkdir -p $TARGET_ROOT/proc $TARGET_ROOT/dev $TARGET_ROOT/sys
sudo mount -t proc none $TARGET_ROOT/proc sudo mount -t proc none $TARGET_ROOT/proc
sudo mount --bind /dev $TARGET_ROOT/dev sudo mount --bind /dev $TARGET_ROOT/dev
sudo mount -t devpts $(mount_dev_pts_options) devpts $TARGET_ROOT/dev/pts sudo mount -t devpts $(mount_dev_pts_options) devpts $TARGET_ROOT/dev/pts
sudo mount -t sysfs none $TARGET_ROOT/sys # Mounting /sys as RO indicates to various systemd things
# that we are in a container
sudo mount -o ro -t sysfs none $TARGET_ROOT/sys
# initalize rpmdb # initalize rpmdb
sudo mkdir -p $TARGET_ROOT/var/lib/rpm sudo mkdir -p $TARGET_ROOT/var/lib/rpm

View File

@ -96,7 +96,7 @@ sudo mkdir -p $TARGET_ROOT/proc $TARGET_ROOT/dev $TARGET_ROOT/sys
sudo mount -t proc none $TARGET_ROOT/proc sudo mount -t proc none $TARGET_ROOT/proc
sudo mount --bind /dev $TARGET_ROOT/dev sudo mount --bind /dev $TARGET_ROOT/dev
sudo mount -t devpts $(mount_dev_pts_options) devpts $TARGET_ROOT/dev/pts sudo mount -t devpts $(mount_dev_pts_options) devpts $TARGET_ROOT/dev/pts
sudo mount -t sysfs none $TARGET_ROOT/sys sudo mount -o ro -t sysfs none $TARGET_ROOT/sys
# Install filesystem, base and useful tools # Install filesystem, base and useful tools
sudo zypper ${ZYPPER_TARGET_OPTS} install --no-recommends filesystem sudo zypper ${ZYPPER_TARGET_OPTS} install --no-recommends filesystem

View File

@ -404,7 +404,14 @@ function mount_proc_dev_sys () {
sudo mount -t proc none $TMP_MOUNT_PATH/proc sudo mount -t proc none $TMP_MOUNT_PATH/proc
sudo mount --bind /dev $TMP_MOUNT_PATH/dev sudo mount --bind /dev $TMP_MOUNT_PATH/dev
sudo mount -t devpts $(mount_dev_pts_options) devpts $TMP_MOUNT_PATH/dev/pts sudo mount -t devpts $(mount_dev_pts_options) devpts $TMP_MOUNT_PATH/dev/pts
sudo mount -t sysfs none $TMP_MOUNT_PATH/sys # /sys is mounted RO inside non-privledged containers, thus
# mounting this RO in the chroot here is an indication to
# systemd/udev and other things that you are inside a container.
# This is generically safe and can help avoid issues where things
# we don't control like pre/post scripts try to do things that
# don't work when building inside a dib container like udevadm
# --settle calls, etc.
sudo mount -o ro -t sysfs none $TMP_MOUNT_PATH/sys
} }
# Recursively unmount directories under a given directory DIR # Recursively unmount directories under a given directory DIR

View File

@ -0,0 +1,6 @@
---
upgrade:
- |
Base installs now mount ``/sys`` read-only in chroot environemnts.
This is a good indication to various tools and scripts that that
they are running in a unprivileged/containerised environment.