On Fri, Dec 10, 2010 at 12:43:04PM -0500, Matt McCutchen wrote:
> On Fri, 2010-12-10 at 15:06 +0000, Daniel P. Berrange wrote:
> > Adding CLONE_NEWPID would be worthwhile to stop the
> > mock process seeing any other PIDs on the machine.
>
> It's critical, or mock could ptrace some process running as root on the
> host and inject arbitrary code.

That is true. I forgot to mention that you'd probably need to block a
large number of capabilities while the 'root' part of mock were
executing. e.g. while mock needs things like CAP_DAC_OVERRIDE, CAP_FOWNER,
CAP_MKNOD, etc. to put down files during RPM install, you don't want it
having SYS_ADMIN, MAC_ADMIN, AUDIT_CONTROL, SYS_BOOT, SYS_MODULE, or
SYS_TIME and some others (PTRACE if not using CLONE_NEWPID).

Regards,
Daniel

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
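The two measures discussed in this thread, a private PID namespace via CLONE_NEWPID and a capability allow-list for the privileged part of the build, can be combined in a small C helper. The program below is an added illustration written for this page; it is not mock's code and not from the thread. The allow-list is an assumption built from the three capabilities Daniel names (plus CAP_CHOWN, which is also assumed); the real set mock needs is not on the page. The namespace step needs CAP_SYS_ADMIN and the bounding-set step needs CAP_SETPCAP, so an unprivileged run only exercises the policy functions and reports the failures.

```c
// Added example, not code from the mailing-list thread or from mock.
// Shows: (1) an allow-list policy for the capability bounding set, and
// (2) starting the privileged helper inside a fresh PID namespace.
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/capability.h>

/* Capabilities the file-installing step still needs. The first three are
   the ones the message names; CAP_CHOWN is an assumption for illustration. */
static const int keep_caps[] = { CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_MKNOD, CAP_CHOWN };
static const size_t n_keep = sizeof keep_caps / sizeof keep_caps[0];

/* Pure policy check: is `cap` on the allow-list? */
int cap_is_kept(int cap) {
    for (size_t i = 0; i < n_keep; i++)
        if (keep_caps[i] == cap) return 1;
    return 0;
}

/* How many of the kernel's capabilities the policy would remove.
   Testable without privilege; useful as a sanity check before applying. */
int caps_to_drop(void) {
    int n = 0;
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++)
        if (!cap_is_kept(cap)) n++;
    return n;
}

/* Remove every capability not on the allow-list from the bounding set.
   Needs CAP_SETPCAP. Returns the number dropped, or -1 with errno set.
   Once a capability leaves the bounding set, no later execve() can regain it,
   so CAP_SYS_ADMIN, CAP_SYS_PTRACE, CAP_SYS_MODULE etc. stay gone for the
   whole RPM install. */
int restrict_bounding_set(void) {
    int dropped = 0;
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++) {
        if (cap_is_kept(cap)) continue;
        if (prctl(PR_CAPBSET_READ, cap, 0, 0, 0) == 0) continue; /* already absent */
        if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0) return -1;
        dropped++;
    }
    return dropped;
}

/* Body of the namespaced child: it is PID 1 of a namespace that contains
   no host process, so there is nothing foreign left to ptrace; it then
   shrinks its own bounding set before any build work would run. */
static int ns_child(void *arg) {
    (void)arg;
    printf("child sees itself as pid %d\n", (int)getpid());
    int n = restrict_bounding_set();
    if (n < 0) {
        printf("PR_CAPBSET_DROP failed: %s\n", strerror(errno));
        return 1;
    }
    printf("dropped %d capabilities from the bounding set\n", n);
    return 0;
}

/* Run fn in a new PID namespace (needs CAP_SYS_ADMIN). Returns the child's
   exit status, or -1 with errno set (EPERM when unprivileged). */
int run_in_new_pid_ns(int (*fn)(void *), void *arg) {
    const size_t stack_size = 64 * 1024;
    char *stack = malloc(stack_size);
    if (!stack) return -1;
    /* clone() takes the top of the stack on the usual downward-growing ABIs */
    pid_t pid = clone(fn, stack + stack_size, CLONE_NEWPID | SIGCHLD, arg);
    if (pid < 0) { int e = errno; free(stack); errno = e; return -1; }
    int status = 0;
    int rc = waitpid(pid, &status, 0);
    free(stack);
    if (rc < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    printf("policy keeps %zu capabilities, drops %d of %d\n",
           n_keep, caps_to_drop(), CAP_LAST_CAP + 1);
    /* The dangerous ones the message calls out must all be off the allow-list. */
    const int blocked[] = { CAP_SYS_ADMIN, CAP_MAC_ADMIN, CAP_AUDIT_CONTROL,
                            CAP_SYS_BOOT, CAP_SYS_MODULE, CAP_SYS_TIME, CAP_SYS_PTRACE };
    for (size_t i = 0; i < sizeof blocked / sizeof blocked[0]; i++)
        printf("cap %d kept by policy: %d\n", blocked[i], cap_is_kept(blocked[i]));

    if (run_in_new_pid_ns(ns_child, NULL) < 0)
        printf("clone(CLONE_NEWPID) failed: %s (needs CAP_SYS_ADMIN)\n", strerror(errno));
    return 0;
}
```

The order matters: the namespace is created while the helper still holds CAP_SYS_ADMIN, and the bounding set is cut inside the child before any package scriptlet runs, so the capabilities the message lists as unwanted cannot be picked up again by a setuid or file-capability binary later in the build.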