buildroot: mask /proc/cmdline
Since we bind `/proc` inside the container, we leak certain information that comes with it. One of this is the kernel command line. None of the decisions done by software running inside the container should depend on the kernel command line on the host, so overwrite the kernel command line by creating a temporary directory and mapping it inside the build- root. For now we default to a simple `root=/dev/osbuild` fake kernel command line. Add a simple check for it as well.
This commit is contained in:
Christian Kellner
Achilleas Koutsou
parent
4c54f7e4a6
commit
36356342b0
2 changed files with 52 additions and 0 deletions
|
|
@ -145,3 +145,22 @@ def test_selinuxfs_ro(tempdir):
|
|||
|
||||
r = root.run(cmd, monitor, readonly_binds=ro_binds)
|
||||
assert r.returncode == 0
|
||||
|
||||
|
||||
@pytest.mark.skipif(not TestBase.can_bind_mount(), reason="root only")
|
||||
def test_proc_overrides(tempdir):
|
||||
runner = detect_host_runner()
|
||||
libdir = os.path.abspath(os.curdir)
|
||||
var = pathlib.Path(tempdir, "var")
|
||||
var.mkdir()
|
||||
|
||||
cmdline = "is-this-the-real-world"
|
||||
|
||||
monitor = NullMonitor(sys.stderr.fileno())
|
||||
with BuildRoot("/", runner, libdir, var) as root:
|
||||
|
||||
root.proc.cmdline = cmdline
|
||||
|
||||
r = root.run(["cat", "/proc/cmdline"], monitor)
|
||||
assert r.returncode == 0
|
||||
assert cmdline in r.output.strip()
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue