| Summary: | sys-apps/portage-2.2.20: FEATURES=cgroup is vulnerable interference between parallel builds of the same ${CATEGORY}:${PF} | ||
|---|---|---|---|
| Product: | Portage Development | Reporter: | Zac Medico <zmedico> |
| Component: | Core - Ebuild Support | Assignee: | Portage team <dev-portage> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | Keywords: | InVCS |
| Priority: | Normal | ||
| Version: | 2.2 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=851015 | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | |||
| Bug Blocks: | 549914 | ||
sounds good to me :) The number of temp dirs that we will create is unlimited, so we need to ensure that they are promptly destroyed. We can unshare the mount namespace and make /sys/fs/cgroup/portage a private mount which will automatically disappear when portage exits. There's a patch in the following branch: https://github.com/zmedico/portage/tree/bug_554108 I've posted it for review here: https://archives.gentoo.org/gentoo-portage-dev/message/86f2105d445897c3690df7856371093f This is in the master branch: https://gitweb.gentoo.org/proj/portage.git/commit/?id=551837f0de95cf8e3e741e76094b31cfc0d68bd5 Released in portage-2.2.21 |
The vulnerable code in AbstractEbuildProcess is as follows: cgroup_path = os.path.join(cgroup_portage, '%s:%s' % (self.settings["CATEGORY"], self.settings["PF"])) Instead, we should use tempfile.mkdtemp or something similar.