481450 – sys-apps/portage: FEATURES=network-sandbox to unshare() networking in ebuilds

Bug 481450 - sys-apps/portage: FEATURES=network-sandbox to unshare() networking in ebuilds

Summary: sys-apps/portage: FEATURES=network-sandbox to unshare() networking in ebuilds

Status:	RESOLVED FIXED

Alias:	None

Product:	Portage Development
Classification:	Unclassified
Component:	Core - Ebuild Support (show other bugs)
Hardware:	All Linux

Importance:	Normal enhancement (vote)
Assignee:	Portage team

URL:
Whiteboard:
Keywords:	InVCS

Depends on:
Blocks:	472632
	Show dependency tree

Reported:	2013-08-17 10:49 UTC by Michał Górny
Modified:	2013-08-22 04:51 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Unshare networking in ebuilds (0001-Support-unsharing-network-namespaces-in-ebuild.patch,6.07 KB, patch) 2013-08-17 10:50 UTC, Michał Górny	Details \| Diff
2. Add FEATURES=network-sandbox (0002-Disable-networking-only-if-FEATURES-network-sandbox.patch,2.57 KB, patch) 2013-08-17 20:16 UTC, Michał Górny	Details \| Diff
3. Cache libc find_library() (0003-Cache-the-libc-library-search-in-parent-process-for-.patch,856 bytes, patch) 2013-08-17 20:16 UTC, Michał Górny	Details \| Diff
4. Enable loopback after unshare() (0004-Enable-the-loopback-interface-after-unsharing-networ.patch,1.37 KB, patch) 2013-08-17 20:17 UTC, Michał Górny	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michał Górny archtester

2013-08-17 10:49:29 UTC

Since ebuilds are not supposed to access network directly, except for very special cases, let's ensure they don't.

I'm attaching a patch that uses Linux's unshare() syscall to detach phases other than pkg_*() and src_unpack() from host networking.

What still needs to be done:

1. Some FEATURES key should be added for it. So we could start testing and deploying it without causing world-spread breakage.

2. 'ifconfig lo up' or equivalent should be put somewhere. unshare() creates a new, local loopback that needs to be up'ed to let apps use it.


Advantages:

1. We no longer have to wait for Diego to point out that tests use network :).

2. The ugly things like setuptools fetching itself are caught before they do damage.

3. Tests no longer can interfere with host's daemons -- like mongodb front-end tests writing to the production database running on the host (not that mongodb is suitable for anything production).

4. Daemons spawned during tests can not be accessed outside of the namespace. That is, random broken tests don't spawn security holes.

Comment 1 Michał Górny archtester

2013-08-17 10:50:35 UTC

Created attachment 356282 [details, diff]
Unshare networking in ebuilds

Comment 2 Michał Górny archtester

2013-08-17 20:16:42 UTC

Created attachment 356320 [details, diff]
2. Add FEATURES=network-sandbox

Comment 3 Michał Górny archtester

2013-08-17 20:16:59 UTC

Created attachment 356322 [details, diff]
3. Cache libc find_library()

Comment 4 Michał Górny archtester

2013-08-17 20:17:10 UTC

Created attachment 356324 [details, diff]
4. Enable loopback after unshare()

Comment 5 Zac Medico gentoo-dev

2013-08-17 20:46:06 UTC

Thanks, this is in git:

http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=39db5201e087156ed46f6cac4dc9a69a2f3cc81c

Comment 6 Zac Medico gentoo-dev

2013-08-22 04:51:00 UTC

This is fixed in 2.2.1.