From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-17.2 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7C78CC49EA6 for ; Sat, 26 Jun 2021 20:46:26 +0000 (UTC) Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 5152861C31 for ; Sat, 26 Jun 2021 20:46:25 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 5152861C31 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=konsulko.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 9B1D182C2E; Sat, 26 Jun 2021 22:46:21 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=konsulko.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (1024-bit key; unprotected) header.d=konsulko.com header.i=@konsulko.com header.b="jJC7SBW8"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 2C3D682C3D; Sat, 26 Jun 2021 22:46:20 +0200 (CEST) Received: from mail-qk1-x72b.google.com (mail-qk1-x72b.google.com [IPv6:2607:f8b0:4864:20::72b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id B269382C03 for ; Sat, 26 Jun 2021 22:46:16 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=konsulko.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=trini@konsulko.com Received: by mail-qk1-x72b.google.com with SMTP id g4so23180805qkl.1 for ; Sat, 26 Jun 2021 13:46:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=konsulko.com; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=iDlUMjxYfxF1MT+cn/uUBZcVlqixSLS9qp861Nh6YAs=; b=jJC7SBW8v+7CY/fkrpgeebGSN5HynPW4vrHd6Tl0JjMXcM6/19IWhbbrnFPeZHoTpu hQqatFfPesT1coxCUJD+Ia5kl6nyJ9C0ahBg7mpW0ZC71NfnNUqgdbcNP5Y1XhFKyT+M bGrKGycjgcbV/g7Ge31tDO+Odmq3GScofJx4w= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=iDlUMjxYfxF1MT+cn/uUBZcVlqixSLS9qp861Nh6YAs=; b=CRwjhCdY70xA0sQo7q0oEGNLz2gAmoTb0niYk+m5wGJe0TCmwfOn3NXR1GqliiGedK JWyjiRaWj1DMHKM/dehgLb4BXirJGPJ/txuxMutcZdEmpH4BMkCu/a+5gL1Fc+P1bGTP IDekgC4cMEqCJD0EPucF9PvvpIN6tMTTLK1kXzkBFO0tQ8hb57KyOSOUHCMZx1hIpgTZ TtBTVMl0gzFZO8O26kaTWj7K0gvqqpShHhhY41OkWE49fVC/WKEdZW0l0EPi6Wvy9k1l 7EyTZck08OnKJPKqw79WnfIp93MGJSQ4zuG/Hn+cxIavXUesq1aGDrC5dbprRrdLoCKr xFLg== X-Gm-Message-State: AOAM533MUVpZwPJpLfSjNKwTZYItjxIlm1ndGdo5Bea+yPclhmZ46uV0 MY83BX8z/vp1t7M/5v74xd2Nzg== X-Google-Smtp-Source: ABdhPJxc/Gfz4wUEO5IbSjy9CC/L0u7wAOgAYL9Rvhc9CdLH1nDxd2gBoDGodrKXXI815aLCTcfEAA== X-Received: by 2002:a05:620a:ed2:: with SMTP id x18mr2275177qkm.181.1624740375593; Sat, 26 Jun 2021 13:46:15 -0700 (PDT) Received: from bill-the-cat (2603-6081-7b01-cbda-d142-f169-5cf3-bb84.res6.spectrum.com. [2603:6081:7b01:cbda:d142:f169:5cf3:bb84]) by smtp.gmail.com with ESMTPSA id m14sm6068413qti.12.2021.06.26.13.46.14 (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Sat, 26 Jun 2021 13:46:14 -0700 (PDT) Date: Sat, 26 Jun 2021 16:46:12 -0400 From: Tom Rini To: Simon Glass Cc: Alper Nebi Yasak , U-Boot Mailing List , Daniel Schwierzeck , Bin Meng , AKASHI Takahiro , Heinrich Schuchardt , Marek Vasut Subject: Re: [PATCH v3 3/3] Azure: Add loop devices and CAP_SYS_ADMIN for sandbox test.py tests Message-ID: <20210626204612.GU9516@bill-the-cat> References: <20210621185156.9108-1-alpernebiyasak@gmail.com> <20210621185156.9108-4-alpernebiyasak@gmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="GcJiPVV3q92wpaQk" Content-Disposition: inline In-Reply-To: X-Clacks-Overhead: GNU Terry Pratchett User-Agent: Mutt/1.9.4 (2018-02-28) X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean --GcJiPVV3q92wpaQk Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Jun 26, 2021 at 12:29:56PM -0600, Simon Glass wrote: > Hi Alper, >=20 > On Mon, 21 Jun 2021 at 12:52, Alper Nebi Yasak = wrote: > > > > The filesystem test setup needs to prepare disk images for its tests, > > with either guestmount or loop mounts. The former requires access to the > > host fuse device (added in a previous patch), the latter requires access > > to host loop devices. Both mounts also need additional privileges since > > docker's default configuration prevents the containers from mounting > > filesystems (for host security). > > > > Add any available loop devices to the container and try to add as few > > privileges as possible to run these tests, which narrow down to adding > > SYS_ADMIN capability and disabling apparmor confinement. However, this > > much still seems to be insecure enough to let malicious container > > processes escape as root on the host system [1]. > > > > [1] https://blog.trailofbits.com/2019/07/19/understanding-docker-contai= ner-escapes/ > > > > Since the mentioned tests are marked to run only on the sandbox board, > > add these additional devices and privileges only when testing with that. > > > > An alternative to using mounts is modifying the filesystem tests to use > > virt-make-fs (like some EFI tests do), but it fails to generate a > > partitionless FAT filesystem image on Debian systems. Other more > > feasible alternatives are using guestfish or directly using libguestfs > > Python bindings to create and populate the images, but switching the > > test setups to these is nontrivial and is left as future work. > > > > Signed-off-by: Alper Nebi Yasak > > --- > > > > (no changes since v2) > > > > Changes in v2: > > - Always pass in /dev/fuse to Azure's docker run invocation. > > - Remove "and some EFI tests" from comment (no longer applies to that > > block of code). > > > > .azure-pipelines.yml | 16 +++++++++++++++- > > 1 file changed, 15 insertions(+), 1 deletion(-) >=20 > Shouldn't this be done in gitlab too? In GitLab we don't control how docker is launched, is the problem. That's up to the admins and we sometimes do, sometimes don't have the capabilities enabled. That probably means we should update the CI doc and also email the various CI admins about updating things. --=20 Tom --GcJiPVV3q92wpaQk Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQGzBAABCgAdFiEEGjx/cOCPqxcHgJu/FHw5/5Y0tywFAmDXkhEACgkQFHw5/5Y0 tyzNhQv7BkYSU+/1zn1MXJQ8DEWsSn+Eq8rqhN0noXoeZQ53Bditc3GgrVLTokSA j+eQh3Q+Xes17P7m+5EipCpeBG1Y3etxBuzh7YFa5gu12KD9uF0hqGdGkyK3ZwTW z63TOS9+AUxxgq07QksHLbeKWDxqdzG+Vhm/u0uc2RSkx1XQMJuDcLrSLRAs9VnK ZF+NMPOEIIsJf+1kzPKR/iPkKuOdlxVV8d15Zr4BhbTd20AMBbTniO8TYsrWTq3Y 8F0fdXOzY/68FBag459n93v0rpFd1TfCZMByvpskLDR84xG+yWbt3HAmU7yBwprt KH8/2NBAohhMmsHHuaghm3sfeflZ193l3oP3ihyXeNzEfGWqI3g5WBc9Qv4fpJi3 P+4QP5g8HHIKWwd2QxwzcgVCdcDtHon2qD0pzps9NLl6Sn3a5WvGrnNlOjYnXhw/ 8T+bBzuWccBBR5va5hC0AobZw1hBhvfs9HAAUoweWodA1bk6ip+J1qTbVQ4nTTEM dC2T/vNQ =eVaV -----END PGP SIGNATURE----- --GcJiPVV3q92wpaQk--