From: Tom Rini <trini@konsulko.com>
To: Alper Nebi Yasak <alpernebiyasak@gmail.com>
Cc: u-boot@lists.denx.de,
	Daniel Schwierzeck <daniel.schwierzeck@gmail.com>,
	Simon Glass <sjg@chromium.org>, Bin Meng <bmeng.cn@gmail.com>,
	AKASHI Takahiro <takahiro.akashi@linaro.org>,
	Heinrich Schuchardt <xypron.glpk@gmx.de>,
	Marek Vasut <marek.vasut@gmail.com>
Subject: Re: [PATCH v3 3/3] Azure: Add loop devices and CAP_SYS_ADMIN for sandbox test.py tests
Date: Mon, 5 Jul 2021 20:59:06 -0400
Message-ID: <20210706005906.GK9516@bill-the-cat>
In-Reply-To: <20210621185156.9108-4-alpernebiyasak@gmail.com>

On Mon, Jun 21, 2021 at 09:51:56PM +0300, Alper Nebi Yasak wrote:

> The filesystem test setup needs to prepare disk images for its tests,
> with either guestmount or loop mounts. The former requires access to the
> host fuse device (added in a previous patch), the latter requires access
> to host loop devices. Both mounts also need additional privileges since
> docker's default configuration prevents the containers from mounting
> filesystems (for host security).
> 
> Add any available loop devices to the container and try to add as few
> privileges as possible to run these tests, which narrow down to adding
> SYS_ADMIN capability and disabling apparmor confinement. However, this
> much still seems to be insecure enough to let malicious container
> processes escape as root on the host system [1].
> 
> [1] https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
> 
> Since the mentioned tests are marked to run only on the sandbox board,
> add these additional devices and privileges only when testing with that.
> 
> An alternative to using mounts is modifying the filesystem tests to use
> virt-make-fs (like some EFI tests do), but it fails to generate a
> partitionless FAT filesystem image on Debian systems. Other more
> feasible alternatives are using guestfish or directly using libguestfs
> Python bindings to create and populate the images, but switching the
> test setups to these is nontrivial and is left as future work.
> 
> Signed-off-by: Alper Nebi Yasak <alpernebiyasak@gmail.com>

Applied to u-boot/master, thanks!

-- 
Tom
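The gating described in the quoted commit message, as an added illustration that is not the patch itself nor U-Boot's CI configuration: the extra `docker run` flags (every available host loop device, CAP_SYS_ADMIN, AppArmor unconfined) are emitted only when the board under test is sandbox, so every other job keeps Docker's default, non-escapable privilege set. The function name, the board-name argument and the `/dev/loop*` discovery are assumptions.

```shell
# sandbox_docker_args BOARD
# Print the additional 'docker run' flags needed for the filesystem tests,
# but only for the sandbox board; for any other board print nothing.
# These flags (SYS_ADMIN plus no AppArmor profile) are enough for a
# malicious container process to escape to the host, so the least-privilege
# point is that they never reach the non-sandbox jobs.
sandbox_docker_args() {
    board=$1
    args=""
    case "$board" in
    sandbox*)
        # Assumption: host loop devices are discovered from /dev/loop<N>;
        # the glob stays literal when none exist, hence the -e check.
        for dev in /dev/loop[0-9]*; do
            if [ -e "$dev" ]; then
                args="$args --device=$dev"
            fi
        done
        args="$args --cap-add=SYS_ADMIN --security-opt apparmor=unconfined"
        ;;
    esac
    printf '%s' "${args# }"
}
```

Example use in a CI script: `docker run $(sandbox_docker_args "$BOARD") ...`.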
