From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-12.2 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 973ECC07E99 for ; Tue, 6 Jul 2021 00:59:43 +0000 (UTC) Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 188126195D for ; Tue, 6 Jul 2021 00:59:43 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 188126195D Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=konsulko.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 68B8182C47; Tue, 6 Jul 2021 02:59:16 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=konsulko.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (1024-bit key; unprotected) header.d=konsulko.com header.i=@konsulko.com header.b="Oj7G0IxM"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id E0A3782C34; Tue, 6 Jul 2021 02:59:13 +0200 (CEST) Received: from mail-qv1-xf29.google.com (mail-qv1-xf29.google.com [IPv6:2607:f8b0:4864:20::f29]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 3EB0C82C19 for ; Tue, 6 Jul 2021 02:59:10 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=konsulko.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=trini@konsulko.com Received: by mail-qv1-xf29.google.com with SMTP id cz7so5455098qvb.9 for ; Mon, 05 Jul 2021 17:59:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=konsulko.com; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=xxVo2TzNpQlo6w4zS0zLHQ4uEctLAl7veMZ9F8sOpy8=; b=Oj7G0IxM+Z5KIgjtt4ujuaIBtDN6wpAsPoUaNpX6wBCymxntU00BfOPtQASYrFYIv2 uFDIDSi1BY+tt4wPfp+aLkwgWJ4tUZex/+XDuSXpCPVIDkSc88hrekQQTJxjTcx7hBHq S+gibBhagu4BcLW4p7l/JMTrqjLHli02Pu08s= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=xxVo2TzNpQlo6w4zS0zLHQ4uEctLAl7veMZ9F8sOpy8=; b=JL/CkUO2pTBguA18myavPz+XVBc2hChff49GCUPvoYChz/l4Y7kqILhe0qsdAOGJta nUdtd1R63uVYiVh6TjWB61i/O7DTagkl5FSlqZHdT+Zd2TeGd20z8GWqkBugiyTSm2Pv h3nKeRlzX/O7vfO2BaSO0zue8NIkfUaghVLVQd2AocajgBm7VMaEUmaGsG7QsTOF86Ua a+ZZwvP9ZTvR373qvkUAd0RMbjxTIpr9ZMFOZyBLg03diQ3U0wGvdNr9wCbaQ/nGWNIn 5yuiEN/dI944n9jBS1LK3nc96sj3GvSN398N8D/VM1bzoq9mDYKvVVP8MShk/JTcnOLr O+lw== X-Gm-Message-State: AOAM5319Dil3raJNUvPahTAKUW+OCW/chcO1/DSltqKwwrN6f3dDaytj LjuI2rC2rBSl0D6eTXobAkwUuA== X-Google-Smtp-Source: ABdhPJy2ZAYJaiN0uiI2ZvI7H+0ZbcIPudWeVhNmq6+B45ezRSibZPcs7CIjUcvthGKwqfomjlh0ig== X-Received: by 2002:a05:6214:1028:: with SMTP id k8mr15640143qvr.13.1625533149152; Mon, 05 Jul 2021 17:59:09 -0700 (PDT) Received: from bill-the-cat (2603-6081-7b01-cbda-5170-f33c-21eb-73eb.res6.spectrum.com. [2603:6081:7b01:cbda:5170:f33c:21eb:73eb]) by smtp.gmail.com with ESMTPSA id z188sm6358583qkd.68.2021.07.05.17.59.07 (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Mon, 05 Jul 2021 17:59:08 -0700 (PDT) Date: Mon, 5 Jul 2021 20:59:06 -0400 From: Tom Rini To: Alper Nebi Yasak Cc: u-boot@lists.denx.de, Daniel Schwierzeck , Simon Glass , Bin Meng , AKASHI Takahiro , Heinrich Schuchardt , Marek Vasut Subject: Re: [PATCH v3 3/3] Azure: Add loop devices and CAP_SYS_ADMIN for sandbox test.py tests Message-ID: <20210706005906.GK9516@bill-the-cat> References: <20210621185156.9108-1-alpernebiyasak@gmail.com> <20210621185156.9108-4-alpernebiyasak@gmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="zPX9MbtoQtLNAi0K" Content-Disposition: inline In-Reply-To: <20210621185156.9108-4-alpernebiyasak@gmail.com> X-Clacks-Overhead: GNU Terry Pratchett User-Agent: Mutt/1.9.4 (2018-02-28) X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean --zPX9MbtoQtLNAi0K Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Jun 21, 2021 at 09:51:56PM +0300, Alper Nebi Yasak wrote: > The filesystem test setup needs to prepare disk images for its tests, > with either guestmount or loop mounts. The former requires access to the > host fuse device (added in a previous patch), the latter requires access > to host loop devices. Both mounts also need additional privileges since > docker's default configuration prevents the containers from mounting > filesystems (for host security). >=20 > Add any available loop devices to the container and try to add as few > privileges as possible to run these tests, which narrow down to adding > SYS_ADMIN capability and disabling apparmor confinement. However, this > much still seems to be insecure enough to let malicious container > processes escape as root on the host system [1]. >=20 > [1] https://blog.trailofbits.com/2019/07/19/understanding-docker-containe= r-escapes/ >=20 > Since the mentioned tests are marked to run only on the sandbox board, > add these additional devices and privileges only when testing with that. >=20 > An alternative to using mounts is modifying the filesystem tests to use > virt-make-fs (like some EFI tests do), but it fails to generate a > partitionless FAT filesystem image on Debian systems. Other more > feasible alternatives are using guestfish or directly using libguestfs > Python bindings to create and populate the images, but switching the > test setups to these is nontrivial and is left as future work. >=20 > Signed-off-by: Alper Nebi Yasak Applied to u-boot/master, thanks! --=20 Tom --zPX9MbtoQtLNAi0K Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQGzBAABCgAdFiEEGjx/cOCPqxcHgJu/FHw5/5Y0tywFAmDjqtoACgkQFHw5/5Y0 tyyvVgwAhodmalDPKr6id33p0t3B8Rh2zs5QZtPbsnCKv5bOAzlJWfkrq0a0U7oY 9F5B6DXwajjG2h8w62VxrBec0BShWxRfj+Vkl7vDNML/7YboVjZfMeedtup6qVkL EYaqf0/Mjt2rMzVlaqLwWiw2/n8ZSqS4w3KBWHZn7SXBt7Z3fQ5Jv3z7Hhy6tjW3 RrwHFPl/s4Zu87jTpnWFa2uO1fNW8Mm+xrqOitNB5WvG/liM3KVYAJ4BaXdZwVFI R4RnyVc11tiCfZIRLRVWQz3IAYrnhyYn27R6Hf6mHHRJYghL917yccnxFcR0Z2er pbK9IdUGiiL9elQvpdsfRJ/5kjiqM+EONGYh/05HI5kZfsbcn4Ln4tJ1oPugiaxH YTP7t13kH1HqBS+3EpdmacvZYSojhwHETqReEGsvcds09QUuv1R1faS4ITGW5aJx uuK/KZC7fbEPqtO0oRLlTGLrMBQ9yZj2LZdyODDJ+LG4MDvRDaQy2cPFOVfURx4W AC5p0K2N =a5Qa -----END PGP SIGNATURE----- --zPX9MbtoQtLNAi0K--