* Re: [OE-core] [PATCH] classes: Only allow network in existing network accessing code
       [not found] <16C8200D7F471EEB.16815@lists.openembedded.org>
@ 2022-01-07 23:17 ` Richard Purdie
  2022-01-11 20:39   ` Alexander Kanavin
  0 siblings, 1 reply; 2+ messages in thread
From: Richard Purdie @ 2022-01-07 23:17 UTC (permalink / raw)
  To: openembedded-core

On Fri, 2022-01-07 at 23:15 +0000, Richard Purdie via lists.openembedded.org
wrote:
> Use the newly added network task flag against tasks where network
> access is expected. This is do_fetch, do_checkuri, do_testimage, do_testsdk
> and do_testsdkext.
> 
> We can't disable networking in sstate tasks due to sstate downloads and
> also so we can report hash equivalence to the server so network access
> is enabled in sstate tasks.
> 
> Access within build-appliance do_image is also allowed due to the use
> of pip, this is a poor example made rather obvious now and needs to be reworked.
> 
> Network access anywhere else in any other task isn't allowed.
> 
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> ---
>  meta/classes/base.bbclass                                | 1 +
>  meta/classes/sstate.bbclass                              | 2 ++
>  meta/classes/testimage.bbclass                           | 1 +
>  meta/classes/testsdk.bbclass                             | 2 ++
>  meta/classes/utility-tasks.bbclass                       | 1 +
>  meta/recipes-core/images/build-appliance-image_15.0.0.bb | 2 ++
>  6 files changed, 9 insertions(+)

This patch (and corresponding bitbake patches) does the opposite of the previous
version, it uses a network flag which allows network access in a task and
network access is otherwise disabled. I've shared it since several people
requested this form of patch instead of the other.

I think this version may be easier to "abuse". It does highlight the rather poor
design choices to support toaster in build-appliance.

Cheers,

Richard




* Re: [OE-core] [PATCH] classes: Only allow network in existing network accessing code
  2022-01-07 23:17 ` [OE-core] [PATCH] classes: Only allow network in existing network accessing code Richard Purdie
@ 2022-01-11 20:39   ` Alexander Kanavin
  0 siblings, 0 replies; 2+ messages in thread
From: Alexander Kanavin @ 2022-01-11 20:39 UTC (permalink / raw)
  To: Richard Purdie; +Cc: OE-core


I think this is the right way to go. To me, it seems equally easy to
subvert both forms, but with this one, the abuse can be easily seen and
exposed as such.

Alex

On Sat, 8 Jan 2022 at 00:17, Richard Purdie <
richard.purdie@linuxfoundation.org> wrote:

> On Fri, 2022-01-07 at 23:15 +0000, Richard Purdie via lists.openembedded.org
> wrote:
> > Use the newly added network task flag against tasks where network
> > access is expected. This is do_fetch, do_checkuri, do_testimage, do_testsdk
> > and do_testsdkext.
> >
> > We can't disable networking in sstate tasks due to sstate downloads and
> > also so we can report hash equivalence to the server so network access
> > is enabled in sstate tasks.
> >
> > Access within build-appliance do_image is also allowed due to the use
> > of pip, this is a poor example made rather obvious now and needs to be reworked.
> >
> > Network access anywhere else in any other task isn't allowed.
> >
> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > ---
> >  meta/classes/base.bbclass                                | 1 +
> >  meta/classes/sstate.bbclass                              | 2 ++
> >  meta/classes/testimage.bbclass                           | 1 +
> >  meta/classes/testsdk.bbclass                             | 2 ++
> >  meta/classes/utility-tasks.bbclass                       | 1 +
> >  meta/recipes-core/images/build-appliance-image_15.0.0.bb | 2 ++
> >  6 files changed, 9 insertions(+)
>
> This patch (and corresponding bitbake patches) does the opposite of the previous
> version, it uses a network flag which allows network access in a task and
> network access is otherwise disabled. I've shared it since several people
> requested this form of patch instead of the other.
>
> I think this version may be easier to "abuse". It does highlight the rather poor
> design choices to support toaster in build-appliance.
>
> Cheers,
>
> Richard
>
>
>
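
Added example, not part of the thread and not OE-core or bitbake code: because network access is now granted per task by an explicit flag, a layer or an incoming patch can be audited for grants outside the set the commit message lists. The sketch assumes the flag is written in standard BitBake varflag form (`do_task[network] = "1"`) and that "sstate tasks" means tasks ending in `_setscene`; the sample file contents are constructed.

```python
import re

# Tasks the commit message names as expected to use the network.
ALLOWED_TASKS = {"do_fetch", "do_checkuri", "do_testimage", "do_testsdk", "do_testsdkext"}
# Per-recipe exception from the commit message: do_image in build-appliance.
ALLOWED_PER_FILE = {("build-appliance-image_15.0.0.bb", "do_image")}

# Assumed spelling of a grant: a varflag assignment such as do_fetch[network] = "1".
FLAG_RE = re.compile(
    r'^\s*(?P<task>[\w-]+)\[network\]\s*(?:\?\?=|\?=|:=|=)\s*["\'](?P<val>[^"\']*)["\']'
)

def audit(files):
    """Return [(filename, lineno, task)] for network grants outside the allowlist.

    `files` maps a file name to its text, so the same check works on a layer
    checkout or on the post-patch version of files under review.
    """
    findings = []
    for name, text in sorted(files.items()):
        base = name.rsplit("/", 1)[-1]
        for lineno, line in enumerate(text.splitlines(), 1):
            m = FLAG_RE.match(line)  # commented-out lines do not match
            # Conservative: any value other than empty or "0" counts as a grant.
            if not m or m.group("val").strip() in ("", "0"):
                continue
            task = m.group("task")
            if task in ALLOWED_TASKS or task.endswith("_setscene"):
                continue  # expected network users and (assumed) sstate tasks
            if (base, task) in ALLOWED_PER_FILE:
                continue
            findings.append((name, lineno, task))
    return findings

# Constructed sample input; only the two meta/ paths appear in the diffstat.
SAMPLE = {
    "meta/classes/base.bbclass": 'do_fetch[network] = "1"\n',
    "meta/recipes-core/images/build-appliance-image_15.0.0.bb": 'do_image[network] = "1"\n',
    "meta-example/recipes-foo/foo_1.0.bb": (
        'SUMMARY = "constructed recipe"\n'
        '# do_install[network] = "1"\n'
        'do_compile[network] = "1"\n'
        'do_configure[network] = "0"\n'
        'do_populate_sysroot_setscene[network] = "1"\n'
    ),
    "meta-example/recipes-foo/image.bb": 'do_image[network] = "1"\n',
}

if __name__ == "__main__":
    for name, lineno, task in audit(SAMPLE):
        print(f"{name}:{lineno}: unexpected network grant for {task}")
```

Flags set from Python code (for example in an anonymous function) are not covered by this line-based scan and would need a separate check.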

