From: ChenQi <Qi.Chen@windriver.com>
To: Ross Burton <ross.burton@arm.com>,
"michalwsieron@gmail.com" <michalwsieron@gmail.com>
Cc: "openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH] sanity.bbclass: raise_sanity_error if /tmp is noexec
Date: Wed, 21 Feb 2024 15:18:44 +0800 [thread overview]
Message-ID: <b128ef22-03b4-ebd7-1b2d-40b2d8ab2201@windriver.com> (raw)
In-Reply-To: <94AE8BC1-9AA9-4DFB-B7B6-80CC83897ACD@arm.com>
Hi Michal,
I just noticed the change. I can't find the V2 in my mailbox, so I'm
going to reply here.
I'm a little concerned about forcing such a requirement here. It does not
seem *necessary*.
As far as I know, the whole oe-core does not need /tmp to be exec. The
commit message says 'old meson', this means the current version of meson
works well, right?
Also, why is there 'no simple way to work around'? Is the recipe
hardcoding '/tmp' instead of using API or command? Does exporting TMPDIR
work?
e.g.,
export TMPDIR="${B}/tmp"
Regards,
Qi
On 2/9/24 23:57, Ross Burton wrote:
> On 9 Feb 2024, at 14:09, Michal Sieron via lists.openembedded.org <michalwsieron=gmail.com@lists.openembedded.org> wrote:
>> + # Ensure /tmp is NOT mounted with noexec
>> + with open("/proc/mounts", "r") as f:
>> + for line in f:
>> + # format is described in fstab(5)
>> + _, fs_file, _, fs_mntops, *_ = line.split()
>> +
>> + # we only want to check /tmp
>> + if fs_file != "/tmp":
>> + continue
>> +
>> + # iterate through the options from the end
>> + for opt in reversed(fs_mntops.split(",")):
>> + if opt == "noexec":
>> + raise_sanity_error("/tmp shouldn't be mounted with noexec.", d)
>> +
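Review bot: the `reversed()` walk over `fs_mntops` never stops at an explicit `exec` option, so the "iterate through the options from the end" comment promises last-option-wins semantics that the loop does not implement: an option string of `noexec,exec` would still raise. Since /proc/mounts reports the effective options, where `noexec` and `exec` do not both appear, the inner loop can simply be `if "noexec" in fs_mntops.split(","): raise_sanity_error("/tmp shouldn't be mounted with noexec.", d)`. Two further points: the check matches only an entry whose `fs_file` is exactly `/tmp` and raises on the first such entry, so a later remount of /tmp (the effective one, since /proc/mounts is in mount order) is never consulted; and it inspects /tmp unconditionally, so a build that exports TMPDIR elsewhere, which is the workaround raised in this thread, is still rejected. The new block also deserves a comment stating that this is a check of the build host, not the target, since sanity.bbclass readers may otherwise assume the latter.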
> Alternatively, this is neater:
>
> os.statvfs("/tmp").f_flag & os.ST_NOEXEC
>
> Ross
>
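The two detection approaches discussed in this thread (parsing /proc/mounts versus Ross's `os.statvfs(...).f_flag & os.ST_NOEXEC`) and Qi's TMPDIR point, as an added example that is not part of the mail or of sanity.bbclass. The /proc/mounts sample below is constructed, the helper names are my own, and the parser goes beyond the patch by honouring mount order and nested mount points:

```python
import os
import tempfile

# Constructed sample of /proc/mounts (not captured from a real host). Fields
# are fs_spec fs_file fs_vfstype fs_mntops fs_freq fs_passno, as in fstab(5).
SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev,relatime 0 0
"""

# Same host after `mount -o remount,exec /tmp`: the later entry is the
# effective one, because /proc/mounts is listed in mount order.
SAMPLE_AFTER_REMOUNT = SAMPLE_PROC_MOUNTS + \
    "tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0\n"


def mount_options_for(path, mounts_text):
    """Return the effective option list of the mount holding `path`.

    The longest mount point that is a prefix of `path` wins, and among
    equal-length matches the last listed entry wins (mount order).
    """
    path = os.path.normpath(path)
    best = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # /proc/mounts escapes spaces in mount points as \040.
        fs_file = fields[1].replace("\\040", " ")
        if path == fs_file or path.startswith(fs_file.rstrip("/") + "/"):
            if best is None or len(fs_file) >= len(best[0]):
                best = (fs_file, fields[3].split(","))
    return best[1] if best else []


def is_noexec_from_mounts(path, mounts_text):
    """/proc/mounts based check, equivalent in spirit to the patch."""
    return "noexec" in mount_options_for(path, mounts_text)


def is_noexec_statvfs(path):
    """Ross's one-liner: the kernel reports the effective flags directly."""
    return bool(os.statvfs(path).f_flag & os.ST_NOEXEC)


def effective_tmpdir():
    """tempfile honours TMPDIR, so `export TMPDIR="${B}/tmp"` moves a
    build's temporary files off /tmp without touching the mount."""
    return tempfile.gettempdir()
```

Run `is_noexec_statvfs(effective_tmpdir())` rather than a hard-coded `/tmp` to check the directory a build will actually use.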
Thread overview: 7+ messages
2024-02-09 14:09 [PATCH] sanity.bbclass: raise_sanity_error if /tmp is noexec Michal Sieron
2024-02-09 15:57 ` [OE-core] " Ross Burton
2024-02-21 7:18 ` ChenQi [this message]
2024-02-21 9:48 ` Ross Burton
2024-02-21 10:08 ` Alexander Kanavin
2024-02-21 21:36 ` Randy MacLeod
2024-02-22 9:41 ` michalwsieron