| author | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-12-21 17:38:07 +0000 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-01-12 21:10:24 +0000 |
| commit | 60d25f278c9cc4d6288166aba4b5c8927d32f84c (patch) | |
| tree | 9d66658e3bd655f884baf86851552a8ec420b293 | |
| parent | 6a2dfdf27a6829df9f58e825af2f90f0297a3aa0 (diff) | |
| download | poky-60d25f278c9cc4d6288166aba4b5c8927d32f84c.tar.gz | |
bitbake: utils: Add disable_network function
Add a function which uses the unshare glibc call to disable networking
in the current process. This doesn't work on older distros/kernels
but does on more recent ones, so for now we simply ignore the cases
where it cannot be executed. uid/gid can be passed in externally so this can
work with pseudo/fakeroot contexts.
(Bitbake rev: 9d6341df611a1725090444f6f8eb0244aed08213)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | bitbake/lib/bb/utils.py | 31 |
1 files changed, 31 insertions, 0 deletions
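--- a/bitbake/lib/bb/utils.py
+++ b/bitbake/lib/bb/utils.py
@@ -27,6 +27,7 @@ import errno
 import signal
 import collections
 import copy
+import ctypes
 from subprocess import getstatusoutput
 from contextlib import contextmanager
 from ctypes import cdll
@@ -1595,6 +1596,36 @@ def set_process_name(name):
     except:
         pass
 
+def disable_network(uid=None, gid=None):
+    """
+    Disable networking in the current process if the kernel supports it, else
+    just return after logging to debug. To do this we need to create a new user
+    namespace, then map back to the original uid/gid.
+    """
+    libc = ctypes.CDLL('libc.so.6')
+
+    # From sched.h
+    # New user namespace
+    CLONE_NEWUSER = 0x10000000
+    # New network namespace
+    CLONE_NEWNET = 0x40000000
+
+    if uid is None:
+        uid = os.getuid()
+    if gid is None:
+        gid = os.getgid()
+
+    ret = libc.unshare(CLONE_NEWNET | CLONE_NEWUSER)
+    if ret != 0:
+        logger.debug("System doesn't suport disabling network without admin privs")
+        return
+    with open("/proc/self/uid_map", "w") as f:
+        f.write("%s %s 1" % (uid, uid))
+    with open("/proc/self/setgroups", "w") as f:
+        f.write("deny")
+    with open("/proc/self/gid_map", "w") as f:
+        f.write("%s %s 1" % (gid, gid))
+
 def export_proxies(d):
     """ export common proxies variables from datastore to environment """
     import os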
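Review bot: The `ret != 0` branch in disable_network discards errno, so the debug message `System doesn't suport disabling network without admin privs` (which also misspells "support") is logged for every cause — not only EPERM but also EINVAL when the kernel has no user-namespace support or ENOSPC when the namespace limit is hit — which makes a build that silently kept its network hard to diagnose. Load libc with `libc = ctypes.CDLL('libc.so.6', use_errno=True)` and log `logger.debug("unshare(CLONE_NEWNET|CLONE_NEWUSER) failed (errno %d), network not disabled", ctypes.get_errno())`. Once unshare() has returned 0 there is no way back out of the new namespaces here, so a failed write to `/proc/self/uid_map`, `setgroups` or `gid_map` raises out of the function with the process left in an unmapped user namespace; a comment such as `# Past this point the process is already in the new namespaces; a failed mapping write must propagate, the caller must not assume networking is still available` would make that intent explicit. The docstring could also state that the new network namespace contains only a down loopback device, so connections to 127.0.0.1 fail as well, and that uid/gid are parameters presumably because under pseudo/fakeroot os.getuid()/os.getgid() report the faked ids while the mapping needs the real ones — worth confirming against the callers.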
