2016-10-07 10:09 GMT+02:00 Philip Hands <p...@hands.com>:
> Paul Wise <p...@debian.org> writes:
>
> > On Thu, Oct 6, 2016 at 11:48 PM, Jérémy Lal wrote:
> >
> >> Is there some simple way to check, when using sbuild, that the build
> >> does not access the network?
> >
> > nsntrace could probably be used for this. I think lamby has another
> > method too.
>
> I only stumbled across 'firejail' recently, but it seems possible that
> one could run the build under it, to lock things down and/or get reports
> of naughtiness.
>
> I've not done more than install it really, but it trivially lets you run
> commands as though there were no network attached, and looking at the
> man page it looks like one can set up fine-grained blacklists of things
> you don't want to happen (so not only networking) and get errors logged
> if they do.
>
> Even if it's not possible to run it on buildds (it's SUID and needs
> linux >= 3.x), one might be able to use it to detect dodgy unit tests,
> and segregate them into only running when one can do so under firejail,
> say.
I tried building nodejs with firejail:

- it's not possible to run `firejail sbuild` right away (some config is
  probably needed)
- it's possible to run `firejail debuild` and it works pretty well.

It really doesn't authorize much, as many tests fail with

  Error: ENOTSUP: operation not supported on socket, uv_interface_addresses

There seems to be a way to configure firejail to be a little bit more
permissive, and it looks very straightforward to configure.

Thanks !

Jérémy
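As an added example (not code from this thread, from firejail or from the Debian tooling): one way to turn the approach above into a repeatable check is to run the build command under `firejail --net=none` so that it gets an unconnected network namespace, capture the build log, and then grep the log for the error strings that a network-dependent test typically leaves behind. The `sandboxed_build` and `scan_build_log` function names, and the error-pattern list, are this example's own choices; the sample log is constructed and modelled on the ENOTSUP message quoted in the reply, not a real build log. Running the firejail wrapper needs firejail installed; the log scan itself works anywhere.

```shell
#!/bin/sh
# Added example: sandbox a build without network and flag network errors
# in its log.  Names below are this example's own, not firejail's or
# Debian's.
set -e

# Run a build command inside firejail with an unconnected network
# namespace (--net=none) and keep everything it prints in $log.
# Usage: sandboxed_build <logfile> <command> [args...]
#   e.g. sandboxed_build build.log debuild -us -uc
sandboxed_build() {
    log="$1"; shift
    firejail --quiet --net=none "$@" >"$log" 2>&1
}

# Heuristic list of strings that show up when code tries to reach the
# network and cannot.  Extend it for the build system at hand.
NET_ERR_PATTERN='ENOTSUP|ENETUNREACH|EAI_AGAIN|Network is unreachable|Could not resolve host|Temporary failure in name resolution'

# Print the number of suspicious lines in a build log (0 if none).
# grep -c exits 1 when nothing matches, so mask that for set -e.
scan_build_log() {
    grep -cE "$NET_ERR_PATTERN" "$1" || true
}

# Constructed sample log (not a real nodejs build log), shaped like a
# TAP test run in which two tests needed the network.
write_sample_log() {
    cat >"$1" <<'EOF'
ok 1 test-fs-read
not ok 2 test-os
  Error: ENOTSUP: operation not supported on socket, uv_interface_addresses
not ok 3 test-http-fetch
  Error: getaddrinfo EAI_AGAIN example.invalid
ok 4 test-crypto
EOF
}

# Stand-alone demo on the constructed log (no firejail needed).
tmp=$(mktemp)
write_sample_log "$tmp"
echo "suspicious lines in sample log: $(scan_build_log "$tmp")"
rm -f "$tmp"
```

For a real run, `sandboxed_build build.log debuild -us -uc` followed by `scan_build_log build.log` gives a count to act on; a non-zero count is the cue to look at which tests broke and decide whether they should be skipped outside a sandbox, as suggested above. The pattern list is deliberately loose (ENOTSUP can have non-network causes), so treat hits as leads rather than proof.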