use firejail for builds

diff --git a/build.profile b/build.profile
new file mode 100644 (file)
index 0000000..cbf7b50
--- /dev/null
+++ b/build.profile
@@ -0,0 +1,25 @@
+quiet
+disable-mnt
+net none
+no3d
+noautopulse
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+shell none
+whitelist /home/sfr/bin
+whitelist /home/sfr/kernels/next/etc
+whitelist /home/sfr/kernels/next/tools
+whitelist /home/sfr/next
+read-only /home/sfr/bin
+read-only /home/sfr/kernels/next/etc
+read-only /home/sfr/kernels/next/tools
+x11 none
+private-dev
+#tracelog

diff --git a/do_build b/do_build
index 70cafc154cf216278ce0d5d7697fe2efda5c7192..a90373dc057d5cf6a4dec55b86a73374a743bb3a 100755 (executable)
--- a/do_build
+++ b/do_build
@@ -27,7 +27,7 @@ else
 fi
 obdir="$bparent/old/$tree"
 
-cmd="/bin/sh"
+cmd="firejail --profile=$bin_dir/build.profile /bin/sh"
 [ "$build_host" ] &&
        cmd="ssh root@$build_host unshare -n su $(id -u -n)"
 

diff --git a/do_last_build b/do_last_build
index 64e75853d267975d8e79a7954e4e985c24465970..80cfe3c98e22f34c639265064f50f3894a347bad 100755 (executable)
--- a/do_last_build
+++ b/do_last_build
@@ -4,7 +4,7 @@
 
 set -e
 
-cmd="/bin/sh"
+cmd="firejail --profile=$bin_dir/build.profile /bin/sh"
 [ "$build_host" ] &&
        cmd="ssh root@$build_host unshare -n su $(id -u -n)"