From: Stephen Rothwell
Date: Thu, 15 Nov 2018 05:39:29 +0000 (+1100)
Subject: use firejail for builds
X-Git-Url: https://git.ozlabs.org/?a=commitdiff_plain;h=e2b1ad956622c4b4b6d98e412013e433411c7aac;p=next-scripts

use firejail for builds
---
diff --git a/build.profile b/build.profile
new file mode 100644
index 0000000..cbf7b50
--- /dev/null
+++ b/build.profile
@@ -0,0 +1,25 @@
+quiet
+disable-mnt
+net none
+no3d
+noautopulse
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+shell none
+whitelist /home/sfr/bin
+whitelist /home/sfr/kernels/next/etc
+whitelist /home/sfr/kernels/next/tools
+whitelist /home/sfr/next
+read-only /home/sfr/bin
+read-only /home/sfr/kernels/next/etc
+read-only /home/sfr/kernels/next/tools
+x11 none
+private-dev
+#tracelog
diff --git a/do_build b/do_build
index 70cafc1..a90373d 100755
--- a/do_build
+++ b/do_build
@@ -27,7 +27,7 @@ else
 fi
 obdir="$bparent/old/$tree"
-cmd="/bin/sh"
+cmd="firejail --profile=$bin_dir/build.profile /bin/sh"
 [ "$build_host" ] && cmd="ssh root@$build_host unshare -n su $(id -u -n)"
diff --git a/do_last_build b/do_last_build
index 64e7585..80cfe3c 100755
--- a/do_last_build
+++ b/do_last_build
@@ -4,7 +4,7 @@ set -e
-cmd="/bin/sh"
+cmd="firejail --profile=$bin_dir/build.profile /bin/sh"
 [ "$build_host" ] && cmd="ssh root@$build_host unshare -n su $(id -u -n)"
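Review bot: The new build.profile sets `nonewprivs` and `noroot` but has no `seccomp` line, so code run during a build still has the full syscall surface; adding `seccomp` (and `private-tmp`, if the build does not need the host's /tmp) would tighten it, provided the toolchain runs under the default filter. The `whitelist` and `read-only` entries hard-code `/home/sfr`, so the profile only works for that account; firejail expands `${HOME}` in profiles, e.g. `whitelist ${HOME}/next`. A short header comment stating that `/home/sfr/next` is the only whitelisted path left writable, and why `tracelog` is commented out, would document the intended boundary.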
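Review bot: In do_build, the unchanged line right after the new `cmd=` assignment overwrites it whenever `$build_host` is set, so remote builds still run as `ssh root@… unshare -n su …` with no firejail profile; the sandbox added here covers local builds only. If that is intended, say so next to the assignment, e.g. `# firejail covers local builds only; remote builds rely on unshare -n`; otherwise the remote command needs its own sandbox step and a copy of build.profile on the build host. The same pair of lines appears in the do_last_build hunk. How `$cmd` is expanded later is outside the hunk; if it is word-split unquoted, a `$bin_dir` containing whitespace would break the `--profile=` argument.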
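Review bot: In do_last_build, `$bin_dir` is not assigned in the visible lines (the hunk starts at line 4, so it may be set above or inherited from the environment); if it is empty, firejail is pointed at `/build.profile`. `set -e` does not catch an unset variable, so a guard in the expansion makes the failure explicit: `cmd="firejail --profile=${bin_dir:?}/build.profile /bin/sh"`. The assignment is also a verbatim copy of the one in do_build, so a single shared definition would keep the two scripts from drifting apart.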