From e2b1ad956622c4b4b6d98e412013e433411c7aac Mon Sep 17 00:00:00 2001
From: Stephen Rothwell <sfr@canb.auug.org.au>
Date: Thu, 15 Nov 2018 16:39:29 +1100
Subject: [PATCH] use firejail for builds

---
 build.profile | 25 +++++++++++++++++++++++++
 do_build      |  2 +-
 do_last_build |  2 +-
 3 files changed, 27 insertions(+), 2 deletions(-)
 create mode 100644 build.profile

diff --git a/build.profile b/build.profile
new file mode 100644
index 0000000..cbf7b50
--- /dev/null
+++ b/build.profile
@@ -0,0 +1,25 @@
+quiet
+disable-mnt
+net none
+no3d
+noautopulse
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+shell none
+whitelist /home/sfr/bin
+whitelist /home/sfr/kernels/next/etc
+whitelist /home/sfr/kernels/next/tools
+whitelist /home/sfr/next
+read-only /home/sfr/bin
+read-only /home/sfr/kernels/next/etc
+read-only /home/sfr/kernels/next/tools
+x11 none
+private-dev
+#tracelog
diff --git a/do_build b/do_build
index 70cafc1..a90373d 100755
--- a/do_build
+++ b/do_build
@@ -27,7 +27,7 @@ else
 fi
 obdir="$bparent/old/$tree"
 
-cmd="/bin/sh"
+cmd="firejail --profile=$bin_dir/build.profile /bin/sh"
 [ "$build_host" ] &&
 	cmd="ssh root@$build_host unshare -n su $(id -u -n)"
 
diff --git a/do_last_build b/do_last_build
index 64e7585..80cfe3c 100755
--- a/do_last_build
+++ b/do_last_build
@@ -4,7 +4,7 @@
 
 set -e
 
-cmd="/bin/sh"
+cmd="firejail --profile=$bin_dir/build.profile /bin/sh"
 [ "$build_host" ] &&
 	cmd="ssh root@$build_host unshare -n su $(id -u -n)"
 
-- 
2.39.5