make.sh: Create lots more namespaces when we enter the chroot

This allows us to protect the host system a little bit more from the host system by decoupling all namespaces. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-27 19:23:24 +02:00 · 2024-07-04 17:09:53 +00:00
parent 99ce7cd2ce
commit 98ce3c7688
1 changed files with 31 additions and 1 deletions
--- a/make.sh
+++ b/make.sh
@@ -504,7 +504,37 @@ enterchroot() {
 		PATH="${CUSTOM_PATH}:${PATH}"
 	fi

-	PATH="${PATH}" chroot ${LFS} env -i \
+	# Configure a new namespace
+	local unshare=(
+		# Create a new cgroup namespace
+		"--cgroup"
+
+		# Create a new IPC namespace
+		"--ipc"
+
+		# Create a new mount namespace
+		"--mount"
+
+		# Create a new PID namespace and fork
+		"--pid"
+		"--fork"
+
+		# Create a new time namespace
+		"--time"
+
+		# Create a new UTS namespace
+		"--uts"
+
+		# Mount /proc so that the build environment does not see
+		# any foreign processes.
+		"--mount-proc=${LFS}/proc"
+	)
+
+	PATH="${PATH}" \
+	unshare \
+		"${unshare[@]}" \
+	chroot "${LFS}" \
+	env -i \
 		HOME="/root" \
 		TERM="${TERM}" \
 		PS1="${PS1}" \