bst-here: Mitigate permission issuesbst-here-permissions

author: Tristan Maat <tristan.maat@codethink.co.uk> 2017-11-28 18:10:27 +0000
committer: Tristan Maat <tristan.maat@codethink.co.uk> 2017-11-29 10:52:09 +0000
commit: 546e7b3c45eadf91be82be97b39251afc6f276fb (patch)
tree: 1411fde1038ec8c2fe1012e01cfa73100b3c377b /contrib
parent: 3934ce81a29078495ec72c10577f998de1c2f6f5 (diff)
download: buildstream-546e7b3c45eadf91be82be97b39251afc6f276fb.tar.gz
1 files changed, 10 insertions, 2 deletions
diff --git a/contrib/bst-here b/contrib/bst-here
index 6b4e6b2f7..153d520f7 100755
--- a/contrib/bst-here
+++ b/contrib/bst-here
@@ -64,11 +64,19 @@ else
     command="/usr/bin/bst $@"
 fi
 
+# FIXME: We run with --privileged to allow bwrap to mount system
+#        directories, but this is overkill. We should add the correct
+#        --cap-add calls, or seccomp settings, but we are not sure
+#        what those are yet.
+#
+#        Old settings:
+#          --cap-add SYS_ADMIN
+#          --security-opt seccomp=unconfined
+#
 exec docker run --rm -i${is_tty:+ -t} \
-                --cap-add SYS_ADMIN \
+                --privileged \
                 --env PS1="$BST_HERE_PS1" \
                 --device /dev/fuse \
-                --security-opt seccomp=unconfined \
                 --volume buildstream-cache:/root/.cache/buildstream \
                 --volume buildstream-config:/root/.config \
                 --volume "$PWD":/src \
author	Tristan Maat <tristan.maat@codethink.co.uk>	2017-11-28 18:10:27 +0000
committer	Tristan Maat <tristan.maat@codethink.co.uk>	2017-11-29 10:52:09 +0000
commit	546e7b3c45eadf91be82be97b39251afc6f276fb (patch)
tree	1411fde1038ec8c2fe1012e01cfa73100b3c377b /contrib
parent	3934ce81a29078495ec72c10577f998de1c2f6f5 (diff)
download	buildstream-546e7b3c45eadf91be82be97b39251afc6f276fb.tar.gz