make.sh: Create lots more namespaces when we enter the chroot

This allows us to protect the host system a little bit more from the
host system by decoupling all namespaces.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/make.sh b/make.sh
index afd117b63386460f0798fc6a50ccb2793f145130..a7e5c26035a18bfc52b264e4f4768b8099699389 100755 (executable)
--- a/make.sh
+++ b/make.sh
@@ -504,7 +504,37 @@ enterchroot() {
                PATH="${CUSTOM_PATH}:${PATH}"
        fi
 
-       PATH="${PATH}" chroot ${LFS} env -i \
+       # Configure a new namespace
+       local unshare=(
+               # Create a new cgroup namespace
+               "--cgroup"
+
+               # Create a new IPC namespace
+               "--ipc"
+
+               # Create a new mount namespace
+               "--mount"
+
+               # Create a new PID namespace and fork
+               "--pid"
+               "--fork"
+
+               # Create a new time namespace
+               "--time"
+
+               # Create a new UTS namespace
+               "--uts"
+
+               # Mount /proc so that the build environment does not see
+               # any foreign processes.
+               "--mount-proc=${LFS}/proc"
+       )
+
+       PATH="${PATH}" \
+       unshare \
+               "${unshare[@]}" \
+       chroot "${LFS}" \
+       env -i \
                HOME="/root" \
                TERM="${TERM}" \
                PS1="${PS1}" \