obs-packaging: install images as read-only files
In order to improve the security of Kata, nothing should be able to modify the images. It would be really bad if a malicious container or process modified them. fixes #631 Signed-off-by: Julio Montes <julio.montes@intel.com>
parent
3df25f25b7
commit
54f37864f6
@ -9,8 +9,8 @@ override_dh_auto_install:
|
||||
tar xzf /usr/src/packages/SOURCES/kata-containers.tar.gz -C /usr/src/packages/SOURCES/ ; \
|
||||
image=$$(find /usr/src/packages/SOURCES/ -type f -name '*.img') ; \
|
||||
initrd=$$(find /usr/src/packages/SOURCES/ -type f -name '*.initrd') ; \
|
||||
install -D $${image} ./debian/kata-containers-image/usr/share/kata-containers/ ; \
|
||||
install -D $${initrd} ./debian/kata-containers-image/usr/share/kata-containers/ ; \
|
||||
install -m 0400 -D $${image} ./debian/kata-containers-image/usr/share/kata-containers/ ; \
|
||||
install -m 0400 -D $${initrd} ./debian/kata-containers-image/usr/share/kata-containers/ ; \
|
||||
ln -s /usr/share/kata-containers/$$(basename $${image}) \
|
||||
./debian/kata-containers-image/usr/share/kata-containers/kata-containers.img ; \
|
||||
ln -s /usr/share/kata-containers/$$(basename $${initrd}) \
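Review bot: The `-m 0400` on the two `install` lines inside `override_dh_auto_install` will probably not survive into the built .deb, because `dh_fixperms` runs later in the default `dh` sequence and normalises modes in the package tree (roughly `chmod go=rX,u+rw,a-s`), which widens 0400 back to 0644. Unless the rules file already handles this outside the hunk, add an `override_dh_fixperms:` target whose recipe is `dh_fixperms -Xusr/share/kata-containers`, and confirm the recorded modes with `dpkg-deb -c` on the built package. Mode bits also only stop non-owner writers: root, or anything able to replace the file or the `kata-containers.img` symlink through the directory, is not constrained, so the goal stated in the commit message needs package verification or a verified image on top. The recipe chains commands with `; \`, so a failed `install` does not stop the build and the following `ln -s` would leave a dangling link; `set -e` at the start of the recipe, or `&&` chaining, would catch that.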
|
||||
|
@ -28,8 +28,8 @@ tar xfz kata-containers.tar.gz
|
||||
image=$(find ${PWD} -type f -name '*.img')
|
||||
initrd=$(find ${PWD} -type f -name '*.initrd')
|
||||
popd
|
||||
install -p "${image}" ${ImageDir}/
|
||||
install -p "${initrd}" ${ImageDir}/
|
||||
install -m 0400 -p "${image}" ${ImageDir}/
|
||||
install -m 0400 -p "${initrd}" ${ImageDir}/
|
||||
ln -s /usr/share/kata-containers/$(basename "${image}") ${ImageDir}/kata-containers.img
|
||||
ln -s /usr/share/kata-containers/$(basename "${initrd}") ${ImageDir}/kata-containers-initrd.img
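Review bot: The mode set by `install -m 0400 -p` only reaches installed systems if the `%files` section, which is outside this hunk, does not override it through `%defattr` or `%attr`; pinning it there with `%attr(0400,root,root)` on the two image paths would make the intent explicit and independent of the build user. 0400 also removes read access for every non-owner, so if the hypervisor is ever started as a non-root user it would presumably fail to open the image, whereas `0444` gives the same write protection without that coupling. `${ImageDir}` is left unquoted on both new lines while `"${image}"` is quoted; `"${ImageDir}/"` would be consistent. Running `rpm -V` against the installed image package is a cheap way to detect later mode or content changes.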
|
||||
|
||||
|