Add a ld-preload library to forbid network access (!139) · Merge requests · freedesktop-sdk / Infrastructure / freedesktop-sdk-docker-images

To work-around missing featue in BuildStream to disable remote cache, we need to forbid network access to some calls to BuildStream.

See upstream Buildstream issue:

Unfortunately:

unshare --net requires root.
unshare --net --map-current-user loses setuid on fusermount.
unshare --net --map-root-user get wrong permissions on some created files, and messes with configuration paths.
fakeroot unshare --net messes with too many things that we do not want.

So the easiest is to just catch calls to connect.

Edited Sep 14, 2020 by Javier Jardón

Add a ld-preload library to forbid network access