author: Michael Schroeder <mls@suse.de> 2016-09-19 12:59:35 +0200
committer: Michael Schroeder <mls@suse.de> 2016-09-19 13:02:41 +0200
commit: 346b96dbaa1b65d9632724c1f2963b4735594b26
tree: 321d42acabf5e72736b049f5f8ddafece609f8c9 /build.conf.example
parent: d92b95aa9be3c935a3ee2abb001f141192cda78e
Add optional whitelisting for allowed buildroots and parameters
Based on a patch from Matias Hilden and Juha Kallioinen. Can be used to make multi-user environments more secure. Does not change functionality if /etc/obs/build.conf is not present on system.
Diffstat (limited to 'build.conf.example')
-rw-r--r-- build.conf.example 27
1 files changed, 27 insertions, 0 deletions
diff --git a/build.conf.example b/build.conf.example
new file mode 100644
index 0000000..6f85a6d
--- /dev/null
+++ b/build.conf.example
@@ -0,0 +1,27 @@
+# Example configuration for buildroot and parameter whitelisting.
+# Can be used to make multi-user environments more secure. Everything is
+# allowed by default if no whitelist is defined.
+#
+# List of whitelisted build roots.
+# %user will be replaced with $SUDO_USER (or $USER when running without sudo)
+#
+# ALLOW_BUILD_ROOT: /var/tmp/%user/build-root
+# ALLOW_BUILD_ROOT: /var/tmp/build-root
+
+# List of whitelisted parameters. Allowed parameters
+# must be listed in double dash format.
+#
+# ALLOW_PARAM: --arch
+# ALLOW_PARAM: --changelog
+# ALLOW_PARAM: --clean
+# ALLOW_PARAM: --dist
+# ALLOW_PARAM: --jobs
+# ALLOW_PARAM: --noinit
+# ALLOW_PARAM: --norootforbuild
+# ALLOW_PARAM: --root
+# ALLOW_PARAM: --rpmlist
+#
+# Specific parameter arguments can be whitelisted (other arguments
+# are not allowed in that case):
+#
+# ALLOW_PARAM: --jobs 1
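Review bot: The argument-specific form at the end of the file (`# ALLOW_PARAM: --jobs 1`) leaves precedence undefined when the same option is also listed bare, as `# ALLOW_PARAM: --jobs` is a few lines above. The comment should say which entry wins, and the sample should not show both forms for one option, since an admin who uncomments the whole list would expect `--jobs` to be pinned to 1. The ALLOW_BUILD_ROOT comment should also state how a requested root is compared with the list (exact string or prefix, before or after resolving symlinks and `..`), because the sample paths sit under /var/tmp and `--root` is itself in the parameter list. Lastly, "Everything is allowed by default if no whitelist is defined" should say whether defining only one of the two lists leaves the other unrestricted.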