Patchwatcher security improvements

Ambroz Bizjak ambro at b4ever.net
Wed Sep 10 11:04:53 CDT 2008


Dan Kegel wrote:
> So the slave can be in another real machine, another virtual machine, or 
> running as another user; anything as long as it can get read/write access to 
> its subdirectory of the shared directory.

The problem with your design right now is that you want to run the slave in 
some isolated environment and expect it to be secure. The build slave itself 
is a mission-critical process and putting it in a quarantine to run together 
with untrusted code allows malicious patches to interfere with its operation. 
This means an attacker can just kill it from inside his patch, causing the 
whole patch building operation to fail, or corrupt the baseline tree, or send 
hundreds of fake emails through the slave interface.
So I plan to run the build slave itself in a trusted environment, but make it 
quarantine individual build operations (similar to my previous design with 
user switching). This way the impact of an attack is highly limited - all it 
can theoretically do is fake his own patch results.
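As an added illustration of the split described above (a trusted build slave that quarantines each individual build operation rather than being quarantined itself), the following script is not patchwatcher's code and every function name in it is mine. It stands in for the user switching the post mentions with a per-build scratch copy of the baseline tree, a minimal environment, rlimits and a timeout; the slave derives the verdict only from the build's exit status and checks afterwards that its baseline tree is untouched, so a hostile build can at most fake its own result.

```python
# Added illustration of a trusted build slave that quarantines each build
# operation; not patchwatcher's code, helper names are assumptions of mine.
import hashlib
import os
import resource  # Unix only: used for the child's rlimits
import shutil
import subprocess
import tempfile


def _limit_child():
    """Runs in the child just before exec: cap CPU seconds and output file
    size so a runaway build cannot starve the slave (rlimits stand in here
    for the uid switching the post describes)."""
    for res, limit in ((resource.RLIMIT_CPU, 10),
                       (resource.RLIMIT_FSIZE, 50 * 1024 * 1024)):
        try:
            resource.setrlimit(res, (limit, limit))
        except (ValueError, OSError):
            pass  # platform refuses this limit; keep going without it


def tree_manifest(root):
    """Map relative path -> sha256 of every file below root, so the slave can
    verify that its baseline tree survived the build untouched."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root)] = digest
    return manifest


def run_quarantined_build(baseline_dir, build_cmd, timeout=30):
    """Trusted side: copy the baseline into a scratch dir, run the untrusted
    build there under limits and a timeout, decide the verdict from the exit
    status (never from anything the build wrote), then discard the scratch."""
    before = tree_manifest(baseline_dir)
    workdir = tempfile.mkdtemp(prefix="build-")
    scratch = os.path.join(workdir, "src")
    shutil.copytree(baseline_dir, scratch)
    env = {"PATH": "/usr/bin:/bin", "HOME": workdir}  # no slave secrets leak in
    try:
        proc = subprocess.run(["sh", "-c", build_cmd], cwd=scratch, env=env,
                              capture_output=True, timeout=timeout,
                              preexec_fn=_limit_child)
        status = "ok" if proc.returncode == 0 else "fail"
        log = proc.stdout.decode(errors="replace")
    except subprocess.TimeoutExpired:
        status, log = "timeout", ""
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return {"status": status, "log": log,
            "baseline_intact": tree_manifest(baseline_dir) == before}


def demo():
    """Run three constructed builds against a throwaway baseline tree."""
    baseline = tempfile.mkdtemp(prefix="baseline-")
    try:
        with open(os.path.join(baseline, "hello.c"), "w") as fh:
            fh.write("int main(void) { return 0; }\n")
        results = {
            "benign": run_quarantined_build(baseline, "test -f hello.c"),
            # hostile build wrecks its working copy, then claims success
            "hostile": run_quarantined_build(
                baseline, "rm -rf ./* && echo PASS && exit 0"),
            # runaway build is cut off by the slave's timeout
            "runaway": run_quarantined_build(baseline, "exec sleep 30",
                                             timeout=2),
        }
    finally:
        shutil.rmtree(baseline, ignore_errors=True)
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r["status"], "baseline intact:", r["baseline_intact"])
```

The hostile build still reports "ok" because it exited 0; that is exactly the residual risk the post accepts (the patch can only fake its own result), while the baseline tree, the slave process and its mail interface stay out of the build's reach.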

More information about the wine-devel mailing list