[sf-lug] specialized tools for building distro packages in chroot (Re: chroot(2): Re: Sandboxing Zoom (etc.))

Michael Paoli Michael.Paoli at cal.berkeley.edu
Sat Jun 13 06:13:08 PDT 2020


> From: "Rick Moen" <rick at linuxmafia.com>
> Subject: Re: [sf-lug] chroot(2): Re:  Sandboxing Zoom (etc.)
> Date: Fri, 12 Jun 2020 04:36:40 -0700

> Quoting Michael Paoli (Michael.Paoli at cal.berkeley.edu):
>
> [...]
>
>> And, ldd(1) and strace(1) come in quite handy for determining what's
>> needed and/or why it doesn't (quite) work.
>
> ltrace(1) is also useful, tracing library calls (as strace traces
> syscalls).
>
> Possibly of interest:
> http://www.wiredyne.com/software/chrootbuilder.html
>
> There are also a whole lot of specialised tools for building distro
> packages in chroot envs.

Yes, many of those tools have a quite useful purpose not
particularly aimed at security.  Notably testing/verifying
what needs be present from the distro and packages for a
given package to generally successfully run.
E.g. if a chroot is set up having nothing but distro
required packages + packages required by the target
package, does the target package still pass all the
tests, including regression tests?
That's a pretty good check - for the vast majority of
packages.  There will be some, however, that will require a
more fully emulated environment, or in some cases,
very good emulation of specific hardware, or actual specific
physical hardware.
However, there may be useful overlaps, notably in determining,
at least to some extent, what's required in the chroot for
the package to function properly.  But most such tools won't,
for example, determine file-by-file what's not required (e.g.
a "required" part of the distro that's not needed for the
package in the chroot), nor determine bare minimum permissions
needed on what's otherwise needed in the chroot.

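An added example, not code from either poster, of the ldd(1)/strace(1)
bookkeeping discussed above in Python: seed the list of required files from
ldd, then run the package's tests under `strace -f -e trace=file -o log`
inside the chroot and compare the log against the chroot's file list.  That
gives three things the thread says the packaging tools mostly don't: which
files the program looked for and did not find (ENOENT), which files in the
chroot it never touched (file-by-file "not required" candidates), and
whether anything ldd says is needed is absent.  The ldd output, strace log
and chroot file list below are constructed samples, not captured from a real
system; the program name /usr/bin/hello and its data file are made up.

```python
"""Compare what a program actually opens (strace) with what is in a chroot."""
import re

# --- Constructed sample data (not real captures) -------------------------
LDD_OUTPUT = """\
\tlinux-vdso.so.1 (0x00007ffd1c3f2000)
\tlibz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f1a2b8d0000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2b6de000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f1a2b8fc000)
"""

# As produced by: strace -f -e trace=file -o log /usr/bin/hello  (constructed)
STRACE_OUTPUT = """\
12345 execve("/usr/bin/hello", ["/usr/bin/hello"], 0x7ffc2a3b1c40 /* 10 vars */) = 0
12345 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
12345 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
12345 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libz.so.1", O_RDONLY|O_CLOEXEC) = 3
12345 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
12345 openat(AT_FDCWD, "/usr/share/hello/greeting.txt", O_RDONLY) = -1 ENOENT (No such file or directory)
12345 stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2294, ...}) = 0
12345 +++ exited with 1 +++
"""

# e.g. from: find /srv/chroot -type f | sed 's|^/srv/chroot||'  (constructed)
CHROOT_FILES = {
    "/usr/bin/hello", "/etc/ld.so.cache", "/etc/localtime", "/etc/nsswitch.conf",
    "/lib/x86_64-linux-gnu/libz.so.1", "/lib/x86_64-linux-gnu/libc.so.6",
    "/lib64/ld-linux-x86-64.so.2", "/usr/share/doc/hello/README",
}

# One "strace -f -e trace=file" line: optional pid prefix, syscall name, first
# quoted path argument (skipping openat's AT_FDCWD dirfd), return value and,
# on failure, the errno name.  "+++ exited +++", "--- SIGCHLD ---" and
# "<unfinished ...>" lines deliberately do not match.
STRACE_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+|\d+\s+)?'   # optional pid prefix
    r'(\w+)\('                         # syscall name
    r'(?:AT_FDCWD,\s*)?"([^"]*)"'      # first quoted path
    r'.*\)\s*=\s*(-?\d+)'              # return value
    r'(?:\s+(E[A-Z0-9]+))?'            # errno name on failure
)


def parse_ldd(text):
    """Return (resolved, unresolved): absolute library paths ldd printed, and
    sonames it reported as 'not found'.  The loader line (no '=>') is kept:
    the kernel maps ld.so at execve time, so it never appears as an open()
    in the strace log and a strace-only diff would wrongly call it unused."""
    resolved, unresolved = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if " => " in line:
            soname, target = line.split(" => ", 1)
            if target.startswith("not found"):
                unresolved.add(soname.strip())
            elif target.startswith("/"):
                resolved.add(target.split()[0])
        elif line.startswith("/"):
            resolved.add(line.split()[0])
        # anything else (linux-vdso.so.1) is kernel-provided; no file needed
    return resolved, unresolved


def parse_strace_files(text):
    """Return (accessed, missing): absolute paths whose file syscall succeeded,
    and absolute paths the program asked for that do not exist (ENOENT)."""
    accessed, missing = set(), set()
    for line in text.splitlines():
        m = STRACE_RE.match(line)
        if not m:
            continue
        _syscall, path, ret, errno = m.groups()
        if not path.startswith("/"):
            continue  # relative paths depend on cwd; resolve those separately
        if int(ret) >= 0:
            accessed.add(path)
        elif errno == "ENOENT":
            missing.add(path)
    return accessed, missing


def chroot_report(chroot_files, ldd_text, strace_text, baseline_missing=frozenset()):
    """baseline_missing: ENOENT paths seen when running on the host too
    (e.g. /etc/ld.so.preload), so they are not a chroot defect."""
    libs, unresolved = parse_ldd(ldd_text)
    accessed, missing = parse_strace_files(strace_text)
    required = accessed | libs
    return {
        "required": required,
        "missing": (missing - set(baseline_missing)) | unresolved,  # copy in
        "unused": set(chroot_files) - required,                     # candidates to drop
        "absent_required": required - set(chroot_files),            # should be empty
    }


if __name__ == "__main__":
    report = chroot_report(CHROOT_FILES, LDD_OUTPUT, STRACE_OUTPUT,
                           baseline_missing={"/etc/ld.so.preload"})
    for key in ("required", "missing", "unused", "absent_required"):
        print(f"{key}:")
        for path in sorted(report[key]):
            print(f"  {path}")
```

"unused" is only a candidate list: one traced run covers one code path, so
run the whole test suite under strace, merge the logs, and expect some files
(nsswitch.conf, locale and timezone data) to be touched only on certain
inputs; the ld.so caveat in parse_ldd is the kind of thing a naive diff gets
wrong.  It says nothing about permissions, which still have to be tightened
and re-tested by hand.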