Mount a new tmpfs on /tmp and drop all capabilities

This mounts a new tmpfs on /tmp so any files residing there would be hidden from the sandbox. Many programs store some files in there that might be useful to an attacker.

It also drops all capabilities incase it is ever run with extra capabilities for whatever reason.

enabled an automatic merge when the pipeline for a197e7b3 succeeds

@madaidan Please enable the shared CI runners in your fork, via Settings -> CI/CD -> Runners -> Enable shared Runners, and force push this branch afterwards. Thank you!

I've enabled the shared CI runners but how do I force push it? I've never done this before.

@madaidan Thanks -- it's not that important anymore, as the CI jobs were executed in the meantime. Thank you!

added 1 commit

• c79e673b - Update subprocess.py

Compare with previous version

Is there a way to make the tests skip the "B108" test? It doesn't apply for this.

Sure, just edit the .gitlab-ci.yml file :)

added 1 commit

• 24f17f06 - Skip B108

Compare with previous version

Thanks!

Why is the pipeline still failing? Does MAT2 uses /tmp for tests?

It seems that something is wrong with the runner, and I can't relaunch the pipeline, meh.

Manually merged via 58773088.

Thanks you very much!

closed

mentioned in merge request !80 (merged)