In https://pagure.io/fesco/issue/2004 mizdebsk worries that enabling the pm request mock extension on Fedora build systems (copr and koji) would lead to evil, and that attackers could use it to convince mock to pass dangerous commands to dnf.
One could (and will) add some argument filtering mock-side, but that assumes mock devs are perfectly aware of all the settings added to dnf over time, and identify the dangerous combinations correctly and in a timely manner.
Therefore, from a security point of view, doing it at the mock level is a losing situation.
Please add a security jail setting to dnf, that could be put in the *repo files mock uses, and basically forbids dnf from doing anything except:
* installing/upgrading packages to the mock chroot or container from the repositories configured in the *repo files
* executing the corresponding scriptlets with the mock chroot or container
And that, no matter what CLI parameter overrides an attacker manages to get passed to dnf.
Regardless of what FESCo decides in the pagure ticket, the same config is running on packager systems today. The mock on those systems is Fedora's first line of defense against compromised upstream sources, so it needs to be secured properly.
Please email@example.com can you look at the request?
So, to build on the ideas raised in https://pagure.io/fesco/issue/2004 and https://github.com/rpm-software-management/mock/issues/218:
Have a safe/restricted/secure dnf switch with a directory as the switch argument that basically says:
"from now on only take into account the dnf config/repo files in directory, only perform install/updates, only use packages taken from the repos defined here, ignore any further argument that says otherwise"
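
A default-deny model of the restricted mode requested in this ticket, as an added example that is not part of the original discussion and is not dnf or mock code. The allowlists and the `check_request` helper are assumptions, and the model refuses a request outright where the proposal says "ignore".

```python
# Added illustration: models the requested restricted mode as a default-deny
# check. Not dnf or mock code; the allowlists below are assumptions.
from typing import List, NamedTuple

ALLOWED_COMMANDS = {"install", "upgrade", "update"}  # "only perform install/updates"
ALLOWED_OPTIONS = {"-y", "--assumeyes"}              # assumed minimal option set


class Verdict(NamedTuple):
    allowed: bool
    reason: str


def check_request(argv: List[str]) -> Verdict:
    """Judge a dnf argument list (without the leading 'dnf')."""
    command = None
    specs = []
    for arg in argv:
        if arg.startswith("-"):
            # Default deny: an option added to dnf after this list was written
            # is refused without anyone having to know what it does.
            if arg not in ALLOWED_OPTIONS:
                return Verdict(False, f"option not on allowlist: {arg}")
        elif command is None:
            if arg not in ALLOWED_COMMANDS:
                return Verdict(False, f"command not on allowlist: {arg}")
            command = arg
        elif "://" in arg or arg.endswith(".rpm"):
            # dnf also accepts URLs and local .rpm files as install arguments;
            # those bypass the configured repositories, so refuse them.
            return Verdict(False, f"not a repository package spec: {arg}")
        else:
            specs.append(arg)
    if command is None:
        return Verdict(False, "no command given")
    if command == "install" and not specs:
        return Verdict(False, "install needs at least one package spec")
    return Verdict(True, "ok")


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real build.
    for sample in (["install", "-y", "gcc"],
                   ["install", "--option-added-later=1", "gcc"],
                   ["remove", "glibc"],
                   ["install", "https://example.invalid/x.rpm"]):
        print(sample, "->", check_request(sample))
```

Because the check is an allowlist, it does not depend on anyone tracking which settings dnf gains over time, which is the weakness of mock-side filtering raised in the report.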