Make virt scratch dir only conditionally 777, fix null isolation, etc.

  • autopkgtest-virt-* scratchdir is mode 777 (no longer 1777) iff we are advertising isolation. This fixes a security vulnerability.
  • autopkgtest-virt-null no longer advertises isolation-machine.

Supporting changes:

  • New --fake-capabilities option on autopkgtest-virt-null, to help people whose use case needs it. (Eg, using autopkgtest-virt-null inside some larger container or VM.)
  • A bit of refactoring and tidying.

From https://salsa.debian.org/ci-team/autopkgtest/-/issues/11#note_604032, this is items 1 and 2. They must be combined because otherwise the new check in the downtmp code triggers inside autopkgtest-virt-null.

Edited by Ian Jackson
