When using namespaces, permit leaving some capabilities in the
sandbox. This can be helpful to run a system instance of systemd.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #101
Approved by: alexlarsson
In scenarios such as running bwrap in test frameworks (`bwrap make check`),
one wants all of the processes to go away if the parent process
dies, or if the bwrap process is directly killed.
This ensures that in all cases (both with `--unshare-pid` and without), we use
`prctl(PR_SET_PDEATHSIG)` on both our outer and inner init processes if
`--die-with-parent` is specified.
Tests-by: Colin Walters <walters@verbum.org>
Closes: #165
Approved by: emdej
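The mechanism behind `--die-with-parent`, as an added illustration (not bubblewrap's own code): a child arms `PR_SET_PDEATHSIG` with SIGTERM, its parent exits, and the child is killed. The example also shows the caveat a practitioner needs: the death signal is only delivered for a parent that dies after `prctl()` was called, so the child must compare `getppid()` with the pid its parent had before `fork()` to close that race. The top-level process sets `PR_SET_CHILD_SUBREAPER` purely so it can `waitpid()` the orphaned grandchild and report how it died; `demo_die_with_parent` and the pipe-based handshake are this example's own constructs.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Spawn an intermediate "parent" which in turn spawns a child that arms
 * PR_SET_PDEATHSIG with SIGTERM (the mechanism behind --die-with-parent).
 * The parent then exits and we return the signal the child died from.
 * Returns -1 on setup failure, 0 if the child exited normally instead. */
int demo_die_with_parent(void)
{
    int pidpipe[2], readypipe[2];
    pid_t child, mid;
    int status;

    if (pipe(pidpipe) != 0 || pipe(readypipe) != 0)
        return -1;
    /* Become a subreaper so the orphaned child is reparented to us and
     * waitpid() below can collect its exit status (Linux 3.4+). */
    if (prctl(PR_SET_CHILD_SUBREAPER, 1, 0, 0, 0) != 0)
        return -1;

    mid = fork();
    if (mid < 0)
        return -1;
    if (mid == 0) {
        /* Intermediate parent: remember our own pid for the race check. */
        pid_t parent_pid = getpid();
        pid_t c = fork();
        if (c < 0)
            _exit(1);
        if (c == 0) {
            char ready = 1;
            /* Ask the kernel to SIGTERM us when the parent thread exits. */
            if (prctl(PR_SET_PDEATHSIG, SIGTERM, 0, 0, 0) != 0)
                _exit(2);
            /* Close the race: the parent may already have died between
             * fork() and prctl(); if so no signal will ever arrive. */
            if (getppid() != parent_pid)
                _exit(3);
            if (write(readypipe[1], &ready, 1) != 1)
                _exit(4);
            for (;;)
                pause();   /* wait to be killed by the death signal */
        }
        /* Tell the top level which pid to wait for, block until the child
         * has armed its death signal (or exited), then die ourselves. */
        close(readypipe[1]);
        if (write(pidpipe[1], &c, sizeof c) != (ssize_t) sizeof c)
            _exit(5);
        read(readypipe[0], &status, 1);
        _exit(0);
    }

    close(readypipe[1]);
    close(pidpipe[1]);
    if (read(pidpipe[0], &child, sizeof child) != (ssize_t) sizeof child)
        return -1;
    if (waitpid(mid, &status, 0) != mid)
        return -1;
    /* The child is now our child (subreaper); collect how it ended. */
    if (waitpid(child, &status, 0) != child)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    int sig = demo_die_with_parent();
    printf("child died from signal %d (SIGTERM is %d)\n", sig, SIGTERM);
    return sig == SIGTERM ? 0 : 1;
}
```

Note that the death signal is tied to the parent thread, not the parent process: if the thread that called `fork()` exits while the rest of the parent lives on, the child still receives the signal, which is one reason to arm it from a single-threaded init process as the commit does.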
This means we stay compatible with apps using the old bwrap, yet
still makes it easy to avoid CVE-2017-5226 in apps using bwrap.
Also, recommend that applications not using --new-session should
use a seccomp filter for the TIOCSTI ioctl to avoid the input
injection issue.
Closes: #154
Approved by: cgwalters
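The seccomp filter recommended above, as an added example (not bubblewrap's own code): a classic-BPF program that lets every syscall through except `ioctl()` with a request of `TIOCSTI`, which fails with EPERM, so a sandboxed process cannot push keystrokes into the controlling terminal's input queue. `tiocsti_errno_in_child` is a helper constructed for this example that runs the probe in a forked child and reports the errno it observed; the filter assumes a little-endian x86_64, aarch64 or i386 target (it compares the low 32 bits of `args[1]`) and a kernel that permits unprivileged seccomp after `PR_SET_NO_NEW_PRIVS`.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define SECCOMP_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Classic BPF program: allow every syscall except ioctl(fd, TIOCSTI, ...),
 * which fails with EPERM. The request code is read from the low 32 bits
 * of args[1], which is where it lives on little-endian targets. */
static struct sock_filter tiocsti_filter[] = {
    /* 0-1: check the syscall ABI; kill on mismatch (compat ABIs) */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 0, 6),
    /* 2-3: load the syscall number; anything but ioctl is allowed */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),
    /* 4-5: load the ioctl request; anything but TIOCSTI is allowed */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[1])),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 0, 1),
    /* 6: deny TIOCSTI with EPERM */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    /* 7: allow */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    /* 8: wrong ABI */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
};

/* Install the filter in the calling process; returns 0 on success. */
int install_tiocsti_filter(void)
{
    struct sock_fprog prog = {
        .len = sizeof(tiocsti_filter) / sizeof(tiocsti_filter[0]),
        .filter = tiocsti_filter,
    };
    /* Required for an unprivileged process to load a seccomp filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Constructed probe: run ioctl(fd, TIOCSTI, "x") in a forked child, with
 * or without the filter, and return the errno the child saw (0 if the
 * ioctl succeeded, -1 if the filter could not be installed, -2 on
 * fork/wait failure). Use a non-tty fd so an unfiltered run cannot
 * actually inject input. */
int tiocsti_errno_in_child(int fd, int with_filter)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -2;
    if (pid == 0) {
        char c = 'x';
        if (with_filter && install_tiocsti_filter() != 0)
            _exit(255);
        errno = 0;
        if (ioctl(fd, TIOCSTI, &c) == 0)
            _exit(0);
        _exit(errno & 0xff);
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -2;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

int main(void)
{
    int fd = open("/dev/null", O_RDONLY);
    printf("without filter: errno %d (ENOTTY is %d)\n",
           tiocsti_errno_in_child(fd, 0), ENOTTY);
    printf("with filter:    errno %d (EPERM is %d)\n",
           tiocsti_errno_in_child(fd, 1), EPERM);
    return 0;
}
```

Against `/dev/null` the unfiltered probe fails with ENOTTY because the device has no ioctl handler, while the filtered probe fails with EPERM regardless of the fd, which is the behaviour wanted for a real tty. The same `sock_fprog` can be written to a file and handed to bwrap through its `--seccomp FD` option when `--new-session` is not acceptable for the application.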
This makes `--unshare-uts` actually useful by allowing the user to
specify a custom hostname for the newly created UTS namespace.
Implements #93.
Closes: #94
Approved by: alexlarsson
Add an interface for retrieving information about the child process.
For now the only information exported is the child pid, it is needed to
manage prestart OCI hooks, as the container pid must be provided to the
hook process.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
it is useful to manage OCI prestart hooks, as the container process is
blocked on block_fd until the hooks are processed.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
This flag will unshare cgroups only if supported, else will skip it.
Closes: #62
Approved by: alexlarsson
This requires linux kernel version 4.6 or higher.
We check for the presence of /proc/self/ns/cgroup
to determine if it is supported or not.
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
Closes: #62
Approved by: alexlarsson
This is very useful if you want to cover some area of the filesystem,
or if you want to make some part of a read-only tree writable.
Closes: #42
Approved by: cgwalters