This allows a sandbox to share a pid namespace with another sandbox.
For this to work the namespace passed in must be owned by the user
namespace that bwrap is using, which implies either that you pass in
--userns pointing, or run under that user namespace already. In the
former case you'd typically take the userns from a running bwrap
--unshare-user instance, whereas the second case happens when using
bwrap in the setuid mode without user namespaces.
If both --unshare-pid and --pidns are specified then we first
switch to the pid namespace, and then unshare from there. This is
useful if you want a pid-isolated sandob that is visible to another
sandbox.
The implementation is a bit tricky, as it needs to fork() in order
to activate the setns():ed pid namespaces, which means we have to
pass through the final pid via a socket to make the kernel translate
the pid to the initial pid namespace for us to waitpid() on it.
This allows you to reuse an existing user namespace to set up all the
other namespaces, entering that instead of creating a new one. The
reason you want to do this is that you can then also reuse other
namespaces that are owned by the user namespace. Typically you use
this to partially re-enter a previoulsy created bubblewrap sandbox.
This also adds --userns2 which is similar to --userns, but this is
switched into at the end instead of the start. Bubblewrap sometimes
creates nested such user namespaces[1], and to be able to reuse such a
setup we need to similarly reuse both namespaces via --userns2.
Technically using setns() is probably safe even in the privileged
case, because we got passed in a file descriptor to the namespace, and
that can only be gotten if you have ptrace permissions against the
target, and then you could do whatever to the namespace
anyway. However, for practical reasons this isn't useable for bwrap,
because (as described in a comment in acquire_privs()) setuid mode
causes root to own the namespaces that it creates. So as you will not
be able to access these namespaces for reuse anyway, its best to
disable it (in case of unexpected security issues).
[1] This is to work around an issue with mounting devpts without uid 0
mapped in the user namespace, where the outer namespace owns all the
other namespaces but the inner one has the right mappings.
These ignore source files not existing which allows bwrap using
applications to avoid repeatedly checking if files exist.
Closes: #283
Approved by: alexlarsson
When using namespaces, permit to leave some capabilities in the
sandbox. This can be helpful to run a system instance of systemd.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #101
Approved by: alexlarsson
In scenarios such as running bwrap in test frameworks (`bwrap make check`),
one wants all of the processes to go away if the parent process
dies, or if the bwrap process is directly killed.
This ensures that in all cases (both with `--unshare-pid` and without), we use
`prctl(PR_SET_PDEATHSIG)` on both our outer and inner init procesesses if
`--die-with-parent` is specified.
Tests-by: Colin Walters <walters@verbum.org>
Closes: #165
Approved by: emdej
This means we stay compatible with apps using the old bwrap, yet
still makes it easy to avoid CVE-2017-5226 in apps using bwrap.
Also, recommend that applications not using --new-session should
use a seccomp filter for the TIOCSTI ioctl to avoid the input
injection issue.
Closes: #154
Approved by: cgwalters
This makes `--unshare-uts` actually useful by allowing the user to
specify a custom hostname for the newly created UTS namespace.
Implements #93.
Closes: #94
Approved by: alexlarsson
Add an interface for retrieving information about the child process.
For now the only information exported is the child pid, it is needed to
manage prestart OCI hooks, as the container pid must be provided to the
hook process.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
it is useful to manage OCI prestart hooks, as the container process is
blocked on block_fd until the hooks are processed.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
This flag will unshare cgroups only if supported else will skip it.
Closes: #62
Approved by: alexlarsson
This requires linux kernel version 4.6 or higher.
We check for the presence of /proc/self/ns/cgroup
to determine if it is supported or not.
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
Closes: #62
Approved by: alexlarsson
This is very useful if you want to cover some area of the filesystem,
or if you want to make some part of a read-only tree writable.
Closes: #42
Approved by: cgwalters
