Ironically, if running sudo root the path to test-bwrap may
be unreachable in the user namespace as root does not have
permission, and CAP_DAC_OVERRIDE only works for mapped uids.
Fix by using /proc/self/exe for nested bwrap.
`--bind /proc /proc` and `--unshare-all` results in `/proc` being
for the wrong pid namespace causing `namespace_ids_read` to fail,
either reading the wrong process dying with an error.
For example try: unshare -rpfm --mount-proc make check
Make sure the namespace information that is written to info.json
and json-status.json matches the namespace id inside the sandbox.
Closes: #323
Approved by: alexlarsson
The exit code is only reported if it exited after a successful exec.
This is accomplished with a pipe, where the write end is closed on exec.
To distinguish between pipe-close pre-exec and at-exec,
data is written to the pipe immediately before calling exec
so if it is closed before exec the pipe is empty
and if it is closed during exec it contains a 1 byte value.
To further distinguish between a successful exec and a failed exec,
on exec failure a second value is written.
Signed-off-by: Richard Maw <richard.maw@codethink.co.uk>
Closes: #257
Closes: #293
Approved by: cgwalters
For the non-suid case, we were assuming that the host system would have
merged /usr (e.g. /bin -> /usr/bin). This isn't yet the case for all
distros, so let's handle both.
Closes: #290
Approved by: smcv
Keep a reference to the previous working directory and use it for the
umount.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #256
Approved by: cgwalters
Skip these mounts when the process will keep CAP_SYS_ADMIN as it will
anyway able to umount them.
This fix the case of running bwrap inside of a bwrap with a new pid
namespace and mount /proc.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #256
Approved by: cgwalters
This shouldn't matter unless someone wants to run an inadvisably-named
executable, but it's best-practice for commands that pass on some
of their arguments to a subsequent command.
It allows an invocation like:
bwrap --ro-bind /container / -- "$@"
to search PATH in the container for an executable named according to
"$1", even if $1 has a pathological value like
"--this-has-a-stupid-name--", or even a value that might be
deliberately trying to break bwrap's parsing like "--bind".
Fixes: #259
Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: #261
Approved by: cgwalters
A new test was added in commit c09c1e53, but the total number of tests
wasn’t incremented. Fix that.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #237
Approved by: smcv
It may not always be obvious what the source of any particular error
message is. For instance, "Can't find source path" errors could be
perceived as coming from either the shell, loader, bubblewrap, or the
wrapped application, especially when a previously-configured program
stops working due to some external circumstances.
Thus, disambiguate the source of bubblewrap's error messages by
printing them with a "bwrap: " prefix.
Closes: #234
Approved by: cgwalters
bwrap uses F_SETLK, not F_SETLKW, to implement --lock-file.
This means we have to be prepared to retry if another process -
like our own lockf-n.py - might already be holding it.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: #227
Approved by: cgwalters
On Debian systems, by default only root has /{usr/,}sbin in PATH.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: #228
Approved by: cgwalters
The main thing this gets us is the ability to see when the build-time
test was skipped.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: #229
Approved by: cgwalters
If stderr and stdout are going to the same place, it doesn't matter
either way. If they are separated (as they are in the Debian
autopkgtest environment), we want the diagnostic that indicates "this
next warning is OK" to end up in the same place as the warning.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: #229
Approved by: cgwalters
Redirecting stderr to a file is unhelpful, if the command fails and we
have no chance to see why.
assert_not_file_has_content seems a little clearer than using grep
directly.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: #229
Approved by: cgwalters
Most Linux distributions should have deployed
/proc/sys/fs/protected_symlinks by now, preventing the usual
symlink-traversal vulnerability; but avoiding predictable filenames in
/tmp is a good habit to get into.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: #229
Approved by: cgwalters
`systemd-nspawn` and `docker` at least both have these by default;
the only difference AFAICS now is that nspawn also adds `/dev/mqueue`
by default, but we require a separate arg for that.
This should increase compatibility with apps using the `/dev/fd`.
Closes: https://github.com/projectatomic/bubblewrap/issues/191
Closes: #207
Approved by: alexlarsson
In <https://github.com/projectatomic/bubblewrap/pull/101>, specifically
commit cde7fab7ec we started dropping
all capabilities, even if the caller was privileged.
This broke rpm-ostree, which runs RPM scripts using bwrap, and some
of those scripts depend on capabilities (mostly `CAP_DAC_OVERRIDE`).
Fix this by retaining capabilities by default if the caller's uid is zero.
I considered having the logic be to simply retain any capabilities the invoking
process has (imagine filecaps binaries like `ping` or
`/usr/bin/gnome-keyring-daemon` using bwrap) but we currently explicitly abort
in that scenario to catch broken packages which used file capabilites for bwrap
itself (we switched to suid). For now this works, and if down the line there's a
real-world use case for capability-bearing non-zero-uid processes to invoke
bwrap *and* retain those privileges, we can revisit.
Another twist here is that we need to do some gymnastics to first avoid calling
`capset()` if we don't need to, as that can fail due to systemd installing a
seccomp filter that denies it (for dubious reasons). Then we also need to ignore
`EPERM` when dropping caps in the init process. (I considered unilaterally
handling `EPERM`, but it seems nicer to avoid calling `capset()` unless we need to)
Closes: https://github.com/projectatomic/bubblewrap/issues/197
Closes: #205
Approved by: alexlarsson
In scenarios such as running bwrap in test frameworks (`bwrap make check`),
one wants all of the processes to go away if the parent process
dies, or if the bwrap process is directly killed.
This ensures that in all cases (both with `--unshare-pid` and without), we use
`prctl(PR_SET_PDEATHSIG)` on both our outer and inner init procesesses if
`--die-with-parent` is specified.
Tests-by: Colin Walters <walters@verbum.org>
Closes: #165
Approved by: emdej
It was never that useful, just a quick stub to get Travis going, which we don't
use right now. Let's just move it into the `test-run.sh`.
Closes: #163
Approved by: alexlarsson
Look for bwrap on PATH by default, but allow it to be overridden with
BWRAP, and set that variable in TESTS_ENVIRONMENT so we are testing
the just-built version in "make check".
Signed-off-by: Simon McVittie <smcv@debian.org>
Closes: #120
Approved by: alexlarsson
set -o pipefail is a bashism, and doesn't work in an ordinary POSIX sh;
in particular, /bin/sh in Debian and Ubuntu is usually dash, which
doesn't have set -o.
Signed-off-by: Simon McVittie <smcv@debian.org>
Closes: #120
Approved by: alexlarsson
The mount operation always fully resolves any symlinks before mounting
so we need to do the same when we're looking for the new mount
in the mount tables.
Without this something like
--symlink /dst /link --bind-mount /src /link
would fail because it would look for mount flags in /link, but the
mount would be on /dst.
Closes: #119
Approved by: alexlarsson
Tests like
flatpak --unshare-pid --bind / / --proc /proc true
Failed before, because it tried to bind-mount over /proc/sys which
typically had other mountpoints under it (like
/proc/sys/fs/binfmt_misc), which caused issue with our bind-mount
implementation.
This works fine with the new implementation though, so add these
tests.
Closes: #118
Approved by: alexlarsson
This runs a set of very basic operations that use the host root fs as
the sandbox root. Ensuring that we're at least able to start a sandbox
with various options, and that a setuid bwrap can't read files that
should otherwise not be readable.
Note, this SKIPs the test instead of FAILing if the most basic
operation doesn't work, because our test suite doesn't support
running the setuid test.
Closes: #116
Approved by: cgwalters
Imported a little bit of code from OSTree's shell `libtest.sh`. I'm
mostly doing this to test Travis and Homu, but hey, we get a little
bit of coverage.
Pull request: #21
Approved by: alexlarsson
