This removes the temporary file after it has been mounted into
place, thus making sure it's not accessible via any other name.
This isn't strictly needed, because the file is in the root tmpfs,
outside the final "newroot" chroot subdir. However, let's make it
absolutely sure.
Closes: #98
Approved by: alexlarsson
This makes `--unshare-uts` actually useful by allowing the user to
specify a custom hostname for the newly created UTS namespace.
Implements #93.
Closes: #94
Approved by: alexlarsson
Add an interface for retrieving information about the child process.
For now the only information exported is the child pid; it is needed to
manage prestart OCI hooks, as the container pid must be provided to the
hook process.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
It is useful to manage OCI prestart hooks, as the container process is
blocked on block_fd until the hooks are processed.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
canonicalize_file_name is glibc specific. realpath(3) provides
essentially the same thing but is much more portable. For instance, this
change made it possible to build bubblewrap against musl libc.
Closes: #77
Approved by: cgwalters
Automake linking looks like this (I'm simplifying a bit):
$(CC) $(foo_CFLAGS) $(foo_LDFLAGS) -ofoo $(objects) $(foo_LDADD)
The correct order is that if a library A is used to satisfy the symbol
requirements of an object or library B, then A must come after B on the
link line. Otherwise, static linking or linking with -Wl,--as-needed
will fail. As a result, libraries and the -L options used to locate them
should always be in LDADD (for executables) or LIBADD (for libraries),
never in LDFLAGS.
Ubuntu's linker defaults to the equivalent of -Wl,--as-needed, so
this causes failure to build on Ubuntu, which can be reproduced with
./autogen.sh CC="gcc -Wl,--as-needed" && make
on other distributions.
Signed-off-by: Simon McVittie <smcv@debian.org>
Closes: #75
Approved by: alexlarsson
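The two Automake fragments below are an added illustration of the ordering rule above, not bubblewrap's own Makefile.am; the program name "foo" and the BAR_CFLAGS/BAR_LIBS variables (as PKG_CHECK_MODULES would define them) are placeholders. They are alternatives for the same target, shown one after the other, not one file.

```makefile
# Added illustration, not bubblewrap's Makefile.am.  "foo" and the BAR_*
# variables are placeholders for any program linking a pkg-config library.

# Wrong: libraries placed in LDFLAGS are emitted before $(objects), so with
# -Wl,--as-needed (Ubuntu's default) the linker has not yet seen any object
# that references libbar, discards it, and the link then fails with
# undefined references from the objects that follow.
foo_SOURCES = foo.c
foo_CFLAGS  = $(BAR_CFLAGS)
foo_LDFLAGS = $(BAR_LIBS)        # expands to e.g. -L/opt/bar/lib -lbar

# Right: $(foo_LDADD) comes after $(objects), so every object that needs
# libbar precedes it; static linking and --as-needed both work.  For a
# libtool library the equivalent variable is libfoo_la_LIBADD.
foo_SOURCES = foo.c
foo_CFLAGS  = $(BAR_CFLAGS)
foo_LDADD   = $(BAR_LIBS)

# LDFLAGS is the place for linker options that are not libraries, such as
# hardening flags, which are position-independent:
foo_LDFLAGS = -Wl,-z,relro -Wl,-z,now
```

Because the failure only appears with --as-needed or static linking, the check from the commit message (`./autogen.sh CC="gcc -Wl,--as-needed" && make`) is worth adding to CI on distributions whose linker does not default to it.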
This optionally enables user namespaces, but ignores it if it's
not supported by the kernel.
Note: For this to make any sense, bwrap has to be setuid,
because unprivileged use requires user namespaces.
Closes: #71
Approved by: cgwalters
For some people it can cost a lot to upgrade their kernel; allow
operation of bubblewrap on kernels which at least have namespace
support but lack the additional setgroups proc file introduced
to address vulnerability CVE-2014-8989.
Closes: #73
Approved by: alexlarsson
On e.g. Debian by default unprivileged namespaces are not allowed.
Typically the setuid mode is then used. However, if /dev is mounted
(and thus devpts) then we need to do some workaround in how we
create the uid/gid maps so uid 0 is mapped while we mount devpts.
Unfortunately the way we were working around that is by using an
unprivileged unshare(NEWUSER) in the sandbox, which doesn't work.
See https://github.com/flatpak/flatpak/issues/2 for details.
We work around this by mapping uid/gid 0 + the user. However, since
this is a privileged operation we need to do that in the parent
namespace, and we need setuid/setgid rights.
Closes: #72
Approved by: cgwalters
It's shorter and more reliable. Also GCC/Clang specific, but that's
fine because that's all we support anyways.
Closes: #69
Closes: #70
Approved by: mrunalp
Sending --help output to stderr causing sadness and confusion when
someone tries something obvious like `bwrap --help | less`. This
commit modifies bubblewrap.c such that `--help` output will go to
stdout, while other invocations of `usage(...)` will continue to go
to stderr.
Closes: #66
Approved by: cgwalters
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
This flag will unshare cgroups only if supported else will skip it.
Closes: #62
Approved by: alexlarsson
This requires Linux kernel version 4.6 or higher.
We check for the presence of /proc/self/ns/cgroup
to determine if it is supported or not.
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
Closes: #62
Approved by: alexlarsson
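The feature-detection pattern from the last two commits (check /proc/self/ns/cgroup, unshare only if present, otherwise skip) as an added example; this is not bubblewrap's code, and the function names are assumptions. The fallback definition of CLONE_NEWCGROUP uses the value from <linux/sched.h> for systems whose libc headers predate 4.6.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <unistd.h>

#ifndef CLONE_NEWCGROUP
#define CLONE_NEWCGROUP 0x02000000  /* value from <linux/sched.h>, for old headers */
#endif

/* Hypothetical helper: a namespace type is supported by the running kernel
 * when it exposes /proc/self/ns/<name>.  "cgroup" appeared in Linux 4.6. */
static int ns_type_supported(const char *name)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/ns/%s", name);
    return access(path, F_OK) == 0;
}

/* Unshare the cgroup namespace only if the kernel has it.  Returns 1 if
 * unshared, 0 if skipped as unsupported, -1 (errno set) on a real failure
 * such as EPERM.  EINVAL from unshare() is also treated as "unsupported",
 * which covers a kernel that has /proc/self/ns but was built without
 * CONFIG_CGROUPS. */
static int unshare_cgroup_if_supported(void)
{
    if (!ns_type_supported("cgroup"))
        return 0;
    if (unshare(CLONE_NEWCGROUP) == 0)
        return 1;
    if (errno == EINVAL)
        return 0;
    return -1;
}
```

The distinction between "skipped" and "failed" matters for the caller: a sandbox that asked for cgroup isolation and silently got none should at least log it, while EPERM is a hard error.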
It turns out you can't readdir from an O_PATH file-descriptor, so
fdwalk didn't work. Spotted the BADFD in a strace.
Closes: #60
Approved by: cgwalters
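The O_PATH pitfall described in the commit above, reproduced as an added example (not bubblewrap's fdwalk): an O_PATH descriptor can be passed to openat(2) and fstat(2) but not read, so fdopendir/readdir over /proc/self/fd fails with EBADF. The function names are assumptions.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* Assumed helper: count this process's open descriptors by listing
 * /proc/self/fd, opening that directory with the flags given.  Returns the
 * count (which includes the listing fd itself), or -1 with errno set. */
static int count_open_fds(int open_flags)
{
    int dfd = open("/proc/self/fd", open_flags);
    if (dfd < 0)
        return -1;
    DIR *d = fdopendir(dfd);            /* takes ownership of dfd on success */
    if (d == NULL) {
        int saved = errno;
        close(dfd);
        errno = saved;
        return -1;
    }
    int count = 0;
    struct dirent *de;
    errno = 0;                          /* distinguish end-of-dir from error */
    while ((de = readdir(d)) != NULL) {
        if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0)
            continue;
        count++;
    }
    if (errno != 0) {                   /* readdir() failed: EBADF on an O_PATH fd */
        int saved = errno;
        closedir(d);
        errno = saved;
        return -1;
    }
    closedir(d);
    return count;
}

/* Returns 1 when the O_PATH variant fails with EBADF (the bug being fixed)
 * while the ordinary O_RDONLY|O_DIRECTORY variant succeeds. */
static int opath_listing_fails(void)
{
    int ok = count_open_fds(O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    int bad = count_open_fds(O_PATH | O_DIRECTORY | O_CLOEXEC);
    return ok >= 1 && bad == -1 && errno == EBADF;
}
```

Checking `errno` after the readdir loop is the part that is easy to forget: readdir returns NULL both at end of directory and on error, so a walker that ignores errno quietly reports "no descriptors to close" and leaves inherited fds open in the sandboxed child.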
This is a variation on the previous commit to avoid recursive
parsing of `--args`. Here we limit the total number of options
to something reasonable.
This is inspired by
http://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html
which required 15 million arguments. We come in a bit below that.
Closes: #50
Approved by: rhatdan
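An added example of the hard cap on option count, written for this page rather than taken from bubblewrap: a parser for the NUL-separated argument buffer that `--args` delivers, which refuses (rather than truncates) input over a fixed limit. MAX_ARGS here is an assumed value, not the project's; the point is that it sits several orders of magnitude below the 15 million arguments the linked write-up needed.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed cap, not bubblewrap's exact value: far below the ~15 million
 * arguments the Project Zero write-up needed, generous for real use. */
#define MAX_ARGS 9000

/* Split a NUL-separated buffer (the form `--args FD` delivers) into argv.
 * Returns the argument count, or -1 if the data is not NUL-terminated or the
 * count would exceed MAX_ARGS (or the caller's array).  argv entries point
 * into `data`, so `data` must outlive them. */
static int split_nul_args(char *data, size_t len, char **argv, size_t argv_cap)
{
    size_t argc = 0, i = 0;
    if (len == 0)
        return 0;
    if (data[len - 1] != '\0')
        return -1;                       /* trailing garbage: refuse it */
    while (i < len) {
        if (argc >= MAX_ARGS || argc >= argv_cap)
            return -1;                   /* hard cap: abort, never truncate */
        argv[argc++] = data + i;
        i += strlen(data + i) + 1;
    }
    return (int) argc;
}

/* Constructed sample input, as a user might send through --args. */
static int parse_sample(void)
{
    char data[] = "--ro-bind\0/\0/\0true\0";
    char *argv[8];
    int argc = split_nul_args(data, sizeof data - 1, argv, 8);
    if (argc != 4 || strcmp(argv[3], "true") != 0)
        return -1;
    return argc;
}

/* Exercise the cap with a constructed buffer of `n` one-character args. */
static int count_synthetic_args(size_t n)
{
    char *data = malloc(n * 2 + 1);
    char **argv = malloc((n + 1) * sizeof *argv);
    if (!data || !argv) { free(data); free(argv); return -1; }
    for (size_t k = 0; k < n; k++) { data[2 * k] = 'x'; data[2 * k + 1] = '\0'; }
    int r = split_nul_args(data, n * 2, argv, n + 1);
    free(argv);
    free(data);
    return r;
}
```

Counting before allocating is the defensive choice: the limit is enforced while scanning the buffer, so an oversized input is rejected before it can drive any per-argument allocation.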
If we're not doing a PID namespace, we don't create a monitor
process, which means that the code in `monitor_child()` needs
to properly propagate the exit status from the signalfd.
It might be better to change `monitor_child()` to be a `waitpid()`
loop in this case, but I decided to go for the one liner fix that's an
improvement in both cases anyways.
I noticed this with:
```
bwrap --ro-bind / / --dev /dev true
```
exiting with code 1.
Closes: #49
Approved by: rhatdan
All calls to set an SELinux label should call this function
die_unless_label_valid (opt_exec_label);
It will make sure SELinux is enabled and will make sure the user passed in a
valid label.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Closes: #53
Approved by: cgwalters
This should hopefully get things more automatic for more
editors.
I didn't find in a quick search how to teach vim to DTRT by default.
Closes: #56
Approved by: rhatdan
It's likely possible for callers to use `ulimit()` to cause us to
fail `eventfd()` with `EMFILE` - we should handle that.
If a caller requests seccomp but for some reason we fail to install
it, we shouldn't silently continue.
Closes: #52
Approved by: rhatdan
In particular `format` is important for validating strings. Luckily
we don't have any new warnings.
`noreturn` mostly just helps avoid other warnings from unreachable
code.
Closes: #51
Approved by: rhatdan
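What the `format` and `noreturn` attributes buy, as an added example (not bubblewrap's utils): with `format`, GCC and Clang check every call's variadic arguments against the format string under -Wformat, and -Wformat-security flags a non-literal format passed with no arguments; with `noreturn`, code after die() is known to be unreachable, so a function that ends in die() needs no dummy return. The helper names are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustration added for this page.  Argument positions in the attribute
 * are 1-based: the format string is parameter 3, the variadic part starts
 * at 4.  A call such as format_message(buf, n, "%s", 42) is now rejected
 * at compile time instead of reading a bogus pointer at run time. */
static int format_message(char *buf, size_t buflen, const char *fmt, ...)
    __attribute__((format (printf, 3, 4)));

static int format_message(char *buf, size_t buflen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, buflen, fmt, ap);
    va_end(ap);
    return n;
}

/* `noreturn` tells the compiler control never comes back from die(), so the
 * caller below does not trigger -Wreturn-type ("control reaches end of
 * non-void function") even though its last statement is not a return. */
static void die(const char *fmt, ...)
    __attribute__((noreturn, format (printf, 1, 2)));

static void die(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vfprintf(stderr, fmt, ap);
    va_end(ap);
    fputc('\n', stderr);
    exit(1);
}

/* Parse a non-negative decimal count or die.  Without `noreturn` on die()
 * this function would warn that it can fall off its end. */
static long parse_count(const char *s)
{
    char *end;
    long v = strtol(s, &end, 10);
    if (*s != '\0' && *end == '\0' && v >= 0)
        return v;
    die("invalid count: %s", s);
}

/* Check helper: format into a local buffer and compare with `expected`. */
static int formats_to(const char *expected, const char *key, int value)
{
    char buf[64];
    format_message(buf, sizeof buf, "%s=%d", key, value);
    return strcmp(buf, expected) == 0;
}
```

Because die() also carries the `format` attribute, the same checking applies to every error path, which is where ad-hoc `printf(msg)` calls with attacker-influenced strings tend to hide.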
If using --dev we need a special workaround to make it possible to
mount devpts. Unfortunately the workaround was erroneously enabled
if you added --proc, not --dev. This moves this check to the right
place.
To test, try:
./bwrap --ro-bind / / --dev /dev true
Closes: #48
Approved by: cgwalters
This is very useful if you want to cover some area of the filesystem,
or if you want to make some part of a read-only tree writable.
Closes: #42
Approved by: cgwalters