author: Alexander Larsson <alexl@redhat.com> 2020-02-17 09:08:38 +0100
committer: Alexander Larsson <alexl@redhat.com> 2020-02-17 09:17:28 +0100
commit: a9556223de5a5531c2aa3cbb992bbd09893d0f34 (patch)
tree: 3865baa2f1dc47136e861ccdf09a11c5063f7179
parent: 8e27bbbde7876d84b5c169b9f05e8db14af63a45 (diff)
download: bubblewrap-drop-cap-bounding-set-2.tar.gz
Ensure we're always clearing the cap bounding set (drop-cap-bounding-set-2)
In the non-setuid case, if we're not running as uid 0 in the final namespace but we need devpts (e.g. use --dev), we mount the devpts as uid and then change to the actual numerical uid at the end. This final unshare(CLONE_NEWPID) will reset the cap bounding set we previously cleared. This change clears the cap bounding set again after the unshare call.

This is not really a security problem because we always set NO_NEW_PRIVS, which is essentially a superset of capability bounds, so there is no way the container can use the bounding set to gain caps. However, it's nice to be consistent and not display settings which look like potential problems.

Fixes https://github.com/containers/bubblewrap/issues/350

See 6b3dd4f10c23f23a2f3c3ec0f0d27ffc1149194c for the original change that drops the cap bounding set in the first location.
-rw-r--r-- bubblewrap.c | 3
1 file changed, 3 insertions, 0 deletions
diff --git a/bubblewrap.c b/bubblewrap.c
index 89b696a..3b6b645 100644
--- a/bubblewrap.c
+++ b/bubblewrap.c
@@ -2766,6 +2766,9 @@ main (int argc,
if (unshare (CLONE_NEWUSER))
die_with_error ("unshare user ns");
+ /* We're in a new user namespace, we got back the bounding set, clear it again */
+ drop_cap_bounding_set (FALSE);
+
write_uid_gid_map (opt_sandbox_uid, ns_uid,
opt_sandbox_gid, ns_gid,
-1, FALSE, FALSE);
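Review bot: the commit message attributes the reset of the bounding set to a final unshare(CLONE_NEWPID), but the context line directly above the added call is `if (unshare (CLONE_NEWUSER))`, and the new comment itself says "We're in a new user namespace, we got back the bounding set"; the message should name CLONE_NEWUSER so the rationale matches the code a future reader will find here. The placement is right, since the bounding set is cleared after the namespace switch and before write_uid_gid_map() sets up the mapping, but nothing in the hunk explains what the FALSE argument to drop_cap_bounding_set() selects; a short note in the comment (or in the commit message) would make the call self-explaining. It would also be worth stating in the message how the fix was verified, for example by reading the CapBnd line of /proc/self/status from inside a sandbox run with --dev and a non-zero uid, which is the observable symptom issue 350 describes.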