authorAlexander Larsson <alexl@redhat.com>2016-05-20 15:13:57 +0200
committerAlexander Larsson <alexl@redhat.com>2016-05-23 08:46:14 +0200
commit2bdd130981ffafe56ab462b4e55f32c9072b5dee (patch)
tree9f21336c491ca364b17353ec720c18dccea22c49
parentc75b765d073d1f1f8cd4d92a775ca1912ea21d24 (diff)
Add --unshare-user-tryexport/flatpak/0.6.1
This optionally enables user namespaces, but ignores it if it's not supported by the kernel. Note: For this to make any sense, bwrap has to be setuid, because unprivileged use requires user namespaces.
-rw-r--r--bubblewrap.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/bubblewrap.c b/bubblewrap.c
index 65aa8ad..4c9c392 100644
--- a/bubblewrap.c
+++ b/bubblewrap.c
@@ -148,6 +148,7 @@ usage (int ecode, FILE *out)
" --version Print version\n"
" --args FD Parse nul-separated args from FD\n"
" --unshare-user Create new user namespace (may be automatically implied if not setuid)\n"
+ " --unshare-user-try Create new user namespace if possible else continue by skipping it\n"
" --unshare-ipc Create new ipc namespace\n"
" --unshare-pid Create new pid namespace\n"
" --unshare-net Create new network namespace\n"
@@ -840,6 +841,7 @@ read_priv_sec_op (int read_socket,
char *opt_chdir_path = NULL;
bool opt_unshare_user = FALSE;
+bool opt_unshare_user_try = FALSE;
bool opt_unshare_pid = FALSE;
bool opt_unshare_ipc = FALSE;
bool opt_unshare_net = FALSE;
@@ -955,6 +957,10 @@ parse_args_recurse (int *argcp,
{
opt_unshare_user = TRUE;
}
+ else if (strcmp (arg, "--unshare-user-try") == 0)
+ {
+ opt_unshare_user_try = TRUE;
+ }
else if (strcmp (arg, "--unshare-ipc") == 0)
{
opt_unshare_ipc = TRUE;
@@ -1327,6 +1333,10 @@ main (int argc,
if (!is_privileged)
opt_unshare_user = TRUE;
+ if (opt_unshare_user_try &&
+ stat ("/proc/self/ns/user", &sbuf) == 0)
+ opt_unshare_user = TRUE;
+
if (argc == 0)
usage (EXIT_FAILURE, stderr);
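Review bot: The `stat ("/proc/self/ns/user", &sbuf) == 0` probe in main only shows that the kernel exposes a user-namespace file, not that creating one will succeed; an administrative limit such as `user.max_user_namespaces` set to 0 leaves the file in place while refusing creation. In that case `opt_unshare_user` is still set to TRUE here, so the option presumably behaves like a plain `--unshare-user` and fails later instead of skipping, though the code that creates the namespace is outside this hunk. Because the fallback path means a setuid bwrap runs the sandbox without a user namespace, I would document that next to the check, e.g. `/* Best effort: the ns file only proves kernel support; when absent we continue without a user namespace */`, and say the same in the `--unshare-user-try` usage line so callers know the isolation level is not guaranteed. main's body starts and ends outside the hunk.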