author | Alexander Larsson <alexl@redhat.com> | 2016-05-20 15:13:57 +0200 |
---|---|---|
committer | Alexander Larsson <alexl@redhat.com> | 2016-05-23 08:46:14 +0200 |
commit | 2bdd130981ffafe56ab462b4e55f32c9072b5dee (patch) | |
tree | 9f21336c491ca364b17353ec720c18dccea22c49 | |
parent | c75b765d073d1f1f8cd4d92a775ca1912ea21d24 (diff) | |
download | bubblewrap-export/flatpak/0.6.1.tar.gz |
Add --unshare-user-tryexport/flatpak/0.6.1
This optionally enables user namespaces, but skips them if they are
not supported by the kernel.
Note: For this to make any sense, bwrap has to be setuid,
because unprivileged use requires user namespaces.
-rw-r--r-- | bubblewrap.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/bubblewrap.c b/bubblewrap.c
index 65aa8ad..4c9c392 100644
--- a/bubblewrap.c
+++ b/bubblewrap.c
@@ -148,6 +148,7 @@ usage (int ecode, FILE *out)
 " --version Print version\n"
 " --args FD Parse nul-separated args from FD\n"
 " --unshare-user Create new user namespace (may be automatically implied if not setuid)\n"
+ " --unshare-user-try Create new user namespace if possible else continue by skipping it\n"
 " --unshare-ipc Create new ipc namespace\n"
 " --unshare-pid Create new pid namespace\n"
 " --unshare-net Create new network namespace\n"
@@ -840,6 +841,7 @@ read_priv_sec_op (int read_socket,
 char *opt_chdir_path = NULL;
 bool opt_unshare_user = FALSE;
+bool opt_unshare_user_try = FALSE;
 bool opt_unshare_pid = FALSE;
 bool opt_unshare_ipc = FALSE;
 bool opt_unshare_net = FALSE;
@@ -955,6 +957,10 @@ parse_args_recurse (int *argcp,
 {
 opt_unshare_user = TRUE;
 }
+ else if (strcmp (arg, "--unshare-user-try") == 0)
+ {
+ opt_unshare_user_try = TRUE;
+ }
 else if (strcmp (arg, "--unshare-ipc") == 0)
 {
 opt_unshare_ipc = TRUE;
@@ -1327,6 +1333,10 @@ main (int argc,
 if (!is_privileged)
 opt_unshare_user = TRUE;
+ if (opt_unshare_user_try &&
+ stat ("/proc/self/ns/user", &sbuf) == 0)
+ opt_unshare_user = TRUE;
+
 if (argc == 0)
 usage (EXIT_FAILURE, stderr); |
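Review bot: The help line added to usage() for `--unshare-user-try` does not tell the caller what isolation it ends up with when the namespace is skipped. In that case the sandbox runs without a user namespace, and nothing visible in this diff reports which path was taken. The commit message says the option only makes sense when bwrap is setuid, and the help text could carry that as well, for example `" --unshare-user-try Create new user namespace if supported, otherwise run without one (only useful when setuid)\n"`. usage() begins and ends outside the hunk.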
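Review bot: In the main() hunk, `stat ("/proc/self/ns/user", &sbuf) == 0` only shows that the kernel exposes a user-namespace entry, not that creating one will be permitted. On a system where user namespaces are compiled in but administratively disabled (a sysctl limit or a distribution-specific switch), `opt_unshare_user` is still set. The namespace creation later in main(), outside this hunk, would then presumably abort the run instead of continuing without it as the usage text promises. At minimum the probe should be documented as a hint, e.g. `/* Presence of the ns entry is only a hint; creating the namespace can still be refused */`. A more robust version would also consult the relevant disable switches before setting the flag. Because the fallback weakens isolation silently, a debug or stderr message when the namespace is skipped would let callers such as flatpak see which mode they got.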