authorAlexander Larsson <alexl@redhat.com>2016-05-20 15:13:57 +0200
committerAlexander Larsson <alexl@redhat.com>2016-05-31 13:36:42 +0200
commit318cad39803c12f7e6ef46f328dcaa25c67749a5 (patch)
treeeaefee747460ecd51f15519cb6f16cd922e90303
parent068c810553a6dc0701983cd195a79c72b73c1b34 (diff)
Add --unshare-user-tryexport/flatpak/0.6.3
This optionally enables user namespaces, but ignores the option if it's not supported by the kernel. Note: For this to make any sense, bwrap has to be setuid, because unprivileged use requires user namespaces.
-rw-r--r--bubblewrap.c28
1 files changed, 28 insertions, 0 deletions
diff --git a/bubblewrap.c b/bubblewrap.c
index fe6f86c..0bc94ef 100644
--- a/bubblewrap.c
+++ b/bubblewrap.c
@@ -148,6 +148,7 @@ usage (int ecode, FILE *out)
" --version Print version\n"
" --args FD Parse nul-separated args from FD\n"
" --unshare-user Create new user namespace (may be automatically implied if not setuid)\n"
+ " --unshare-user-try Create new user namespace if possible else continue by skipping it\n"
" --unshare-ipc Create new ipc namespace\n"
" --unshare-pid Create new pid namespace\n"
" --unshare-net Create new network namespace\n"
@@ -848,6 +849,7 @@ read_priv_sec_op (int read_socket,
char *opt_chdir_path = NULL;
bool opt_unshare_user = FALSE;
+bool opt_unshare_user_try = FALSE;
bool opt_unshare_pid = FALSE;
bool opt_unshare_ipc = FALSE;
bool opt_unshare_net = FALSE;
@@ -963,6 +965,10 @@ parse_args_recurse (int *argcp,
{
opt_unshare_user = TRUE;
}
+ else if (strcmp (arg, "--unshare-user-try") == 0)
+ {
+ opt_unshare_user_try = TRUE;
+ }
else if (strcmp (arg, "--unshare-ipc") == 0)
{
opt_unshare_ipc = TRUE;
@@ -1335,6 +1341,28 @@ main (int argc,
if (!is_privileged)
opt_unshare_user = TRUE;
+ if (opt_unshare_user_try &&
+ stat ("/proc/self/ns/user", &sbuf) == 0)
+ {
+ bool disabled = FALSE;
+
+ /* RHEL7 has a kernel module parameter that lets you enable user namespaces */
+ if (stat ("/sys/module/user_namespace/parameters/enable", &sbuf) == 0)
+ {
+ cleanup_free char *enable = NULL;
+ enable = load_file_at (AT_FDCWD, "/sys/module/user_namespace/parameters/enable");
+ if (enable != NULL && enable[0] == 'N')
+ disabled = TRUE;
+ }
+
+ /* Debian lets you disable *unprivileged* user namespaces. However this is not
+ a problem if we're privileged, and if we're not opt_unshare_user is TRUE
+ already, and there is not much we can do, its just a non-working setup. */
+
+ if (!disabled)
+ opt_unshare_user = TRUE;
+ }
+
if (argc == 0)
usage (EXIT_FAILURE, stderr);
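Review bot: When the probe concludes that user namespaces are unavailable, the added block leaves `opt_unshare_user` FALSE with no trace, so a setuid bwrap carries on with one isolation layer fewer and the caller cannot tell which outcome it got. A comment at `if (!disabled)` would make that fail-open intent explicit, for example `/* Best effort: if the probe says no, we run without a user namespace; callers must not rely on it being present */`. The probe covers only a missing `/proc/self/ns/user` and the RHEL7 parameter reading `N`. A failed read of that file (`enable == NULL`) is treated as enabled, which presumably ends in a hard failure at namespace creation later instead of a skip, so that case deserves a comment too. `main` and the declaration of `sbuf` lie outside the hunk, so the later clone/unshare path could not be checked here.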