author | Giuseppe Scrivano <gscrivan@redhat.com> | 2018-02-23 12:52:02 +0100 |
---|---|---|
committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-04-30 16:50:19 +0000 |
commit | 04a212062bf653202cf4e6e94d52308c956182d6 (patch) | |
tree | 33938f07ffe85b1ef956c95ba4ad108ecbe9ec5f | |
parent | 3ce7c8281fb535007949dca9035dab0194d0ea35 (diff) | |
download | bubblewrap-04a212062bf653202cf4e6e94d52308c956182d6.tar.gz |
bwrap: do not always make /proc/{sys,sysrq-trigger,irq} ro
Skip these mounts when the process will keep CAP_SYS_ADMIN, as it will
be able to umount them anyway.
This fixes the case of running bwrap inside of a bwrap with a new pid
namespace and mounting /proc.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #256
Approved by: cgwalters
-rw-r--r-- | bubblewrap.c | 12 | ||||
-rwxr-xr-x | tests/test-run.sh | 11 |
2 files changed, 19 insertions, 4 deletions
diff --git a/bubblewrap.c b/bubblewrap.c index c7b5ee6..aae2217 100644 --- a/bubblewrap.c +++ b/bubblewrap.c @@ -1025,9 +1025,15 @@ setup_newroot (bool unshare_pid, for (i = 0; i < N_ELEMENTS (cover_proc_dirs); i++) { cleanup_free char *subdir = strconcat3 (dest, "/", cover_proc_dirs[i]); - /* Some of these may not exist */ - if (get_file_mode (subdir) == -1) - continue; + if (access (subdir, W_OK) < 0) + { + /* The file is already read-only or doesn't exist. */ + if (errno == EACCES || errno == ENOENT) + continue; + + die_with_error ("Can't access %s", subdir); + } + privileged_op (privileged_op_socket, PRIV_SEP_OP_BIND_MOUNT, BIND_READONLY, subdir, subdir); diff --git a/tests/test-run.sh b/tests/test-run.sh index 2dcc5ce..07f0e2b 100755 --- a/tests/test-run.sh +++ b/tests/test-run.sh @@ -53,7 +53,7 @@ if ! $RUN true; then skip Seems like bwrap is not working at all. Maybe setuid is not working fi -echo "1..36" +echo "1..37" # Test help ${BWRAP} --help > help.txt @@ -113,6 +113,15 @@ $RUN --unshare-pid --as-pid-1 --bind / / bash -c 'echo $$' > as_pid_1.txt assert_file_has_content as_pid_1.txt "1" echo "ok - can run as pid 1" +if ! test -u ${BWRAP}; then + echo "ok - # SKIP no --cap-add support" +else + $BWRAP --unshare-all --uid 0 --gid 0 --cap-add ALL --bind / / --proc /proc \ + $BWRAP --unshare-all --bind / / --proc /proc echo hello > recursive_proc.txt + assert_file_has_content recursive_proc.txt "hello" + echo "ok - can mount /proc recursively" +fi + # Test error prefixing if $RUN --unshare-pid --bind /source-enoent /dest true 2>err.txt; then assert_not_reached "bound nonexistent source" |
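Review bot: The errno test under `access (subdir, W_OK)` omits EROFS, which access(2) documents for a write check on a read-only filesystem, so a cover path that already sits on a read-only mount (the case the new comment names) would presumably reach `die_with_error` instead of `continue`. Consider `if (errno == EACCES || errno == ENOENT || errno == EROFS)`. The commit message ties the skip to keeping CAP_SYS_ADMIN, but the code decides it from a permission probe, and access() checks with the real rather than the effective IDs. A comment stating why an unwritable path needs no read-only cover, and that a writable one always gets it, would make that security assumption reviewable. setup_newroot starts and ends outside the hunk.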
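Review bot: The added test only shows that a nested bwrap can mount /proc and print "hello"; nothing in it asserts that an ordinary sandbox, one that keeps no capabilities, still ends up with /proc/sys and the other cover paths read-only. Since the C change makes that hardening conditional, a companion check that a write probe such as `test -w /proc/sys` fails inside a plain `--proc /proc` sandbox would catch a skip that fires too broadly. Whether such a check already exists elsewhere in test-run.sh is not visible from this hunk. Quoting the path in the guard, `if ! test -u "${BWRAP}"; then`, also avoids word splitting when the binary path contains spaces.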