author | Giuseppe Scrivano <gscrivan@redhat.com> | 2016-09-23 14:44:36 +0200 |
---|---|---|
committer | Giuseppe Scrivano <gscrivan@redhat.com> | 2017-06-13 22:13:51 +0200 |
commit | 6e778109aa0f2488a153475cbe3b2cd89e240084 (patch) | |
tree | cc998ebc76f7e9e8411a332f144cc0e20b6b52d4 | |
parent | 6ef45aae778b6ce68c39d97089479fdfe6b441b3 (diff) | |
download | bubblewrap-6e778109aa0f2488a153475cbe3b2cd89e240084.tar.gz |
bubblewrap: add --as-pid-1
It allows running a process as PID 1 in the new pid namespace.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-rw-r--r-- | bubblewrap.c | 25 | ||||
-rw-r--r-- | bwrap.xml | 6 | ||||
-rw-r--r-- | completions/bash/bwrap | 1 | ||||
-rwxr-xr-x | tests/test-run.sh | 4 |
4 files changed, 32 insertions, 4 deletions
diff --git a/bubblewrap.c b/bubblewrap.c
index 5adb0e5..ed94923 100644
--- a/bubblewrap.c
+++ b/bubblewrap.c
@@ -53,6 +53,7 @@ static const char *host_tty_dev;
 static int proc_fd = -1;
 static char *opt_exec_label = NULL;
 static char *opt_file_label = NULL;
+static bool opt_as_pid_1;
 char *opt_chdir_path = NULL;
 bool opt_unshare_user = FALSE;
@@ -219,6 +220,7 @@ usage (int ecode, FILE *out)
 " --info-fd FD Write information about the running container to FD\n"
 " --new-session Create a new terminal session\n"
 " --die-with-parent Kills with SIGKILL child process (COMMAND) when bwrap or bwrap's parent dies.\n"
+ " --as-pid-1 Do not install a reaper process with PID=1\n"
 );
 exit (ecode);
 }
@@ -1652,6 +1654,10 @@ parse_args_recurse (int *argcp,
 {
 opt_die_with_parent = TRUE;
 }
+ else if (strcmp (arg, "--as-pid-1") == 0)
+ {
+ opt_as_pid_1 = TRUE;
+ }
 else if (*arg == '-')
 {
 die ("Unknown option %s", arg);
@@ -1810,6 +1816,12 @@ main (int argc,
 if (!opt_unshare_uts && opt_sandbox_hostname != NULL)
 die ("Specifying --hostname requires --unshare-uts");
+ if (opt_as_pid_1 && !opt_unshare_pid)
+ die ("Specifying --as-pid-1 requires --unshare-pid");
+
+ if (opt_as_pid_1 && lock_files != NULL)
+ die ("Specifying --as-pid-1 and --lock-file is not permitted");
+
 /* We need to read stuff from proc during the pivot_root dance, etc.
 Lets keep a fd to it open */
 proc_fd = open ("/proc", O_RDONLY | O_PATH);
@@ -1829,7 +1841,7 @@ main (int argc,
 __debug__ (("creating new namespace\n"));
- if (opt_unshare_pid)
+ if (opt_unshare_pid && !opt_as_pid_1)
 {
 event_fd = eventfd (0, EFD_CLOEXEC | EFD_NONBLOCK);
 if (event_fd == -1)
@@ -2162,7 +2174,7 @@ main (int argc,
 __debug__ (("forking for child\n"));
- if (opt_unshare_pid || lock_files != NULL || opt_sync_fd != -1)
+ if (!opt_as_pid_1 && (opt_unshare_pid || lock_files != NULL || opt_sync_fd != -1))
 {
 /* We have to have a pid 1 in the pid namespace, because
 * otherwise we'll get a bunch of zombies as nothing reaps 
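Review bot: `static bool opt_as_pid_1;` is the only option flag in this hunk declared without an explicit initializer, while the neighbouring declarations spell out their defaults (`= NULL`, `= FALSE`). Static storage is zero-initialized, so behaviour is the same, but for consistency with the surrounding lines it should read `static bool opt_as_pid_1 = FALSE;`.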
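Review bot: The new checks in the `@@ -1810` hunk refuse `--as-pid-1` together with `--lock-file` but say nothing about `--sync-fd`, even though the `@@ -2162` hunk drops the reaper fork in that case and the later hunk in this file then leaves the sync fd open for the sandboxed command to inherit. That weakens the `--sync-fd` contract (the caller's EOF now depends on what the command and any child it passes the fd to do with it) and hands the sandboxed process a descriptor it would not otherwise see, so it should at least be stated where the user reads about the option; neither the `--help` line in the `@@ -219` hunk nor the man page entry mentions it. The same text should also say that `--unshare-pid` is required and that the command then runs with init semantics as described in pid_namespaces(7): it has to reap children reparented to it, and signals it has not installed a handler for are ignored apart from SIGKILL and SIGSTOP. main's body continues outside these hunks.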
@@ -2201,8 +2213,13 @@ main (int argc,
 if (proc_fd != -1)
 close (proc_fd);
- if (opt_sync_fd != -1)
- close (opt_sync_fd);
+ /* If we are using --as-pid-1 leak the sync fd into the sandbox.
+ --sync-fd will still work unless the container process doesn't close this file. */
+ if (!opt_as_pid_1)
+ {
+ if (opt_sync_fd != -1)
+ close (opt_sync_fd);
+ }
 /* We want sigchild in the child */
 unblock_sigchild ();
@@ -289,6 +289,12 @@ See prctl, PR_SET_PDEATHSIG.
 </para></listitem>
 </varlistentry>
+ <varlistentry>
+ <term><option>--as-pid-1</option></term>
+ <listitem><para>
+ Do not create a process with PID=1 in the sandbox to reap child processes.
+ </para></listitem>
+ </varlistentry>
 </variablelist>
 </refsect1>
diff --git a/completions/bash/bwrap b/completions/bash/bwrap
index 57d9677..6378164 100644
--- a/completions/bash/bwrap
+++ b/completions/bash/bwrap
@@ -18,6 +18,7 @@ _bwrap() {
 --unshare-pid
 --unshare-uts
 --version
+ --as-pid-1
 "
 local options_with_args="
diff --git a/tests/test-run.sh b/tests/test-run.sh
index 4c74f09..e79d51c 100755
--- a/tests/test-run.sh
+++ b/tests/test-run.sh
@@ -85,6 +85,10 @@ for ALT in "" "--unshare-user-try" "--unshare-pid" "--unshare-user-try --unshar
 $RUN $ALT --dir /tmp/dir --symlink dir /tmp/link --bind /etc /tmp/link true
 done
+# Test --as-pid-1
+$RUN --unshare-pid --as-pid-1 --bind / / bash -c 'echo $$' > as_pid_1.txt
+assert_file_has_content as_pid_1.txt "1"
+
 # Test --die-with-parent
 cat >lockf-n.py <<EOF |
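Review bot: The new comment says the opposite of what it presumably means: `--sync-fd will still work unless the container process doesn't close this file` describes the mechanism as breaking when the fd is kept open, whereas a caller waiting for EOF on the other end (the usual use of `--sync-fd`) only sees it once every copy of the descriptor is gone, so it is closing the fd early, or leaking it to a child that outlives the command, that changes what the caller observes. Suggested wording: `--sync-fd still works as long as the container process neither closes this fd early nor passes it to a longer-lived child.`. The nested `if (!opt_as_pid_1) { if (opt_sync_fd != -1) close (opt_sync_fd); }` can also be a single condition, `if (!opt_as_pid_1 && opt_sync_fd != -1) close (opt_sync_fd);`, which keeps the shape of the two lines it replaces. main's body continues on both sides of the hunk.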
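Review bot: `assert_file_has_content as_pid_1.txt "1"` in the tests/test-run.sh hunk is a weak check for what the new test is meant to prove: if the helper is a grep-style substring match (its definition is not in this hunk), any pid containing a 1 — 10, 21, 100 — would pass too, so the test could not tell a command really running as PID 1 from one running under a reaper. Anchoring the pattern, `assert_file_has_content as_pid_1.txt "^1$"`, pins the result. The loop closed by `done` begins outside the hunk.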