| Commit message (Collapse) | Author | Age | Files | Lines |
This optionally enables user namespaces, but ignores it if it's
not supported by the kernel.
Note: For this to make any sense, bwrap has to be setuid,
because unprivileged use requires user namespaces.
On e.g. Debian by default unprivileged namespaces are not allowed.
Typically the setuid mode is then used. However, if /dev is mounted
(and thus devpts) then we need to do some workaround in how we
create the uid/gid maps so uid 0 is mapped while we mount devpts.
Unfortunately the way we were working around that is by using an
unprivileged unshare(NEWUSER) in the sandbox, which doesn't work.
See https://github.com/flatpak/flatpak/issues/2 for details.
We work around this by mapping uid/gid 0 + the user. However, since
this is a privileged operation we need to do that in the parent
namespace, and we need setuid/setgid rights.
It's shorter and more reliable. Also GCC/Clang specific, but that's
fine because that's all we support anyways.
Closes: #69
Closes: #70
Approved by: mrunalp
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
Closes: #68
Approved by: cgwalters
Closes: #67
Approved by: cgwalters
Closes: #67
Approved by: cgwalters
sending --help output to stderr causing sadness and confusion when
someone tries something obvious like `bwrap --help | less`. This
commit modifies bubblewrap.c such that `--help` output will go to
stdout, while other invocations of `usage(...)` will continue to go
to stderr.
Closes: #66
Approved by: cgwalters
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
This flag will unshare cgroups only if supported, else it will skip it.
Closes: #62
Approved by: alexlarsson
This requires linux kernel version 4.6 or higher.
We check for the presence of /proc/self/ns/cgroup
to determine if it is supported or not.
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
Closes: #62
Approved by: alexlarsson
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
Closes: #65
Approved by: cgwalters
Closes: #63
Approved by: cgwalters
It turns out you can't readdir from an O_PATH file-descriptor, so
fdwalk didn't work. Spotted the BADFD in a strace.
Closes: #60
Approved by: cgwalters
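As an added illustration of the fdwalk fix above (example code written for this page, not bubblewrap's own implementation), the walker below opens /proc/self/fd for reading rather than with O_PATH and skips the directory descriptor it uses for the walk; the last function reproduces the failure the commit saw by issuing getdents64 on an O_PATH descriptor. The function names, the callback signature and the close-on-exec helper are assumptions.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <unistd.h>

typedef int (*fdwalk_cb)(void *data, int fd);

/* Visit every descriptor open in this process.  /proc/self/fd is opened
   O_RDONLY, not O_PATH: an O_PATH descriptor can be fstat'ed and used with
   the *at() calls, but getdents() on it fails with EBADF, which is the bug
   the commit describes.  The directory fd used for the walk is skipped. */
int fdwalk(fdwalk_cb cb, void *data)
{
  int dfd = open("/proc/self/fd", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
  if (dfd < 0)
    return -1;
  DIR *dir = fdopendir(dfd);
  if (dir == NULL)
    {
      close(dfd);
      return -1;
    }
  int rc = 0;
  struct dirent *de;
  while (rc == 0 && (de = readdir(dir)) != NULL)
    {
      if (de->d_name[0] == '.')
        continue;
      char *end = NULL;
      long fd = strtol(de->d_name, &end, 10);
      if (*end != '\0' || fd < 0 || fd == dfd)
        continue;
      rc = cb(data, (int) fd);
    }
  closedir(dir); /* also closes dfd */
  return rc;
}

static int count_cb(void *data, int fd)
{
  (void) fd;
  (*(int *) data)++;
  return 0;
}

/* Number of descriptors open besides the one used for the walk. */
int count_open_fds(void)
{
  int n = 0;
  if (fdwalk(count_cb, &n) < 0)
    return -1;
  return n;
}

/* Typical use of fdwalk before exec'ing the sandboxed program: mark every
   descriptor above stderr close-on-exec so nothing leaks into the sandbox. */
static int cloexec_cb(void *data, int fd)
{
  (void) data;
  if (fd <= 2)
    return 0;
  int flags = fcntl(fd, F_GETFD);
  if (flags < 0)
    return 0; /* raced with a close; nothing to do */
  return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0 ? -1 : 0;
}

int mark_extra_fds_cloexec(void)
{
  return fdwalk(cloexec_cb, NULL);
}

/* Reproduce the original bug with the raw syscall so no libc wrapper masks
   it: returns the errno getdents64 reports on an O_PATH directory fd
   (EBADF on Linux, the "BADFD" seen in the strace). */
int getdents_errno_on_o_path_fd(void)
{
  int fd = open("/proc/self/fd", O_PATH | O_DIRECTORY | O_CLOEXEC);
  if (fd < 0)
    return -1;
  char buf[4096];
  long r = syscall(SYS_getdents64, fd, buf, sizeof buf);
  int err = r < 0 ? errno : 0;
  close(fd);
  return err;
}
```

The walk must skip its own directory descriptor, otherwise a close-on-exec or close callback would tear down the directory stream while readdir() is still using it.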
I find this clearer since I know about `asprintf`, and the `x` prefix.
Closes: #55
Approved by: alexlarsson
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
Closes: #59
Approved by: alexlarsson
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
Closes: #45
Approved by: cgwalters
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
Closes: #58
Approved by: cgwalters
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
Closes: #57
Approved by: cgwalters
This is a variation on the previous commit to avoid recursive
parsing of `--args`. Here we limit the total number of options
to something reasonable.
This is inspired by
http://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html
which required 15 million arguments. We come in a bit below that.
Closes: #50
Approved by: rhatdan
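An added example of the approach the commit describes (written for this page, not bubblewrap's own parser): read the NUL-separated argument blob that `--args` supplies, refuse a nested `--args` outright instead of recursing, and cap the total count. The MAX_ARGS value, the function names and the sample inputs are assumptions; bubblewrap's actual limit is not quoted on this page.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: far below the ~15 million arguments the Project Zero
   write-up needed, but comfortably above any real command line. */
#define MAX_ARGS 9000

void free_args(char **argv)
{
  if (argv == NULL)
    return;
  for (size_t i = 0; argv[i] != NULL; i++)
    free(argv[i]);
  free(argv);
}

/* Parse the --args format (arguments separated and terminated by NUL)
   into a NULL-terminated argv.  Returns the argument count, or -1 with
   errno set: EINVAL for an unterminated blob or a nested --args (recursive
   parsing is refused rather than limited), E2BIG when MAX_ARGS is exceeded.
   Counting first means the cap is enforced before any allocation. */
int parse_args_blob(const char *data, size_t len, char ***argv_out)
{
  size_t count = 0;
  if (len == 0 || data[len - 1] != '\0')
    {
      errno = EINVAL;
      return -1;
    }
  for (size_t i = 0; i < len; i++)
    if (data[i] == '\0')
      count++;
  if (count > MAX_ARGS)
    {
      errno = E2BIG;
      return -1;
    }

  char **argv = calloc(count + 1, sizeof *argv);
  if (argv == NULL)
    return -1;
  size_t n = 0;
  /* Each element is NUL-terminated inside the blob, so strlen cannot run
     past the end: the final byte was checked to be NUL above. */
  for (const char *p = data; p < data + len; p += strlen(p) + 1)
    {
      if (strcmp(p, "--args") == 0)
        {
          free_args(argv);
          errno = EINVAL;
          return -1;
        }
      argv[n] = strdup(p);
      if (argv[n] == NULL)
        {
          free_args(argv);
          return -1;
        }
      n++;
    }
  *argv_out = argv;
  return (int) n;
}

/* Constructed input: the argument list "--ro-bind / / true". */
int demo_parse_ok(void)
{
  static const char blob[] = "--ro-bind\0/\0/\0true\0";
  char **argv = NULL;
  int n = parse_args_blob(blob, sizeof blob - 1, &argv);
  int ok = (n == 4 && strcmp(argv[3], "true") == 0 && argv[4] == NULL);
  free_args(argv);
  return ok ? n : -1;
}

/* Constructed input: MAX_ARGS + 1 one-character arguments; returns errno. */
int demo_parse_too_many(void)
{
  size_t len = (MAX_ARGS + 1) * 2;
  char *blob = malloc(len);
  if (blob == NULL)
    return -1;
  for (size_t i = 0; i < len; i += 2)
    {
      blob[i] = 'a';
      blob[i + 1] = '\0';
    }
  char **argv = NULL;
  int err = parse_args_blob(blob, len, &argv) < 0 ? errno : 0;
  free(blob);
  free_args(argv);
  return err;
}

/* Constructed input: a blob that tries to smuggle a nested --args 3. */
int demo_parse_nested(void)
{
  static const char blob[] = "--args\0" "3\0";
  char **argv = NULL;
  int err = parse_args_blob(blob, sizeof blob - 1, &argv) < 0 ? errno : 0;
  free_args(argv);
  return err;
}
```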
If we're not doing a PID namespace, we don't create a monitor
process, which means that the code in `monitor_child()` needs
to properly propagate the exit status from the signalfd.
It might be better to change `monitor_child()` to be a `waitpid()`
loop in this case, but I decided to go for the one liner fix that's an
improvement in both cases anyways.
I noticed this with:
```
bwrap --ro-bind / / --dev /dev true
```
exiting with code 1.
Closes: #49
Approved by: rhatdan
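An added example (not bubblewrap's code) of the status propagation this commit is about: the same exit-code mapping applied to a waitpid() status and to a SIGCHLD read from a signalfd, where ssi_code says whether ssi_status carries an exit code or a signal number. The constructed siginfo values and function names are assumptions.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <sys/signalfd.h>
#include <sys/wait.h>

/* Convert a waitpid() status into the exit code a shell would report:
   the child's own code, or 128 + signal number when it was killed. */
int exit_code_from_wait_status(int status)
{
  if (WIFEXITED(status))
    return WEXITSTATUS(status);
  if (WIFSIGNALED(status))
    return 128 + WTERMSIG(status);
  return 255; /* stopped/continued is not a termination; treat as failure */
}

/* Same mapping for a SIGCHLD delivered through signalfd.  Reporting
   ssi_status unconditionally as "0 means success" is what makes a child
   that exited 1 look like a success. */
int exit_code_from_signalfd(const struct signalfd_siginfo *si)
{
  if (si->ssi_signo != SIGCHLD)
    return 255;
  if (si->ssi_code == CLD_EXITED)
    return (int) si->ssi_status;
  if (si->ssi_code == CLD_KILLED || si->ssi_code == CLD_DUMPED)
    return 128 + (int) si->ssi_status;
  return 255;
}

/* Constructed siginfo: the child exited with status 1, the case where the
   monitor must not report success. */
int demo_exited_with_one(void)
{
  struct signalfd_siginfo si = { 0 };
  si.ssi_signo = SIGCHLD;
  si.ssi_code = CLD_EXITED;
  si.ssi_status = 1;
  return exit_code_from_signalfd(&si);
}

/* Constructed siginfo: the child was killed by SIGKILL. */
int demo_killed_by_sigkill(void)
{
  struct signalfd_siginfo si = { 0 };
  si.ssi_signo = SIGCHLD;
  si.ssi_code = CLD_KILLED;
  si.ssi_status = SIGKILL;
  return exit_code_from_signalfd(&si);
}
```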
All calls to set an SELinux label should call this function:
```
die_unless_label_valid (opt_exec_label);
```
It will make sure SELinux is enabled and will make sure the user passed in a
valid label.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Closes: #53
Approved by: cgwalters
This should hopefully get things more automatic for more
editors.
I didn't find in a quick search how to teach vim to DTRT by default.
Closes: #56
Approved by: rhatdan
Let's be more explicit that we can target production distributions
today.
Closes: #54
Approved by: rhatdan
It's likely possible for callers to use `ulimit()` to cause us to
fail `eventfd()` with `EMFILE` - we should handle that.
If a caller requests seccomp but for some reason we fail to install
it, we shouldn't silently continue.
Closes: #52
Approved by: rhatdan
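An added example (not bubblewrap's code) of the eventfd failure mode mentioned above: the wrapper returns -errno instead of a bogus descriptor, and the demo lowers RLIMIT_NOFILE in-process so that eventfd() must fail with EMFILE, then restores the limit. Function names are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sys/eventfd.h>
#include <sys/resource.h>
#include <unistd.h>

/* eventfd() counts against RLIMIT_NOFILE like any descriptor, so a caller
   can starve us with `ulimit -n`.  Return the fd or -errno, never a bogus
   value the rest of the setup would then write to. */
int create_event_fd(void)
{
  int fd = eventfd(0, EFD_CLOEXEC);
  if (fd < 0)
    return -errno;
  return fd;
}

/* Reproduce the failure: temporarily set the soft limit to 0 so no new
   descriptor can be allocated (the kernel checks fd >= rlim_cur, and
   lowering the limit below what is already open is permitted).  Returns
   the errno eventfd() reported, or 0 if it unexpectedly succeeded. */
int demo_eventfd_under_fd_limit(void)
{
  struct rlimit saved, low;
  if (getrlimit(RLIMIT_NOFILE, &saved) < 0)
    return -1;
  low = saved;
  low.rlim_cur = 0;
  if (setrlimit(RLIMIT_NOFILE, &low) < 0)
    return -1;
  int fd = create_event_fd();
  setrlimit(RLIMIT_NOFILE, &saved);
  if (fd >= 0)
    {
      close(fd);
      return 0;
    }
  return -fd;
}
```

Every later `write(event_fd, ...)` is guarded by the sign of the return value; the original bug was that a failed `eventfd()` left the code path reachable with an invalid descriptor.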
In particular `format` is important for validating strings. Luckily
we don't have any new warnings.
`noreturn` mostly just helps avoid other warnings from unreachable
code.
Closes: #51
Approved by: rhatdan
This would let you create a recursive operation filling up the stack
and causing a crash.
Closes: #47
Approved by: cgwalters
If using --dev we need a special workaround to make it possible to
mount devpts. Unfortunately the workaround was erroneously enabled
if you added --proc, not --dev. This moves this check to the right
place.
To test, try:
```
./bwrap --ro-bind / / --dev /dev true
```
Closes: #48
Approved by: cgwalters
This is very useful if you want to cover some area of the filesystem,
or if you want to make some part of a read-only tree writable.
Closes: #42
Approved by: cgwalters
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
Closes: #46
Approved by: rhatdan
Closes: #44
Approved by: rhatdan
Verify you are getting a valid SELinux label before proceeding. Some
SELinux checks were broken.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Closes: #43
Approved by: cgwalters
Closes: #41
Approved by: rhatdan
The spec file is really Fedora/RHEL specific.
Closes: #40
Approved by: alexlarsson
Install the BRs, add the %files.
Closes: #40
Approved by: alexlarsson
It turns out we need CAP_NET_ADMIN in the privileged case in order
to make --unshare-net work because otherwise we're not allowed to
set up the loopback device.
Closes: #38
Approved by: cgwalters
This just makes it easier to build an RPM before it gets packaged
elsewhere. rpmdistro-gitoverlay e.g. can consume spec files internal
to git repos.
Closes: #35
Approved by: alexlarsson
We have to support two different ways to run:
- As setuid root, for systems without unprivileged userns support
- Non-setuid, but require unprivileged userns
The fact that we exposed `--share-user` is awkward, because it forced
tools that want to work in both cases to basically reimplement the
logic for detecting userns support, if they didn't care whether
or not userns was enabled.
For example in the case of `demos/bubblewrap-shell.sh` where we
share the invoking UID.
This commit changes things so we now default to `--unshare-user` if
we're *not* installed privileged, since it's a requirement.
The end result here is that we just work out of the box in more
scenarios; callers that require the uid mapping portion of userns will
still be passing `--uid`, and this will still properly fail if the
kernel doesn't have userns.
Closes: #36
Closes: #37
Approved by: alexlarsson
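An added example (written for this page, not bubblewrap's code) that ties together the user-namespace and cgroup-namespace detection described in this commit and in the `--unshare-user-try` / `--unshare-cgroup-try` commits above: a non-setuid install always needs CLONE_NEWUSER, the cgroup flag is added only when /proc/self/ns/cgroup exists, and userns support is probed in a throwaway child. The definition of "privileged" (effective uid 0, real uid non-zero, i.e. installed setuid root) and the function names are assumptions.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdbool.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWCGROUP
#define CLONE_NEWCGROUP 0x02000000 /* older libc headers; Linux 4.6+ knows it */
#endif

/* Assumption: "privileged" means the binary runs setuid root, i.e. the
   effective uid is 0 while the real uid is not. */
bool running_privileged(void)
{
  return geteuid() == 0 && getuid() != 0;
}

/* Cgroup namespaces arrived in Linux 4.6; probing /proc/self/ns/cgroup is
   more robust than parsing the kernel version string. */
bool kernel_supports_cgroupns(void)
{
  return access("/proc/self/ns/cgroup", F_OK) == 0;
}

/* Probe user namespace support in a throwaway child so that a successful
   unshare() does not move the caller itself into a new namespace. */
bool kernel_supports_userns(void)
{
  pid_t pid = fork();
  if (pid < 0)
    return false;
  if (pid == 0)
    _exit(unshare(CLONE_NEWUSER) == 0 ? 0 : 1);
  int status = 0;
  if (waitpid(pid, &status, 0) != pid)
    return false;
  return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Combine the explicitly requested CLONE_* flags with the "try" options:
   - unshare_cgroup_try adds CLONE_NEWCGROUP only when the kernel has it;
   - unshare_user_try adds CLONE_NEWUSER only when the probe succeeds;
   - an unprivileged install always needs CLONE_NEWUSER, so it is added
     unconditionally and the real unshare() fails loudly on a kernel that
     cannot provide it, rather than silently running without a sandbox. */
int resolve_unshare_flags(int requested, bool unshare_cgroup_try, bool unshare_user_try)
{
  int flags = requested;
  if (unshare_cgroup_try && kernel_supports_cgroupns())
    flags |= CLONE_NEWCGROUP;
  if (!running_privileged())
    flags |= CLONE_NEWUSER;
  else if (unshare_user_try && kernel_supports_userns())
    flags |= CLONE_NEWUSER;
  return flags;
}
```

Callers that need the uid mapping part of user namespaces still pass `--uid`/`--unshare-user` explicitly; the "try" variants only decide whether the flag is added, they never downgrade a hard request.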
Not having this is a rather embarrassing amateur mistake...one of us
should have caught it. We do have LGPLv2+ bits in the headers, but
this should make it unmistakable.
This code inherited from xdg-app and linux-user-chroot, both of which
are LGPLv2+.
Closes: #34
Approved by: alexlarsson
It's less manual etc.
Closes: #33
Approved by: alexlarsson
This is just the beginning of a framework for bash completions.
Current completions just give you the list of options available.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Closes: #30
Approved by: alexlarsson
GCC was failing this because write is marked warn_unused_result.
Assigning it to an attribute-unused variable is apparently "better"
than casting it to void...
Also, we avoid taking this path at all if event_fd is -1.
Closes: #32
Approved by: alexlarsson
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Closes: #31
Approved by: alexlarsson
The rawhide kernel has started to warn about applications using 32-bit
capabilities calls. We don't actually need more than 32 bits, but
let's use the 64-bit APIs anyway to stay safe.
Closes: #29
Approved by: cgwalters
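An added example (not bubblewrap's code) covering this commit and the earlier CAP_NET_ADMIN one: read the capability sets with the 64-bit (v3) capget API, which hands the kernel two 32-bit data structs instead of the single struct the old API used, and check CAP_NET_ADMIN before attempting to bring up the loopback device in a freshly unshared network namespace. The raw-syscall wrapper and function names are assumptions; glibc does not export capget/capset.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/capability.h>
#include <net/if.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* With _LINUX_CAPABILITY_VERSION_3 the kernel expects two data structs,
   one per 32-bit half of each 64-bit capability set.  Passing the v1
   header with a single struct is what newer kernels warn about. */
int read_caps_v3(uint64_t *effective, uint64_t *permitted)
{
  struct __user_cap_header_struct hdr;
  struct __user_cap_data_struct data[2];
  memset(&hdr, 0, sizeof hdr);
  memset(data, 0, sizeof data);
  hdr.version = _LINUX_CAPABILITY_VERSION_3;
  hdr.pid = 0; /* the calling thread */
  if (syscall(SYS_capget, &hdr, data) < 0)
    return -1;
  *effective = ((uint64_t) data[1].effective << 32) | data[0].effective;
  *permitted = ((uint64_t) data[1].permitted << 32) | data[0].permitted;
  return 0;
}

bool cap_in_set(uint64_t set, int cap)
{
  return cap >= 0 && cap < 64 && ((set >> cap) & 1) != 0;
}

int caps_readable(void)
{
  uint64_t eff = 0, perm = 0;
  return read_caps_v3(&eff, &perm) == 0 ? 1 : 0;
}

/* After unshare(CLONE_NEWNET) the new namespace's lo is down.  Bringing it
   up is a SIOCSIFFLAGS ioctl, which the kernel gates on CAP_NET_ADMIN.
   Returns 0, or -1 with errno set (EPERM when the capability is missing). */
int bring_up_loopback(void)
{
  int sock = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
  if (sock < 0)
    return -1;
  struct ifreq ifr;
  memset(&ifr, 0, sizeof ifr);
  strncpy(ifr.ifr_name, "lo", IFNAMSIZ - 1);
  int rc = ioctl(sock, SIOCGIFFLAGS, &ifr);
  if (rc == 0)
    {
      ifr.ifr_flags |= IFF_UP | IFF_RUNNING;
      rc = ioctl(sock, SIOCSIFFLAGS, &ifr);
    }
  int saved = errno;
  close(sock);
  errno = saved;
  return rc;
}

/* Check before unsharing the network namespace rather than discovering
   the EPERM afterwards, when the sandbox is already half built. */
bool can_configure_loopback(void)
{
  uint64_t eff = 0, perm = 0;
  if (read_caps_v3(&eff, &perm) < 0)
    return false;
  return cap_in_set(eff, CAP_NET_ADMIN);
}
```

In the setuid case the capability has to be kept through the privilege drop up to the point where lo is configured, which is why the earlier commit adds CAP_NET_ADMIN to the set bwrap retains.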
It's surprising that `security_context_t` isn't const.
Pull request: #27
Approved by: alexlarsson
AFAICS it's not really possible for `write()` to an eventfd to fail,
so squash this warning from Travis.
Pull request: #27
Approved by: alexlarsson
I noticed on Travis we had a warning about this, and it's actually
right, the man page says on OOM the contents of `*strp` are undefined,
not `NULL`.
(Now possibly it doesn't touch the value, but anyways this follows
the man page and fixes a compiler warning)
Pull request: #27
Approved by: alexlarsson
Greater visibility for these is useful. (Alternatively, autoconf
could be less verbose but I'm assuming that's not going to happen
before the sun explodes).
Pull request: #28
Approved by: alexlarsson
With this you can e.g.:
```
./configure --enable-sudo --with-priv-mode=setcaps
make
make install
```
and it will ask you for the sudo password and then make the final binary
have the right capabilities set.
This is not needed when setting such permissions in e.g. a spec file, but
it is useful for developers building bubblewrap.
Pull request: #26
Approved by: cgwalters
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Pull request: #25
Approved by: alexlarsson
Pull request: #24
Approved by: alexlarsson