Signed-off-by: Simon McVittie <smcv@collabora.com>
--pidns acts on a pid namespace, not a user namespace.
Resolves: https://github.com/containers/bubblewrap/issues/531
Thanks: hadess
Signed-off-by: Simon McVittie <smcv@collabora.com>
build: Consistently use AS_IF instead of if/then/fi
AS_IF is best-practice for Autoconf, because it resolves conditional
dependencies correctly; for example, if the first use of
PKG_CHECK_MODULES is inside an if/then/fi block, then
PKG_CHECK_PKG_CONFIG will also be conditional, but if the first use of
PKG_CHECK_MODULES is inside AS_IF, then PKG_CHECK_PKG_CONFIG will be
done unconditionally.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Add --size option to control size of a --tmpfs
Signed-off-by: Tom Smeding <tom@tomsmeding.com>
Signed-off-by: Tom Smeding <tom@tomsmeding.com>
Signed-off-by: Tom Smeding <tom@tomsmeding.com>
Signed-off-by: Tom Smeding <tom@tomsmeding.com>
Improve error message when clone() fails with ENOSPC
In particular, this would have given #371 a clearer error message.
Signed-off-by: Simon McVittie <smcv@collabora.com>
test-run: replace nonstandard `which`
`command -v` is the standardized replacement for `which` and never
writes to stderr
Signed-off-by: a1346054 <36859588+a1346054@users.noreply.github.com>
Prompted by flatpak/flatpak#4731, in which a misconfigured SMB automount
was failing to be remounted with ENODEV. This would have been easier to
debug if we knew which path could not be remounted.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Adjust tests related to /etc/shadow
The goal of this assertion was to demonstrate that a setuid bwrap does
not give us access to otherwise unreadable files, but if we want to
check that, we should probably be looking at the bind-mount destination
instead of the source file.
Leave the old assertion in too, just in case *that* fails.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Ordinarily, we would not be able to read /etc/shadow if we're not uid 0;
but when building in a sysroot owned by the current user (for example
by setting it up using bwrap, as steam-runtime-tools does), we might
actually be able to read it. Skip the assertion that we cannot read it
in this case.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This is useful when building a self-contained, relocatable tree
containing a build of bubblewrap and all of its non-glibc dependencies
(in practice this means libcap and maybe libselinux), as is done in
the Steam container runtime. A RPATH/RUNPATH pointing to ${ORIGIN}/../lib
allows bwrap to find an adjacent, bundled copy of libcap.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
Annotate some variables as sometimes-unused
These parameters are unused if SELinux happens to be disabled.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This variable is only used for lifetime tracking (autocleanup), but
clang warns on that.
Signed-off-by: Simon McVittie <smcv@collabora.com>
try-syscall: Use compiler-predefined macros to detect mips ABI
_MIPS_SIM_ABI32 etc. are defined by Linux <asm/sgidefs.h>, which is
included by glibc <sys/syscall.h> (which defers to Linux headers to
get syscall numbers), but not by musl <sys/syscall.h>.
_ABIO32 etc. are predefined by the compiler, so they are always
available, regardless of libc. References:
https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=27d54b2a6c18ef1ae50f1a5b432d590438445b90
https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=0ea339ea4d9c3e04ae17da6bf389617eb0251e57
Signed-off-by: Simon McVittie <smcv@collabora.com>
meson: Allow installation directory to be set explicitly
Overriding the libexecdir via default_options doesn't always work when
used as a subproject.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Allow building on old glibc without PR_SET_CHILD_SUBREAPER defined
Signed-off-by: Simon McVittie <smcv@collabora.com>
If we don't do this, AddressSanitizer busy-loops with this backtrace:
#0 in sched_yield
#1 in __sanitizer::StopTheWorld
#2 in __lsan::LockStuffAndStopTheWorldCallback
#3 in __GI___dl_iterate_phdr
#4 in __lsan::LockStuffAndStopTheWorld
#5 in __lsan::CheckForLeaks
#6 in __lsan::DoLeakCheck
#7 __lsan::DoLeakCheck
#8 in __cxa_finalize
#9 in __do_global_dtors_aux
#10 in ??
#11 in _dl_fini
This fixes the hang described in commit 2e3d6e7d, so remove the
workarounds from that commit.
Signed-off-by: Simon McVittie <smcv@collabora.com>
gcc's AddressSanitizer makes system calls that our filter doesn't
allow for, resulting in a fatal error when run under a restrictive
seccomp filter.
try-syscall is a helper for the test, rather than being code under test
itself, so we don't really need this instrumentation in it: all we want
it to do is make some specific syscalls.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This follows the usual feature semantics: they're mandatory if the
feature is enabled, aren't checked if the feature is disabled, and are
optional if the feature is in the auto state (which is the default for
this particular feature).
The logic used here is similar to AX_CHECK_DOCBOOK_XSLT in
autoconf-archive.
Resolves: https://github.com/containers/bubblewrap/issues/500
Signed-off-by: Simon McVittie <smcv@collabora.com>
Add --share-net & --json-status-fd to the manpage
Fixes #469
Fixes #499
Signed-off-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
meson: add tests option
Allow the user to disable tests, for example to avoid the following
build failure on mips32:
FAILED: tests/try-syscall.p/try-syscall.c.o
/home/autobuild/autobuild/instance-11/output-1/host/bin/mipsel-buildroot-linux-musl-gcc -Itests/try-syscall.p -Itests -I../tests -fdiagnostics-color=always -Wall -Winvalid-pch -Wextra -O3 -D_GNU_SOURCE -Werror=shadow -Werror=empty-body -Werror=strict-prototypes -Werror=missing-prototypes -Werror=implicit-function-declaration -Werror=pointer-arith -Werror=init-self -Werror=missing-declarations -Werror=return-type -Werror=overflow -Werror=int-conversion -Werror=incompatible-pointer-types -Werror=misleading-indentation -Werror=missing-include-dirs -Werror=aggregate-return -Werror=switch-default -Wswitch-enum -Wno-sign-compare -Wno-error=sign-compare -Wno-missing-field-initializers -Wno-error=missing-field-initializers -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -O1 -g0 -MD -MQ tests/try-syscall.p/try-syscall.c.o -MF tests/try-syscall.p/try-syscall.c.o.d -o tests/try-syscall.p/try-syscall.c.o -c ../tests/try-syscall.c
../tests/try-syscall.c:34:5: error: #error "Unknown MIPS ABI"
34 | # error "Unknown MIPS ABI"
| ^~~~~
Fixes:
- http://autobuild.buildroot.org/results/cf0365354fc8c16e5871d561daae0fa5039d0bee
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Link to the last commit where xdg-app-helper.c existed
Right now this link just opens a "path not found" page, so let's fix that by linking to the last commit where it existed instead.
Signed-off-by: Newbyte <newbie13xd@gmail.com>
Add install instruction to README.md
Closes #315
Closes #363
Signed-off-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Add --add-seccomp-fd to bash/zsh completion
Signed-off-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Fix --add-seccomp-fd argument name in usage
--help shows --add-seccomp instead of --add-seccomp-fd which is the
correct argument.
Signed-off-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
tests: fix build with clang
Avoids breaking warning with clang
Fixes #478
Signed-off-by: Marc-Antoine Perennou <Marc-Antoine@Perennou.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
completions: Make zsh completion non-executable
The Autotools build system installed it with 0644 permissions because
it's listed as DATA, but the Meson build system installs executable
files as executable by default.
zsh completions don't need to be executable to work, and this one doesn't
have the `#!` marker that should start an executable script.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>