| Commit message | Author | Age | Files | Lines |
I saw a typo `Custon`, and while here did a quick pass and
cleaned a few other things up a bit.
Closes: #211
Approved by: jlebon
These make explicit various implicit assumptions about how the SetupOps
are constructed. This fixes various Coverity issues about potential NULL
pointer dereferences.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #209
Approved by: cgwalters
This is pretty unnecessary, since they will automatically be closed by
the kernel when bubblewrap’s PID 1 exits, but cleaning them up shuts up
Coverity.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #209
Approved by: cgwalters
Fixes Coverity issue 1376583.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #209
Approved by: cgwalters
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #209
Approved by: cgwalters
In <https://github.com/projectatomic/bubblewrap/pull/101>, specifically
commit cde7fab7ec4aafd9386a41e2e10a6af07fda3eb8 we started dropping
all capabilities, even if the caller was privileged.
This broke rpm-ostree, which runs RPM scripts using bwrap, and some
of those scripts depend on capabilities (mostly `CAP_DAC_OVERRIDE`).
Fix this by retaining capabilities by default if the caller's uid is zero.
I considered having the logic be to simply retain any capabilities the invoking
process has (imagine filecaps binaries like `ping` or
`/usr/bin/gnome-keyring-daemon` using bwrap) but we currently explicitly abort
in that scenario to catch broken packages which used file capabilities for bwrap
itself (we switched to suid). For now this works, and if down the line there's a
real-world use case for capability-bearing non-zero-uid processes to invoke
bwrap *and* retain those privileges, we can revisit.
Another twist here is that we need to do some gymnastics to first avoid calling
`capset()` if we don't need to, as that can fail due to systemd installing a
seccomp filter that denies it (for dubious reasons). Then we also need to ignore
`EPERM` when dropping caps in the init process. (I considered unilaterally
handling `EPERM`, but it seems nicer to avoid calling `capset()` unless we need to)
Closes: https://github.com/projectatomic/bubblewrap/issues/197
Closes: #205
Approved by: alexlarsson
The cat is cute, but let's not hinder adoption anywhere based on this. If
someone cares, we could probably project the Internet emergency logo into the
sky, requesting a cat picture with bubblewrap that is *also* DFSG compliant.
Closes: https://github.com/projectatomic/bubblewrap/issues/204
Closes: #206
Approved by: alexlarsson
This was factored out to be sharable with other projects; let's do so.
Closes: #203
Approved by: jlebon
Rename the YAML file and its auxiliary files to the newly supported
name and bump tests to use F26.
Closes: #202
Approved by: cgwalters
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #199
Approved by: cgwalters
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #101
Approved by: alexlarsson
When --unshare-user is used in the unprivileged case, all caps are
left to the sandboxed application. Change it to leave only the
specified ones.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #101
Approved by: alexlarsson
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #101
Approved by: alexlarsson
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #101
Approved by: alexlarsson
It allows configuring the user namespace from outside.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #101
Approved by: alexlarsson
When using namespaces, permit leaving some capabilities in the
sandbox. This can be helpful to run a system instance of systemd.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #101
Approved by: alexlarsson
bubblewrap: add --as-pid-1
It allows running a process with PID=1 in the new pid namespace.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This apparently only is emitted with `CFLAGS='-O2 -Wp,-D_FORTIFY_SOURCE=2'`,
which is used by RPM builds in Fedora at least. Enable that by default.
Note that I fixed it by using `TEMP_FAILURE_RETRY`, which should also ensure
that we don't spuriously continue if the `read` was interrupted by `EINTR` for
some reason.
Closes: #190
Approved by: alexlarsson
As I said in the release notes, I think the majority of use cases want this,
which includes this interactive shell.
Closes: #189
Approved by: alexlarsson
Closes: https://github.com/projectatomic/bubblewrap/issues/186
Closes: #188
Approved by: alexlarsson
This should fix querying the bwrap version in flatpak's `configure.ac`.
Closes: https://github.com/projectatomic/bubblewrap/issues/185
Closes: #187
Approved by: alexlarsson
Otherwise the test fails when setting BWRAP.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #183
Approved by: cgwalters
In scenarios such as running bwrap in test frameworks (`bwrap make check`),
one wants all of the processes to go away if the parent process
dies, or if the bwrap process is directly killed.
This ensures that in all cases (both with `--unshare-pid` and without), we use
`prctl(PR_SET_PDEATHSIG)` on both our outer and inner init processes if
`--die-with-parent` is specified.
Tests-by: Colin Walters <walters@verbum.org>
Closes: #165
Approved by: emdej
Bwrap fails to start on a host missing the magic sysrq-trigger file;
this change skips the read-only bind mount when the file is absent.
Closes: #179
Approved by: cgwalters
Currently we are working on implementing rootless containers, where no
privileges are required during any part of the process of installing
runC or the management of containers. We are solving a different problem
to bubblewrap with this feature, in the hopes that users on machines
where they have no ability to create a setuid binary will be able to
still use containers.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Closes: #84
Approved by: cgwalters
Closes: #177
Approved by: cgwalters
Closes: #176
Approved by: cgwalters
Some older kernels are buggy with respect to this; see
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/commoncap.c?id=160da84dbb39443fdade7151bc63a88f8e953077
Fixes: https://github.com/projectatomic/bubblewrap/issues/174
Closes: #175
Approved by: mariospr
If you read the logs, ASAN gets confused by us using PID namespaces.
Perhaps we could figure out an API to change this later, but in
the meantime, let's disable leak checks.
We still get use-after-free detection.
Closes: #170
Approved by: alexlarsson
It was never that useful, just a quick stub to get Travis going, which we don't
use right now. Let's just move it into the `test-run.sh`.
Closes: #163
Approved by: alexlarsson
We're seeing loopback setup fail in Fedora infrastructure for rpm-ostree
composes: https://pagure.io/releng/issue/6602
This should help debug. Tested with strace fault injection:
```
$ strace -o strace.log -f -e fault=bind:error=EPERM bwrap --unshare-net --bind / / true
loopback: Failed to bind NETLINK_ROUTE socket: Operation not permitted
$
```
Closes: #166
Approved by: alexlarsson
Previously we were just building in a container, now we actually run the test
script.
This explicitly does builds in a container still, and only installs
the bwrap binaries into the host's `/usr`. Down the line I think
we can enable better support for this model in redhat-ci.
Closes: #160
Approved by: jlebon
Otherwise we fail on CentOS 7.
Closes: #160
Approved by: jlebon
Updated the manpage to include the new --unshare-all option.
Closes: #161
Approved by: cgwalters
Some distributions may want to enforce this in the privileged case;
it enforces stronger isolation rather than allowing users to
cherry-pick namespaces.
Closes: #141
Closes: #159
Approved by: valoq
This caused Emacs syntax highlighting to get confused.
Closes: #159
Approved by: valoq
In discussion in https://github.com/projectatomic/bubblewrap/pull/150
it was noted that most of the bwrap command line tends towards "closed
by default, request open". But the `--unshare` options are inverse.
Now, I suspect in practice there's only one namespace that most users
will care about, which is the network namespace. There are very useful
programs to build on both cases.
I think everything else (pid, ipc, uts) people will want as a group.
Any cases that are unusual enough to want to turn one of them off
can still fall back to the previous bwrap behavior of explicitly
unsharing. They're likely to be security sensitive enough
that if a new namespace were added, it would make sense to evaluate
the tool.
But again I think most users will want all namespaces, with the network one as a
primary "enable it" option.
Closes: #153
Approved by: alexlarsson
This means the filter need not know anything about what
syscalls bwrap does.
Fixes: https://github.com/projectatomic/bubblewrap/issues/155
Closes: #156
Approved by: cgwalters
This means such options get inherited by pid 1 too.
Closes: #156
Approved by: cgwalters
Let's demo things as sandboxed as possible.
Closes: #154
Approved by: cgwalters
This means we stay compatible with apps using the old bwrap, yet
still makes it easy to avoid CVE-2017-5226 in apps using bwrap.
Also, recommend that applications not using --new-session should
use a seccomp filter for the TIOCSTI ioctl to avoid the input
injection issue.
Closes: #154
Approved by: cgwalters
I learned with ostree this works, might as well.
Closes: #152
Approved by: alexlarsson
The capability bounding set is a limit on what capabilities can
be regained at execve(). Due to PR_NO_NEW_PRIVS we should be safe
from any such issues, but we may as well clear it anyway.
Note, we also have to clear it in the new namespace if user namespaces
are enabled, because the kernel gives us a new set of full bounds in
the user namespace.
See https://github.com/projectatomic/bubblewrap/issues/136 for some
discussion about this.
Closes: #149
Approved by: cgwalters
It's quite possible for bwrap to have children of its own exit and deliver
SIGCHLD signals and the like. For instance, the bubblewrap-shell
demo does (simplified):
```
(exec bwrap --file 11 /a/file /bin/sh) 11< <(cmd)
```
This actually starts a subshell process, and has it spawn a child
running "cmd", and then exec replaces the subshell with the bwrap
process that now has an unexpected child.
This can lead to problems in two ways:
1) We get a SIGCHLD before we process children dying via
the signalfd. This means we never wait() for the child
and it becomes a zombie.
2) If the child dies after the pid1 process has started
we will see the sigchld and think that pid1 has died
and exit the monitor process.
The fix for 1 is to reap all outstanding zombies after we
blocked sigchld, but before we fork the child.
The fix for 2 is to only exit when the expected pid dies.
Closes: #146
Approved by: cgwalters
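The two fixes described in this commit message, shown as an added C example that is not bubblewrap's own code: drain zombies left by an inherited child after blocking SIGCHLD and before forking, and keep monitoring until the expected pid exits rather than on the first child death. The function names and the constructed stray/decoy children are assumptions made for this demo.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fix 1: with SIGCHLD blocked and before forking the sandbox child, drain every
 * zombie we inherited (e.g. a sibling spawned by the shell that exec'd us). */
static int reap_outstanding_zombies(void)
{
    int n = 0;
    while (waitpid(-1, NULL, WNOHANG) > 0)
        n++;
    return n;                 /* number of zombies reaped */
}

/* Fix 2: keep waiting until the expected child (the sandbox "pid 1") exits; any
 * other child that dies meanwhile is reaped and ignored, not mistaken for pid 1. */
static int wait_for_expected_child(pid_t expected)
{
    int status;
    for (;;) {
        pid_t pid = waitpid(-1, &status, 0);
        if (pid < 0)
            return -1;        /* no children left: monitoring error */
        if (pid == expected)
            return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
    }
}
/* Constructed scenario covering both cases: a stray child is already a zombie
 * before we fork "pid 1", and a decoy child dies while pid 1 still runs.
 * waitid(..., WNOWAIT) waits for a death without reaping, keeping this deterministic. */
static int demo_sigchld_handling(void)
{
    sigset_t mask;
    siginfo_t si;
    sigemptyset(&mask); sigaddset(&mask, SIGCHLD);
    sigprocmask(SIG_BLOCK, &mask, NULL);   /* bwrap blocks SIGCHLD first */
    pid_t stray = fork();
    if (stray == 0) _exit(0);
    waitid(P_PID, stray, &si, WEXITED | WNOWAIT);  /* stray is now a zombie */
    if (reap_outstanding_zombies() != 1)
        return -2;                         /* wrong number of strays reaped */
    pid_t pid1 = fork();
    if (pid1 == 0) { usleep(20000); _exit(7); }
    pid_t decoy = fork();
    if (decoy == 0) _exit(3);
    waitid(P_PID, decoy, &si, WEXITED | WNOWAIT);  /* decoy has died first */
    return wait_for_expected_child(pid1);  /* 7: decoy reaped, not mistaken for pid 1 */
}
```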
I was working on rpm-ostree's use of bwrap and realized we weren't setting up
/var/tmp. I think this should be a best practice for app compatibility.
I also took the opportunity to expand the docs a bit, and overriding PS1 helps
users know they're in the container shell.
Closes: #137
Approved by: alexlarsson
Closes: #141
Closes: #144
Approved by: valoq
This prevents the sandboxed code from getting a controlling tty,
which in turn prevents it from accessing the TIOCSTI ioctl and hence
faking terminal input.
Fixes: #142
Closes: #143
Approved by: cgwalters