Commit message (Author, Date; Files changed, Lines removed/added)
...
* main: Fix typo, tweak command line argument descriptions (Colin Walters, 2017-08-24; 1 file, -6/+6)
  I saw a typo `Custon`, and while here did a quick pass and cleaned a few other things up a bit.
  Closes: #211
  Approved by: jlebon
* bubblewrap: Add various assertions on SetupOp handling (Philip Withnall, 2017-08-15; 1 file, -0/+4)
  These make explicit various implicit assumptions about how the SetupOps are constructed. This fixes various Coverity issues about potential NULL pointer dereferences.
  Signed-off-by: Philip Withnall <withnall@endlessm.com>
  Closes: #209
  Approved by: cgwalters
* bubblewrap: Close FDs on exiting PID 1 (Philip Withnall, 2017-08-15; 1 file, -0/+12)
  This is pretty unnecessary, since they will automatically be closed by the kernel when bubblewrap's PID 1 exits, but cleaning them up shuts up Coverity.
  Signed-off-by: Philip Withnall <withnall@endlessm.com>
  Closes: #209
  Approved by: cgwalters
* bubblewrap: Fix a minor memory leak in --args handling (Philip Withnall, 2017-08-15; 1 file, -4/+4)
  Fixes Coverity issue 1376583.
  Signed-off-by: Philip Withnall <withnall@endlessm.com>
  Closes: #209
  Approved by: cgwalters
* bubblewrap: Improve const-correctness of argv handling (Philip Withnall, 2017-08-15; 1 file, -12/+12)
  Signed-off-by: Philip Withnall <withnall@endlessm.com>
  Closes: #209
  Approved by: cgwalters
* Retain all caps when invoked by uid 0, work around systemd seccomp filter (Colin Walters, 2017-08-14; 3 files, -9/+79)
  In <https://github.com/projectatomic/bubblewrap/pull/101>, specifically commit cde7fab7ec4aafd9386a41e2e10a6af07fda3eb8 we started dropping all capabilities, even if the caller was privileged. This broke rpm-ostree, which runs RPM scripts using bwrap, and some of those scripts depend on capabilities (mostly `CAP_DAC_OVERRIDE`).

  Fix this by retaining capabilities by default if the caller's uid is zero.

  I considered having the logic be to simply retain any capabilities the invoking process has (imagine filecaps binaries like `ping` or `/usr/bin/gnome-keyring-daemon` using bwrap) but we currently explicitly abort in that scenario to catch broken packages which used file capabilities for bwrap itself (we switched to suid). For now this works, and if down the line there's a real-world use case for capability-bearing non-zero-uid processes to invoke bwrap *and* retain those privileges, we can revisit.

  Another twist here is that we need to do some gymnastics to first avoid calling `capset()` if we don't need to, as that can fail due to systemd installing a seccomp filter that denies it (for dubious reasons). Then we also need to ignore `EPERM` when dropping caps in the init process. (I considered unilaterally handling `EPERM`, but it seems nicer to avoid calling `capset()` unless we need to.)
  Closes: https://github.com/projectatomic/bubblewrap/issues/197
  Closes: #205
  Approved by: alexlarsson
* README.md: Delete cat logo picture (not DFSG compliant) (Colin Walters, 2017-08-14; 2 files, -4/+0)
  The cat is cute, but let's not hinder adoption anywhere based on this. If someone cares, we could probably project the Internet emergency logo into the sky, requesting a cat picture with bubblewrap that is *also* DFSG compliant.
  Closes: https://github.com/projectatomic/bubblewrap/issues/204
  Closes: #206
  Approved by: alexlarsson
* tests: Import libtest-core.sh from ostree (Colin Walters, 2017-08-02; 2 files, -14/+145)
  This was factored out to be sharable with other projects, let's do so.
  Closes: #203
  Approved by: jlebon
* ci: rename files to new name and bump to f26 (Jonathan Lebon, 2017-08-02; 2 files, -7/+8)
  Rename the YAML file and its auxiliary files to the newly supported name and bump tests to use F26.
  Closes: #202
  Approved by: cgwalters
* README.md: add bwrap-oci to the list of users (Giuseppe Scrivano, 2017-07-12; 1 file, -0/+1)
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  Closes: #199
  Approved by: cgwalters
* tests: add tests for --cap-add (Giuseppe Scrivano, 2017-06-29; 1 file, -1/+15)
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  Closes: #101
  Approved by: alexlarsson
* bubblewrap: do not always leave caps in the unprivileged case (Giuseppe Scrivano, 2017-06-29; 1 file, -10/+19)
  When --unshare-user is used in the unprivileged case, all caps are left to the sandboxed application. Change it to leave only the specified ones.
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  Closes: #101
  Approved by: alexlarsson
* bubblewrap.c: fix typo (Giuseppe Scrivano, 2017-06-29; 1 file, -1/+1)
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  Closes: #101
  Approved by: alexlarsson
* demos: add demo userns-block-fd.py (Giuseppe Scrivano, 2017-06-29; 1 file, -0/+36)
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  Closes: #101
  Approved by: alexlarsson
* bubblewrap: add option --userns-block-fd (Giuseppe Scrivano, 2017-06-29; 3 files, -9/+51)
  It allows configuring the user namespace from outside.
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  Closes: #101
  Approved by: alexlarsson
* bubblewrap: add --cap-add and --cap-drop (Giuseppe Scrivano, 2017-06-29; 4 files, -9/+146)
  When using namespaces, permit leaving some capabilities in the sandbox. This can be helpful to run a system instance of systemd.
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  Closes: #101
  Approved by: alexlarsson
* Merge pull request #196 from giuseppe/no-reaper (Alexander Larsson, 2017-06-13; 4 files, -4/+32)
  bubblewrap: add --as-pid-1
  * bubblewrap: add --as-pid-1 (Giuseppe Scrivano, 2017-06-13; 4 files, -4/+32)
    It allows running a process with PID=1 in the new pid namespace.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* main: Squash a -Wunused-result error, enable FORTIFY_SOURCE in CI (Colin Walters, 2017-03-29; 2 files, -3/+3)
  This apparently only is emitted with `CFLAGS='-O2 -Wp,-D_FORTIFY_SOURCE=2'`, which is used by RPM builds in Fedora at least. Enable that by default.

  Note that I fixed it by using `TEMP_FAILURE_RETRY`, which should also ensure that we don't spuriously continue if the `read` was interrupted by `EINTR` for some reason.
  Closes: #190
  Approved by: alexlarsson
* demos/shell: Use --die-with-parent (Colin Walters, 2017-03-29; 1 file, -0/+1)
  As I said in the release notes, I think the majority of use cases want this, which includes this interactive shell.
  Closes: #189
  Approved by: alexlarsson
* Release 0.1.8 [tag: v0.1.8] (Colin Walters, 2017-03-28; 1 file, -1/+1)
  Closes: https://github.com/projectatomic/bubblewrap/issues/186
  Closes: #188
  Approved by: alexlarsson
* main: Parse --version early before acquiring capabilities (Colin Walters, 2017-03-28; 1 file, -2/+16)
  This should fix querying the bwrap version in flatpak's `configure.ac`.
  Closes: https://github.com/projectatomic/bubblewrap/issues/185
  Closes: #187
  Approved by: alexlarsson
* test-run.sh: fix the path for the usage string (Giuseppe Scrivano, 2017-03-01; 1 file, -1/+1)
  Otherwise the test fails when setting BWRAP.
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  Closes: #183
  Approved by: cgwalters
* Add --die-with-parent (Marek Jarycki, 2017-02-27; 4 files, -0/+82)
  In scenarios such as running bwrap in test frameworks (`bwrap make check`), one wants all of the processes to go away if the parent process dies, or if the bwrap process is directly killed.

  This ensures that in all cases (both with `--unshare-pid` and without), we use `prctl(PR_SET_PDEATHSIG)` on both our outer and inner init processes if `--die-with-parent` is specified.
  Tests-by: Colin Walters <walters@verbum.org>
  Closes: #165
  Approved by: emdej
* Ignore missing sysrq-trigger file (Tristan Cacqueray, 2017-02-20; 1 file, -0/+3)
  Bwrap fails to start on a host missing the magic sysrq-trigger file; this change skips the read-only bind mount when the file is absent.
  Closes: #179
  Approved by: cgwalters
* README: update references to runC (Aleksa Sarai, 2017-02-17; 1 file, -9/+12)
  Currently we are working on implementing rootless containers, where no privileges are required during any part of the process of installing runC or the management of containers. We are solving a different problem to bubblewrap with this feature, in the hopes that users on machines where they have no ability to create a setuid binary will be able to still use containers.
  Signed-off-by: Aleksa Sarai <asarai@suse.de>
  Closes: #84
  Approved by: cgwalters
* Correctly validate remount-ro argument (Aidan Hobson Sayers, 2017-02-08; 1 file, -0/+3)
  Closes: #177
  Approved by: cgwalters
* Remove privileged_op flags that are never used (Aidan Hobson Sayers, 2017-02-08; 1 file, -3/+2)
  Closes: #176
  Approved by: cgwalters
* Ignore EPERM when dropping caps from bounding set (Mario Sanchez Prada, 2017-02-07; 1 file, -1/+8)
  Some older kernels are buggy with respect to this; see https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/commoncap.c?id=160da84dbb39443fdade7151bc63a88f8e953077
  Fixes: https://github.com/projectatomic/bubblewrap/issues/174
  Closes: #175
  Approved by: mariospr
* ci: Disable ASAN leak checking (Colin Walters, 2017-01-27; 1 file, -1/+1)
  If you read the logs, ASAN gets confused by us using PID namespaces. Perhaps we could figure out an API to change this later, but in the meantime, let's disable leak checks. We still get use-after-free detection.
  Closes: #170
  Approved by: alexlarsson
* tests: Fold test-basic.sh into test-run.sh (Colin Walters, 2017-01-26; 3 files, -37/+8)
  It was never that useful, just a quick stub to get Travis going, which we don't use right now. Let's just move it into the `test-run.sh`.
  Closes: #163
  Approved by: alexlarsson
* Be more informative if loopback setup fails (Colin Walters, 2017-01-26; 3 files, -11/+9)
  We're seeing loopback setup fail in Fedora infrastructure for rpm-ostree composes: https://pagure.io/releng/issue/6602

  This should help debug. Tested with strace fault injection:

  ```
  $ strace -o strace.log -f -e fault=bind:error=EPERM bwrap --unshare-net --bind / / true
  loopback: Failed to bind NETLINK_ROUTE socket: Operation not permitted
  $
  ```
  Closes: #166
  Approved by: alexlarsson
* ci: Revamp to actually run the tests (Colin Walters, 2017-01-23; 2 files, -54/+57)
  Previously we were just building in a container, now we actually run the test script. This explicitly does builds in a container still, and only installs the bwrap binaries into the host's `/usr`. Down the line I think we can enable better support for this model in redhat-ci.
  Closes: #160
  Approved by: jlebon
* tests: Use --unshare-user-try (Colin Walters, 2017-01-23; 1 file, -1/+1)
  Otherwise we fail on CentOS 7.
  Closes: #160
  Approved by: jlebon
* Added --unshare-all to manpage (valoq, 2017-01-21; 1 file, -0/+4)
  Updated the manpage to include the new --unshare-all option.
  Closes: #161
  Approved by: cgwalters
* Add --require-userns build option for setuid mode (valoq, 2017-01-20; 2 files, -0/+17)
  Some distributions may want to enforce this in the privileged case; it enforces stronger isolation rather than allowing users to cherry-pick namespaces.
  Closes: #141
  Closes: #159
  Approved by: valoq
* build: Remove unbalanced ) in help message (Colin Walters, 2017-01-20; 1 file, -1/+1)
  This caused Emacs syntax highlighting to get confused.
  Closes: #159
  Approved by: valoq
* Bump version to 0.1.7 [tag: v0.1.7] (Alexander Larsson, 2017-01-18; 1 file, -1/+1)
* Add --unshare-all and --share-net (Colin Walters, 2017-01-17; 2 files, -9/+27)
  In discussion in https://github.com/projectatomic/bubblewrap/pull/150 it was noted that most of the bwrap command line tends towards "closed by default, request open". But the `--unshare` options are inverse.

  Now, I suspect in practice there's only one namespace that most users will care about, which is the network namespace. There are very useful programs to build on both cases. I think everything else (pid, ipc, uts) people will want as a group.

  Any cases that are unusual enough to want to turn one of them off can still fall back to the previous bwrap behavior of explicitly unsharing. They're likely to be security sensitive enough that if a new namespace were added, it would make sense to evaluate the tool.

  But again I think most users will want all namespaces, with the network one as a primary "enable it" option.
  Closes: #153
  Approved by: alexlarsson
* Install seccomp filter at the very end (Alexander Larsson, 2017-01-17; 1 file, -11/+15)
  This means the filter need not know anything about what syscalls bwrap does.
  Fixes: https://github.com/projectatomic/bubblewrap/issues/155
  Closes: #156
  Approved by: cgwalters
* Call setsid() and setexeccon() before forking the init monitor (Alexander Larsson, 2017-01-17; 1 file, -7/+7)
  This means such options get inherited by pid 1 too.
  Closes: #156
  Approved by: cgwalters
* demos/bubblewrap-shell.sh: Unshare all namespaces (Alexander Larsson, 2017-01-17; 1 file, -0/+5)
  Let's demo things as sandboxed as possible.
  Closes: #154
  Approved by: cgwalters
* Make the call to setsid() optional, with --new-session (Alexander Larsson, 2017-01-17; 2 files, -1/+20)
  This means we stay compatible with apps using the old bwrap, yet still makes it easy to avoid CVE-2017-5226 in apps using bwrap.

  Also, recommend that applications not using --new-session should use a seccomp filter for the TIOCSTI ioctl to avoid the input injection issue.
  Closes: #154
  Approved by: cgwalters
* ci: Combine ASAN and UBSAN (Colin Walters, 2017-01-17; 1 file, -2/+3)
  I learned with ostree this works, might as well.
  Closes: #152
  Approved by: alexlarsson
* Clear capability bounding set (Alexander Larsson, 2017-01-13; 1 file, -0/+20)
  The capability bounding set is a limit on what capabilities can be regained at execve(). Due to PR_NO_NEW_PRIVS we should be safe from any such issues, but we may as well clear it anyway.

  Note, we also have to clear it in the new namespace if user namespaces are enabled, because the kernel gives us a new set of full bounds in the user namespace.

  See https://github.com/projectatomic/bubblewrap/issues/136 for some discussion about this.
  Closes: #149
  Approved by: cgwalters
* Handle inherited children dying (Alexander Larsson, 2017-01-13; 1 file, -11/+41)
  It's quite possible for children of bwrap to exit and deliver SIGCHLD signals and the like. For instance, the bubblewrap-shell demo does (simplified):

      (exec bwrap --file 11 /a/file /bin/sh) 11< <(cmd)

  This actually starts a subshell process, and has it spawn a child running "cmd", and then exec replaces the subshell with the bwrap process that now has an unexpected child.

  This can lead to problems in two ways:
  1) We get a SIGCHLD before we process children dying via the signalfd. This means we never wait() for the child and it becomes a zombie.
  2) If the child dies after the pid1 process has started we will see the sigchld and think that pid1 has died and exit the monitor process.

  The fix for 1 is to reap all outstanding zombies after we blocked sigchld, but before we fork the child. The fix for 2 is to only exit when the expected pid dies.
  Closes: #146
  Approved by: cgwalters
* Release 0.1.6 (Colin Walters, 2017-01-11; 1 file, -1/+1)
* demo/shell: Add /var/tmp compat symlink, tweak PS1, add more docs (Colin Walters, 2017-01-11; 1 file, -1/+9)
  I was working on rpm-ostree's use of bwrap and realized we weren't setting up /var/tmp. I think this should be a best practice for app compatibility.

  I also took the opportunity to expand the docs a bit, and overriding PS1 helps users know they're in the container shell.
  Closes: #137
  Approved by: alexlarsson
* man: Correct namespace user -> mount (Colin Walters, 2017-01-10; 1 file, -3/+4)
  Closes: #141
  Closes: #144
  Approved by: valoq
* Call setsid() before executing sandboxed code (CVE-2017-5226) (Simon McVittie, 2017-01-09; 1 file, -0/+3)
  This prevents the sandboxed code from getting a controlling tty, which in turn prevents it from accessing the TIOCSTI ioctl and hence faking terminal input.
  Fixes: #142
  Closes: #143
  Approved by: cgwalters