| Commit message | Author | Age | Files | Lines |
Fix various compiler warnings
The only usage of the parameter mode is it being passed to ensure_dir(), which
takes it as mode_t.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Comparison of different signedness can result in unexpected results due
to implicit conversions.
../network.c:81:34: warning: comparison of integer expressions of different signedness: ‘__u32’ {aka ‘unsigned int’} and ‘int’ [-Wsign-compare]
81 | if (rheader->nlmsg_seq != seq_nr)
| ^~
../network.c:83:34: warning: comparison of integer expressions of different signedness: ‘__u32’ {aka ‘unsigned int’} and ‘__pid_t’ {aka ‘int’} [-Wsign-compare]
83 | if (rheader->nlmsg_pid != getpid ())
| ^~
../bind-mount.c:268:17: warning: comparison of integer expressions of different signedness: ‘int’ and ‘unsigned int’ [-Wsign-compare]
268 | assert (i < n_lines);
| ^
../bind-mount.c:309:13: warning: comparison of integer expressions of different signedness: ‘int’ and ‘unsigned int’ [-Wsign-compare]
309 | assert (i == n_lines);
| ^~
../bind-mount.c:318:17: warning: comparison of integer expressions of different signedness: ‘int’ and ‘unsigned int’ [-Wsign-compare]
318 | for (i = 0; i < n_lines; i++)
| ^
../bind-mount.c:321:17: warning: comparison of integer expressions of different signedness: ‘int’ and ‘unsigned int’ [-Wsign-compare]
321 | for (i = 0; i < n_lines; i++)
| ^
../utils.c:818:19: warning: comparison of integer expressions of different signedness: ‘size_t’ {aka ‘long unsigned int’} and ‘ssize_t’ {aka ‘long int’} [-Wsign-compare]
818 | while (size - 2 < n);
| ^
../bubblewrap.c:489:13: warning: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Wsign-compare]
489 | assert (j < sizeof(dont_close)/sizeof(*dont_close));
| ^
../bubblewrap.c:994:25: warning: comparison of integer expressions of different signedness: ‘int’ and ‘uid_t’ {aka ‘unsigned int’} [-Wsign-compare]
994 | if (setfsuid (-1) != real_uid)
| ^~
../bubblewrap.c:1042:61: warning: comparison of integer expressions of different signedness: ‘ssize_t’ {aka ‘long int’} and ‘size_t’ {aka ‘long unsigned int’} [-Wsign-compare]
1042 | if (write (privileged_op_socket, buffer, buffer_size) != buffer_size)
| ^~
../bubblewrap.c:1232:25: warning: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Wsign-compare]
1232 | for (i = 0; i < N_ELEMENTS (cover_proc_dirs); i++)
| ^
../bubblewrap.c:1260:25: warning: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Wsign-compare]
1260 | for (i = 0; i < N_ELEMENTS (devnodes); i++)
| ^
../bubblewrap.c:1272:25: warning: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Wsign-compare]
1272 | for (i = 0; i < N_ELEMENTS (stdionodes); i++)
| ^
../bubblewrap.c: In function ‘read_priv_sec_op’:
../bubblewrap.c:1556:15: warning: comparison of integer expressions of different signedness: ‘ssize_t’ {aka ‘long int’} and ‘long unsigned int’ [-Wsign-compare]
1556 | if (rec_len < sizeof (PrivSepOp))
| ^
../bubblewrap.c:1626:28: warning: comparison of integer expressions of different signedness: ‘int’ and ‘uint32_t’ {aka ‘unsigned int’} [-Wsign-compare]
1626 | if (*total_parsed_argc_p > MAX_ARGS)
| ^
../bubblewrap.c:1681:40: warning: comparison of integer expressions of different signedness: ‘int’ and ‘uint32_t’ {aka ‘unsigned int’} [-Wsign-compare]
1681 | if (*total_parsed_argc_p > MAX_ARGS)
| ^
../bubblewrap.c:2265:31: warning: comparison of integer expressions of different signedness: ‘uid_t’ {aka ‘unsigned int’} and ‘int’ [-Wsign-compare]
2265 | if (opt_sandbox_uid != -1)
| ^~
../bubblewrap.c:2285:31: warning: comparison of integer expressions of different signedness: ‘gid_t’ {aka ‘unsigned int’} and ‘int’ [-Wsign-compare]
2285 | if (opt_sandbox_gid != -1)
| ^~
../bubblewrap.c:2678:23: warning: comparison of integer expressions of different signedness: ‘uid_t’ {aka ‘unsigned int’} and ‘int’ [-Wsign-compare]
2678 | if (opt_sandbox_uid == -1)
| ^~
../bubblewrap.c:2680:23: warning: comparison of integer expressions of different signedness: ‘gid_t’ {aka ‘unsigned int’} and ‘int’ [-Wsign-compare]
2680 | if (opt_sandbox_gid == -1)
| ^~
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
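As an added illustration (not part of this commit or of bubblewrap's code), the C below shows why one of the warnings above matters more than the others: `rec_len < sizeof (PrivSepOp)` compares a signed read(2) result with a size_t, so a -1 return converts to SIZE_MAX and sails past the length check, whereas the uid_t comparisons against -1 only look wrong. Function names and sample sizes are constructed for the demonstration.

```c
#include <stddef.h>
#include <sys/types.h>

/* Constructed demo of the -Wsign-compare hazard behind bubblewrap.c:1556.
 * Under the usual arithmetic conversions the signed operand becomes
 * unsigned, so a read(2) error of -1 turns into SIZE_MAX. */

/* Mirrors the unfixed comparison: returns 1 if rec_len is judged too short. */
int short_read_naive(ssize_t rec_len, size_t need)
{
  return rec_len < need;          /* -1 silently becomes SIZE_MAX here */
}

/* Defensive form: reject errors and short reads before any unsigned math. */
int short_read_checked(ssize_t rec_len, size_t need)
{
  if (rec_len < 0)
    return 1;                     /* read(2) failed: treat as invalid record */
  return (size_t) rec_len < need; /* both operands are now non-negative */
}

/* The uid_t comparisons (bubblewrap.c:2265 etc.) are a different case: the
 * int literal -1 converts to UINT_MAX, so the test means what it says and the
 * warning is cosmetic. Casting the sentinel once makes that explicit. */
int is_unset_uid(uid_t uid)
{
  return uid == (uid_t) -1;
}
```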
load_file_data() closes the passed file descriptor in case of a read(2)
failure. The file descriptor is however owned by the caller and should
not be closed to avoid a double-close.
Since in this error branch NULL is always returned the only affected
caller is load_file_data(), as all other callers immediately abort via
die_with_error(). As bubblewrap is single-threaded the second close(2)
in load_file_data() will be well-defined and fail with EBADF, leading to
no unrelated file descriptor being closed.
Found by GCC analyzer:
./utils.c: In function ‘load_file_at’:
./utils.c:630:3: warning: double ‘close’ of file descriptor ‘fd’ [CWE-1341] [-Wanalyzer-fd-double-close]
630 | close (fd);
| ^~~~~~~~~~
...
| 596 | close (fd);
| | ~~~~~~~~~~
| | |
| | (15) first ‘close’ here
...
| 630 | close (fd);
| | ~~~~~~~~~~
| | |
| | (20) second ‘close’ here; first ‘close’ was at (15)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
These parameters are unused if SELinux happens to be disabled.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: a1346054 <36859588+a1346054@users.noreply.github.com>
We need to save errno immediately, otherwise it could be overwritten
by a failing library call somewhere in the implementation of fprintf.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
This is a step towards REUSE compliance. Third-party files that we do
not otherwise edit (git.mk, m4/attributes.m4) are excluded here.
Signed-off-by: Simon McVittie <smcv@collabora.com>
utils: Remove security_context_t casts for libselinux >= 2.3
security_context_t has always been a typedef for char * and used more
or less interchangeably with char *, but the use of a typedef turned
out to be bad for const-correctness. The function signatures were
changed to take const char * in libselinux 2.3, in 2014[1] and the
typedef was formally deprecated in 2020[2].
On very old OSs like Ubuntu 14.04, reinstate the casts to suppress
warnings from -Wdiscarded-qualifiers.
[1] https://github.com/SELinuxProject/selinux/commit/9eb9c9327563
[2] https://github.com/SELinuxProject/selinux/commit/7a124ca27581
Signed-off-by: Simon McVittie <smcv@collabora.com>
Add --clearenv option
This allows environment variables to be set when running bwrap itself
(perhaps a custom LD_LIBRARY_PATH), but cleared for the command that
runs in the container, without having to enumerate all the variables.
Because PWD is set later, as a side-effect of changing directory, this
actually clears everything except PWD.
A portable program would check for clearenv() (and if not found, fall
back to using environ = NULL), but bubblewrap is Linux-specific, and
Linux C libraries (at least glibc and musl) do have clearenv().
Signed-off-by: Simon McVittie <smcv@collabora.com>
Add support for bind-mount on case-insensitive filesystems
If we are using a case-insensitive filesystem the bind-mount operation
might fail when `/proc/self/mountinfo` is checked.
In a case-insensitive filesystem, if we ask to mount a certain
directory, e.g. '/CI_fs/foo', the kernel might add its entry in
`mountinfo` as '/CI_fs/FOO'. This happens because the kernel populates
`mountinfo` with whatever case combination first appeared in the dcache.
With this patch we open the requested path and look at its
`/proc/self/fd`, using readlink(), to get the path case combination that
the kernel is also expected to be using.
Signed-off-by: Ludovico de Nittis <ludovico.denittis@collabora.com>
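An added example of the readlink() technique this commit describes, written for this page rather than taken from bubblewrap; it assumes Linux with /proc mounted, and the function names are constructed.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Ask the kernel for the spelling of `path` that it will also use in
 * /proc/self/mountinfo: open the path, then read the /proc/self/fd/<n> link.
 * Constructed helper; returns 0 and fills `out` on success, -1 on error. */
int kernel_path_spelling(const char *path, char *out, size_t outlen)
{
  char link[64];
  ssize_t n;
  int fd;
  if (outlen == 0)
    return -1;
  /* O_PATH needs no read permission and works for any file type. */
  fd = open(path, O_PATH | O_CLOEXEC);
  if (fd < 0)
    return -1;
  snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
  n = readlink(link, out, outlen - 1);
  close(fd);
  if (n < 0)
    return -1;
  out[n] = '\0';
  return 0;
}

/* Compare a mountinfo mount point with the user's request the robust way:
 * canonicalise the request through the kernel first, then compare exactly.
 * Returns 1 on match, 0 on mismatch, -1 if the request cannot be opened. */
int mountinfo_entry_matches(const char *mountinfo_path, const char *requested)
{
  char canon[PATH_MAX];
  if (kernel_path_spelling(requested, canon, sizeof canon) < 0)
    return -1;
  return strcmp(mountinfo_path, canon) == 0;
}
```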
Previously, mounting a socket over the top of an existing socket
would fail, because create_file() opens it with creat():
$ test -e /run/systemd/resolve/io.systemd.Resolve && echo exists
exists
$ bwrap \
--bind / / \
--bind /run/systemd/resolve/io.systemd.Resolve \
/run/systemd/resolve/io.systemd.Resolve \
/bin/true
bwrap: Can't create file at /run/systemd/resolve/io.systemd.Resolve: No such device or address
Tolerate the file existing as any type that we will be able to mount
a non-directory onto.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This just forks and exits in the parent, continuing in the child.
This uses SCM_CREDENTIALS as a way to translate pids between the
sender and the destination namespaces.
Closes: #303
Approved by: smcv
For NFS mounts if we call mkdir() on a read-only mount (such as when
we've created a read-only bind mount) the kernel will not return EEXIST
even when the directory exists, instead returning EROFS.
So, we add (and use) an ensure_dir() helper that stats before calling
mkdir.
Closes: #258
Approved by: giuseppe
It may not always be obvious what the source of any particular error
message is. For instance, "Can't find source path" errors could be
perceived as coming from either the shell, loader, bubblewrap, or the
wrapped application, especially when a previously-configured program
stops working due to some external circumstances.
Thus, disambiguate the source of bubblewrap's error messages by
printing them with a "bwrap: " prefix.
Closes: #234
Approved by: cgwalters
Closes: #118
Approved by: alexlarsson
Closes: #67
Approved by: cgwalters
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
Closes: #65
Approved by: cgwalters
Closes: #63
Approved by: cgwalters
It turns out you can't readdir from an O_PATH file-descriptor, so
fdwalk didn't work. Spotted the BADFD in a strace.
Closes: #60
Approved by: cgwalters
I find this clearer since I know about `asprintf`, and the `x` prefix.
Closes: #55
Approved by: alexlarsson
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
Closes: #57
Approved by: cgwalters
All calls to set an SELinux label should call this function
die_unless_label_valid (opt_exec_label);
It will make sure SELinux is enabled and will make sure the user passed in a
valid label.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Closes: #53
Approved by: cgwalters
Verify you are getting a valid SELinux label before proceeding. Some
SELinux checks were broken.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Closes: #43
Approved by: cgwalters
It's surprising that `security_context_t` isn't const.
Pull request: #27
Approved by: alexlarsson
I noticed on Travis we had a warning about this, and it's actually
right: the man page says on OOM the contents of `*strp` are undefined,
not `NULL`.
(Now possibly it doesn't touch the value, but anyways this follows
the man page and fixes a compiler warning.)
Pull request: #27
Approved by: alexlarsson
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Pull request: #25
Approved by: alexlarsson
If it already exists as a regular file then we don't need to create
it, which is good because doing so would break if the filesystem
is readonly. I.e. that returns EROFS instead of EEXIST in that case.
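One added helper (not bubblewrap's own ensure_dir() or create_file()) that applies the stat-before-create approach from this commit and from the ensure_dir() commit above to both directories and regular files; the names, the ENOTDIR/EISDIR type checks and the self-test are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed helper: stat() first, so an existing mount point on a read-only
 * filesystem is accepted instead of failing with EROFS, and create only when
 * the path is really absent. Returns 0 on success, -1 with errno set. */
int ensure_path(const char *path, mode_t mode, int want_dir)
{
  struct stat st;
  if (stat(path, &st) == 0)
    {
      if (want_dir && !S_ISDIR(st.st_mode)) { errno = ENOTDIR; return -1; }
      if (!want_dir && S_ISDIR(st.st_mode)) { errno = EISDIR; return -1; }
      return 0;                 /* already there: nothing to create */
    }
  if (errno != ENOENT)
    return -1;                  /* e.g. EACCES: report it, don't guess */
  if (want_dir)
    return (mkdir(path, mode) == 0 || errno == EEXIST) ? 0 : -1;
  int fd = open(path, O_WRONLY | O_CREAT | O_CLOEXEC, mode);
  if (fd < 0)
    return -1;
  close(fd);
  return 0;
}

/* Exercises the helper in a scratch directory made with mkdtemp(); returns 1
 * if every case behaves as described above, 0 otherwise. */
int ensure_path_selftest(void)
{
  char base[] = "/tmp/ensure_path.XXXXXX", sub[64], file[64];
  int ok;
  if (mkdtemp(base) == NULL) return 0;
  snprintf(sub, sizeof sub, "%s/dir", base);
  snprintf(file, sizeof file, "%s/file", base);
  ok = ensure_path(sub, 0755, 1) == 0        /* created */
    && ensure_path(sub, 0755, 1) == 0        /* existing dir is fine */
    && ensure_path(file, 0644, 0) == 0       /* created */
    && ensure_path(file, 0644, 0) == 0       /* existing file is fine */
    && ensure_path(file, 0755, 1) == -1 && errno == ENOTDIR
    && ensure_path(sub, 0644, 0) == -1 && errno == EISDIR;
  unlink(file); rmdir(sub); rmdir(base);
  return ok;
}
```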