From b5f672355b916e6e59dad5ec9ca55aa90afe8a90 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Fri, 16 Dec 2022 18:46:23 +0000
Subject: Add --assert-userns-disabled option

We can't combine --disable-userns with entering an existing user
namespace via --userns if the existing user namespace was created with
--disable-userns, because its ability to create nested user namespaces
has already been disabled. However, the next best thing is to verify
that we are already in the desired state.

Signed-off-by: Simon McVittie <smcv@collabora.com>
---
 bwrap.xml | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'bwrap.xml')

diff --git a/bwrap.xml b/bwrap.xml
index 8690d64..4fe571e 100644
--- a/bwrap.xml
+++ b/bwrap.xml
@@ -158,6 +158,17 @@
         in the setuid version of bubblewrap.
       </para></listitem>
     </varlistentry>
+    <varlistentry>
+      <term><option>--assert-userns-disabled</option></term>
+      <listitem><para>
+        Confirm that the process in the sandbox has been prevented from
+        creating further user namespaces, but without taking any particular
+        action to prevent that. For example, this can be combined with
+        <option>--userns</option> to check that the given user namespace
+        has already been set up to prevent the creation of further user
+        namespaces.
+      </para></listitem>
+    </varlistentry>
     <varlistentry>
       <term><option>--pidns <arg choice="plain">FD</arg></option></term>
       <listitem><para>Use an existing pid namespace instead of creating one. This is often used with --userns, because the pid namespace must be owned by the same user namespace that bwrap uses. </para>
-- 
cgit v1.2.1