authorAlbin Vass <albin.vass@zenseact.com>2021-11-01 15:14:45 +0100
committerAlbin Vass <albin.vass@gmail.com>2021-11-01 19:13:37 +0100
commit39305393c032c6e333458ef6fdbebde3f4dd5bed (patch)
tree251783a44f27b7888868393b43e76112d83cb870
parent5409b0e97702815a6a0fea176ca3995409fa69e7 (diff)
downloadzuul-39305393c032c6e333458ef6fdbebde3f4dd5bed.tar.gz
Drop ambient capabilities when running bwrap
Having ambient capabilities causes bwrap to error on start [1] unless the bwrap executable also has the setuid bit set or is run as root. This can cause issues in openshift or podman unless ambient capabilities are dropped [2]. [1] - https://github.com/containers/bubblewrap/blob/bae85baf7208c4acddd9cf032059d1429f179e4a/bubblewrap.c#L742 [2] - https://github.com/containers/bubblewrap/issues/380 Change-Id: I15455fb400448d7672638f911d6cf045fa683a9b
-rw-r--r--bindep.txt3
-rw-r--r--zuul/driver/bubblewrap/__init__.py3
2 files changed, 6 insertions, 0 deletions
diff --git a/bindep.txt b/bindep.txt
index 8854a58a0..a16328e0f 100644
--- a/bindep.txt
+++ b/bindep.txt
@@ -61,3 +61,6 @@ coreutils [platform:apk]
openafs-krb5 [platform:debian]
openafs-client [platform:debian]
krb5-user [platform:debian]
+setpriv [platform:ubuntu-bionic]
+util-linux [platform:apt platform:rpm platform:apk !platform:ubuntu-bionic]
+
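Review bot: The two new package entries carry no comment explaining why they are needed, even though the bubblewrap driver in the same commit now prepends `setpriv --ambient-caps -all` unconditionally, making `setpriv` a hard runtime dependency of the executor rather than an optional tool. A bindep comment line above them would keep that rationale next to the dependency, e.g. `# setpriv (util-linux, or its own package on bionic) is required by the bubblewrap driver to drop ambient capabilities before exec'ing bwrap`. The added empty `+` line at the end of the hunk appears to introduce a trailing blank line into bindep.txt; it should be dropped unless the file's convention is to end with one. Platforms not matched by the apt/rpm/apk profiles will have no entry at all, so it may be worth confirming that every supported executor platform is covered.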
diff --git a/zuul/driver/bubblewrap/__init__.py b/zuul/driver/bubblewrap/__init__.py
index 557bccb6d..71919eb7b 100644
--- a/zuul/driver/bubblewrap/__init__.py
+++ b/zuul/driver/bubblewrap/__init__.py
@@ -172,6 +172,9 @@ class BubblewrapDriver(Driver, WrapperInterface):
def _bwrap_command(self):
bwrap_command = [
+ 'setpriv',
+ '--ambient-caps',
+ '-all',
'bwrap',
'--dir', '/tmp',
'--tmpfs', '/tmp',