authorAndrew Leeming <andrew.leeming@codethink.co.uk>2016-10-24 16:37:43 +0100
committerGitLab <gitlab@gitlab.com>2016-10-26 11:46:03 +0000
commit08b699b0f026078424d846f74f037b5ed9ee464e (patch)
tree500b0fec53050111eb4a6c9f5863de05a94fc385
parent4e3a725db190e4416bf1578e47c8304ba82876e4 (diff)
Patch for bubblewrap backendleeming/bwrap-dev-patch
Since Bubblewrap is able to run without root permissions, the alert that YBD shows when running as non-root has been modified to pass if the sandboxlib backend is bubblewrap. /dev is also explicitly listed as a mount in bootstrap mode, due to the way bubblewrap arguments need to be listed (dev is special).
-rw-r--r--ybd/app.py6
-rw-r--r--ybd/sandbox.py2
2 files changed, 6 insertions, 2 deletions
diff --git a/ybd/app.py b/ybd/app.py
index 51dc2d9..a460a42 100644
--- a/ybd/app.py
+++ b/ybd/app.py
@@ -34,6 +34,8 @@ try:
except ImportError:
riemann_available = False
+import sandbox
+import sandboxlib
config = {}
defs = {}
@@ -160,7 +162,9 @@ def setup(args, original_cwd=""):
os.path.join(os.path.dirname(__file__), '..', 'ybd.conf'),
os.path.join(os.path.dirname(__file__), 'config', 'ybd.conf')])
- if not os.geteuid() == 0 and config.get('mode') == 'normal':
+ # chroot and linux_user_chroot both need to be run as root
+ if sandbox.executor in [sandboxlib.chroot, sandboxlib.linux_user_chroot] \
+ and not os.geteuid() == 0 and config.get('mode') == 'normal':
log('SETUP', '%s needs root permissions' % sys.argv[0], exit=True)
if config.get('kbas-url', 'http://foo.bar/') == 'http://foo.bar/':
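Review bot: The new guard in setup() fails open: root is demanded only when `sandbox.executor` is one of the two listed backends, so any other value skips the check. That includes a backend added later, and `None` if the executor has not been assigned by the time setup() runs, which this hunk does not show. A non-root build with a root-only backend would then fail later and less clearly. Inverting the test keeps the old behaviour as the default: `if sandbox.executor not in ROOTLESS_BACKENDS and not os.geteuid() == 0 and config.get('mode') == 'normal':`, where `ROOTLESS_BACKENDS` is a proposed module-level list holding only the bubblewrap backend. setup() begins and ends outside the hunk.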
diff --git a/ybd/sandbox.py b/ybd/sandbox.py
index cfaed2d..fa700f7 100644
--- a/ybd/sandbox.py
+++ b/ybd/sandbox.py
@@ -123,7 +123,7 @@ def run_sandboxed(dn, command, env=None, allow_parallel=False):
filesystem_root='/',
filesystem_writable_paths=writable_paths,
mounts='isolated',
- extra_mounts=[],
+ extra_mounts=[('/dev', '/dev', None)],
network='isolated',
)
else:
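Review bot: The `('/dev', '/dev', None)` entry is passed to every backend in this branch, not only bubblewrap, and has no comment explaining why. It sits between `mounts='isolated'` and `network='isolated'`, yet it gives bootstrap commands every host device node the invoking user can open, so it deserves a justification such as `# bubblewrap needs /dev listed explicitly; this exposes the host's device nodes to bootstrap commands`. If the chroot and linux-user-chroot backends do not need it, the entry could be added only when the executor is bubblewrap. How those backends treat a mount whose type is `None` is not visible here and should be checked. run_sandboxed() starts before and continues past this hunk.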