bubblewrap/0001-Don-t-call-capset-unless-we-need-to.patch

56 lines
1.7 KiB
Diff
Raw Normal View History

2016-12-01 19:11:15 +00:00
From 0b66e9fc314b4ce0ccf6192fb2f4c72fc1f1c843 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Thu, 1 Dec 2016 12:45:29 -0500
Subject: [PATCH] Don't call capset() unless we need to
Fedora runs rpm-ostree (which uses bwrap) in systemd-nspawn (in mock via
`--new-chroot`). nspawn by default installs a seccomp policy that
denies `capset()`.
This started failing with bubblewrap-0.1.4:
https://pagure.io/releng/issue/6550
The process currently runs as *real* uid 0, outside of a user namespace.
(It's honestly a bit nonsensical for nspawn to give a process `CAP_SYS_ADMIN`
outside of a userns, but use seccomp to deny `capset()`, but let's leave
that aside for now.)
Due to the way this code was structured, we set `is_privileged = TRUE`
simply because we have uid 0, even in the Fedora case where we *aren't*
privileged.
Fix this so we only set is_privileged if `uid != euid`, hence we
won't try to gain/drop any capabilities, which fixes compatibility
with what nspawn is doing.
In theory of course we *could* drop privileges in a userns scenario,
but we'd only be dropping privs in our userns...eh.
---
bubblewrap.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/bubblewrap.c b/bubblewrap.c
index 9e470d3..10e520b 100644
--- a/bubblewrap.c
+++ b/bubblewrap.c
@@ -459,12 +459,13 @@ acquire_privs (void)
uid_t euid, new_fsuid;
euid = geteuid ();
- if (euid == 0)
- is_privileged = TRUE;
+ /* Are we setuid ? */
if (real_uid != euid)
{
- if (euid != 0)
+ if (euid == 0)
+ is_privileged = TRUE;
+ else
die ("Unexpected setuid user %d, should be 0", euid);
/* We want to keep running as euid=0 until at the clone()
--
2.9.3