Backport regression fix
This commit is contained in:
Colin Walters
parent
59e42a5727
commit
0ba92b6b26
45
0001-Only-unshare-user-automatically-if-we-re-not-root.patch
Normal file
45
0001-Only-unshare-user-automatically-if-we-re-not-root.patch
Normal file
@ -0,0 +1,45 @@
|
||||
From 2a408e8cc696651b74038de2ff2f3fe136dfe46d Mon Sep 17 00:00:00 2001
|
||||
From: Colin Walters <walters@verbum.org>
|
||||
Date: Mon, 5 Dec 2016 15:38:22 -0500
|
||||
Subject: [PATCH] Only --unshare-user automatically if we're not root
|
||||
|
||||
https://github.com/projectatomic/bubblewrap/pull/122 introduced a
|
||||
regression for the case of rpm-ostree running bubblewrap on CentOS 7.
|
||||
|
||||
Previously the `is_privileged` variable captured whether or not
|
||||
our uid was 0, now it captures whether we're setuid.
|
||||
|
||||
This bit of code enabled `--unshare-user` automatically if we're not
|
||||
privileged, but we suddenly started doing that for running as real uid
|
||||
0 (CAP_SYS_ADMIN), which we don't want, since on CentOS/RHEL 7 today
|
||||
userns isn't even available to root without a module parameter and
|
||||
reboot.
|
||||
|
||||
So, let's just do this only if not setuid *and* we're not uid 0
|
||||
(really we should check "have CAP_SYS_ADMIN" but eh).
|
||||
|
||||
Closes: #123
|
||||
Approved by: alexlarsson
|
||||
---
|
||||
bubblewrap.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/bubblewrap.c b/bubblewrap.c
|
||||
index 10e520b..6e04459 100644
|
||||
--- a/bubblewrap.c
|
||||
+++ b/bubblewrap.c
|
||||
@@ -1631,8 +1631,9 @@ main (int argc,
|
||||
|
||||
parse_args (&argc, &argv);
|
||||
|
||||
- /* We have to do this if we weren't installed setuid, so let's just DWIM */
|
||||
- if (!is_privileged)
|
||||
+ /* We have to do this if we weren't installed setuid (and we're not
|
||||
+ * root), so let's just DWIM */
|
||||
+ if (!is_privileged && getuid () != 0)
|
||||
opt_unshare_user = TRUE;
|
||||
|
||||
if (opt_unshare_user_try &&
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
Name: bubblewrap
|
||||
Version: 0.1.4
|
||||
Release: 3%{?dist}
|
||||
Release: 5%{?dist}
|
||||
Summary: Core execution tool for unprivileged containers
|
||||
|
||||
License: LGPLv2+
|
||||
@ -8,6 +8,7 @@ License: LGPLv2+
|
||||
URL: https://github.com/projectatomic/bubblewrap
|
||||
Source0: https://github.com/projectatomic/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz
|
||||
Patch0: 0001-Don-t-call-capset-unless-we-need-to.patch
|
||||
Patch1: 0001-Only-unshare-user-automatically-if-we-re-not-root.patch
|
||||
|
||||
BuildRequires: autoconf automake libtool
|
||||
BuildRequires: gcc
|
||||
@ -46,6 +47,9 @@ find %{buildroot} -name '*.la' -delete -print
|
||||
%{_mandir}/man1/*
|
||||
|
||||
%changelog
|
||||
* Tue Dec 06 2016 walters@redhat.com - 0.1.4-4
|
||||
- Backport fix for regression in previous commit for rpm-ostree
|
||||
|
||||
* Thu Dec 01 2016 walters@redhat.com - 0.1.4-3
|
||||
- Backport patch to fix running via nspawn, which should fix rpm-ostree-in-bodhi
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user