From 0ba92b6b2611e69a39aa8d0dec710d782ec22821 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Tue, 6 Dec 2016 13:13:19 -0500
Subject: [PATCH] Backport regression fix
---
...user-automatically-if-we-re-not-root.patch | 45 +++++++++++++++++++
bubblewrap.spec | 6 ++-
2 files changed, 50 insertions(+), 1 deletion(-)
create mode 100644 0001-Only-unshare-user-automatically-if-we-re-not-root.patch
diff --git a/0001-Only-unshare-user-automatically-if-we-re-not-root.patch b/0001-Only-unshare-user-automatically-if-we-re-not-root.patch
new file mode 100644
index 0000000..60f7f1d
--- /dev/null
+++ b/0001-Only-unshare-user-automatically-if-we-re-not-root.patch
@@ -0,0 +1,45 @@
+From 2a408e8cc696651b74038de2ff2f3fe136dfe46d Mon Sep 17 00:00:00 2001
+From: Colin Walters
+Date: Mon, 5 Dec 2016 15:38:22 -0500
+Subject: [PATCH] Only --unshare-user automatically if we're not root
+
+https://github.com/projectatomic/bubblewrap/pull/122 introduced a
+regression for the case of rpm-ostree running bubblewrap on CentOS 7.
+
+Previously the `is_privileged` variable captured whether or not
+our uid was 0, now it captures whether we're setuid.
+
+This bit of code enabled `--unshare-user` automatically if we're not
+privileged, but we suddenly started doing that for running as real uid
+0 (CAP_SYS_ADMIN), which we don't want, since on CentOS/RHEL 7 today
+userns isn't even available to root without a module parameter and
+reboot.
+
+So, let's just do this only if not setuid *and* we're not uid 0
+(really we should check "have CAP_SYS_ADMIN" but eh).
+
+Closes: #123
+Approved by: alexlarsson
+---
+ bubblewrap.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/bubblewrap.c b/bubblewrap.c
+index 10e520b..6e04459 100644
+--- a/bubblewrap.c
++++ b/bubblewrap.c
+@@ -1631,8 +1631,9 @@ main (int argc,
+
+ parse_args (&argc, &argv);
+
+- /* We have to do this if we weren't installed setuid, so let's just DWIM */
+- if (!is_privileged)
++ /* We have to do this if we weren't installed setuid (and we're not
++ * root), so let's just DWIM */
++ if (!is_privileged && getuid () != 0)
+ opt_unshare_user = TRUE;
+
+ if (opt_unshare_user_try &&
+--
+2.9.3
+
diff --git a/bubblewrap.spec b/bubblewrap.spec
index 386eb4d..5026a7a 100644
--- a/bubblewrap.spec
+++ b/bubblewrap.spec
@@ -1,6 +1,6 @@ Name: bubblewrap Version: 0.1.4 -Release: 3%{?dist} +Release: 5%{?dist} Summary: Core execution tool for unprivileged containers License: LGPLv2+
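Review bot: In the bubblewrap.c change carried by the added patch file, the new guard `if (!is_privileged && getuid () != 0)` uses real uid 0 as a stand-in for holding CAP_SYS_ADMIN, which the commit message itself names as the check that should be made. A uid-0 caller whose capability set has been reduced (for example inside a container that drops CAP_SYS_ADMIN) now skips the automatic `--unshare-user` and will presumably fail later when the other namespaces are created, while a non-root caller that does hold the capability is still forced into a user namespace. I would at least make the approximation explicit in the comment, e.g. `/* NOTE: uid 0 approximates CAP_SYS_ADMIN here; root with a reduced capability set must pass --unshare-user explicitly */`, and track replacing the uid test with an effective-capability check. main() starts and ends outside the hunk, so how is_privileged is computed is not visible here.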
@@ -8,6 +8,7 @@ License: LGPLv2+ URL: https://github.com/projectatomic/bubblewrap Source0: https://github.com/projectatomic/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz Patch0: 0001-Don-t-call-capset-unless-we-need-to.patch +Patch1: 0001-Only-unshare-user-automatically-if-we-re-not-root.patch BuildRequires: autoconf automake libtool BuildRequires: gcc @@ -46,6 +47,9 @@ find %{buildroot} -name '*.la' -delete -print %{_mandir}/man1/* %changelog +* Tue Dec 06 2016 walters@redhat.com - 0.1.4-4 +- Backport fix for regression in previous commit for rpm-ostree + * Thu Dec 01 2016 walters@redhat.com - 0.1.4-3 - Backport patch to fix running via nspawn, which should fix rpm-ostree-in-bodhi
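Review bot: The changelog entry added in the last hunk is stamped `0.1.4-4`, but the first bubblewrap.spec hunk sets `Release: 5%{?dist}`, so the newest changelog entry does not match the release that will actually be built. If 5 is intended, the entry should read `* Tue Dec 06 2016 walters@redhat.com - 0.1.4-5`; otherwise the Release tag should be 4. For a backported fix this matters beyond lint noise, because the changelog is what people consult to tell which build carries the patch.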