From 59e42a572750ab42165e0f5ab9893442941c8c7b Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Thu, 1 Dec 2016 14:11:15 -0500
Subject: [PATCH] Backport patch to fix runs via bodhi

---
 ...-Don-t-call-capset-unless-we-need-to.patch | 55 +++++++++++++++++++
 bubblewrap.spec                               |  6 +-
 2 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 0001-Don-t-call-capset-unless-we-need-to.patch

diff --git a/0001-Don-t-call-capset-unless-we-need-to.patch b/0001-Don-t-call-capset-unless-we-need-to.patch
new file mode 100644
index 0000000..bf50398
--- /dev/null
+++ b/0001-Don-t-call-capset-unless-we-need-to.patch
@@ -0,0 +1,55 @@
+From 0b66e9fc314b4ce0ccf6192fb2f4c72fc1f1c843 Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters@verbum.org>
+Date: Thu, 1 Dec 2016 12:45:29 -0500
+Subject: [PATCH] Don't call capset() unless we need to
+
+Fedora runs rpm-ostree (which uses bwrap) in systemd-nspawn (in mock via
+`--new-chroot`).  nspawn by default installs a seccomp policy that
+denies `capset()`.
+
+This started failing with bubblewrap-0.1.4:
+https://pagure.io/releng/issue/6550
+
+The process currently runs as *real* uid 0, outside of a user namespace.
+(It's honestly a bit nonsensical for nspawn to give a process `CAP_SYS_ADMIN`
+ outside of a userns, but use seccomp to deny `capset()`, but let's leave
+ that aside for now.)
+
+Due to the way this code was structured, we set `is_privileged = TRUE`
+simply because we have uid 0, even in the Fedora case where we *aren't*
+privileged.
+
+Fix this so we only set is_privileged if `uid != euid`, hence we
+won't try to gain/drop any capabilities, which fixes compatibility
+with what nspawn is doing.
+
+In theory of course we *could* drop privileges in a userns scenario,
+but we'd only be dropping privs in our userns...eh.
+---
+ bubblewrap.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/bubblewrap.c b/bubblewrap.c
+index 9e470d3..10e520b 100644
+--- a/bubblewrap.c
++++ b/bubblewrap.c
+@@ -459,12 +459,13 @@ acquire_privs (void)
+   uid_t euid, new_fsuid;
+ 
+   euid = geteuid ();
+-  if (euid == 0)
+-    is_privileged = TRUE;
+ 
++  /* Are we setuid ? */
+   if (real_uid != euid)
+     {
+-      if (euid != 0)
++      if (euid == 0)
++        is_privileged = TRUE;
++      else
+         die ("Unexpected setuid user %d, should be 0", euid);
+ 
+       /* We want to keep running as euid=0 until at the clone()
+-- 
+2.9.3
+
diff --git a/bubblewrap.spec b/bubblewrap.spec
index 36f9740..386eb4d 100644
--- a/bubblewrap.spec
+++ b/bubblewrap.spec
@@ -1,12 +1,13 @@
 Name: bubblewrap
 Version: 0.1.4
-Release: 1%{?dist}
+Release: 3%{?dist}
 Summary: Core execution tool for unprivileged containers
 
 License: LGPLv2+
 #VCS: git:https://github.com/projectatomic/bubblewrap
 URL: https://github.com/projectatomic/bubblewrap
 Source0: https://github.com/projectatomic/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz
+Patch0: 0001-Don-t-call-capset-unless-we-need-to.patch
 
 BuildRequires: autoconf automake libtool
 BuildRequires: gcc
@@ -45,6 +46,9 @@ find %{buildroot} -name '*.la' -delete -print
 %{_mandir}/man1/*
 
 %changelog
+* Thu Dec 01 2016 walters@redhat.com - 0.1.4-3
+- Backport patch to fix running via nspawn, which should fix rpm-ostree-in-bodhi
+
 * Tue Nov 29 2016 Kalev Lember <klember@redhat.com> - 0.1.4-1
 - Update to 0.1.4