Backport patch to fix runs via bodhi

This commit is contained in:
Colin Walters 2016-12-01 14:11:15 -05:00
parent ba3c391435
commit 59e42a5727
2 changed files with 60 additions and 1 deletions

View File

@ -0,0 +1,55 @@
From 0b66e9fc314b4ce0ccf6192fb2f4c72fc1f1c843 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Thu, 1 Dec 2016 12:45:29 -0500
Subject: [PATCH] Don't call capset() unless we need to
Fedora runs rpm-ostree (which uses bwrap) in systemd-nspawn (in mock via
`--new-chroot`). nspawn by default installs a seccomp policy that
denies `capset()`.
This started failing with bubblewrap-0.1.4:
https://pagure.io/releng/issue/6550
The process currently runs as *real* uid 0, outside of a user namespace.
(It's honestly a bit nonsensical for nspawn to give a process `CAP_SYS_ADMIN`
outside of a userns, but use seccomp to deny `capset()`, but let's leave
that aside for now.)
Due to the way this code was structured, we set `is_privileged = TRUE`
simply because we have uid 0, even in the Fedora case where we *aren't*
privileged.
Fix this so we only set is_privileged if `uid != euid`, hence we
won't try to gain/drop any capabilities, which fixes compatibility
with what nspawn is doing.
In theory of course we *could* drop privileges in a userns scenario,
but we'd only be dropping privs in our userns...eh.
---
bubblewrap.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/bubblewrap.c b/bubblewrap.c
index 9e470d3..10e520b 100644
--- a/bubblewrap.c
+++ b/bubblewrap.c
@@ -459,12 +459,13 @@ acquire_privs (void)
uid_t euid, new_fsuid;
euid = geteuid ();
- if (euid == 0)
- is_privileged = TRUE;
+ /* Are we setuid ? */
if (real_uid != euid)
{
- if (euid != 0)
+ if (euid == 0)
+ is_privileged = TRUE;
+ else
die ("Unexpected setuid user %d, should be 0", euid);
/* We want to keep running as euid=0 until at the clone()
--
2.9.3

View File

@ -1,12 +1,13 @@
Name: bubblewrap Name: bubblewrap
Version: 0.1.4 Version: 0.1.4
Release: 1%{?dist} Release: 3%{?dist}
Summary: Core execution tool for unprivileged containers Summary: Core execution tool for unprivileged containers
License: LGPLv2+ License: LGPLv2+
#VCS: git:https://github.com/projectatomic/bubblewrap #VCS: git:https://github.com/projectatomic/bubblewrap
URL: https://github.com/projectatomic/bubblewrap URL: https://github.com/projectatomic/bubblewrap
Source0: https://github.com/projectatomic/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz Source0: https://github.com/projectatomic/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz
Patch0: 0001-Don-t-call-capset-unless-we-need-to.patch
BuildRequires: autoconf automake libtool BuildRequires: autoconf automake libtool
BuildRequires: gcc BuildRequires: gcc
@ -45,6 +46,9 @@ find %{buildroot} -name '*.la' -delete -print
%{_mandir}/man1/* %{_mandir}/man1/*
%changelog %changelog
* Thu Dec 01 2016 walters@redhat.com - 0.1.4-3
- Backport patch to fix running via nspawn, which should fix rpm-ostree-in-bodhi
* Tue Nov 29 2016 Kalev Lember <klember@redhat.com> - 0.1.4-1 * Tue Nov 29 2016 Kalev Lember <klember@redhat.com> - 0.1.4-1
- Update to 0.1.4 - Update to 0.1.4