Update to 0.1.5
This commit is contained in:
Kalev Lember
parent
0ba92b6b26
commit
f09033f170
1
.gitignore
vendored
1
.gitignore
vendored
@ -4,3 +4,4 @@
|
||||
/bubblewrap-0.1.3.tar.xz
|
||||
/bubblewrap-0.1.3.tar.gz
|
||||
/bubblewrap-0.1.4.tar.xz
|
||||
/bubblewrap-0.1.5.tar.xz
|
||||
|
||||
@ -1,55 +0,0 @@
|
||||
From 0b66e9fc314b4ce0ccf6192fb2f4c72fc1f1c843 Mon Sep 17 00:00:00 2001
|
||||
From: Colin Walters <walters@verbum.org>
|
||||
Date: Thu, 1 Dec 2016 12:45:29 -0500
|
||||
Subject: [PATCH] Don't call capset() unless we need to
|
||||
|
||||
Fedora runs rpm-ostree (which uses bwrap) in systemd-nspawn (in mock via
|
||||
`--new-chroot`). nspawn by default installs a seccomp policy that
|
||||
denies `capset()`.
|
||||
|
||||
This started failing with bubblewrap-0.1.4:
|
||||
https://pagure.io/releng/issue/6550
|
||||
|
||||
The process currently runs as *real* uid 0, outside of a user namespace.
|
||||
(It's honestly a bit nonsensical for nspawn to give a process `CAP_SYS_ADMIN`
|
||||
outside of a userns, but use seccomp to deny `capset()`, but let's leave
|
||||
that aside for now.)
|
||||
|
||||
Due to the way this code was structured, we set `is_privileged = TRUE`
|
||||
simply because we have uid 0, even in the Fedora case where we *aren't*
|
||||
privileged.
|
||||
|
||||
Fix this so we only set is_privileged if `uid != euid`, hence we
|
||||
won't try to gain/drop any capabilities, which fixes compatibility
|
||||
with what nspawn is doing.
|
||||
|
||||
In theory of course we *could* drop privileges in a userns scenario,
|
||||
but we'd only be dropping privs in our userns...eh.
|
||||
---
|
||||
bubblewrap.c | 7 ++++---
|
||||
1 file changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/bubblewrap.c b/bubblewrap.c
|
||||
index 9e470d3..10e520b 100644
|
||||
--- a/bubblewrap.c
|
||||
+++ b/bubblewrap.c
|
||||
@@ -459,12 +459,13 @@ acquire_privs (void)
|
||||
uid_t euid, new_fsuid;
|
||||
|
||||
euid = geteuid ();
|
||||
- if (euid == 0)
|
||||
- is_privileged = TRUE;
|
||||
|
||||
+ /* Are we setuid ? */
|
||||
if (real_uid != euid)
|
||||
{
|
||||
- if (euid != 0)
|
||||
+ if (euid == 0)
|
||||
+ is_privileged = TRUE;
|
||||
+ else
|
||||
die ("Unexpected setuid user %d, should be 0", euid);
|
||||
|
||||
/* We want to keep running as euid=0 until at the clone()
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -1,45 +0,0 @@
|
||||
From 2a408e8cc696651b74038de2ff2f3fe136dfe46d Mon Sep 17 00:00:00 2001
|
||||
From: Colin Walters <walters@verbum.org>
|
||||
Date: Mon, 5 Dec 2016 15:38:22 -0500
|
||||
Subject: [PATCH] Only --unshare-user automatically if we're not root
|
||||
|
||||
https://github.com/projectatomic/bubblewrap/pull/122 introduced a
|
||||
regression for the case of rpm-ostree running bubblewrap on CentOS 7.
|
||||
|
||||
Previously the `is_privileged` variable captured whether or not
|
||||
our uid was 0, now it captures whether we're setuid.
|
||||
|
||||
This bit of code enabled `--unshare-user` automatically if we're not
|
||||
privileged, but we suddenly started doing that for running as real uid
|
||||
0 (CAP_SYS_ADMIN), which we don't want, since on CentOS/RHEL 7 today
|
||||
userns isn't even available to root without a module parameter and
|
||||
reboot.
|
||||
|
||||
So, let's just do this only if not setuid *and* we're not uid 0
|
||||
(really we should check "have CAP_SYS_ADMIN" but eh).
|
||||
|
||||
Closes: #123
|
||||
Approved by: alexlarsson
|
||||
---
|
||||
bubblewrap.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/bubblewrap.c b/bubblewrap.c
|
||||
index 10e520b..6e04459 100644
|
||||
--- a/bubblewrap.c
|
||||
+++ b/bubblewrap.c
|
||||
@@ -1631,8 +1631,9 @@ main (int argc,
|
||||
|
||||
parse_args (&argc, &argv);
|
||||
|
||||
- /* We have to do this if we weren't installed setuid, so let's just DWIM */
|
||||
- if (!is_privileged)
|
||||
+ /* We have to do this if we weren't installed setuid (and we're not
|
||||
+ * root), so let's just DWIM */
|
||||
+ if (!is_privileged && getuid () != 0)
|
||||
opt_unshare_user = TRUE;
|
||||
|
||||
if (opt_unshare_user_try &&
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -1,14 +1,12 @@
|
||||
Name: bubblewrap
|
||||
Version: 0.1.4
|
||||
Release: 5%{?dist}
|
||||
Version: 0.1.5
|
||||
Release: 1%{?dist}
|
||||
Summary: Core execution tool for unprivileged containers
|
||||
|
||||
License: LGPLv2+
|
||||
#VCS: git:https://github.com/projectatomic/bubblewrap
|
||||
URL: https://github.com/projectatomic/bubblewrap
|
||||
Source0: https://github.com/projectatomic/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz
|
||||
Patch0: 0001-Don-t-call-capset-unless-we-need-to.patch
|
||||
Patch1: 0001-Only-unshare-user-automatically-if-we-re-not-root.patch
|
||||
|
||||
BuildRequires: autoconf automake libtool
|
||||
BuildRequires: gcc
|
||||
@ -47,6 +45,9 @@ find %{buildroot} -name '*.la' -delete -print
|
||||
%{_mandir}/man1/*
|
||||
|
||||
%changelog
|
||||
* Mon Dec 19 2016 Kalev Lember <klember@redhat.com> - 0.1.5-1
|
||||
- Update to 0.1.5
|
||||
|
||||
* Tue Dec 06 2016 walters@redhat.com - 0.1.4-4
|
||||
- Backport fix for regression in previous commit for rpm-ostree
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user