56 lines
1.7 KiB
Diff
56 lines
1.7 KiB
Diff
From 0b66e9fc314b4ce0ccf6192fb2f4c72fc1f1c843 Mon Sep 17 00:00:00 2001
|
|
From: Colin Walters <walters@verbum.org>
|
|
Date: Thu, 1 Dec 2016 12:45:29 -0500
|
|
Subject: [PATCH] Don't call capset() unless we need to
|
|
|
|
Fedora runs rpm-ostree (which uses bwrap) in systemd-nspawn (in mock via
|
|
`--new-chroot`). nspawn by default installs a seccomp policy that
|
|
denies `capset()`.
|
|
|
|
This started failing with bubblewrap-0.1.4:
|
|
https://pagure.io/releng/issue/6550
|
|
|
|
The process currently runs as *real* uid 0, outside of a user namespace.
|
|
(It's honestly a bit nonsensical for nspawn to give a process `CAP_SYS_ADMIN`
|
|
outside of a userns, but use seccomp to deny `capset()`, but let's leave
|
|
that aside for now.)
|
|
|
|
Due to the way this code was structured, we set `is_privileged = TRUE`
|
|
simply because we have uid 0, even in the Fedora case where we *aren't*
|
|
privileged.
|
|
|
|
Fix this so we only set is_privileged if `uid != euid`, hence we
|
|
won't try to gain/drop any capabilities, which fixes compatibility
|
|
with what nspawn is doing.
|
|
|
|
In theory of course we *could* drop privileges in a userns scenario,
|
|
but we'd only be dropping privs in our userns...eh.
|
|
---
|
|
bubblewrap.c | 7 ++++---
|
|
1 file changed, 4 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/bubblewrap.c b/bubblewrap.c
|
|
index 9e470d3..10e520b 100644
|
|
--- a/bubblewrap.c
|
|
+++ b/bubblewrap.c
|
|
@@ -459,12 +459,13 @@ acquire_privs (void)
|
|
uid_t euid, new_fsuid;
|
|
|
|
euid = geteuid ();
|
|
- if (euid == 0)
|
|
- is_privileged = TRUE;
|
|
|
|
+ /* Are we setuid ? */
|
|
if (real_uid != euid)
|
|
{
|
|
- if (euid != 0)
|
|
+ if (euid == 0)
|
|
+ is_privileged = TRUE;
|
|
+ else
|
|
die ("Unexpected setuid user %d, should be 0", euid);
|
|
|
|
/* We want to keep running as euid=0 until at the clone()
|
|
--
|
|
2.9.3
|
|
|