40 lines
1.5 KiB
Diff
40 lines
1.5 KiB
Diff
|
From 8758b0faa27420e915e7e9ba815258207e02a82a Mon Sep 17 00:00:00 2001
|
||
|
From: Colin Walters <walters@verbum.org>
|
||
|
Date: Tue, 20 Apr 2021 08:09:57 -0400
|
||
|
Subject: [PATCH] bwrap: Fix selftest to be truly immutable
|
||
|
|
||
|
We should never have any effect on the host system, so let's
|
||
|
use the more direct APIs which allow us to use the immutable
|
||
|
flag, don't mount `/var` etc.
|
||
|
|
||
|
Crucially this also avoids us running through the tempetc
|
||
|
guard which would try to rename `usr/etc` which can trigger
|
||
|
on an ostree based host.
|
||
|
|
||
|
Closes: https://github.com/coreos/rpm-ostree/issues/2771
|
||
|
---
|
||
|
rust/src/bwrap.rs | 8 ++++++--
|
||
|
1 file changed, 6 insertions(+), 2 deletions(-)
|
||
|
|
||
|
diff --git a/rust/src/bwrap.rs b/rust/src/bwrap.rs
|
||
|
index 939f0525..282b4f1b 100644
|
||
|
--- a/rust/src/bwrap.rs
|
||
|
+++ b/rust/src/bwrap.rs
|
||
|
@@ -475,7 +475,11 @@ pub(crate) fn bubblewrap_run_sync(
|
||
|
/// Validate that bubblewrap works at all. This will flush out any incorrect
|
||
|
/// setups such being inside an outer container that disallows `CLONE_NEWUSER` etc.
|
||
|
pub(crate) fn bubblewrap_selftest() -> CxxResult<()> {
|
||
|
- let fd = openat::Dir::open("/")?;
|
||
|
- let _ = bubblewrap_run_sync(fd.as_raw_fd(), &vec!["true".to_string()], false, true)?;
|
||
|
+ let fd = &openat::Dir::open("/")?;
|
||
|
+ let mut bwrap = Bubblewrap::new_with_mutability(fd, BubblewrapMutability::Immutable)?;
|
||
|
+ bwrap.append_child_argv(&["true"]);
|
||
|
+ let cancellable = &gio::Cancellable::new();
|
||
|
+ let cancellable = Some(cancellable);
|
||
|
+ bwrap.run_inner(cancellable)?;
|
||
|
Ok(())
|
||
|
}
|
||
|
--
|
||
|
2.30.2
|
||
|
|