From 8758b0faa27420e915e7e9ba815258207e02a82a Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Tue, 20 Apr 2021 08:09:57 -0400
Subject: [PATCH] bwrap: Fix selftest to be truly immutable

We should never have any effect on the host system, so let's use the more direct APIs which allow us to use the immutable flag, don't mount `/var` etc. Crucially this also avoids us running through the tempetc guard which would try to rename `usr/etc` which can trigger on an ostree based host.

Closes: https://github.com/coreos/rpm-ostree/issues/2771
---
 rust/src/bwrap.rs | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/rust/src/bwrap.rs b/rust/src/bwrap.rs
index 939f0525..282b4f1b 100644
--- a/rust/src/bwrap.rs
+++ b/rust/src/bwrap.rs
@@ -475,7 +475,11 @@ pub(crate) fn bubblewrap_run_sync(
 /// Validate that bubblewrap works at all. This will flush out any incorrect
 /// setups such being inside an outer container that disallows `CLONE_NEWUSER` etc.
 pub(crate) fn bubblewrap_selftest() -> CxxResult<()> {
- let fd = openat::Dir::open("/")?;
- let _ = bubblewrap_run_sync(fd.as_raw_fd(), &vec!["true".to_string()], false, true)?;
+ let fd = &openat::Dir::open("/")?;
+ let mut bwrap = Bubblewrap::new_with_mutability(fd, BubblewrapMutability::Immutable)?;
+ bwrap.append_child_argv(&["true"]);
+ let cancellable = &gio::Cancellable::new();
+ let cancellable = Some(cancellable);
+ bwrap.run_inner(cancellable)?;
 Ok(())
 }
-- 2.30.2
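Review bot: The reason `bubblewrap_selftest` has to build the `Bubblewrap` itself with `BubblewrapMutability::Immutable` is recorded only in the commit message, so nothing in the function stops a later cleanup from switching back to `bubblewrap_run_sync` and, per that message, reintroducing the `usr/etc` rename against the host root. I would put a comment above the `new_with_mutability` call, e.g. `// Runs against the host "/": stay immutable and do not route through bubblewrap_run_sync(), whose tempetc guard renames usr/etc.` The doc comment could also state that the selftest must leave the host unmodified, since that is the invariant callers rely on. As a style point, the two `cancellable` bindings can collapse into `bwrap.run_inner(Some(&gio::Cancellable::new()))?;`, which drops the shadowing.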