The other three references to bash already use "bash" instead of
"/bin/bash". Similarly, "#!/bin/bash" has already been replaced with
"#!/usr/bin/env bash".
Signed-off-by: Jonathan Wright <quaggy@gmail.com>
Fixescontainers/bubblewrap#91
Add the ability to overwrite argv[0] when starting a process in a
container. Using --argv0 to be consistent with ld.so --argv0.
Overwriting argv[0] is useful as some tools change their behavior based
on the value of argv[0]. For example, when bash is symlinked to sh it
behaves as sh. Similarly, unxz is a symlink to xz and changes the
default from compressing to decompressing. An extreme example is on many
systems, date, df, cat and so on are all symlinks to the coreutils
binary.
Example usage: bwrap --bind / / --argv0 sh bash
Signed-off-by: Jonathan Wright <quaggy@gmail.com>
The test wants to mount /tmp on /mnt but /mnt comes from the host and
can be a symlink in which case the test fails. Skip the test in this
situation.
Signed-off-by: Sebastian Wick <sebastian.wick@redhat.com>
The worst-case scenario in terms of enforcing --disable-userns is that
we're retaining all capabilities, so test that too, to make sure that
the option is genuinely restricting even a privileged user.
Signed-off-by: Simon McVittie <smcv@collabora.com>
If we're running the tests as uid 0 with capabilities, then bwrap will
not create a new user namespace by default, which means the limit won't
be exceeded and the test will fail. Make sure we always try to create
the new user namespace.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Older versions of capsh would only show the capabilities, which we
expect not to change when we don't drop capabilities; but newer
versions also display whether the NO_NEW_PRIVS bit is set, and we *do*
expect to change that.
Resolves: https://github.com/containers/bubblewrap/issues/544
Signed-off-by: Simon McVittie <smcv@collabora.com>
We can't combine --disable-userns with entering an existing user
namespace via --userns if the existing user namespace was created with
--disable-userns, because its ability to create nested user namespaces
has already been disabled. However, the next best thing is to verify
that we are already in the desired state.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Some use-cases of bubblewrap want to ensure that the subprocess can't
further re-arrange the filesystem namespace, or do other more complex
namespace modification. For example, Flatpak wants to prevent sandboxed
processes from altering their /proc/$pid/root/.flatpak-info, so that
/.flatpak-info can safely be used as an indicator that a process is part
of a Flatpak app.
This approach was suggested by lukts30 on containers/bubblewrap#452.
The sysctl-controlled maximum numbers of namespaces are themselves
namespaced, so we can disable nested user namespaces by setting the
limit to 1 and then entering a new, nested user namespace. The resulting
process loses its privileges in the namespace where the limit was set
to 1, so it is unable to move the limit back up.
Co-authored-by: Alexander Larsson <alexl@redhat.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
df --output was new in coreutils 8.21 (2013), and non-GNU
implementations like busybox df don't have it.
This avoids a test failure in Steam Runtime 1 'scout', which is based
on Ubuntu 12.04 (2012). It'll also be helpful for anyone maintaining
an OS with non-GNU shell utilities.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This is useful when building a self-contained, relocatable tree
containing a build of bubblewrap and all of its non-glibc dependencies
(in practice this means libcap and maybe libselinux), as is done in
the Steam container runtime. A RPATH/RUNPATH pointing to ${ORIGIN}/../lib
allows bwrap to find an adjacent, bundled copy of libcap.
Signed-off-by: Simon McVittie <smcv@collabora.com>
The goal of this assertion was to demonstrate that a setuid bwrap does
not give us access to otherwise unreadable files, but if we want to
check that, we should probably be looking at the bind-mount destination
instead of the source file.
Leave the old assertion in too, just in case *that* fails.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Ordinarily, we would not be able to read /etc/shadow if we're not uid 0;
but when building in a sysroot owned by the current user (for example
by setting it up using bwrap, as steam-runtime-tools does), we might
actually be able to read it. Skip the assertion that we cannot read it
in this case.
Signed-off-by: Simon McVittie <smcv@collabora.com>
If we don't do this, AddressSanitizer busy-loops with this backtrace:
#0 in sched_yield
#1 in __sanitizer::StopTheWorld
#2 in __lsan::LockStuffAndStopTheWorldCallback
#3 in __GI___dl_iterate_phdr
#4 in __lsan::LockStuffAndStopTheWorld
#5 in __lsan::CheckForLeaks
#6 in __lsan::DoLeakCheck
#7 __lsan::DoLeakCheck
#8 in __cxa_finalize
#9 in __do_global_dtors_aux
#10 in ??
#11 in _dl_fini
This fixes the hang described in commit 2e3d6e7d, so remove the
workarounds from that commit.
Signed-off-by: Simon McVittie <smcv@collabora.com>
gcc's AddressSanitizer makes system calls that our filter doesn't
allow for, resulting in a fatal error when run under a restrictive
seccomp filter.
try-syscall is a helper for the test, rather than being code under test
itself, so we don't really need this instrumentation in it: all we want
it to do is make some specific syscalls.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This test is hanging when run under 'meson dist' for some reason, but
not when run under 'meson test', and not locally, only in the Github
Workflow-based CI. Disable it for now.
Signed-off-by: Simon McVittie <smcv@collabora.com>
The python build option can be used to swap to a different interpreter,
for environments like the Steam Runtime where the python3 executable in
the PATH is extremely old but there is a better interpreter available.
This is treated as non-optional, because Meson is written in Python,
so the situation where there is no Python interpreter at build-time
shouldn't arise.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This allows bwrap to be built as a subproject in larger Meson projects.
When built as a subproject, we install into the --libexecdir and
require a program prefix to be specified: for example, Flatpak would use
program_prefix=flatpak- to get /usr/libexec/flatpak-bwrap. Verified to
be backwards-compatible as far as Meson 0.49.0 (Debian 9 backports).
Loosely based on previous work by Jussi Pakkanen (see #133).
Differences between the Autotools and Meson builds:
The Meson build requires a version of libcap that has pkg-config
metadata (introduced in libcap 2.23, in 2013).
The Meson build has no equivalent of --with-priv-mode=setuid. On
distributions like Debian <= 10 and RHEL <= 7 that require a setuid bwrap
executable, the sysadmin or distribution packaging will need to set the
correct permissions on the bwrap executable; Debian already did this via
packaging rather than the upstream build system.
The Meson build supports being used as a subproject, and there is CI
for this. It automatically disables shell completions and man pages,
moves the bubblewrap executable to ${libexecdir}, and renames the
bubblewrap executable according to a program_prefix option that the
caller must specify (for example, Flatpak would use
-Dprogram_prefix=flatpak- to get /usr/libexec/flatpak-bwrap). See the
tests/use-as-subproject/ directory for an example.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This is a step towards REUSE compliance. Third-party files that we do
not otherwise edit (git.mk, m4/attributes.m4) are excluded here.
Signed-off-by: Simon McVittie <smcv@collabora.com>
These are more time-consuming than the rest of test-run.sh combined due
to their use of a wait loop, and separating them out is helpful for the
possible addition of a Meson build system. The test-case that is moved
into tests/test-specifying-pidns.sh hangs and times out under
"meson dist" on Github Actions CI, but not under "meson test" or
Autotools, and not when tested locally; putting this in its own script
might help to isolate and fix that failure.
Signed-off-by: Simon McVittie <smcv@collabora.com>
The flag file we create and the flag file we check for were not in sync.
Also similarly correct the variable name in an info message.
Signed-off-by: Simon McVittie <smcv@collabora.com>
