118 Commits

Author SHA1 Message Date
Simon McVittie
e54e798b2b tests: Don't write to predictable filenames in /tmp
Most Linux distributions should have deployed
/proc/sys/fs/protected_symlinks by now, preventing the usual
symlink-traversal vulnerability; but avoiding predictable filenames in
/tmp is a good habit to get into.

Signed-off-by: Simon McVittie <smcv@collabora.com>

Closes: #229
Approved by: cgwalters
2017-10-06 16:31:19 +00:00
Colin Walters
e98443065f With --dev, add /dev/fd and /dev/core symlinks
`systemd-nspawn` and `docker` at least both have these by default;
the only difference AFAICS now is that nspawn also adds `/dev/mqueue`
by default, but we require a separate arg for that.

This should increase compatibility with apps using the `/dev/fd`.

Closes: https://github.com/projectatomic/bubblewrap/issues/191

Closes: #207
Approved by: alexlarsson
2017-09-18 13:33:37 +00:00
Colin Walters
abc5664456 Retain all caps when invoked by uid 0, work around systemd seccomp filter
In <https://github.com/projectatomic/bubblewrap/pull/101>, specifically
commit cde7fab7ec we started dropping
all capabilities, even if the caller was privileged.

This broke rpm-ostree, which runs RPM scripts using bwrap, and some
of those scripts depend on capabilities (mostly `CAP_DAC_OVERRIDE`).

Fix this by retaining capabilities by default if the caller's uid is zero.

I considered having the logic be to simply retain any capabilities the invoking
process has (imagine filecaps binaries like `ping` or
`/usr/bin/gnome-keyring-daemon` using bwrap) but we currently explicitly abort
in that scenario to catch broken packages which used file capabilites for bwrap
itself (we switched to suid). For now this works, and if down the line there's a
real-world use case for capability-bearing non-zero-uid processes to invoke
bwrap *and* retain those privileges, we can revisit.

Another twist here is that we need to do some gymnastics to first avoid calling
`capset()` if we don't need to, as that can fail due to systemd installing a
seccomp filter that denies it (for dubious reasons).  Then we also need to ignore
`EPERM` when dropping caps in the init process.  (I considered unilaterally
handling `EPERM`, but it seems nicer to avoid calling `capset()` unless we need to)

Closes: https://github.com/projectatomic/bubblewrap/issues/197

Closes: #205
Approved by: alexlarsson
2017-08-14 13:46:34 +00:00
Colin Walters
e745b94997 tests: Import libtest-core.sh from ostree
This was factored out to be sharable with other projects, let's do so.

Closes: #203
Approved by: jlebon
2017-08-02 20:00:08 +00:00
Giuseppe Scrivano
215aa3eec9 tests: add tests for --cap-add
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #101
Approved by: alexlarsson
2017-06-29 23:02:32 +00:00
Giuseppe Scrivano
6e778109aa bubblewrap: add --as-pid-1
It allows to run a process with PID=1 in the new pid namespace.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2017-06-13 22:13:51 +02:00
Giuseppe Scrivano
76f9460298 test-run.sh: fix the path for the usage string
Otherwise the test fails when setting BWRAP

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #183
Approved by: cgwalters
2017-03-01 13:36:04 +00:00
Marek Jarycki
b6370de0fc Add --die-with-parent
In scenarios such as running bwrap in test frameworks (`bwrap make check`),
one wants all of the processes to go away if the parent process
dies, or if the bwrap process is directly killed.

This ensures that in all cases (both with `--unshare-pid` and without), we use
`prctl(PR_SET_PDEATHSIG)` on both our outer and inner init procesesses if
`--die-with-parent` is specified.

Tests-by: Colin Walters <walters@verbum.org>

Closes: #165
Approved by: emdej
2017-02-27 21:15:11 +00:00
Colin Walters
e3a3f1567a tests: Fold test-basic.sh into test-run.sh
It was never that useful, just a quick stub to get Travis going, which we don't
use right now.  Let's just move it into the `test-run.sh`.

Closes: #163
Approved by: alexlarsson
2017-01-26 08:58:33 +00:00
Colin Walters
35f2f8e916 tests: Use --unshare-user-try
Otherwise we fail on CentOS 7.

Closes: #160
Approved by: jlebon
2017-01-23 18:07:49 +00:00
Simon McVittie
9dfc638503 Fix incorrect nesting of backticks when finding a FUSE mount
Signed-off-by: Simon McVittie <smcv@debian.org>

Closes: #121
Approved by: alexlarsson
2016-11-29 11:51:52 +00:00
Simon McVittie
3e659884a2 Adapt tests so they can be run against installed binaries
Look for bwrap on PATH by default, but allow it to be overridden with
BWRAP, and set that variable in TESTS_ENVIRONMENT so we are testing
the just-built version in "make check".

Signed-off-by: Simon McVittie <smcv@debian.org>

Closes: #120
Approved by: alexlarsson
2016-11-29 11:13:33 +00:00
Simon McVittie
21c67366b4 test-run: don't assume we are uid 1000
Signed-off-by: Simon McVittie <smcv@debian.org>

Closes: #120
Approved by: alexlarsson
2016-11-29 11:13:33 +00:00
Simon McVittie
7c8d421d09 test-run: be a bash script
set -o pipefail is a bashism, and doesn't work in an ordinary POSIX sh;
in particular, /bin/sh in Debian and Ubuntu is usually dash, which
doesn't have set -o.

Signed-off-by: Simon McVittie <smcv@debian.org>

Closes: #120
Approved by: alexlarsson
2016-11-29 11:13:33 +00:00
Alexander Larsson
4a1418d336 bind-mount: Fix issue when destination of mount is in a symlink
The mount operation always fully resolves any symlinks before mounting
so we need to do the same when we're looking for the new mount
in the mount tables.

Without this something like
 --symlink /dst /link --bind-mount /src /link
 would fail because it would look for mount flags in /link, but the
 mount would be on /dst.

Closes: #119
Approved by: alexlarsson
2016-11-22 11:32:09 +00:00
Alexander Larsson
24e6337e04 tests/test-run.sh: Add some more tests that now work
Tests like

  flatpak --unshare-pid --bind / /  --proc /proc true

Failed before, because it tried to bind-mount over /proc/sys which
typically had other mountpoints under it (like
/proc/sys/fs/binfmt_misc), which caused issue with our bind-mount
implementation.

This works fine with the new implementation though, so add these
tests.

Closes: #118
Approved by: alexlarsson
2016-11-15 13:57:43 +00:00
Alexander Larsson
d43752a2ef Add test with basic running operations
This runs a set of very basic operations that use the host root fs as
the sandbox root. Ensuring that we're at least able to start a sandbox
with various options, and that a setuid bwrap can't read files that
should otherwise not be readable.

Note, this SKIPs the test instead of FAILing if the most basic
operation doesn't work, because our test suite doesn't support
running the setuid test.

Closes: #116
Approved by: cgwalters
2016-11-09 22:15:28 +00:00
Colin Walters
e06ff186ce tests: Add a stub test framework
Imported a little bit of code from OSTree's shell `libtest.sh`.  I'm
mostly doing this to test Travis and Homu, but hey, we get a little
bit of coverage.

Pull request: #21
Approved by: alexlarsson
2016-03-15 15:34:28 +00:00