Prompted by flatpak/flatpak#4731, in which a misconfigured SMB automount
was failing to be remounted with ENODEV. This would have been easier to
debug if we knew which path could not be remounted.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This is useful when building a self-contained, relocatable tree
containing a build of bubblewrap and all of its non-glibc dependencies
(in practice this means libcap and maybe libselinux), as is done in
the Steam container runtime. A RPATH/RUNPATH pointing to ${ORIGIN}/../lib
allows bwrap to find an adjacent, bundled copy of libcap.
Signed-off-by: Simon McVittie <smcv@collabora.com>
The goal of this assertion was to demonstrate that a setuid bwrap does
not give us access to otherwise unreadable files, but if we want to
check that, we should probably be looking at the bind-mount destination
instead of the source file.
Leave the old assertion in too, just in case *that* fails.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Ordinarily, we would not be able to read /etc/shadow if we're not uid 0;
but when building in a sysroot owned by the current user (for example
by setting it up using bwrap, as steam-runtime-tools does), we might
actually be able to read it. Skip the assertion that we cannot read it
in this case.
Signed-off-by: Simon McVittie <smcv@collabora.com>
If we don't do this, AddressSanitizer busy-loops with this backtrace:
#0 in sched_yield
#1 in __sanitizer::StopTheWorld
#2 in __lsan::LockStuffAndStopTheWorldCallback
#3 in __GI___dl_iterate_phdr
#4 in __lsan::LockStuffAndStopTheWorld
#5 in __lsan::CheckForLeaks
#6 in __lsan::DoLeakCheck
#7 __lsan::DoLeakCheck
#8 in __cxa_finalize
#9 in __do_global_dtors_aux
#10 in ??
#11 in _dl_fini
This fixes the hang described in commit 2e3d6e7d, so remove the
workarounds from that commit.
Signed-off-by: Simon McVittie <smcv@collabora.com>
gcc's AddressSanitizer makes system calls that our filter doesn't
allow for, resulting in a fatal error when run under a restrictive
seccomp filter.
try-syscall is a helper for the test, rather than being code under test
itself, so we don't really need this instrumentation in it: all we want
it to do is make some specific syscalls.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This follows the usual feature semantics: they're mandatory if the
feature is enabled, aren't checked if the feature is disabled, and are
optional if the feature is in the auto state (which is the default for
this particular feature).
The logic used here is similar to AX_CHECK_DOCBOOK_XSLT in
autoconf-archive.
Resolves: https://github.com/containers/bubblewrap/issues/500
Signed-off-by: Simon McVittie <smcv@collabora.com>
Right now this link just opens a "path not found" page, so let's fix that by linking to the last commit where it existed instead.
Signed-off-by: Newbyte <newbie13xd@gmail.com>
The Autotools build system installed it with 0644 permissions because
it's listed as DATA, but the Meson build system installs executable
files as executable by default.
zsh completions don't need to be executable to work, and this one doesn't
have the `#!` marker that should start an executable script.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This test is hanging when run under 'meson dist' for some reason, but
not when run under 'meson test', and not locally, only in the Github
Workflow-based CI. Disable it for now.
Signed-off-by: Simon McVittie <smcv@collabora.com>
