Commit Graph

40 Commits

Author SHA1 Message Date
Christian Göttsche
2ae2ec3542 Enable and resolve sign comparison warnings
Comparison of different signedness can result in unexpected results due
to implicit conversions.

    ../network.c:81:34: warning: comparison of integer expressions of different signedness: ‘__u32’ {aka ‘unsigned int’} and ‘int’ [-Wsign-compare]
       81 |           if (rheader->nlmsg_seq != seq_nr)
          |                                  ^~
    ../network.c:83:34: warning: comparison of integer expressions of different signedness: ‘__u32’ {aka ‘unsigned int’} and ‘__pid_t’ {aka ‘int’} [-Wsign-compare]
      83 |           if (rheader->nlmsg_pid != getpid ())
          |                                  ^~

    ../bind-mount.c:268:17: warning: comparison of integer expressions of different signedness: ‘int’ and ‘unsigned int’ [-Wsign-compare]
      268 |       assert (i < n_lines);
          |                 ^
    ../bind-mount.c:309:13: warning: comparison of integer expressions of different signedness: ‘int’ and ‘unsigned int’ [-Wsign-compare]
      309 |   assert (i == n_lines);
          |             ^~
    ../bind-mount.c:318:17: warning: comparison of integer expressions of different signedness: ‘int’ and ‘unsigned int’ [-Wsign-compare]
      318 |   for (i = 0; i < n_lines; i++)
          |                 ^
    ../bind-mount.c:321:17: warning: comparison of integer expressions of different signedness: ‘int’ and ‘unsigned int’ [-Wsign-compare]
      321 |   for (i = 0; i < n_lines; i++)
          |                 ^

    ../utils.c:818:19: warning: comparison of integer expressions of different signedness: ‘size_t’ {aka ‘long unsigned int’} and ‘ssize_t’ {aka ‘long int’} [-Wsign-compare]
      818 |   while (size - 2 < n);
          |                   ^

    ../bubblewrap.c:489:13: warning: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Wsign-compare]
      489 |   assert (j < sizeof(dont_close)/sizeof(*dont_close));
          |             ^
    ../bubblewrap.c:994:25: warning: comparison of integer expressions of different signedness: ‘int’ and ‘uid_t’ {aka ‘unsigned int’} [-Wsign-compare]
      994 |       if (setfsuid (-1) != real_uid)
          |                         ^~
    ../bubblewrap.c:1042:61: warning: comparison of integer expressions of different signedness: ‘ssize_t’ {aka ‘long int’} and ‘size_t’ {aka ‘long unsigned int’} [-Wsign-compare]
     1042 |       if (write (privileged_op_socket, buffer, buffer_size) != buffer_size)
          |                                                             ^~
    ../bubblewrap.c:1232:25: warning: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Wsign-compare]
     1232 |           for (i = 0; i < N_ELEMENTS (cover_proc_dirs); i++)
          |                         ^
    ../bubblewrap.c:1260:25: warning: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Wsign-compare]
     1260 |           for (i = 0; i < N_ELEMENTS (devnodes); i++)
          |                         ^
    ../bubblewrap.c:1272:25: warning: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Wsign-compare]
     1272 |           for (i = 0; i < N_ELEMENTS (stdionodes); i++)
          |                         ^
    ../bubblewrap.c: In function ‘read_priv_sec_op’:
    ../bubblewrap.c:1556:15: warning: comparison of integer expressions of different signedness: ‘ssize_t’ {aka ‘long int’} and ‘long unsigned int’ [-Wsign-compare]
     1556 |   if (rec_len < sizeof (PrivSepOp))
          |               ^
    ../bubblewrap.c:1626:28: warning: comparison of integer expressions of different signedness: ‘int’ and ‘uint32_t’ {aka ‘unsigned int’} [-Wsign-compare]
     1626 |   if (*total_parsed_argc_p > MAX_ARGS)
          |                            ^
    ../bubblewrap.c:1681:40: warning: comparison of integer expressions of different signedness: ‘int’ and ‘uint32_t’ {aka ‘unsigned int’} [-Wsign-compare]
     1681 |               if (*total_parsed_argc_p > MAX_ARGS)
          |                                        ^
    ../bubblewrap.c:2265:31: warning: comparison of integer expressions of different signedness: ‘uid_t’ {aka ‘unsigned int’} and ‘int’ [-Wsign-compare]
     2265 |           if (opt_sandbox_uid != -1)
          |                               ^~
    ../bubblewrap.c:2285:31: warning: comparison of integer expressions of different signedness: ‘gid_t’ {aka ‘unsigned int’} and ‘int’ [-Wsign-compare]
     2285 |           if (opt_sandbox_gid != -1)
          |                               ^~
    ../bubblewrap.c:2678:23: warning: comparison of integer expressions of different signedness: ‘uid_t’ {aka ‘unsigned int’} and ‘int’ [-Wsign-compare]
     2678 |   if (opt_sandbox_uid == -1)
          |                       ^~
    ../bubblewrap.c:2680:23: warning: comparison of integer expressions of different signedness: ‘gid_t’ {aka ‘unsigned int’} and ‘int’ [-Wsign-compare]
     2680 |   if (opt_sandbox_gid == -1)
          |                       ^~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2023-02-28 21:53:19 +01:00
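As an added illustration (not code from this commit or from bubblewrap), the `rec_len < sizeof (PrivSepOp)` and `write (...) != buffer_size` comparisons from the warning list are shown as written and beside signed-aware versions; `PrivSepOp` here is a constructed stand-in struct whose only relevant property is its size.

```c
#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>

/* Constructed stand-in for bubblewrap's PrivSepOp; only its size (16) matters here. */
typedef struct { uint32_t op; uint32_t flags; uint32_t arg1; uint32_t arg2; } PrivSepOp;

/* The comparison as the warning reports it: ssize_t against size_t. The cast spells
 * out the conversion the compiler performs implicitly: a read error of -1 becomes
 * SIZE_MAX, so the "too short" check silently passes for an error return. */
int record_too_short_unfixed(ssize_t rec_len)
{
    return (size_t) rec_len < sizeof (PrivSepOp);
}

/* Signed-aware version: reject error returns first, then compare sizes. */
int record_too_short_fixed(ssize_t rec_len)
{
    if (rec_len < 0)
        return 1;
    return (size_t) rec_len < sizeof (PrivSepOp);
}

/* `write (...) != buffer_size` from the same list. Here the implicit conversion
 * happens to give the right answer (SIZE_MAX never equals a real buffer size),
 * but handling the error case explicitly makes the intent clear and is warning-free. */
int write_incomplete_unfixed(ssize_t written, size_t buffer_size)
{
    return (size_t) written != buffer_size;
}

int write_incomplete_fixed(ssize_t written, size_t buffer_size)
{
    return written < 0 || (size_t) written != buffer_size;
}
```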
Simon McVittie
d4554fcf25 utils: Silence -Wunused-parameter with clang, Meson, and SELinux disabled
These parameters are unused if SELinux happens to be disabled.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-04-05 14:34:47 +01:00
a1346054
366564eaa0 Fix spelling
Signed-off-by: a1346054 <36859588+a1346054@users.noreply.github.com>
2021-10-14 14:40:10 +02:00
Simon McVittie
22af8f72ec die_with_error: Save errno sooner
We need to save errno immediately, otherwise it could be overwritten
by a failing library call somewhere in the implementation of fprintf.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-10-11 09:57:47 +02:00
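An added example (not the commit's code) of the errno-clobbering the message describes: `emit_prefix()` is a constructed stand-in for a library routine that fails internally and overwrites errno, which is what the implementation of fprintf is allowed to do. Both reporters return the errno value they would have printed.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed stand-in for library code that fails internally: writes the
 * "bwrap: " prefix, then performs an open() that is guaranteed to fail with
 * ENOENT, overwriting whatever errno the caller wanted to report. */
static void emit_prefix(FILE *out)
{
    fputs("bwrap: ", out);
    int fd = open("/nonexistent-dir-for-demo/x", O_RDONLY);  /* errno = ENOENT */
    if (fd >= 0)
        close(fd);
}

/* Before the fix: errno is read only after the prefix has been written. */
int report_error_unfixed(FILE *out)
{
    emit_prefix(out);
    int errsv = errno;          /* already clobbered by emit_prefix() */
    fprintf(out, "%s\n", strerror(errsv));
    return errsv;
}

/* After the fix: save errno immediately, before any other library call. */
int report_error_fixed(FILE *out)
{
    int errsv = errno;
    emit_prefix(out);
    fprintf(out, "%s\n", strerror(errsv));
    return errsv;
}
```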
Simon McVittie
9d187f096d utils: Add warn()
Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-10-10 13:07:28 +01:00
Simon McVittie
a6c90c516b Add SPDX-License-Identifier for files that already specify license
This is a step towards REUSE compliance. Third-party files that we do
not otherwise edit (git.mk, m4/attributes.m4) are excluded here.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-08-31 12:32:40 +01:00
Colin Walters
dca0a31f03 Merge pull request #429 from smcv/selinux-warnings
utils: Remove security_context_t casts for libselinux >= 2.3
2021-06-23 09:30:42 -04:00
Colin Walters
136b3166bb Merge pull request #401 from smcv/clearenv
Add --clearenv option
2021-06-23 09:29:52 -04:00
Simon McVittie
80dc9b5e86 Merge pull request #403 from RyuzakiKK/case_insensitive_fs
Add support for bind-mount on case-insensitive filesystems
2021-06-23 10:17:42 +01:00
Simon McVittie
8f72ceb2c4 Add --clearenv option
This allows environment variables to be set when running bwrap itself
(perhaps a custom LD_LIBRARY_PATH), but cleared for the command that
runs in the container, without having to enumerate all the variables.

Because PWD is set later, as a side-effect of changing directory, this
actually clears everything except PWD.

A portable program would check for clearenv() (and if not found, fall
back to using environ = NULL), but bubblewrap is Linux-specific, and
Linux C libraries (at least glibc and musl) do have clearenv().

Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-06-22 17:57:35 +01:00
Simon McVittie
eb48ee8347 utils: Remove security_context_t casts for libselinux >= 2.3
security_context_t has always been a typedef for char * and used more
or less interchangeably with char *, but the use of a typedef turned
out to be bad for const-correctness. The function signatures were
changed to take const char * in libselinux 2.3, in 2014[1] and the
typedef was formally deprecated in 2020[2].

On very old OSs like Ubuntu 14.04, reinstate the casts to suppress
warnings from -Wdiscarded-qualifiers.

[1] https://github.com/SELinuxProject/selinux/commit/9eb9c9327563
[2] https://github.com/SELinuxProject/selinux/commit/7a124ca27581

Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-06-22 17:52:53 +01:00
Simon McVittie
a00f39fc4e Don't require mount point for a non-directory to be a regular file
Previously, mounting a socket over the top of an existing socket
would fail, because create_file() opens it with creat():

    $ test -e /run/systemd/resolve/io.systemd.Resolve && echo exists
    exists
    $ bwrap \
      --bind / / \
      --bind /run/systemd/resolve/io.systemd.Resolve \
             /run/systemd/resolve/io.systemd.Resolve \
      /bin/true
    bwrap: Can't create file at /run/systemd/resolve/io.systemd.Resolve: No such device or address

Tolerate the file existing as any type that we will be able to mount
a non-directory onto.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-05-14 12:23:41 +01:00
Ludovico de Nittis
04c0ca17ad Add support for bind-mount on case-insensitive filesystems
If we are using a case-insensitive filesystem the bind-mount operation
might fail when `/proc/self/mountinfo` is checked.

In a case-insensitive filesystem, if we ask to mount a certain
directory, e.g. '/CI_fs/foo', the kernel might add its entry in
`mountinfo` as '/CI_fs/FOO'. This happens because the kernel populates
`mountinfo` with whatever case combination first appeared in the dcache.

With this patch we open the requested path and look at its
`/proc/self/fd`, using readlink(), to get the path case combination that
the kernel is also expected to be using.

Signed-off-by: Ludovico de Nittis <ludovico.denittis@collabora.com>
2021-02-16 13:46:10 +01:00
Alexander Larsson
4a7ecc630f utils: Add fork_intermediate_child() helper
This just forks and exits in the parent, continuing in the child.
2019-11-22 11:17:42 +01:00
Alexander Larsson
d068ec2bfa utils: Add some utility function to pass pids over a socket
This uses SCM_CREDENTIALS as a way to translate pids between the
sender and the destination namespaces.
2019-11-22 11:17:42 +01:00
Jakub Wilk
1622673a4d Print "Out of memory" on stderr, not stdout
Closes: #303
Approved by: smcv
2019-02-26 17:45:46 +00:00
Alexander Larsson
1e90a18a08 Don't rely on mkdir returning EEXIST (fixing NFS)
For NFS mounts if we call mkdir() on a read-only mount (such as when
we've created a read-only bind mount) the kernel will not return EEXIST
even when the directory exists, instead returning EROFS.

So, we add (and use) an ensure_dir() helper that stats before calling
mkdir.

Closes: #258
Approved by: giuseppe
2018-03-16 22:07:13 +00:00
Vladimir Panteleev
c09c1e5307 Prefix error messages with program name
It may not always be obvious what the source of any particular error
message is. For instance, "Can't find source path" errors could be
perceived as coming from either the shell, loader, bubblewrap, or the
wrapped application, especially when a previously-configured program
stops working due to some external circumstances.

Thus, disambiguate the source of bubblewrap's error messages by
printing them with a "bwrap: " prefix.

Closes: #234
Approved by: cgwalters
2017-10-08 19:10:07 +00:00
Alexander Larsson
c9c5dda3e1 utils: Add path_equal()
Closes: #118
Approved by: alexlarsson
2016-11-15 13:57:43 +00:00
Alexander Larsson
d69ab9202b Ran uncruftify.sh
Closes: #67
Approved by: cgwalters
2016-05-13 12:21:08 +00:00
Mrunal Patel
4c943ddc5a Convert tabs to spaces
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>

Closes: #65
Approved by: cgwalters
2016-05-12 18:24:12 +00:00
Pavel Odvody
2fe416d264 More robust handler for OOM condition
Closes: #63
Approved by: cgwalters
2016-05-12 11:15:42 +00:00
Alexander Larsson
b9c39e5beb Fix fdwalk
It turns out you can't readdir from an O_PATH file-descriptor, so
fdwalk didn't work. Spotted the BADFD in a strace.

Closes: #60
Approved by: cgwalters
2016-05-09 14:41:51 +00:00
Colin Walters
bf6e3564a3 utils: Rename strdup_printf -> xasprintf
I find this clearer since I know about `asprintf`, and the `x` prefix.

Closes: #55
Approved by: alexlarsson
2016-05-07 06:52:05 +00:00
Mrunal Patel
5d83a36d0e Fix typos and whitespace
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>

Closes: #57
Approved by: cgwalters
2016-05-06 17:58:26 +00:00
Dan Walsh
35e664940c SELinux: Combine label_valid and label_support into one function
All calls to set an SELinux label should call this function

die_unless_label_valid (opt_exec_label);

It will make sure SELinux is enabled and will make sure the user passed in a
valid label.

Signed-off-by: Alexander Larsson <alexl@redhat.com>

Signed-off-by: Dan Walsh <dwalsh@redhat.com>

Closes: #53
Approved by: cgwalters
2016-05-06 16:31:40 +00:00
Dan Walsh
5601aae36c SELinux: Ensure we validate labels
Verify you are getting a valid SELinux label before proceeding.  Some
SELinux checks were broken.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>

Closes: #43
Approved by: cgwalters
2016-05-05 14:43:39 +00:00
Colin Walters
fefeea889d utils: Squash const warnings for security contexts
It's surprising that `security_context_t` isn't const.

Pull request: #27
Approved by: alexlarsson
2016-03-22 13:09:52 +00:00
Colin Walters
080a031053 utils: Fix OOM error handling for vasprintf()
I noticed on Travis we had a warning about this, and it's actually
right, the man page says on OOM the contents of `*strp` are undefined,
not `NULL`.

(Now possibly it doesn't touch the value, but anyways this follows
 the man page and fixes a compiler warning)

Pull request: #27
Approved by: alexlarsson
2016-03-22 13:09:52 +00:00
Dan Walsh
506fb1b162 Add SELinux Support
Signed-off-by: Dan Walsh <dwalsh@redhat.com>

Pull request: #25
Approved by: alexlarsson
2016-03-22 09:33:46 +00:00
Alexander Larsson
38ca0434ed utils: load_file_data() was growing buffer too large
2016-03-14 16:24:28 +01:00
Alexander Larsson
23b8fb6f1a Add has_path_prefix util
2016-03-07 10:21:06 +01:00
Alexander Larsson
46037fc88f Add seccomp support
2016-02-29 14:44:23 +01:00
Alexander Larsson
4d248d225e Break out load_file_data() helper
2016-02-29 13:58:24 +01:00
Alexander Larsson
c3dd820adf When creating file bind mount destinations, check if they already exist
If they already exist as regular files then we don't need to create
them, which is good because doing so would break if the filesystem
is readonly. I.e. that returns EROFS instead of EEXIST in that case.
2016-02-19 10:51:37 +01:00
Alexander Larsson
92712d8cd5 Rename to bubblewrap
2016-02-17 11:54:21 +01:00
Alexander Larsson
f5b006ff0c Support --make-file
2016-02-16 15:55:08 +01:00
Alexander Larsson
c68e0dfef6 Add some more util funcs and clean up utils.c
2016-02-16 10:51:18 +01:00
Alexander Larsson
dafe63b41e Move more helper functions to utils.c
2016-02-16 09:55:01 +01:00
Alexander Larsson
2f58265dce Break out utils to separate file
2016-02-16 09:36:33 +01:00