sending --help output to stderr causing sadness and confusion when
someone tries something obvious like `bwrap --help | less`. This
commit modifies bubblewrap.c such that `--help` output will go to
stdout, while other invocations of `usage(...)` will continue to go
to stderr.
Closes: #66
Approved by: cgwalters
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
This flag will unshare cgroups only if supported else will skip it.
Closes: #62
Approved by: alexlarsson
This requires linux kernel version 4.6 or higher.
We check for the presence of /proc/self/ns/cgroup
to determine if it is supported or not.
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
Closes: #62
Approved by: alexlarsson
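The detection the message above describes (probe for `/proc/self/ns/cgroup`, and only then ask for a cgroup namespace) as an added C example; this is illustration written for this page, not bubblewrap's own code. The function names are mine, the probe path and the 4.6 cutoff come from the message, and `CLONE_NEWCGROUP` is given its kernel value only when the headers are too old to define it.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <unistd.h>

/* Kernels before 4.6 do not have cgroup namespaces; older headers also lack
 * the flag, so supply the kernel's value to keep the example building. */
#ifndef CLONE_NEWCGROUP
#define CLONE_NEWCGROUP 0x02000000
#endif

/* Path whose presence signals cgroup namespace support on this kernel. */
#define CGROUP_NS_PROBE "/proc/self/ns/cgroup"

/* Returns 1 if the probe path exists (cgroup namespaces available), else 0.
 * The path is a parameter so the check can be exercised with constructed
 * paths as well as the real one. */
static int
cgroup_ns_supported_at (const char *probe_path)
{
  return access (probe_path, F_OK) == 0 ? 1 : 0;
}

/* Build the unshare() flag set for an optional cgroup unshare: the bit is
 * set only when the caller asked for it AND the kernel can honour it, so on
 * an older kernel the request is skipped instead of failing the whole run. */
static int
cgroup_unshare_flags (int requested, int supported)
{
  int flags = 0;
  if (requested && supported)
    flags |= CLONE_NEWCGROUP;
  return flags;
}

/* Try to unshare the cgroup namespace.  Returns 1 if it was done, 0 if it
 * was skipped as unsupported, -1 if unshare() itself failed (for instance
 * for lack of privilege), which the caller must treat as an error rather
 * than silently continue. */
static int
try_unshare_cgroup (int requested)
{
  int supported = cgroup_ns_supported_at (CGROUP_NS_PROBE);
  int flags = cgroup_unshare_flags (requested, supported);

  if (flags == 0)
    return 0;
  if (unshare (flags) != 0)
    {
      perror ("unshare(CLONE_NEWCGROUP)");
      return -1;
    }
  return 1;
}

int
main (void)
{
  int supported = cgroup_ns_supported_at (CGROUP_NS_PROBE);
  printf ("cgroup namespaces %s on this kernel\n",
          supported ? "available" : "unavailable");
  printf ("try_unshare_cgroup(1) -> %d\n", try_unshare_cgroup (1));
  return 0;
}
```

Run as an unprivileged user the last call will usually report -1 from `unshare()`, which is the point of keeping "unsupported, skip" (return 0) distinct from "supported but refused" (return -1): only the first is safe to ignore.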
It turns out you can't readdir from an O_PATH file-descriptor, so
fdwalk didn't work. Spotted the BADFD in a strace.
Closes: #60
Approved by: cgwalters
This is a variation on the previous commit to avoid recursive
parsing of `--args`. Here we limit the total number of options
to something reasonable.
This is inspired by
http://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html
which required 15 million arguments. We come in a bit below that.
Closes: #50
Approved by: rhatdan
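The two mitigations the message above names, a hard cap on the number of options and no recursive handling of `--args`, shown together in an added C example over the NUL-separated argument format an `--args` descriptor would carry. This is illustration for this page, not bubblewrap's parser: the function names are mine, `MAX_OPTIONS` is a constructed placeholder for whatever limit the project chose, and the sample buffers are constructed.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed placeholder: the real project limit is "something reasonable"
 * well below the 15 million arguments of the poisoned-NUL-byte write-up. */
#define MAX_OPTIONS 8

/* Split a NUL-separated buffer into at most `max` argument pointers.
 * Returns the argument count, or -1 when the buffer is not NUL terminated,
 * when it holds more than `max` arguments (the cap), or when it contains a
 * nested `--args` (which would let one descriptor keep pulling in more
 * descriptors, the recursion the cap is there to rule out). */
static int
split_nul_args (char *buf, size_t len, char **out, size_t max)
{
  size_t n = 0;
  size_t i = 0;

  if (len == 0 || buf[len - 1] != '\0')
    return -1;                       /* last byte must be a NUL */

  while (i < len)
    {
      char *arg = buf + i;
      size_t alen = strlen (arg);    /* bounded: buf[len-1] is NUL */

      if (strcmp (arg, "--args") == 0)
        return -1;                   /* no recursive --args */
      if (n == max)
        return -1;                   /* option cap reached */
      out[n++] = arg;
      i += alen + 1;
    }
  return (int) n;
}

/* Copy a constructed literal into a writable buffer and parse it, so the
 * parser can be exercised without a real descriptor. */
static int
count_args (const char *lit, size_t len, size_t max)
{
  char buf[256];
  char *argv[MAX_OPTIONS + 1];

  if (len > sizeof buf || max > MAX_OPTIONS)
    return -1;
  memcpy (buf, lit, len);
  return split_nul_args (buf, len, argv, max);
}

/* sizeof (literal) - 1 is the byte count including the embedded NULs. */
#define COUNT_LIT(s, max) count_args ((s), sizeof (s) - 1, (max))

int
main (void)
{
  printf ("six options, cap 8 -> %d\n",
          COUNT_LIT ("--ro-bind\0/\0/\0--dev\0/dev\0true\0", MAX_OPTIONS));
  printf ("six options, cap 5 -> %d\n",
          COUNT_LIT ("--ro-bind\0/\0/\0--dev\0/dev\0true\0", 5));
  printf ("nested --args      -> %d\n", COUNT_LIT ("--args\0" "3\0", MAX_OPTIONS));
  printf ("missing final NUL  -> %d\n", COUNT_LIT ("true", MAX_OPTIONS));
  return 0;
}
```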
If we're not doing a PID namespace, we don't create a monitor
process, which means that the code in `monitor_child()` needs
to properly propagate the exit status from the signalfd.
It might be better to change `monitor_child()` to be a `waitpid()`
loop in this case, but I decided to go for the one liner fix that's an
improvement in both cases anyways.
I noticed this with:
```
bwrap --ro-bind / / --dev /dev true
```
exiting with code 1.
Closes: #49
Approved by: rhatdan
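The exit-status propagation the message above calls for, as an added C example (illustration for this page, not the project's `monitor_child()`): with no monitor process, the SIGCHLD read from the signalfd is the only place the child's status is visible, so the `struct signalfd_siginfo` fields are mapped to the code a shell would expect. Function names are mine and the siginfo values are constructed rather than read from a real descriptor.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/signalfd.h>

/* Turn a SIGCHLD record from a signalfd into an exit status.  A child that
 * exited normally yields its own exit code; one killed by a signal yields
 * 128 + signal number, the convention shells use, so a crash is not
 * reported as success.  Stop/continue notifications are not exits. */
static int
exit_status_from_siginfo (const struct signalfd_siginfo *si)
{
  switch (si->ssi_code)
    {
    case CLD_EXITED:
      return (int) (si->ssi_status & 0xff);   /* code passed to _exit() */
    case CLD_KILLED:
    case CLD_DUMPED:
      return 128 + (int) si->ssi_status;      /* terminating signal */
    default:
      return -1;                              /* CLD_STOPPED etc.: keep waiting */
    }
}

/* Build a constructed siginfo so the mapping can be exercised without
 * forking a child or reading a real signalfd. */
static int
status_for (int code, int status)
{
  struct signalfd_siginfo si;

  memset (&si, 0, sizeof si);
  si.ssi_signo = SIGCHLD;
  si.ssi_code = code;
  si.ssi_status = status;
  return exit_status_from_siginfo (&si);
}

int
main (void)
{
  printf ("exit(0)  -> %d\n", status_for (CLD_EXITED, 0));
  printf ("exit(1)  -> %d\n", status_for (CLD_EXITED, 1));
  printf ("SIGKILL  -> %d\n", status_for (CLD_KILLED, SIGKILL));
  printf ("SIGSEGV  -> %d\n", status_for (CLD_DUMPED, SIGSEGV));
  printf ("stopped  -> %d\n", status_for (CLD_STOPPED, SIGSTOP));
  return 0;
}
```

The `-1` for non-exit records matters: a loop that returned on the first SIGCHLD of any kind would exit the sandbox launcher while the child was merely stopped.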
All calls to set an SELinux label should call this function
die_unless_label_valid (opt_exec_label);
It will make sure SELinux is enabled and will make sure the user passed in a
valid label.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Closes: #53
Approved by: cgwalters
This should hopefully get things more automatic for more
editors.
I didn't find in a quick search how to teach vim to DTRT by default.
Closes: #56
Approved by: rhatdan
It's likely possible for callers to use `ulimit()` to cause us to
fail `eventfd()` with `EMFILE` - we should handle that.
If a caller requests seccomp but for some reason we fail to install
it, we shouldn't silently continue.
Closes: #52
Approved by: rhatdan
In particular `format` is important for validating strings. Luckily
we don't have any new warnings.
`noreturn` mostly just helps avoid other warnings from unreachable
code.
Closes: #51
Approved by: rhatdan
If using --dev we need a special workaround to make it possible to
mount devpts. Unfortunately the workaround was erroneously enabled
if you added --proc, not --dev. This moves this check to the right
place.
To test, try:
./bwrap --ro-bind / / --dev /dev true
Closes: #48
Approved by: cgwalters
This is very useful if you want to cover some area of the filesystem,
or if you want to make some part of a read-only tree writable.
Closes: #42
Approved by: cgwalters
Verify you are getting a valid SELinux label before proceeding. Some
SELinux checks were broken.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Closes: #43
Approved by: cgwalters
It turns out we need CAP_NET_ADMIN in the privileged case in order
to make --unshare-net work because otherwise we're not allowed to
set up the loopback device.
Closes: #38
Approved by: cgwalters
This just makes it easier to build an RPM before it gets packaged
elsewhere. rpmdistro-gitoverlay e.g. can consume spec files internal
to git repos.
Closes: #35
Approved by: alexlarsson
We have to support two different ways to run:
- As setuid root, for systems without unprivileged userns support
- Non-setuid, but require unprivileged userns
The fact that we exposed `--share-user` is awkward, because it forced
tools that want to work in both cases to basically reimplement the
logic for detecting userns support, if they didn't care whether
or not userns was enabled.
For example in the case of `demos/bubblewrap-shell.sh` where we
share the invoking UID.
This commit changes things so we now default to `--unshare-user` if
we're *not* installed privileged, since it's a requirement.
The end result here is that we just work out of the box in more
scenarios; callers that require the uid mapping portion of userns will
still be passing `--uid`, and this will still properly fail if the
kernel doesn't have userns.
Closes: #36
Closes: #37
Approved by: alexlarsson
Not having this is a rather embarrassing amateur mistake...one of us
should have caught it. We do have LGPLv2+ bits in the headers, but
this should make it unmistakable.
This code inherited from xdg-app and linux-user-chroot, both of which
are LGPLv2+.
Closes: #34
Approved by: alexlarsson
This is just the beginning of a framework for bash completions.
Current completions just give you the list of options available.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Closes: #30
Approved by: alexlarsson
GCC was failing this because write is marked warn_unused_result.
Assigning it to an attribute unused variable is apparently "better"
than casting it to void...
Also, we avoid taking this path at all if event_fd is -1.
Closes: #32
Approved by: alexlarsson
The rawhide kernel has started to warn about applications using 32bit
capabilities calls. We don't actually need more than 32 bits, but
let's use the 64bit APIs anyway to stay safe.
Closes: #29
Approved by: cgwalters
I noticed on Travis we had a warning about this, and it's actually
right, the man page says on OOM the contents of `*strp` are undefined,
not `NULL`.
(Now possibly it doesn't touch the value, but anyways this follows
the man page and fixes a compiler warning)
Pull request: #27
Approved by: alexlarsson
Greater visibility for these is useful. (Alternatively, autoconf
could be less verbose but I'm assuming that's not going to happen
before the sun explodes).
Pull request: #28
Approved by: alexlarsson
With this you can e.g.:
./configure --enable-sudo --with-priv-mode=setcaps
make
make install
and it will ask you for sudo password and then make the final binary
have the right capabilities set.
This is not needed when setting such permissions in e.g. a spec file, but
it is useful for developers building bubblewrap.
Pull request: #26
Approved by: cgwalters
Imported a little bit of code from OSTree's shell `libtest.sh`. I'm
mostly doing this to test Travis and Homu, but hey, we get a little
bit of coverage.
Pull request: #21
Approved by: alexlarsson
I was actually trying to do a simple test of `--help` and was
surprised that we `exit (1)` by default there. Only do that if we
actually fail to parse options.
Pull request: #21
Approved by: alexlarsson