Simon McVittie
73911524a4
Fix copy/paste error in help for --pidns
...
--pidns acts on a pid namespace, not a user namespace.
Resolves: https://github.com/containers/bubblewrap/issues/531
Thanks: hadess
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-10-27 18:15:48 +01:00
Simon McVittie
ddc431a88e
Merge pull request #441 from smcv/as-if
...
build: Consistently use AS_IF instead of if/then/fi
2022-10-27 17:42:57 +01:00
Simon McVittie
d41edb969a
Merge pull request #509 from tomsmeding/tmpfs-size
...
Add --size option to control size of a --tmpfs
2022-10-26 21:43:25 +01:00
Tom Smeding
7655fe2f9d
--size: Update completions and documentation
...
Signed-off-by: Tom Smeding <tom@tomsmeding.com>
2022-10-26 19:47:00 +02:00
Tom Smeding
906a7a75bd
Tests for --size and --perms
...
Signed-off-by: Tom Smeding <tom@tomsmeding.com>
2022-10-26 19:46:59 +02:00
Tom Smeding
494b269a69
Add --size option to control size of a --tmpfs
...
Signed-off-by: Tom Smeding <tom@tomsmeding.com>
2022-10-26 19:46:59 +02:00
Simon McVittie
020a9eef6f
Merge pull request #487 from smcv/better-enospc-message
...
Improve error message when clone() fails with ENOSPC
2022-10-03 11:28:20 +01:00
Simon McVittie
efbcdba68c
Merge pull request #527 from a1346054/fixes
...
test-run: replace nonstandard `which`
2022-09-13 18:41:21 +01:00
a1346054
a29f535b74
test-run: replace nonstandard which
...
`command -v` is the standardized replacement for `which` and never
writes to stderr
Signed-off-by: a1346054 <36859588+a1346054@users.noreply.github.com>
2022-09-12 22:09:11 +00:00
Simon McVittie
010bde7f37
bind-mount: Include failing path in error message
...
Prompted by flatpak/flatpak#4731, in which a misconfigured SMB automount
was failing to be remounted with ENODEV. This would have been easier to
debug if we knew which path could not be remounted.
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-08-16 11:39:58 +02:00
Simon McVittie
8af578d088
Merge pull request #510 from smcv/etc-shadow
...
Adjust tests related to /etc/shadow
2022-07-26 19:54:46 +01:00
Simon McVittie
7d54d050a2
meson: Add options to set a RPATH/RUNPATH on the bwrap executable
...
This is useful when building a self-contained, relocatable tree
containing a build of bubblewrap and all of its non-glibc dependencies
(in practice this means libcap and maybe libselinux), as is done in
the Steam container runtime. A RPATH/RUNPATH pointing to ${ORIGIN}/../lib
allows bwrap to find an adjacent, bundled copy of libcap.
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-05-16 10:19:24 +02:00
Tom Smeding
89d64eee9d
Prepare for multiple different modifier options
...
Signed-off-by: Tom Smeding <tom@tomsmeding.com>
2022-05-14 13:45:41 +02:00
Simon McVittie
2b4c4a7899
test-run: Add another assertion that we cannot read /etc/shadow
...
The goal of this assertion was to demonstrate that a setuid bwrap does
not give us access to otherwise unreadable files, but if we want to
check that, we should probably be looking at the bind-mount destination
instead of the source file.
Leave the old assertion in too, just in case *that* fails.
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-05-11 16:01:11 +01:00
Simon McVittie
a996acc892
test-run: Skip a test if we can read /etc/shadow
...
Ordinarily, we would not be able to read /etc/shadow if we're not uid 0;
but when building in a sysroot owned by the current user (for example
by setting it up using bwrap, as steam-runtime-tools does), we might
actually be able to read it. Skip the assertion that we cannot read it
in this case.
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-05-11 15:55:10 +01:00
Simon McVittie
c54bbc6d7b
Release v0.6.2
...
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-05-11 15:05:37 +01:00
Simon McVittie
b9d0ac36e7
Merge pull request #486 from smcv/unused
...
Annotate some variables as sometimes-unused
2022-05-11 14:54:27 +01:00
Simon McVittie
5ba8fc31ca
Merge pull request #492 from smcv/mips
...
try-syscall: Use compiler-predefined macros to detect mips ABI
2022-05-10 16:31:02 +01:00
Simon McVittie
ade6bb0ff7
Merge pull request #493 from smcv/bwrapdir
...
meson: Allow installation directory to be set explicitly
2022-05-10 16:30:17 +01:00
Simon McVittie
14d6a7f0df
Merge pull request #496 from smcv/missing-def
...
Allow building on old glibc without PR_SET_CHILD_SUBREAPER defined
2022-05-10 16:23:02 +01:00
Simon McVittie
3faa4c1ff2
tests: Disable leak detection when joining user-specified pid namespace
...
If we don't do this, AddressSanitizer busy-loops with this backtrace:
#0 in sched_yield
#1 in __sanitizer::StopTheWorld
#2 in __lsan::LockStuffAndStopTheWorldCallback
#3 in __GI___dl_iterate_phdr
#4 in __lsan::LockStuffAndStopTheWorld
#5 in __lsan::CheckForLeaks
#6 in __lsan::DoLeakCheck
#7 __lsan::DoLeakCheck
#8 in __cxa_finalize
#9 in __do_global_dtors_aux
#10 in ??
#11 in _dl_fini
This fixes the hang described in commit 2e3d6e7d, so remove the
workarounds from that commit.
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-05-03 14:02:03 +02:00
Simon McVittie
c991f2dd9a
tests: Disable sanitizers for try-syscall
...
gcc's AddressSanitizer makes system calls that our filter doesn't
allow for, resulting in a fatal error when run under a restrictive
seccomp filter.
try-syscall is a helper for the test, rather than being code under test
itself, so we don't really need this instrumentation in it: all we want
it to do is make some specific syscalls.
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-05-03 14:02:03 +02:00
Simon McVittie
e7c9b04f59
build: Auto-detect presence of Docbook XSL stylesheets
...
This follows the usual feature semantics: they're mandatory if the
feature is enabled, aren't checked if the feature is disabled, and are
optional if the feature is in the auto state (which is the default for
this particular feature).
The logic used here is similar to AX_CHECK_DOCBOOK_XSLT in
autoconf-archive.
Resolves: https://github.com/containers/bubblewrap/issues/500
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-05-03 14:00:30 +02:00
Simon McVittie
1d6a50f762
Merge pull request #501 from rusty-snake/fix-missing-options-in-manpage
...
Add --share-net & --json-status-fd to the manpage
2022-04-21 20:34:19 +01:00
rusty-snake
feef6071a9
Add --share-net & --json-status-fd to the manpage
...
Fixes #469
Fixes #499
Signed-off-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
2022-04-21 21:21:03 +02:00
Simon McVittie
4bf2d4e9b0
Merge pull request #491 from ffontaine/main
...
meson: add tests option
2022-04-21 12:15:27 +01:00
Fabrice Fontaine
34ea0ad841
meson: add tests option
...
Allow the user to disable tests, for example to avoid the following
build failure on mips32:
FAILED: tests/try-syscall.p/try-syscall.c.o
/home/autobuild/autobuild/instance-11/output-1/host/bin/mipsel-buildroot-linux-musl-gcc -Itests/try-syscall.p -Itests -I../tests -fdiagnostics-color=always -Wall -Winvalid-pch -Wextra -O3 -D_GNU_SOURCE -Werror=shadow -Werror=empty-body -Werror=strict-prototypes -Werror=missing-prototypes -Werror=implicit-function-declaration -Werror=pointer-arith -Werror=init-self -Werror=missing-declarations -Werror=return-type -Werror=overflow -Werror=int-conversion -Werror=incompatible-pointer-types -Werror=misleading-indentation -Werror=missing-include-dirs -Werror=aggregate-return -Werror=switch-default -Wswitch-enum -Wno-sign-compare -Wno-error=sign-compare -Wno-missing-field-initializers -Wno-error=missing-field-initializers -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -O1 -g0 -MD -MQ tests/try-syscall.p/try-syscall.c.o -MF tests/try-syscall.p/try-syscall.c.o.d -o tests/try-syscall.p/try-syscall.c.o -c ../tests/try-syscall.c
../tests/try-syscall.c:34:5: error: #error "Unknown MIPS ABI"
34 | # error "Unknown MIPS ABI"
| ^~~~~
Fixes:
- http://autobuild.buildroot.org/results/cf0365354fc8c16e5871d561daae0fa5039d0bee
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2022-04-06 18:18:43 +02:00
Simon McVittie
77d1a77ea2
Merge pull request #489 from Newbytee/patch-1
...
Link to the last commit where xdg-app-helper.c existed
2022-04-06 16:53:46 +01:00
Simon McVittie
bda58e03a1
meson: Allow installation directory to be set explicitly
...
Overriding the libexecdir via default_options doesn't always work when
used as a subproject.
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-04-05 14:57:04 +01:00
Simon McVittie
7e62e8dafe
Allow building on old glibc without PR_SET_CHILD_SUBREAPER defined
...
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-04-05 14:48:23 +01:00
Simon McVittie
d4554fcf25
utils: Silence -Wunused-parameter with clang, Meson, and SELinux disabled
...
These parameters are unused if SELinux happens to be disabled.
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-04-05 14:34:47 +01:00
Simon McVittie
8f5b370696
Silence -Wunused-but-set-variable with clang
...
This variable is only used for lifetime tracking (autocleanup), but
clang warns on that.
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-04-05 14:34:47 +01:00
Simon McVittie
bab52ef198
try-syscall: Use compiler-predefined macros to detect mips ABI
...
_MIPS_SIM_ABI32 etc. are defined by Linux <asm/sgidefs.h>, which is
included by glibc <sys/syscall.h> (which defers to Linux headers to
get syscall numbers), but not by musl <sys/syscall.h>.
_ABIO32 etc. are predefined by the compiler, so they are always
available, regardless of libc. References:
https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=27d54b2a6c18ef1ae50f1a5b432d590438445b90
https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=0ea339ea4d9c3e04ae17da6bf389617eb0251e57
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-04-05 13:49:04 +01:00
Newbyte
29d1db4a18
Link to the last commit where xdg-app-helper.c existed
...
Right now this link just opens a "path not found" page, so let's fix that by linking to the last commit where it existed instead.
Signed-off-by: Newbyte <newbie13xd@gmail.com>
2022-03-23 20:35:54 +01:00
Simon McVittie
34a8c8bc87
Merge pull request #484 from rusty-snake/install-instructions
...
Add install instruction to README.md
2022-03-22 17:53:28 +00:00
Simon McVittie
8b5cba1a63
Merge pull request #483 from rusty-snake/add-seccomp-fd-completions
...
Add --add-seccomp-fd to bash/zsh completion
2022-03-22 17:52:50 +00:00
Simon McVittie
920c88e0ba
Merge pull request #482 from rusty-snake/fix-add-seccomp-fd
...
Fix --add-seccomp-fd argument name in usage
2022-03-22 17:52:25 +00:00
Simon McVittie
a2b58048b9
Improve error message when clone() fails with ENOSPC
...
In particular, this would have given #371 a clearer error message.
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-03-22 17:37:07 +00:00
rusty-snake
798b87ce3a
Add install instruction to README.md
...
Closes #315
Closes #363
Signed-off-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
2022-03-22 17:01:28 +01:00
rusty-snake
0affc2464b
Fix --add-seccomp-fd argument name in usage
...
--help shows --add-seccomp instead of --add-seccomp-fd which is the
correct argument.
Signed-off-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
2022-03-22 17:00:13 +01:00
rusty-snake
7a67c22df8
Add --add-seccomp-fd to bash/zsh completion
...
Signed-off-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
2022-03-22 16:59:25 +01:00
Simon McVittie
90e46b5ee3
Merge pull request #481 from Keruspe/clang
...
tests: fix build with clang
2022-03-18 09:46:32 +00:00
Marc-Antoine Perennou
08dc2bb546
tests: properly tag ok as being printf-like
...
Avoids breaking warning with clang
Fixes #478
Signed-off-by: Marc-Antoine Perennou <Marc-Antoine@Perennou.com>
2022-03-18 10:41:54 +01:00
Simon McVittie
a362d3c0ee
Prepare v0.6.1
...
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-02-25 17:43:52 +00:00
Simon McVittie
db3829b1a1
Add a release checklist
...
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-02-25 17:43:25 +00:00
Simon McVittie
a1496e3ac7
Merge pull request #476 from smcv/zsh-noexec
...
completions: Make zsh completion non-executable
2022-02-25 17:41:21 +00:00
Simon McVittie
ad996f845d
completions: Make zsh completion non-executable
...
The Autotools build system installed it with 0644 permissions because
it's listed as DATA, but the Meson build system installs executable
files as executable by default.
zsh completions don't need to be executable to work, and this one doesn't
have the `#!` marker that should start an executable script.
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-02-24 17:04:30 +00:00
Simon McVittie
b480c5fd0d
Release v0.6.0
...
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-02-24 14:34:39 +00:00
Colin Walters
5b76c602d0
Merge pull request #475 from smcv/meson
...
Fix Meson build system to be able to run tests
2022-02-24 09:24:30 -05:00
Simon McVittie
d8b4221d54
meson: Improve compatibility with Meson 0.49
...
That version doesn't allow more than two arguments for define_variable.
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-02-20 11:41:27 +00:00