• Bug#1063930: bwrap --dev prevents mount commands from working

    From Michael Gold@21:1/5 to All on Thu Feb 15 01:30:01 2024

    Package: bubblewrap
    Version: 0.8.0-2

    When the --dev option is used, the 'mount' command cannot be used inside
    the container, even when permissions would appear to allow it. A script
    that demonstrates this is attached:
    $ ./bwrap-test.sh
    bash-5.2$ mount -t tmpfs x /tmp
    mount: /tmp: must be superuser to use mount.
    dmesg(1) may have more information after failed mount system call.
    bash-5.2$ exit
    exit
    $ ./bwrap-test.sh -a
    bash-5.2$ mount -t tmpfs x /tmp
    bash-5.2$ exit
    exit
    $

    When "-a" is used, "--dev-bind /dev /dev" replaces "--dev /dev", and the "mount" command works. This is kind of the opposite of what I'd expect,
    as --dev seems safer than a full --dev-bind. Nothing is logged to dmesg
    either way.

    A work-around is to use something like "--dev-bind /dev /real-dev", then bind-mount chosen devices to a new /dev tree before unmounting /real-dev ("umount --no-mtab --lazy /real-dev" seems to work).

    - Michael


    -- Package-specific info:
    Permissions of /usr/bin/bwrap:
    -rwxr-xr-x 1 root root 72080 Feb 28 2023 /usr/bin/bwrap
    /etc/sysctl.d/*-bubblewrap.conf:
    cat: '/etc/sysctl.d/*-bubblewrap.conf': No such file or directory
    /usr/lib/sysctl.d/50-bubblewrap.conf:
    # Enable unprivileged creation of new user namespaces in older Debian
    # kernels.
    #
    # If this is not desired, copy this file to
    # /etc/sysctl.d/50-bubblewrap.conf and change the value of this parameter
    # to 0, then use dpkg-statoverride to make /usr/bin/bwrap setuid root.
    #
    # For more details see https://deb.li/bubblewrap or
    # /usr/share/doc/bubblewrap/README.Debian
    kernel.unprivileged_userns_clone=1
    /proc/sys/kernel/unprivileged_userns_clone:
    1
    /proc/sys/user/max_cgroup_namespaces:
    256640
    /proc/sys/user/max_ipc_namespaces:
    256640
    /proc/sys/user/max_mnt_namespaces:
    256640
    /proc/sys/user/max_net_namespaces:
    256640
    /proc/sys/user/max_pid_namespaces:
    256640
    /proc/sys/user/max_time_namespaces:
    256640
    /proc/sys/user/max_user_namespaces:
    256640
    /proc/sys/user/max_uts_namespaces:
    256640

    -- System Information:
    Debian Release: trixie/sid
    APT prefers unstable-debug
    APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental')
    Architecture: amd64 (x86_64)

    Kernel: Linux 6.6.15-amd64 (SMP w/32 CPU threads; PREEMPT)
    Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages bubblewrap depends on:
    ii libc6 2.37-15
    ii libcap2 1:2.66-5
    ii libselinux1 3.5-2

    Versions of packages bubblewrap recommends:
    ii procps 2:4.0.4-4

    bubblewrap suggests no packages.

    -- no debconf information

    Attachment: bwrap-test.sh

    #!/bin/sh
    set -e #errexit
    set -u #nounset

    alt_dev=0
    while getopts 'a' opt
    do
        case "$opt" in
            a) alt_dev=1;;
            \? | *) exit 2;;
        esac
    done
    shift "$((OPTIND - 1))"

    if test "$#" -ne 0
    then
        printf 'Usage: %s [-a]\n' "${0##*/}" >&2
        exit 2
    fi

    set -- bwrap
    set -- "$@" --unshare-pid
    set -- "$@" --cap-add CAP_DAC_OVERRIDE
    set -- "$@" --cap-add CAP_SETPCAP
    set -- "$@" --cap-add CAP_SYS_ADMIN
    set -- "$@" --ro-bind /usr/ /usr
    set -- "$@" --setenv PATH /usr/bin
    set -- "$@" --symlink /usr/lib/ /lib
    set -- "$@" --symlink /usr/lib64/ /lib64
    set -- "$@" --proc /proc
    set -- "$@" --dir /tmp

    if test "$alt_dev" -eq 0
    then
        # this prevents future 'mount' calls...
        set -- "$@" --dev /dev
    else
        # ...but this does not
        set -- "$@" --dev-bind /dev/ /dev
    fi

    #printf '%s\n' "$*"
    "$@" -- /usr/bin/bash

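
The work-around described in the report, written out as an added example; it is not part of the original message. The device list, the `--tmpfs /dev` mount point for the new tree, the function names `populate_dev` and `dev_args`, and the `RUN` dry-run hook are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: build a minimal /dev from a staged copy of the host /dev,
# then detach the staged copy, following the work-around in the report.
set -eu

# Devices exposed in the sandbox (assumption; trim to what the workload needs).
DEVICES="null zero full random urandom tty"
# RUN=echo prints the mount/umount commands instead of executing them.
RUN=${RUN:-}

# Print the bwrap options that take the place of "--dev /dev" in
# bwrap-test.sh, one per line. Use as: set -- "$@" $(dev_args)
dev_args() {
    printf '%s\n' --dev-bind /dev /real-dev --tmpfs /dev
}

# populate_dev SRC DST
# Bind-mount each chosen device from SRC into DST, then lazily unmount SRC
# so the full host /dev is no longer reachable by path.
populate_dev() {
    src=$1
    dst=$2
    for d in $DEVICES; do
        if [ ! -e "$src/$d" ]; then
            echo "skip: $src/$d not present" >&2
            continue
        fi
        # A bind mount of a single node needs an existing file as its target.
        : > "$dst/$d"
        $RUN mount --bind "$src/$d" "$dst/$d"
    done
    # Same umount invocation the report says seems to work.
    $RUN umount --no-mtab --lazy "$src"
}

# Inside the sandbox (started with dev_args plus the report's --cap-add
# options), before handing control to the workload:
#   populate_dev /real-dev /dev
```

Running it with `RUN=echo` against two scratch directories shows the exact commands that would be issued without needing any mount privileges.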