Package: bubblewrap
Version: 0.8.0-2
When the --dev option is used, the 'mount' command cannot be used inside
the container, even when permissions would appear to allow it. A script
that demonstrates this is attached:
$ ./bwrap-test.sh
bash-5.2$ mount -t tmpfs x /tmp
mount: /tmp: must be superuser to use mount.
dmesg(1) may have more information after failed mount system call.
bash-5.2$ exit
exit
$ ./bwrap-test.sh -a
bash-5.2$ mount -t tmpfs x /tmp
bash-5.2$ exit
exit
$
When "-a" is used, "--dev-bind /dev /dev" replaces "--dev /dev", and the "mount" command works. This is kind of the opposite of what I'd expect,
as --dev seems safer than a full --dev-bind. Nothing is logged to dmesg
either way.
A work-around is to use something like "--dev-bind /dev /real-dev", then bind-mount chosen devices to a new /dev tree before unmounting /real-dev ("umount --no-mtab --lazy /real-dev" seems to work).
- Michael
-- Package-specific info:
Permissions of /usr/bin/bwrap:
-rwxr-xr-x 1 root root 72080 Feb 28 2023 /usr/bin/bwrap

/etc/sysctl.d/*-bubblewrap.conf:
cat: '/etc/sysctl.d/*-bubblewrap.conf': No such file or directory

/usr/lib/sysctl.d/50-bubblewrap.conf:
# Enable unprivileged creation of new user namespaces in older Debian
# kernels.
#
# If this is not desired, copy this file to
# /etc/sysctl.d/50-bubblewrap.conf and change the value of this parameter
# to 0, then use dpkg-statoverride to make /usr/bin/bwrap setuid root.
#
# For more details see
# https://deb.li/bubblewrap or
# /usr/share/doc/bubblewrap/README.Debian
kernel.unprivileged_userns_clone=1
/proc/sys/kernel/unprivileged_userns_clone:
1
/proc/sys/user/max_cgroup_namespaces:
256640
/proc/sys/user/max_ipc_namespaces:
256640
/proc/sys/user/max_mnt_namespaces:
256640
/proc/sys/user/max_net_namespaces:
256640
/proc/sys/user/max_pid_namespaces:
256640
/proc/sys/user/max_time_namespaces:
256640
/proc/sys/user/max_user_namespaces:
256640
/proc/sys/user/max_uts_namespaces:
256640
-- System Information:
Debian Release: trixie/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.6.15-amd64 (SMP w/32 CPU threads; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages bubblewrap depends on:
ii libc6 2.37-15
ii libcap2 1:2.66-5
ii libselinux1 3.5-2
Versions of packages bubblewrap recommends:
ii procps 2:4.0.4-4
bubblewrap suggests no packages.
-- no debconf information
-- Attachment: bwrap-test.sh
#!/bin/sh
set -e #errexit
set -u #nounset
alt_dev=0
while getopts 'a' opt
do
case "$opt" in
a) alt_dev=1;;
\? | *) exit 2;;
esac
done
shift "$((OPTIND - 1))"
if test "$#" -ne 0
then
printf 'Usage: %s [-a]\n' "${0##*/}" >&2
exit 2
fi
# assemble the bwrap command line one argument at a time
set -- bwrap
set -- "$@" --unshare-pid
# capabilities kept inside the sandbox; CAP_SYS_ADMIN is the one mount(2) requires
set -- "$@" --cap-add CAP_DAC_OVERRIDE
set -- "$@" --cap-add CAP_SETPCAP
set -- "$@" --cap-add CAP_SYS_ADMIN
set -- "$@" --ro-bind /usr/ /usr
set -- "$@" --setenv PATH /usr/bin
set -- "$@" --symlink /usr/lib/ /lib
set -- "$@" --symlink /usr/lib64/ /lib64
set -- "$@" --proc /proc
set -- "$@" --dir /tmp
if test "$alt_dev" -eq 0
then
# this prevents future 'mount' calls...
set -- "$@" --dev /dev
else
# ...but this does not
set -- "$@" --dev-bind /dev/ /dev
fi
#printf '%s\n' "$*"
"$@" -- /usr/bin/bash
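The work-around described in the report (bind the host /dev at /real-dev, assemble a new /dev from chosen device nodes, then lazily unmount /real-dev) written out as a complete script. This is an added example, not code from the report or from the bubblewrap project. The device list, the use of "--tmpfs /dev" for the empty /dev, /usr/bin/bash as the inner shell and the function names are assumptions of this example; it needs a host where bwrap can create unprivileged user namespaces, as on the system above.

```sh
#!/bin/sh
# Added example, not part of the bug report: the work-around from the report
# as a complete script.  The host /dev is bound at /real-dev instead of using
# '--dev /dev'; inside the sandbox a new /dev is assembled on a tmpfs from a
# chosen set of device nodes, /real-dev is lazily unmounted, and mount(2) is
# shown to still work.  Assumptions not taken from the report: the device
# list DEVICES, '--tmpfs /dev' for the empty /dev, /usr/bin/bash as the inner
# shell, and the function names used here.
set -eu

# Device nodes to expose; everything else under the host /dev stays hidden.
DEVICES="null zero full random urandom tty"

# Print the bwrap argument list, one argument per line (no argument contains
# whitespace, so the caller can word-split it with "set --").
build_bwrap_args() {
    cat <<'EOF'
--unshare-pid
--cap-add
CAP_DAC_OVERRIDE
--cap-add
CAP_SETPCAP
--cap-add
CAP_SYS_ADMIN
--ro-bind
/usr/
/usr
--setenv
PATH
/usr/bin
--symlink
/usr/lib/
/lib
--symlink
/usr/lib64/
/lib64
--proc
/proc
--dir
/tmp
--tmpfs
/dev
--dev-bind
/dev/
/real-dev
EOF
}

# Print the shell snippet that runs inside the sandbox.
inner_setup_script() {
    printf 'set -eu\n'
    for dev in $DEVICES; do
        # a bind mount needs an existing target; create an empty file first
        printf ': > /dev/%s\n' "$dev"
        printf 'mount --bind /real-dev/%s /dev/%s\n' "$dev" "$dev"
    done
    cat <<'EOF'
ln -s /proc/self/fd /dev/fd
ln -s /proc/self/fd/0 /dev/stdin
ln -s /proc/self/fd/1 /dev/stdout
ln -s /proc/self/fd/2 /dev/stderr
# Detach the host /dev tree; the bind mounts above survive the lazy unmount.
umount --no-mtab --lazy /real-dev
# The check from the report: this is what fails with EPERM under '--dev /dev'.
mount -t tmpfs x /tmp
echo 'mount inside the sandbox: OK'
exec /usr/bin/bash
EOF
}

main() {
    # intentional word splitting of the newline-separated list, see build_bwrap_args
    set -- $(build_bwrap_args)
    exec bwrap "$@" -- /usr/bin/bash -c "$(inner_setup_script)"
}

# Only launch the sandbox when this file is executed under its own name, so
# the functions above can also be sourced and inspected without starting one.
case "${0##*/}" in
    bwrap-workaround.sh) main ;;
esac
```

Save it as bwrap-workaround.sh and run it to get an interactive shell in the sandbox after the "mount inside the sandbox: OK" line. /dev/pts and /dev/shm are not recreated here; the script only exposes the six plain device nodes listed in DEVICES.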