[Pkg-utopia-maintainers] Bug#1063930: bwrap --dev prevents mount commands from working
Michael Gold
michael at bitplane.org
Thu Feb 15 00:23:28 GMT 2024
Package: bubblewrap
Version: 0.8.0-2
When the --dev option is used, the 'mount' command cannot be used inside
the container, even when permissions would appear to allow it. A script
that demonstrates this is attached:
$ ./bwrap-test.sh
bash-5.2$ mount -t tmpfs x /tmp
mount: /tmp: must be superuser to use mount.
dmesg(1) may have more information after failed mount system call.
bash-5.2$ exit
exit
$ ./bwrap-test.sh -a
bash-5.2$ mount -t tmpfs x /tmp
bash-5.2$ exit
exit
$
When "-a" is used, "--dev-bind /dev /dev" replaces "--dev /dev", and the
"mount" command works. This is kind of the opposite of what I'd expect,
as --dev seems safer than a full --dev-bind. Nothing is logged to dmesg
either way.
A work-around is to use something like "--dev-bind /dev /real-dev", then
bind-mount chosen devices to a new /dev tree before unmounting /real-dev
("umount --no-mtab --lazy /real-dev" seems to work).
- Michael
-- Package-specific info:
Permissions of /usr/bin/bwrap:
-rwxr-xr-x 1 root root 72080 Feb 28 2023 /usr/bin/bwrap
/etc/sysctl.d/*-bubblewrap.conf:
cat: '/etc/sysctl.d/*-bubblewrap.conf': No such file or directory
/usr/lib/sysctl.d/50-bubblewrap.conf:
# Enable unprivileged creation of new user namespaces in older Debian
# kernels.
#
# If this is not desired, copy this file to
# /etc/sysctl.d/50-bubblewrap.conf and change the value of this parameter
# to 0, then use dpkg-statoverride to make /usr/bin/bwrap setuid root.
#
# For more details see https://deb.li/bubblewrap or
# /usr/share/doc/bubblewrap/README.Debian
kernel.unprivileged_userns_clone=1
/proc/sys/kernel/unprivileged_userns_clone:
1
/proc/sys/user/max_cgroup_namespaces:
256640
/proc/sys/user/max_ipc_namespaces:
256640
/proc/sys/user/max_mnt_namespaces:
256640
/proc/sys/user/max_net_namespaces:
256640
/proc/sys/user/max_pid_namespaces:
256640
/proc/sys/user/max_time_namespaces:
256640
/proc/sys/user/max_user_namespaces:
256640
/proc/sys/user/max_uts_namespaces:
256640
-- System Information:
Debian Release: trixie/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.6.15-amd64 (SMP w/32 CPU threads; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages bubblewrap depends on:
ii libc6 2.37-15
ii libcap2 1:2.66-5
ii libselinux1 3.5-2
Versions of packages bubblewrap recommends:
ii procps 2:4.0.4-4
bubblewrap suggests no packages.
-- no debconf information
-------------- next part --------------
#!/bin/sh
set -e #errexit
set -u #nounset

# -a switches the /dev setup from "--dev /dev" to "--dev-bind /dev/ /dev"
alt_dev=0
while getopts 'a' opt
do
    case "$opt" in
        a) alt_dev=1;;
        \? | *) exit 2;;
    esac
done
shift "$((OPTIND - 1))"
if test "$#" -ne 0
then
    printf 'Usage: %s [-a]\n' "${0##*/}" >&2
    exit 2
fi

# Build the bwrap command line one argument at a time in "$@"
set -- bwrap
set -- "$@" --unshare-pid
set -- "$@" --cap-add CAP_DAC_OVERRIDE
set -- "$@" --cap-add CAP_SETPCAP
set -- "$@" --cap-add CAP_SYS_ADMIN
set -- "$@" --ro-bind /usr/ /usr
set -- "$@" --setenv PATH /usr/bin
set -- "$@" --symlink /usr/lib/ /lib
set -- "$@" --symlink /usr/lib64/ /lib64
set -- "$@" --proc /proc
set -- "$@" --dir /tmp
if test "$alt_dev" -eq 0
then
    # this prevents future 'mount' calls...
    set -- "$@" --dev /dev
else
    # ...but this does not
    set -- "$@" --dev-bind /dev/ /dev
fi
#printf '%s\n' "$*"
"$@" -- /usr/bin/bash
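The work-around the report describes (bind the host /dev at /real-dev, populate a fresh /dev tree with chosen nodes, then lazily unmount /real-dev), written out as an added example; it is neither the reporter's attached script nor bubblewrap's own code. The device list in SANDBOX_DEVICES, the /real-dev and /setup.sh paths, the use of a plain "--dir /dev" for the new tree, and re-invoking the script inside the sandbox via a read-only bind of itself are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the bug report or of bubblewrap itself.
# Implements the work-around from the report: the host /dev is bound at
# /real-dev, the sandbox gets an empty directory at /dev, and inside the
# sandbox a chosen set of device nodes is bind-mounted from /real-dev into
# /dev before /real-dev is lazily unmounted, so the full host device tree
# is gone by the time the user's shell starts.  The device list, the
# /real-dev path and /setup.sh are assumptions made for this example.
set -eu

# Device nodes to expose inside the sandbox (assumed minimal set).
SANDBOX_DEVICES="null zero full random urandom tty"

# Each name becomes a mount point under /dev, so reject anything that is
# not a plain file name.  Returns 0 if every name is acceptable.
valid_device_names() {
    for name in $1; do
        case $name in
            ''|.|..|*/*) return 1 ;;
        esac
    done
    return 0
}

# Print the bwrap argument list, one per line, without launching bwrap.
# "--dev-bind /dev /real-dev" replaces the report's "--dev /dev"; /dev
# itself is only an empty directory that populate_dev fills in later.
bwrap_args() {
    printf '%s\n' \
        --unshare-pid \
        --cap-add CAP_SYS_ADMIN \
        --ro-bind /usr /usr \
        --symlink /usr/lib /lib \
        --symlink /usr/lib64 /lib64 \
        --proc /proc \
        --dir /tmp \
        --dir /dev \
        --dev-bind /dev /real-dev \
        --setenv PATH /usr/bin
}

# Runs inside the sandbox: fill $2 with nodes taken from $1, then drop $1.
populate_dev() {
    real=$1
    new=$2
    valid_device_names "$SANDBOX_DEVICES"
    for name in $SANDBOX_DEVICES; do
        : > "$new/$name"          # a bind mount needs an existing target file
        mount --bind "$real/$name" "$new/$name"
    done
    # There is no /etc/mtab inside the sandbox, hence --no-mtab; --lazy
    # because the shell's own stdio may still refer to nodes under $real.
    umount --no-mtab --lazy "$real"
}

main() {
    case "${1:-}" in
        run)
            script=$(readlink -f "$0")
            # The arguments contain no whitespace, so word splitting is safe.
            set -- $(bwrap_args)
            exec bwrap "$@" --ro-bind "$script" /setup.sh \
                -- /usr/bin/sh /setup.sh inner
            ;;
        inner)
            populate_dev /real-dev /dev
            exec /usr/bin/bash
            ;;
        *)
            printf 'Usage: %s run\n' "${0##*/}" >&2
            return 2
            ;;
    esac
}

# Only act when a mode is given; running or sourcing the file without
# arguments just defines the functions above for inspection.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Invoke it as "./bwrap-devtree.sh run"; the "inner" mode is only meant to be reached through the re-invocation inside the sandbox. The host /dev is exposed at /real-dev just long enough to copy the listed nodes, which is why the names are validated before they are used as mount targets.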