[Pkg-utopia-maintainers] Bug#867847: bubblewrap: Can't use --unshare-user when the procfs is mounted with hidepid=1

Guilhem Moulin guilhem at debian.org
Sun Jul 9 20:16:06 UTC 2017


Package: bubblewrap
Version: 0.1.8-2
Severity: normal

Dear Maintainer,

I noticed that bubblewrap refuses to create a new user namespace when
the procfs is mounted (outside the container) with hidepid≥1.

    $ sudo mount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=0 /proc
    $ bwrap --ro-bind / / --unshare-user true; echo $?
    0
    $ sudo mount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=1 /proc
    $ bwrap --ro-bind / / --unshare-user true; echo $?
    setting up uid map: Operation not permitted
    1

It doesn't help to also create a new PID namespace:

    $ bwrap --ro-bind / / --unshare-user --unshare-pid --proc /proc true; echo $?
    setting up uid map: Operation not permitted
    1

Not sure if that's the intended behavior or not.  (In any case, it's not
documented.)  But when a new PID namespace is also created and /proc is
remounted, couldn't bwrap set hidepid=0 in the container?

Moreover, although the children do terminate, the bwrap processes do not
(and sending SIGTERM is not enough to terminate them):

    $ sudo ps -eo pid,args | grep bwrap
    13475 bwrap --ro-bind / / --unshare-user true
    13489 bwrap --ro-bind / / --unshare-user --unshare-pid --proc /proc true

And the leftover container's effective and saved set UIDs are still 0:

    $ sudo egrep '^([UG]id|Groups):' /proc/13475/status
    Uid:	1000	0	0	1000
    Gid:	1000	1000	1000	1000
    Groups:	20 24 25 27 29 30 44 46 108 118 119 128 1000 

Thanks for maintaining bubblewrap in Debian!
-- 
Guilhem.
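An added diagnostic, not part of this report or of bubblewrap itself: a POSIX shell script that reads the hidepid option of the /proc mount from /proc/self/mountinfo and lists processes whose real UID differs from their effective or saved UID, which is the state shown above for the leftover bwrap processes. The function names and the sample mountinfo lines in the comments are constructed for this example; the Uid line format is the one in /proc/<pid>/status.

```shell
#!/bin/sh
# Added example (not from the bug report): triage helper for the two
# observations above, the hidepid setting on /proc and leftover processes
# whose effective/saved UID is 0 while the real UID is not.

# Print the hidepid value of the /proc mount from mountinfo lines on stdin
# (normally /proc/self/mountinfo). Prints 0 when the option is absent and
# "unknown" when no proc filesystem is mounted at /proc. Kernels >= 5.8 may
# report textual values (noaccess, invisible, ptraceable) instead of 1/2/4.
# mountinfo line layout (constructed sample):
#   36 27 0:4 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw,hidepid=1
# field 5 is the mount point, "-" separates the optional fields from the
# fstype, and the last field holds the superblock options where hidepid lives.
proc_hidepid() {
    awk '
        $5 == "/proc" {
            for (i = 7; i <= NF; i++) if ($i == "-") break
            if ($(i + 1) != "proc") next
            found = 1
            n = split($NF, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] ~ /^hidepid=/) { sub(/^hidepid=/, "", o[j]); print o[j]; exit }
            print 0
            exit
        }
        END { if (!found) print "unknown" }'
}

# Read a /proc/<pid>/status on stdin; succeed (exit 0) when the real UID
# differs from the effective or saved UID, e.g. "Uid: 1000 0 0 1000".
# Fails when the UIDs agree or when no Uid line is present.
uid_mismatch() {
    awk '
        $1 == "Uid:" { found = 1; if ($2 != $3 || $2 != $4) bad = 1 }
        END { exit (found && bad) ? 0 : 1 }'
}

# Walk /proc and print "<pid> <name>" for every process with mismatched UIDs.
# With hidepid >= 1 only the caller'"'"'s own processes are visible unless run as
# root, and a setuid program caught mid-run will legitimately show up too, so
# treat the output as a list to inspect rather than as proof of a stuck sandbox.
scan_procs() {
    for st in /proc/[0-9]*/status; do
        if uid_mismatch 2>/dev/null < "$st"; then
            pid=${st#/proc/}
            pid=${pid%/status}
            printf '%s %s\n' "$pid" "$(awk '$1 == "Name:" { print $2 }' "$st")"
        fi
    done
}

main() {
    if [ -r /proc/self/mountinfo ]; then
        printf 'hidepid on /proc: %s\n' "$(proc_hidepid < /proc/self/mountinfo)"
    fi
    printf 'processes with real uid != effective/saved uid:\n'
    scan_procs
}

main
```

Run it as the user who launched bwrap; a leftover sandbox shows up as a line like `13475 bwrap`, and the first line tells you whether the proc mount carries hidepid at all.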