[Pkg-utopia-maintainers] Bug#867847: bubblewrap: Can't use --unshare-user when the procfs is mounted with hidepid=1
Guilhem Moulin
guilhem at debian.org
Sun Jul 9 20:16:06 UTC 2017
Package: bubblewrap
Version: 0.1.8-2
Severity: normal
Dear Maintainer,
I noticed that bubblewrap refuses to create a new user namespace when
the procfs is mounted (outside the container) with hidepid≥1.
$ sudo mount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=0 /proc
$ bwrap --ro-bind / / --unshare-user true; echo $?
0
$ sudo mount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=1 /proc
$ bwrap --ro-bind / / --unshare-user true; echo $?
setting up uid map: Operation not permitted
1
It doesn't help to also create a new PID namespace:
$ bwrap --ro-bind / / --unshare-user --unshare-pid --proc /proc true; echo $?
setting up uid map: Operation not permitted
1
Not sure if that's the intended behavior or not. (In any case, it's not
documented.) But when a new PID namespace is also created and /proc is
remounted, couldn't bwrap set hidepid=0 in the container?
Moreover, although the children do terminate, the bwrap processes do not
(and sending SIGTERM is not enough to terminate them):
$ sudo ps -eo pid,args | grep bwrap
13475 bwrap --ro-bind / / --unshare-user true
13489 bwrap --ro-bind / / --unshare-user --unshare-pid --proc /proc true
And the leftover container's effective and saved set UIDs are still 0:
$ sudo egrep '^([UG]id|Groups):' /proc/13475/status
Uid: 1000 0 0 1000
Gid: 1000 1000 1000 1000
Groups: 20 24 25 27 29 30 44 46 108 118 119 128 1000
Thanks for maintaining bubblewrap in Debian!
--
Guilhem.
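The trigger in the report above is the hidepid level on the procfs mount. As an added example (not code from the report or from the bubblewrap project), the POSIX sh function below reads that level out of text in /proc/self/mountinfo format, so an administrator can tell in advance whether `bwrap --unshare-user` will hit the "setting up uid map: Operation not permitted" failure shown above. The sample mountinfo lines are constructed, the function names `proc_hidepid` and `userns_blocked_by_hidepid` are mine, and the mapping of the symbolic names off/noaccess/invisible/ptraceable to 0/1/2/4 assumes the spellings accepted by Linux 5.8 and later.

```shell
#!/bin/sh
# Added example, not code from the bug report or from bubblewrap.
# Reports the hidepid level of the procfs mounted at /proc, the setting the
# report above shows breaking `bwrap --ro-bind / / --unshare-user true`
# once it is 1 or higher.

# proc_hidepid MOUNTINFO_TEXT
# Prints the numeric hidepid level of the procfs mount at /proc found in
# the text: 0 when no hidepid option is present (or hidepid=0/off),
# 1, 2 or 4 for noaccess, invisible, ptraceable (assumed symbolic names,
# Linux 5.8+), and "absent" when no procfs is mounted at /proc.
proc_hidepid() {
    # mountinfo fields: 1 mount id, 2 parent id, 3 major:minor, 4 root,
    # 5 mount point, ... "-" fstype source super-options
    line=$(printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "-") {
                if ($5 == "/proc" && $(i + 1) == "proc") { print; exit }
                break
            }
    }')
    if [ -z "$line" ]; then
        echo absent
        return 0
    fi
    # hidepid= may appear in the mount options or the super options; both
    # are comma-separated, so the value ends at the next comma or blank.
    v=$(printf '%s\n' "$line" |
        sed -n 's/.*[,[:space:]]hidepid=\([^,[:space:]]*\).*/\1/p')
    case "$v" in
        ""|0|off)     echo 0 ;;
        1|noaccess)   echo 1 ;;
        2|invisible)  echo 2 ;;
        4|ptraceable) echo 4 ;;
        *)            echo "$v" ;;   # unknown spelling: pass it through
    esac
}

# userns_blocked_by_hidepid MOUNTINFO_TEXT
# Succeeds (exit 0) when the hidepid level is 1 or higher, i.e. the
# condition under which the report above observed the uid-map EPERM.
userns_blocked_by_hidepid() {
    level=$(proc_hidepid "$1")
    case "$level" in
        0|absent) return 1 ;;
        *)        return 0 ;;
    esac
}

# Constructed sample mountinfo text (not captured from a real system).
SAMPLE_HIDEPID_0='21 25 0:20 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
22 25 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:11 - proc proc rw'
SAMPLE_HIDEPID_1='21 25 0:20 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
22 25 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:11 - proc proc rw,hidepid=1'
SAMPLE_HIDEPID_INVISIBLE='22 25 0:21 / /proc rw,nosuid,nodev,noexec,relatime,hidepid=invisible shared:11 - proc proc rw'
SAMPLE_NO_PROC='21 25 0:20 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw'

# Stand-alone use: check the running system, if its mountinfo is readable.
if [ -r /proc/self/mountinfo ]; then
    live=$(cat /proc/self/mountinfo)
    echo "hidepid level of /proc on this host: $(proc_hidepid "$live")"
    if userns_blocked_by_hidepid "$live"; then
        echo "bwrap --unshare-user is expected to fail here (see the report)"
    fi
fi
```

Run it as-is to inspect the current host; pass any saved mountinfo text to `proc_hidepid` to check another machine's capture. The parser keys on the mount point and the fstype after the "-" separator rather than on a fixed column, because the optional fields between the mount options and the separator vary in number.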