[Pkg-utopia-maintainers] Bug#910006: "basic" autopkgtest fails when bwrap is non-suid
Iain Lane
iain at orangesquash.org.uk
Mon Oct 1 09:36:14 BST 2018
Package: src:bubblewrap
Version: 0.3.1-1
Severity: minor
Tags: patch
Hey,
Filing as minor because this doesn't affect the package as built in
Debian.
When the package is built non-suid, not all GIDs are mapped into the
new (implicitly created) user namespace. The "basic" test is testing
that this does happen, so it fails:
autopkgtest [11:52:43]: test basic: [-----------------------
ok 1 - "bwrap --ro-bind / / /usr/bin/id" should succeed
# Failed test at /tmp/autopkgtest.TprZKQ/build.wEi/src/debian/tests/basic line 17.
# got: 'uid=1000(ubuntu) gid=1001(ubuntu) groups=1001(ubuntu),65534(nogroup)
# '
# expected: 'uid=1000(ubuntu) gid=1001(ubuntu) groups=1001(ubuntu),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),115(netdev),1000(lxd)
# '
not ok 2
1..2
# Looks like you failed 1 test of 2.
autopkgtest [11:52:44]: test basic: -----------------------]
basic FAIL non-zero exit status 1
autopkgtest [11:52:44]: test basic: - - - - - - - - - - results - - - - - - - - - -
I think this test is just trying to show that bwrap "basic"ally works. To get
the test passing again in Ubuntu I applied the attached commit, checking
that the euid and egid survive. Maybe it's an idea to add "-n" to both
calls, which would amount to a test of the {uid,gid}_map code.
Cheers,
--
Iain Lane [ iain at orangesquash.org.uk ]
Debian Developer [ laney at debian.org ]
Ubuntu Developer [ laney at ubuntu.com ]
-------------- next part --------------
From 0ae7028bf4c6a3b87dd9ad0e571a026e4c57c92c Mon Sep 17 00:00:00 2001
From: Iain Lane <laney at debian.org>
Date: Mon, 1 Oct 2018 09:21:01 +0100
Subject: [PATCH] basic: Don't assume `id` will be the same inside the sandbox
When bwrap is installed non-suid, unsharing the user namespace happens
implicitly. Not all GIDs are mapped into the sandbox, which results in
any supplementary groups returning as "nogroup".
As a basic test of bubblewrap's functionality, instead let's test if `id
-u` and `id -g` are the same inside and outside a sandbox.
---
debian/tests/basic | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/debian/tests/basic b/debian/tests/basic
index fbf1b61..c8e3449 100755
--- a/debian/tests/basic
+++ b/debian/tests/basic
@@ -13,7 +13,9 @@ sub run_ok {
}
my $out;
-run_ok([qw(bwrap --ro-bind / / /usr/bin/id)], '<', \undef, '>', \$out);
-is($out, `id`);
+run_ok([qw(bwrap --ro-bind / / /usr/bin/id -u)], '<', \undef, '>', \$out);
+is($out, `id -u`);
+run_ok([qw(bwrap --ro-bind / / /usr/bin/id -g)], '<', \undef, '>', \$out);
+is($out, `id -g`);
done_testing;
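Review bot: the two added `is($out, ...)` calls carry no test description, so a failure is reported only as "not ok N" plus a line number; pass a third argument such as 'id -u is the same inside the sandbox'. The run_ok/is pair is now duplicated for `-u` and `-g` and could be a loop over qw(-u -g). The change also drops every check on supplementary groups, so the setuid build, where the full `id` output did match, no longer has that behaviour covered by this test.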
--
2.17.0
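
The group translation described in the report, as an added example that is not part of the original message or of the bubblewrap package: it maps host GIDs through a user namespace gid_map and shows why the unmapped supplementary groups collapse into 65534(nogroup). The function names and the one-line map are assumptions constructed for illustration; the group list is taken from the "expected" line above.

```shell
#!/bin/sh
# gid_map line format (user_namespaces(7)): <id-inside> <id-outside> <count>
# Any GID with no matching range is shown as the overflow GID.
OVERFLOW_GID=65534   # kernel default of /proc/sys/kernel/overflowgid

# gid_inside MAP GID: print GID as seen from inside the namespace.
# MAP is the text of a gid_map, one range per line.
gid_inside() {
    printf '%s\n' "$1" | awk -v gid="$2" -v overflow="$OVERFLOW_GID" '
        NF == 3 && gid >= $2 && gid < $2 + $3 {
            print $1 + (gid - $2); found = 1; exit
        }
        END { if (!found) print overflow }'
}

# groups_inside MAP GID...: translate every GID and drop duplicates,
# which is how the group list ends up in the output of id.
groups_inside() {
    map=$1; shift
    seen=" "
    for g in "$@"; do
        mapped=$(gid_inside "$map" "$g")
        case "$seen" in
            *" $mapped "*) ;;                 # already listed
            *) seen="$seen$mapped " ;;
        esac
    done
    set -- $seen                              # trim surrounding blanks
    echo "$*"
}

# Constructed sample: a map covering only the caller's primary group 1001,
# assumed here as what a non-suid bwrap run produced in the report.
SAMPLE_MAP='1001 1001 1'
HOST_GROUPS='1001 4 20 24 25 27 29 30 44 46 115 1000'

groups_inside "$SAMPLE_MAP" $HOST_GROUPS      # prints: 1001 65534
```

On a live system the same functions can be fed the contents of /proc/PID/gid_map of the sandboxed process.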