[Pkg-utopia-maintainers] Bug#1063930: bwrap --dev prevents mount commands from working

Michael Gold michael at bitplane.org
Thu Feb 15 00:23:28 GMT 2024


Package: bubblewrap
Version: 0.8.0-2

When the --dev option is used, the 'mount' command cannot be used inside
the container, even when permissions would appear to allow it.  A script
that demonstrates this is attached:
	$ ./bwrap-test.sh
	bash-5.2$ mount -t tmpfs x /tmp
	mount: /tmp: must be superuser to use mount.
	       dmesg(1) may have more information after failed mount system call.
	bash-5.2$ exit
	exit
	$ ./bwrap-test.sh -a
	bash-5.2$ mount -t tmpfs x /tmp
	bash-5.2$ exit
	exit
	$ 

When "-a" is used, "--dev-bind /dev /dev" replaces "--dev /dev", and the
"mount" command works.  This is kind of the opposite of what I'd expect,
as --dev seems safer than a full --dev-bind.  Nothing is logged to dmesg
either way.

A work-around is to use something like "--dev-bind /dev /real-dev", then
bind-mount chosen devices to a new /dev tree before unmounting /real-dev
("umount --no-mtab --lazy /real-dev" seems to work).

- Michael


-- Package-specific info:
Permissions of /usr/bin/bwrap:
-rwxr-xr-x 1 root root 72080 Feb 28  2023 /usr/bin/bwrap
/etc/sysctl.d/*-bubblewrap.conf:
cat: '/etc/sysctl.d/*-bubblewrap.conf': No such file or directory
/usr/lib/sysctl.d/50-bubblewrap.conf:
# Enable unprivileged creation of new user namespaces in older Debian
# kernels.
#
# If this is not desired, copy this file to
# /etc/sysctl.d/50-bubblewrap.conf and change the value of this parameter
# to 0, then use dpkg-statoverride to make /usr/bin/bwrap setuid root.
#
# For more details see https://deb.li/bubblewrap or
# /usr/share/doc/bubblewrap/README.Debian
kernel.unprivileged_userns_clone=1
/proc/sys/kernel/unprivileged_userns_clone:
1
/proc/sys/user/max_cgroup_namespaces:
256640
/proc/sys/user/max_ipc_namespaces:
256640
/proc/sys/user/max_mnt_namespaces:
256640
/proc/sys/user/max_net_namespaces:
256640
/proc/sys/user/max_pid_namespaces:
256640
/proc/sys/user/max_time_namespaces:
256640
/proc/sys/user/max_user_namespaces:
256640
/proc/sys/user/max_uts_namespaces:
256640

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.15-amd64 (SMP w/32 CPU threads; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bubblewrap depends on:
ii  libc6        2.37-15
ii  libcap2      1:2.66-5
ii  libselinux1  3.5-2

Versions of packages bubblewrap recommends:
ii  procps  2:4.0.4-4

bubblewrap suggests no packages.

-- no debconf information
-------------- next part --------------
#!/bin/sh
set -e  #errexit
set -u  #nounset

alt_dev=0
while getopts 'a' opt
do
	case "$opt" in
	a) alt_dev=1;;
	\? | *) exit 2;;
	esac
done
shift "$((OPTIND - 1))"

if test "$#" -ne 0
then
	printf 'Usage: %s [-a]\n' "${0##*/}" >&2
	exit 2
fi

set -- bwrap
set -- "$@" --unshare-pid
set -- "$@" --cap-add CAP_DAC_OVERRIDE
set -- "$@" --cap-add CAP_SETPCAP
set -- "$@" --cap-add CAP_SYS_ADMIN
set -- "$@" --ro-bind /usr/ /usr
set -- "$@" --setenv PATH /usr/bin
set -- "$@" --symlink /usr/lib/ /lib
set -- "$@" --symlink /usr/lib64/ /lib64
set -- "$@" --proc /proc
set -- "$@" --dir /tmp

if test "$alt_dev" -eq 0
then
	# this prevents future 'mount' calls...
	set -- "$@" --dev /dev
else
	# ...but this does not
	set -- "$@" --dev-bind /dev/ /dev
fi

#printf '%s\n' "$*"
"$@" -- /usr/bin/bash
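
Added example, not part of the original report or its attached script: one way to carry out the work-around described in the message (bind the host /dev at /real-dev, build a new /dev from chosen devices, then lazily unmount /real-dev), reusing the attached script's other options. The device list, the inner /usr/bin/sh helper, the `--run` switch and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not the reporter's script): the /real-dev work-around.
set -eu

# Device nodes to expose in the sandbox; an assumed minimal set.
DEVICES='null zero full random urandom tty'

# Prints the script that runs inside the sandbox: build a fresh /dev
# from /real-dev, then detach /real-dev so the rest of the host /dev
# is no longer reachable, and finally start the interactive shell.
dev_setup_script() {
	cat <<EOF
set -eu
mount --no-mtab -t tmpfs -o mode=0755 tmpfs /dev
for d in $DEVICES
do
	: > "/dev/\$d"    # empty file used as the bind-mount target
	mount --no-mtab --bind "/real-dev/\$d" "/dev/\$d"
done
umount --no-mtab --lazy /real-dev
exec /usr/bin/bash
EOF
}

# Same options as the report's script, except that "--dev /dev" is
# replaced by an empty /dev mount point plus the host /dev at /real-dev.
# Mode "print" lists the arguments one per line; anything else execs bwrap.
run_sandbox() {
	mode=${1:-run}
	set -- bwrap --unshare-pid \
		--cap-add CAP_DAC_OVERRIDE --cap-add CAP_SETPCAP \
		--cap-add CAP_SYS_ADMIN \
		--ro-bind /usr/ /usr --setenv PATH /usr/bin \
		--symlink /usr/lib/ /lib --symlink /usr/lib64/ /lib64 \
		--proc /proc --dir /tmp \
		--dir /dev --dev-bind /dev /real-dev \
		-- /usr/bin/sh -c "$(dev_setup_script)"
	case $mode in
	print) printf '%s\n' "$@" ;;
	*) exec "$@" ;;
	esac
}

# Start the sandbox only when invoked with --run.
if [ "${1:-}" = "--run" ]; then run_sandbox run; fi
```

Inside the resulting shell, `ls /dev` should list only the chosen nodes and /real-dev should be empty, while `mount -t tmpfs x /tmp` is expected to behave as in the report's "-a" case.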