author | Alexander Larsson <alexl@redhat.com> | 2019-11-21 15:30:03 +0100 |
---|---|---|
committer | Alexander Larsson <alexl@redhat.com> | 2019-11-22 11:11:32 +0100 |
commit | 75c2d94de8a6a3f13619aecf3d5a2a5276942a88 (patch) | |
tree | 3d264bcc207bd96da752db87a16cd3ac4dcb6911 /bwrap.xml | |
parent | 23d3b639242efa1f4626eb07aa04698ba2e0354e (diff) | |
download | bubblewrap-75c2d94de8a6a3f13619aecf3d5a2a5276942a88.tar.gz |

Add support for --userns and --userns2

This allows you to reuse an existing user namespace to set up all the
other namespaces, entering that instead of creating a new one. The
reason you want to do this is that you can then also reuse other
namespaces that are owned by the user namespace. Typically you use
this to partially re-enter a previously created bubblewrap sandbox.

This also adds --userns2 which is similar to --userns, but this is
switched into at the end instead of the start. Bubblewrap sometimes
creates nested such user namespaces[1], and to be able to reuse such a
setup we need to similarly reuse both namespaces via --userns2.

Technically using setns() is probably safe even in the privileged
case, because we got passed in a file descriptor to the namespace, and
that can only be gotten if you have ptrace permissions against the
target, and then you could do whatever to the namespace
anyway. However, for practical reasons this isn't useable for bwrap,
because (as described in a comment in acquire_privs()) setuid mode
causes root to own the namespaces that it creates. So as you will not
be able to access these namespaces for reuse anyway, it's best to
disable it (in case of unexpected security issues).

[1] This is to work around an issue with mounting devpts without uid 0
mapped in the user namespace, where the outer namespace owns all the
other namespaces but the inner one has the right mappings.

Diffstat (limited to 'bwrap.xml')
-rw-r--r-- | bwrap.xml | 10 |
1 files changed, 10 insertions, 0 deletions
@@ -131,6 +131,16 @@ <listitem><para>Unshare all possible namespaces. Currently equivalent with: <option>--unshare-user-try</option> <option>--unshare-ipc</option> <option>--unshare-pid</option> <option>--unshare-net</option> <option>--unshare-uts</option> <option>--unshare-cgroup-try</option></para></listitem> </varlistentry> <varlistentry> + <term><option>--userns <arg choice="plain">FD</arg></option></term> + <listitem><para>Use an existing user namespace instead of creating a new one. The namespace must fulfil the permission requirements for setns(), which generally means that it must be a decendant of the currently active user namespace, owned by the same user. </para> + <para>This is incompatible with --unshare-user, and doesn't work in the setuid version of bubblewrap.</para></listitem> + </varlistentry> + <varlistentry> + <term><option>--userns2 <arg choice="plain">FD</arg></option></term> + <listitem><para>After setting up the new namespace, switch into the specified namespace. For this to work the specified namespace must be a decendant of the user namespace used for the setup, so this is only useful in combination with --userns.</para> + <para>This is useful because sometimes bubblewrap itself creates nested user namespaces (to work around some kernel issues) and --userns2 can be used to enter these.</para></listitem> + </varlistentry> + <varlistentry> <term><option>--uid <arg choice="plain">UID</arg></option></term> <listitem><para>Use a custom user id in the sandbox (requires <option>--unshare-user</option>)</para></listitem> </varlistentry> |
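
Review bot: in the added --userns and --userns2 entries, "decendant" should be "descendant" (it appears in both first paragraphs), and the option names in running text ("This is incompatible with --unshare-user", "only useful in combination with --userns") are bare where the neighbouring --uid entry wraps them in <option>…</option>; marking them up the same way keeps the rendered man page consistent. The --userns2 entry also never states that it is unavailable in the setuid version, while the --userns entry does; since the text says --userns2 is only useful together with --userns, repeating the setuid restriction there (or saying it is inherited) saves the reader from inferring it. It would also help to say what FD must refer to, for example an open file descriptor for a user namespace, since both entries give only "FD".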