Commit message | Author | Date | Files | Lines
* README: Redirect to bubblewrap [HEAD, master] | Colin Walters | 2016-05-02 | 1 | -0/+13
    It's a more modern codebase and achieves the goals here.
* README: Link to Bazel | Colin Walters | 2015-09-08 | 1 | -0/+9
* Release 2015.1 [v2015.1] | Colin Walters | 2015-09-06 | 1 | -1/+1
* doc: Add --mount-devapi, some typo fixes | Colin Walters | 2015-09-06 | 1 | -4/+7
* core: Update comment for private/slave mode of / mount | Colin Walters | 2015-09-06 | 1 | -4/+5
* core: Update comments around PR_SET_NO_NEW_PRIVS and nosuid mount | Colin Walters | 2015-09-06 | 1 | -10/+7
    We now rely on PR_SET_NO_NEW_PRIVS, so make that clearer. The old comment around uid 0 for `SECBIT_NOROOT` was actually wrong, because we always setuid back to the calling user.
* TODO: Update | Colin Walters | 2015-09-05 | 1 | -0/+20
* Add --mount-devapi option [more-restriction-options] | Colin Walters | 2015-09-05 | 5 | -1/+176
    By default, we had supported `--mount-bind /dev /dev` to get access to devices. But in many cases, build systems and the like will want to avoid exposing host physical devices. For example, if I'm building something locally, I don't want the makefile etc. to be able to access `/dev/dri`.
* README: Update | Colin Walters | 2015-09-01 | 1 | -11/+22
* docs: Update to note we do containers, but are mainly for build systems | Colin Walters | 2015-09-01 | 2 | -7/+10
* Drop -newnet variant | Colin Walters | 2015-09-01 | 4 | -182/+0
    This was just a hack which worked around a RHEL6 kernel bug. I no longer care about RHEL6; linux-user-chroot is now just RHEL7 only.
* seccomp: Add ptrace to blacklist | Colin Walters | 2015-08-29 | 1 | -2/+5
    It's also been a CVE source, although longer in the past. Having it can make exploiting race conditions and such easier.
* Add seccomp and rules imported from xdg-app/Sandstorm.io | Colin Walters | 2015-08-28 | 7 | -3/+301
    seccomp is disabled by default for backwards compatibility. This "v0" version is a basic blacklist that turns off some of the known historical attack surface, initially imported from xdg-app.

    I added a note about code sharing - we should share rules among container implementations.
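An added example, not linux-user-chroot's or xdg-app's own seccomp rules: a raw-BPF seccomp filter in C (no libseccomp) that denies ptrace(2) with EPERM and allows everything else, the shape of blacklist the two seccomp commits above describe. It also shows the two things such a filter needs before the syscall-number check: an architecture check, because syscall numbers differ per ABI and a filter without one can be bypassed by a caller using another ABI, and PR_SET_NO_NEW_PRIVS, which an unprivileged process must set before it may install a filter. The x86_64/aarch64 AUDIT_ARCH selection, the function names and the fork-based probe are this example's own assumptions; Linux only.

```c
/* Added example (not linux-user-chroot code): minimal seccomp-BPF blacklist
 * that returns EPERM for ptrace(2) and allows every other syscall. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Assumption: built for x86_64 or aarch64. The arch check is mandatory:
 * without it the number __NR_ptrace means something else under another ABI. */
#if defined(__x86_64__)
#  define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define SD_OFF(field) offsetof(struct seccomp_data, field)

/* Install the blacklist in the calling process. Returns 0 or -errno. */
int install_ptrace_blacklist(void)
{
    struct sock_filter filter[] = {
        /* if (arch != SECCOMP_ARCH) kill the process */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_OFF(arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* if (nr == __NR_ptrace) fail the call with EPERM */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_OFF(nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ptrace, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* everything else is allowed: this is a blacklist, not a whitelist */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = sizeof(filter) / sizeof(filter[0]),
        .filter = filter,
    };

    /* An unprivileged process may only install a filter after no_new_privs.
     * All five prctl arguments must be given, the trailing ones as 0. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0) != 0)
        return -errno;
    return 0;
}

/* Fork a child, install the filter there, and attempt PTRACE_TRACEME.
 * Returns the errno the child observed (EPERM when the filter works), 0 if
 * ptrace unexpectedly succeeded, or a negative value on setup failure. */
int probe_ptrace_in_child(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -errno;
    if (pid == 0) {
        if (install_ptrace_blacklist() != 0)
            _exit(200);
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == 0)
            _exit(0);
        _exit(errno & 0xff);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -errno;
    if (!WIFEXITED(status))
        return -ECHILD;
    int code = WEXITSTATUS(status);
    return code == 200 ? -ENOSYS : code;
}

int main(void)
{
    int r = probe_ptrace_in_child();
    printf("ptrace under filter: %s\n", r == EPERM ? "EPERM (blocked)" : "not blocked");
    return r == EPERM ? 0 : 1;
}
```

SECCOMP_RET_ERRNO rather than SECCOMP_RET_KILL for the blacklisted call keeps the sandboxed build usable: a tool that probes for ptrace sees a normal failure instead of dying. Because seccomp filters are inherited across fork and execve and cannot be removed, the probe runs in a child so the installing process stays unfiltered.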
* Import S390/CRIS raw_clone syscall ordering fix | Colin Walters | 2015-08-25 | 1 | -1/+13
    I took this from xdg-app.
* Drop use of SECBIT_NOROOT, hard require PR_SET_NO_NEW_PRIVS | Colin Walters | 2015-08-25 | 2 | -18/+7
    So sadly, I screwed up the invocation of `prctl(PR_SET_NO_NEW_PRIVS` - we need to provide 0 for the remaining arguments, otherwise the kernel will *always* give us `-EINVAL`. I didn't notice this at the time because I wanted to support the RHEL6 kernel.

    Anyways, I no longer care about RHEL6 myself, and I'm going to declare no one else should either =)
* TODO: Want seccomp | Colin Walters | 2015-08-18 | 1 | -0/+1
* README: Various updates | Colin Walters | 2015-06-05 | 1 | -13/+35
    - Note to use ostree-list for submissions
    - Link to Codethink's sandbox lib https://mail.gnome.org/archives/ostree-list/2015-June/msg00002.html
    - Talk more about how other build systems' root setups work and why l-u-c is unique, etc.
* Bump up bind mount limit to 1024 [baserock/larswirzenius/update-to-master] | Colin Walters | 2013-09-24 | 1 | -1/+11
    The Baserock people were hitting up against the limit of 50, which as the newly added comment says isn't really effective against DoS anyways, so let's just bump it up significantly.

    Tested-by: Lars Wirzenius <lars.wirzenius@codethink.co.uk>
* Release 2013.1 [v2013.1] | Colin Walters | 2013-02-24 | 1 | -1/+1
* [SECURITY] Use fsuid to lookup bind mount paths and chroot target | Colin Walters | 2013-02-24 | 1 | -3/+28
    Otherwise, the user can access otherwise inaccessible directories like this:

        $ linux-user-chroot --mount-bind /root/.virsh ~/mnt / /bin/sh

    Also, we should check the accessibility of the chroot target; this is much harder to exploit because you'd need an executable inside the chroot that can be run.

    Reported-by: Marc Deslauriers <marc.deslauriers@canonical.com>
    Reported-by: Ryan Lortie <desrt@desrt.ca>
    Reviewed-by: Marc Deslauriers <marc.deslauriers@canonical.com>
    Signed-off-by: Colin Walters <walters@verbum.org>
* [SECURITY] Invoke chdir() after we've switched uid, not before | Colin Walters | 2013-02-24 | 1 | -3/+3
    Otherwise, the user can access otherwise inaccessible directories like:

        $ linux-user-chroot --chdir /root/.virsh / /bin/sh

    Reported-by: Ryan Lortie <desrt@desrt.ca>
    Reported-by: Marc Deslauriers <marc.deslauriers@canonical.com>
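An added example (not linux-user-chroot's code) for the two [SECURITY] commits above. Both bugs have the same shape: a setuid-root helper resolved a caller-supplied path while still running as root, so the permission checks on the path walk were root's, and the caller could bind-mount or chdir into a directory they cannot read. The first function does the open(2) of a bind-mount source or chroot target with the filesystem uid switched to the caller via setfsuid(2), which changes only the uid used for permission checks and leaves the rest of the process alone; the second drops all three uids before chdir(2). The function names, the O_DIRECTORY open and the setfsuid(-1) read-back are this example's own choices; Linux only.

```c
/* Added example (not linux-user-chroot code): resolve caller-supplied paths
 * with the caller's permissions while the helper still holds euid 0. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/fsuid.h>
#include <unistd.h>

/* Open `path` as a directory with permission checks done as `uid` rather
 * than as the effective uid. Returns an fd, or -1 with errno set. The fd
 * can later be used via /proc/self/fd/N as a mount source or chroot target,
 * which also closes the window between this check and the later mount(2). */
int open_dir_as_user(uid_t uid, const char *path)
{
    uid_t saved = (uid_t)setfsuid(uid);
    /* setfsuid() only reports the previous value; confirm the switch took
     * (an unprivileged caller may select nothing but its own uid). */
    if ((uid_t)setfsuid((uid_t)-1) != uid) {
        setfsuid(saved);
        errno = EPERM;
        return -1;
    }
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    int saved_errno = errno;
    setfsuid(saved);             /* restore root's fsuid before anything else */
    errno = saved_errno;
    return fd;
}

/* Convenience wrapper: 1 if `uid` may open `path` as a directory, else 0
 * with errno left as open(2) set it. */
int dir_accessible_as_user(uid_t uid, const char *path)
{
    int fd = open_dir_as_user(uid, path);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* The second commit: switch uid first, then chdir(), so the directory walk
 * is done with the caller's permissions. Drops real, effective and saved
 * ids (gid before uid, while CAP_SETGID is still available), so the process
 * cannot regain root afterwards. Returns 0 or -errno. */
int drop_privs_then_chdir(const char *dir)
{
    uid_t caller = getuid();
    gid_t caller_gid = getgid();
    if (setresgid(caller_gid, caller_gid, caller_gid) != 0)
        return -errno;
    if (setresuid(caller, caller, caller) != 0)
        return -errno;
    if (chdir(dir) != 0)
        return -errno;
    return 0;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/";
    if (dir_accessible_as_user(getuid(), path))
        printf("uid %u may use %s\n", (unsigned)getuid(), path);
    else
        perror(path);
    return drop_privs_then_chdir(path) == 0 ? 0 : 1;
}
```

In a setuid-root helper the real gid and supplementary groups are still the caller's (execve of a setuid binary changes only the effective uid), so switching the fsuid is enough for the check to use the caller's full identity. Run unprivileged, setfsuid(getuid()) is a no-op and the example behaves like a plain open, which is what the read-back check is for.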
* build: use AC_SYS_LARGEFILE | Colin Walters | 2013-02-24 | 1 | -0/+2
    So we will do the right thing on 32 bit.
* Only MS_MOVE the root to / if the root isn't already / | Colin Walters | 2013-01-10 | 1 | -4/+8
    Otherwise the MS_MOVE call aborts.
* Use MS_MOVE of / rather than chroot() | Colin Walters | 2012-12-30 | 1 | -3/+12
    chroot() breaks some tools that expect / to be an actual mount point. Doing namespace manipulation is cleaner than chroot().

    See http://lists.freedesktop.org/archives/systemd-devel/2012-September/006703.html "[systemd-devel] OSTree mount integration"
* Release 2012.2 [v2012.2] | Colin Walters | 2012-08-10 | 1 | -1/+1
* Exit immediately if clone() fails | Colin Walters | 2012-08-10 | 1 | -1/+1
    This happens when run recursively.
* Make use of PR_SET_NO_NEW_PRIVS if available | Colin Walters | 2012-08-10 | 1 | -10/+20
    This flag is exactly what we want for this tool (it's what I thought SECBIT_NOROOT did).

    See the linked discussion from here: http://lwn.net/Articles/504879/
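An added example (not the project's code) serving this commit and the "Drop use of SECBIT_NOROOT, hard require PR_SET_NO_NEW_PRIVS" commit above. It shows the prctl(2) call with all five arguments, reproduces the EINVAL the kernel returns when the trailing arguments are not zero, and reads the flag back with PR_GET_NO_NEW_PRIVS. The kernel rejects the request unless arg2 is 1 and arg3, arg4 and arg5 are all 0; the original bug left those arguments unspecified to a variadic call, so whatever was in the registers decided whether it failed. The example passes an explicit nonzero third argument instead, so the failure is deterministic. The fork is this example's own choice, because no_new_privs cannot be cleared once set; Linux 3.5 or newer.

```c
/* Added example (not linux-user-chroot code): PR_SET_NO_NEW_PRIVS, done
 * right, done wrong, and read back. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Correct invocation: arg2 == 1, the three remaining arguments 0.
 * Returns 0 or -errno. */
int set_no_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    return 0;
}

/* The bug the commit describes, made deterministic: a nonzero trailing
 * argument is always rejected. Returns the errno seen (EINVAL), or 0 if the
 * kernel unexpectedly accepted the call. */
int bad_no_new_privs_errno(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 1, 0, 0) == 0)
        return 0;
    return errno;
}

/* Read the flag back: 1 if set, 0 if not, -errno on failure. */
int no_new_privs_is_set(void)
{
    int r = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
    return r < 0 ? -errno : r;
}

/* The flag is irreversible and inherited across fork and execve, so set it
 * in a child and report what PR_GET_NO_NEW_PRIVS saw there: 1 on success,
 * 2 if the set failed, 3 if it "succeeded" but did not read back as set. */
int set_and_check_in_child(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -errno;
    if (pid == 0) {
        if (set_no_new_privs() != 0)
            _exit(2);
        _exit(no_new_privs_is_set() == 1 ? 1 : 3);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("wrong call: errno %d (EINVAL is %d)\n", bad_no_new_privs_errno(), EINVAL);
    printf("correct call in child: %s\n",
           set_and_check_in_child() == 1 ? "flag set" : "failed");
    return 0;
}
```

Once the flag is set, execve ignores setuid/setgid bits and file capabilities for this process and its descendants, which is the property the commit wants from the tool. A harness that already runs with no_new_privs (many container runtimes set it) still gets the same results: setting it again succeeds and the wrong call is still EINVAL.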
* Release 2012.1 [v2012.1] | Colin Walters | 2012-04-24 | 3 | -1/+10
* Add --help and --version arguments | Colin Walters | 2012-04-24 | 1 | -1/+13
* README: Improve | Colin Walters | 2012-04-24 | 1 | -10/+33
* Add manual page | Lars Wirzenius | 2012-04-24 | 6 | -38/+113
    Commit message and build rules written by Colin Walters <walters@verbum.org>.

    Reviewed-by: Colin Walters <walters@verbum.org>
* autogen: remove dependency on which | Richard Maw | 2012-04-18 | 1 | -3/+2
    Signed-off-by: Colin Walters <walters@verbum.org>
* Release v3 [v3] | Colin Walters | 2012-03-13 | 1 | -1/+1
* newnet: Improve docs some more | Colin Walters | 2012-03-13 | 2 | -1/+14
    Suggested by Owen Taylor <otaylor@redhat.com>
* newnet: Use correct argv for child | Colin Walters | 2012-03-13 | 1 | -1/+1
* docs: Add README.newnet, tweak README a bit | Colin Walters | 2012-03-13 | 3 | -1/+39
* linux-user-chroot-newnet: New optional helper program | Colin Walters | 2012-03-13 | 3 | -0/+142
    Some versions of the Linux kernel require large (order 4) contiguous allocations per network namespace. This optional helper program is a workaround for that; one can create the empty network namespace just once.
* Release 2 [v2] | Colin Walters | 2012-02-20 | 1 | -1/+1
* build: Allow being built if linux/securebits.h isn't available | Colin Walters | 2012-02-20 | 2 | -1/+10
    For some reason the RHEL6 kernel-headers package doesn't have it. Let's just follow for now the cargo culting of "define the defines ourselves if not available" that various kernel-tied utilities have because various buildsystems are too shitty to make it easy to install newer kernel headers even if you're running an old kernel.
* Version 1 [v1] | Colin Walters | 2012-02-20 | 1 | -1/+1
* README: New file | Colin Walters | 2012-02-20 | 1 | -0/+69
* Allow being run as root | Colin Walters | 2012-01-22 | 1 | -2/+0
    It was just an extra check to be sure we would be switching back to the right uid, but there's no reason not to allow executing this program as root.
* Search $PATH when executing | Colin Walters | 2012-01-18 | 1 | -1/+1
    Just more convenient, and there's no reason not to.
* Add a --chdir argument | Colin Walters | 2012-01-18 | 1 | -2/+11
    This is convenient for when we just want e.g. --unshare-net.
* Remove duplicate docbook rules | Colin Walters | 2012-01-16 | 1 | -40/+2
* Split this binary out from ostree | Colin Walters | 2012-01-06 | 10 | -0/+949