Package: bubblewrap
Version: 0.1.8-2
Severity: normal

Dear Maintainer,

I noticed that bubblewrap refuses to create a new user namespace when
the procfs is mounted (outside the container) with hidepid≥1.

    $ sudo mount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=0 /proc
    $ bwrap --ro-bind / / --unshare-user true; echo $?
    0
    $ sudo mount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=1 /proc
    $ bwrap --ro-bind / / --unshare-user true; echo $?
    setting up uid map: Operation not permitted
    1

It doesn't help to also create a new PID namespace:

    $ bwrap --ro-bind / / --unshare-user --unshare-pid --proc /proc true; echo $?
    setting up uid map: Operation not permitted
    1

Not sure if that's the intended behavior or not.  (In any case, it's not
documented.)  But when a new PID namespace is also created and /proc is
remounted, couldn't bwrap set hidepid=0 in the container?

Moreover, although the children do terminate, the bwrap processes do not
(and sending SIGTERM is not enough to terminate them):

    $ sudo ps -eo pid,args | grep bwrap
    13475 bwrap --ro-bind / / --unshare-user true
    13489 bwrap --ro-bind / / --unshare-user --unshare-pid --proc /proc true

And the leftover container's effective and saved set UIDs are still 0:

    $ sudo egrep '^([UG]id|Groups):' /proc/13475/status
    Uid:        1000    0       0       1000
    Gid:        1000    1000    1000    1000
    Groups:     20 24 25 27 29 30 44 46 108 118 119 128 1000 

Thanks for maintaining bubblewrap in Debian!
-- 
Guilhem.
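As an added example (not part of the bug report or of bubblewrap itself), a pre-flight check that reads the hidepid option of the /proc mount from /proc/mounts-formatted lines and refuses to launch bwrap --unshare-user while hidepid is non-zero, which is the condition under which the report shows the uid map setup failing. The function names, the mapping of the textual hidepid values accepted by newer kernels (off, noaccess, invisible, ptraceable) to their numeric levels, and the sample mount-table lines are all assumptions constructed for this example; the sample lines mirror the two remount states in the report.

```shell
#!/bin/sh
# Added example, not bubblewrap's own code: parse the hidepid level of the
# /proc mount from /proc/mounts-style input and gate bwrap --unshare-user on it.

# proc_hidepid: read /proc/mounts-formatted lines from stdin and print the
# numeric hidepid level of the mount at /proc (0 when the option is absent,
# since the kernel only lists hidepid when it is non-zero).
# Assumed mapping for the named values of newer kernels:
#   off=0, noaccess=1, invisible=2, ptraceable=4; anything else is -1.
# Prints -1 and returns 1 when no procfs is mounted at /proc.
proc_hidepid() {
    awk '
        $2 == "/proc" && $3 == "proc" {
            level = 0
            n = split($4, opts, ",")          # field 4: mount options
            for (i = 1; i <= n; i++) {
                if (opts[i] ~ /^hidepid=/) {
                    v = substr(opts[i], 9)    # strip the 8-char "hidepid=" prefix
                    if (v == "off") v = 0
                    else if (v == "noaccess") v = 1
                    else if (v == "invisible") v = 2
                    else if (v == "ptraceable") v = 4
                    else if (v !~ /^[0-9]+$/) v = -1   # unknown value: fail closed
                    level = v + 0
                }
            }
            print level
            found = 1
            exit
        }
        END { if (!found) { print -1; exit 1 } }
    '
}

# bwrap_userns_ok: succeed (exit 0) only when the /proc mount described on
# stdin has hidepid=0, i.e. the state in which the report shows
# "bwrap --unshare-user" working; fail otherwise, including when /proc is
# missing or carries an unrecognised hidepid value.
bwrap_userns_ok() {
    level=$(proc_hidepid) || return 1
    [ "$level" -eq 0 ]
}

# Constructed /proc/mounts lines (not captured from a real system) matching
# the hidepid=0 and hidepid=1 remounts in the report, plus a newer-style value.
SAMPLE_HIDEPID0='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_HIDEPID1='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=1 0 0'
SAMPLE_INVISIBLE='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=invisible 0 0'

# Live use (hypothetical wrapper, shown as a comment so the file runs offline):
#   if bwrap_userns_ok </proc/mounts; then
#       bwrap --ro-bind / / --unshare-user true
#   else
#       echo "refusing: /proc is mounted with hidepid>0" >&2
#   fi
```

The guard deliberately fails closed: an unrecognised hidepid value or a missing /proc mount both make bwrap_userns_ok return non-zero rather than assume the sandbox will start.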
