Package: bubblewrap Version: 0.1.8-2 Severity: normal Dear Maintainer,
I noticed that bubblewrap refuses to create a new user namespace when
the procfs is mounted (outside the container) with hidepidā„1.
$ sudo mount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=0 /proc
$ bwrap --ro-bind / / --unshare-user true; echo $?
0
$ sudo mount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=1 /proc
$ bwrap --ro-bind / / --unshare-user true; echo $?
setting up uid map: Operation not permitted
1
It doesn't help to also create a new PID namespace:
$ bwrap --ro-bind / / --unshare-user --unshare-pid --proc /proc true; echo
$?
setting up uid map: Operation not permitted
1
Not sure if that's the intended behavior or not. (In any case, it's not
documented.) But when a new PID namespace is also created and /proc is
remounted, couldn't bwrap set hidepid=0 in the container?
Moreover, although the children do terminate, the bwrap processes do not
(and sending SIGTERM is not enough to terminate them):
$ sudo ps -eo pid,args | grep bwrap
13475 bwrap --ro-bind / / --unshare-user true
13489 bwrap --ro-bind / / --unshare-user --unshare-pid --proc /proc true
And the leftover container's effective and saved set UIds are still 0:
$ sudo egrep '^([UG]id|Groups):' /proc/13475/status
Uid: 1000 0 0 1000
Gid: 1000 1000 1000 1000
Groups: 20 24 25 27 29 30 44 46 108 118 119 128 1000
Thanks for maintaining bubblewrap in Debian!
--
Guilhem.
signature.asc
Description: PGP signature
