Closed leeming closed 8 years ago
Also the linux-user-chroot backend probably should be removed, but that could come in another commit.
Has this been tested with ybd?
I can no longer import the module with Python 2:
[tiagogomes@tiagogomes-thinkpad artifacts]$ python -c 'import sandboxlib'
Traceback (most recent call last):
File "
Another thing, please update the docs to mention the new backend.
I haven't tried this yet, but I would like executor_for_platform() to be updated to use bubblewrap if the binary is found.
Done
Also the linux-user-chroot backend probably should be removed, but that could come in another commit.
I disagree. linux-user-chroot is still a viable option to use, especially when bwrap is not available on the system
Has this been tested with ybd?
Yes. Currently it builds using root. However, non-root has issues that I have not resolved yet, see http://paste.baserock.org/ohacekujej.
Please add a space before and after the equal sign to make the code pep8 friendly
Done
Another thing, please update the docs to mention the new backend.
Done
I can no longer import the module with Python 2 [...]
I am unsure about this. I am investigating, WIP
@tacgomes : Do you still have issues when running the following with the latest commit? -
python -c 'import sandboxlib'
I know python versions can be a pain, but "works for me" with 3.4.2 + 2.7.9. Tested outside of the code directory, in case of unstaged files tampering with results
[17:33] ~ $ python3 -c 'import sandboxlib'
[17:33] ~ $ python2 -c 'import sandboxlib'
[17:33] ~ $ python -c 'import sandboxlib'
[17:34] ~ $ python3 --version
Python 3.4.2
[17:34] ~ $ python2 --version
Python 2.7.9
[17:34] ~ $ python --version
Python 2.7.9
"I disagree. linux-user-chroot is still a viable option to use, especially when bwrap is not available on the system"
And I doubly disagree :) bubblewrap is not an alternative to linux-user-chroot. bubblewrap is a replacement for linux-user-chroot [1].
Once bubblewrap is packaged in a stable version of Debian, there is no reason to continue to support it in sandboxlib.
[1] https://git.gnome.org/browse/linux-user-chroot/commit/?id=836ed2249f6ef8a6d0adadf389d3f7951c370363
On Mon, Oct 17, 2016 at 09:03:00AM -0700, Andrew Leeming wrote:
Has this been tested with ybd?
Yes. Currently it builds using root. However, non-root has issues that I have not resolved yet, see http://paste.baserock.org/ohacekujej.
That's peculiar.
Since we're already pseudo-root we should be able to do a no-op chown.
I wonder if it's adding a syscall filter to block chown unnecessarily.
On Mon, Oct 17, 2016 at 09:03:00AM -0700, Andrew Leeming wrote:
Has this been tested with ybd?
Yes. Currently it builds using root. However, non-root has issues that I have not resolved yet, see http://paste.baserock.org/ohacekujej.
That's peculiar.
Since we're already pseudo-root we should be able to do a no-op chown.
I wonder if it's adding a syscall filter to block chown unnecessarily.
I believe @leeming is missing adding --unshare-user --gid 0 --uid 0
to the bwrap command line.
--unshare-user --gid 0 --uid 0
was added, as well as some small tweaks and typo correction. Awaiting final say now
Adds in support for the bubblewrap sandbox. Comes with a logger that logs both to stdout (WARN or higher) and to a log file (everything)
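
An added sketch, not sandboxlib's own code, of the two points raised in this thread: preferring bubblewrap when its binary is found, and passing --unshare-user --uid 0 --gid 0 when the caller is not root. The function names, the fallback order, the mount layout and the sample paths are assumptions made for illustration.

```python
import os
import shutil  # shutil.which needs Python 3.3+


def pick_backend(which=shutil.which):
    """Return the preferred backend name; `which` is injectable for tests."""
    # Assumed preference order: bubblewrap, then linux-user-chroot, then chroot.
    for name, binary in (("bubblewrap", "bwrap"),
                         ("linux-user-chroot", "linux-user-chroot")):
        if which(binary):
            return name
    return "chroot"


def bwrap_argv(rootfs, command, cwd="/", writable=(), network=False,
               is_root=False):
    """Build a bwrap command line that runs `command` inside `rootfs`."""
    if not command or command[0].startswith("-"):
        # bwrap would parse a leading "-" as one of its own options.
        raise ValueError("command must start with a program name")
    argv = ["bwrap"]
    if not is_root:
        # Non-root caller: new user namespace, caller mapped to uid/gid 0
        # (the flags suggested in the thread for the non-root build).
        argv += ["--unshare-user", "--uid", "0", "--gid", "0"]
    if not network:
        argv.append("--unshare-net")  # no network unless asked for
    argv += ["--ro-bind", rootfs, "/"]  # read-only root by default
    for path in writable:
        # Later binds layer on top of the read-only root.
        argv += ["--bind", os.path.join(rootfs, path.lstrip("/")), path]
    argv += ["--dev", "/dev", "--proc", "/proc", "--chdir", cwd]
    return argv + list(command)


if __name__ == "__main__":
    # Constructed sample values, not taken from the pull request.
    print(pick_backend())
    print(" ".join(bwrap_argv("/srv/rootfs", ["make", "-j4"],
                              cwd="/build", writable=["/build"])))
```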