containers / bubblewrap

Low-level unprivileged sandboxing tool used by Flatpak and similar projects

--unshare-user doesn't work when procfs mounted with hidepid=1 #198

Open smcv opened 7 years ago

smcv commented 7 years ago

I've received this bug report in Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867847. The rest of this issue report is quoting Guilhem Moulin.
I noticed that bubblewrap refuses to create a new user namespace when the procfs is mounted (outside the container) with hidepid≥1.

$ sudo mount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=0 /proc
$ bwrap --ro-bind / / --unshare-user true; echo $?
0
$ sudo mount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=1 /proc
$ bwrap --ro-bind / / --unshare-user true; echo $?
setting up uid map: Operation not permitted
1

It doesn't help to also create a new PID namespace:

$ bwrap --ro-bind / / --unshare-user --unshare-pid --proc /proc true; echo $?
setting up uid map: Operation not permitted
1

Not sure if that's the intended behavior or not. (In any case, it's not documented.) But when a new PID namespace is also created and /proc is remounted, couldn't bwrap set hidepid=0 in the container?

Moreover, although the children do terminate, the bwrap processes do not (and sending SIGTERM is not enough to terminate them):

$ sudo ps -eo pid,args | grep bwrap
13475 bwrap --ro-bind / / --unshare-user true
13489 bwrap --ro-bind / / --unshare-user --unshare-pid --proc /proc true

And the leftover container's effective and saved set UIDs are still 0:

$ sudo egrep '^([UG]id|Groups):' /proc/13475/status
Uid:    1000    0   0   1000
Gid:    1000    1000    1000    1000
Groups: 20 24 25 27 29 30 44 46 108 118 119 128 1000

demfloro commented 6 years ago

With just hidepid=2 the error becomes: setting up uid map: No such file or directory

so it happens due to the disappeared PID directory; there is a workaround: use the gid= mount option to allow members of the group to see all processes, i.e. with the hidepid=2,gid=1000 mount options, members of group 1000 can use bwrap --unshare-user

madaidan commented 5 years ago

Maybe it would be a good idea to make the --unshare-user-try flag check if hidepid=1 or hidepid=2 is in use as a workaround for this, so things that use user namespaces won't break if the user is using hidepid.
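
The pre-flight check suggested above, combined with the gid= exemption demfloro describes, as an added stand-alone example (this is not bubblewrap's code and not part of the thread). It parses /proc/mounts-style lines for the proc mount on /proc, extracts its hidepid= and gid= options, and reports whether the caller falls outside the gid= exemption and should therefore expect --unshare-user to fail the way this issue shows. The sample mount lines are constructed; the symbolic hidepid spellings (off/noaccess/invisible/ptraceable) are the ones newer kernels accept per proc(5). The decision rule assumes no exemption other than the gid= group applies.

```python
import os
from dataclasses import dataclass
from typing import Iterable, Optional

# Symbolic spellings accepted by newer kernels (see proc(5)), mapped to numeric levels.
_HIDEPID_NAMES = {"off": 0, "noaccess": 1, "invisible": 2, "ptraceable": 4}


@dataclass
class ProcMountOptions:
    hidepid: int            # 0 = off, 1 = noaccess, 2 = invisible, 4 = ptraceable
    gid: Optional[int]      # group exempted from hidepid, or None if no gid= option


def parse_hidepid(value: str) -> int:
    """Accept both the numeric (hidepid=2) and symbolic (hidepid=invisible) forms."""
    if value in _HIDEPID_NAMES:
        return _HIDEPID_NAMES[value]
    return int(value)


def parse_proc_mount(mounts_text: str) -> Optional[ProcMountOptions]:
    """Find the proc filesystem mounted on /proc in /proc/mounts-style text.

    Each line is: <source> <mountpoint> <fstype> <options> <dump> <pass>.
    Returns None if no such mount is listed.
    """
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _source, mountpoint, fstype, options = fields[:4]
        if fstype != "proc" or mountpoint != "/proc":
            continue
        hidepid, gid = 0, None
        for opt in options.split(","):
            key, _, value = opt.partition("=")
            if key == "hidepid":
                hidepid = parse_hidepid(value)
            elif key == "gid":
                gid = int(value)
        return ProcMountOptions(hidepid, gid)
    return None


def unshare_user_blocked(mount: Optional[ProcMountOptions], groups: Iterable[int]) -> bool:
    """True if hidepid is on and the caller's groups do not include the gid= exemption.

    This encodes the observation in the thread: with hidepid>=1 the uid_map setup
    fails (EPERM, or ENOENT with hidepid=2), and hidepid=2,gid=<g> lets members
    of group <g> use --unshare-user again. Assumption: no other exemption applies.
    """
    if mount is None or mount.hidepid == 0:
        return False
    return mount.gid is None or mount.gid not in set(groups)


def check_live_system() -> bool:
    """Run the check against the real /proc/mounts and this process's groups (Linux only)."""
    with open("/proc/mounts") as f:
        mount = parse_proc_mount(f.read())
    return unshare_user_blocked(mount, os.getgroups())


if __name__ == "__main__":
    # Constructed sample lines, not taken from a real system.
    sample = "\n".join([
        "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0",
        "proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=1000 0 0",
    ])
    opts = parse_proc_mount(sample)
    print(opts)                                                             # hidepid=2, gid=1000
    print("blocked for group 1000:", unshare_user_blocked(opts, [1000]))   # False
    print("blocked for others:   ", unshare_user_blocked(opts, [20, 24]))  # True
```

On a real host, check_live_system() returns True when the current user would hit the error above; a wrapper that calls bwrap with --unshare-user-try could consult it to skip the user namespace instead of failing.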

jvoisin commented 5 years ago

For the record, this issue is affecting mat2.