I'm having issues getting --block-fd to work. It's not actually blocking the sandbox in any way I've tried.
Minimal example:
bwrap --ro-bind / / --block-fd 9999 /usr/bin/sh # fd 9999 does not exist
The expectation is that the sandbox blocks, but it does not.
I do not really know C but I think the issue is in the TEMP_FAILURE_RETRY macro.
It seems to only loop when the given expression (read in this case) exits with EINTR, which seems inappropriate here.
https://github.com/containers/bubblewrap/blob/8e51677abd7e3338e4952370bf7d902e37d8cbb6/bubblewrap.c#L47-L54
https://github.com/containers/bubblewrap/blob/8e51677abd7e3338e4952370bf7d902e37d8cbb6/bubblewrap.c#L3261-L3266
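An added C example, not bubblewrap's own code, that reproduces the retry behaviour described in the report in isolation. It assumes what the linked lines suggest: a single one-byte read on the block fd, wrapped in a macro that retries only on EINTR. With a descriptor that does not exist the read fails with EBADF, which is not EINTR, so the wrapper returns at once and nothing blocks. The second variant checks the read result and fails instead of silently continuing; the function names, the `invalid_fd` helper and the "EOF also unblocks" assumption are mine, not the project's.

```c
/* Added example, not bubblewrap's own code. It reproduces the reported
 * behaviour in isolation: a TEMP_FAILURE_RETRY-style wrapper retries read()
 * only on EINTR, so read() on a closed fd returns -1/EBADF immediately and
 * the "block" is skipped. A checked variant reports that instead. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Same retry rule as glibc's TEMP_FAILURE_RETRY, written as a function so it
 * compiles without GNU statement expressions: repeat only while errno==EINTR. */
static ssize_t read_retry_eintr(int fd, void *buf, size_t n) {
  ssize_t r;
  do {
    r = read(fd, buf, n);
  } while (r == -1 && errno == EINTR);
  return r;
}

/* Mirrors the pattern from the report: a one-byte read wrapped in the retry
 * logic, result ignored. Returns the errno observed (0 = data or EOF) so a
 * caller can see that EBADF falls straight through without blocking. */
int block_on_fd_naive(int fd) {
  char b[1];
  errno = 0;
  ssize_t r = read_retry_eintr(fd, b, sizeof b);
  return r < 0 ? errno : 0;
}

/* Defensive variant (assumption: data or EOF are the only "unblocked"
 * outcomes). Any other failure, EBADF included, returns -1 so the caller can
 * refuse to start the sandbox rather than run it unguarded. */
int block_on_fd_checked(int fd) {
  char b[1];
  ssize_t r = read_retry_eintr(fd, b, sizeof b);
  if (r < 0) {
    fprintf(stderr, "block-fd %d: read failed: %s\n", fd, strerror(errno));
    return -1;
  }
  return 0; /* r == 1: a byte arrived; r == 0: the writer closed its end */
}

/* Returns a descriptor number that is closed in this process (hypothetical
 * helper; falls back to the report's fd 9999 if dup() is unavailable). */
int invalid_fd(void) {
  int fd = dup(0);
  if (fd >= 0) close(fd);
  return fd < 0 ? 9999 : fd;
}

int demo_invalid_naive(void)   { return block_on_fd_naive(invalid_fd()); }
int demo_invalid_checked(void) { return block_on_fd_checked(invalid_fd()); }

/* Constructed input: a pipe with one byte written, so the read returns 1. */
int demo_pipe_with_data(void) {
  int p[2];
  if (pipe(p) != 0) return -2;
  if (write(p[1], "x", 1) != 1) return -2;
  int rc = block_on_fd_checked(p[0]);
  close(p[0]);
  close(p[1]);
  return rc;
}

/* Constructed input: the writer closes without writing, so read returns 0. */
int demo_pipe_eof(void) {
  int p[2];
  if (pipe(p) != 0) return -2;
  close(p[1]);
  int rc = block_on_fd_checked(p[0]);
  close(p[0]);
  return rc;
}

int main(void) {
  int e = demo_invalid_naive();
  printf("invalid fd, naive:   returned immediately, errno=%d (%s)\n", e, strerror(e));
  printf("invalid fd, checked: rc=%d (caller can abort)\n", demo_invalid_checked());
  printf("pipe with data:      rc=%d\n", demo_pipe_with_data());
  printf("pipe at EOF:         rc=%d\n", demo_pipe_eof());
  return 0;
}
```

Run it with `cc -Wall block_fd_demo.c -o block_fd_demo && ./block_fd_demo`: the naive path reports EBADF and continues, which matches the behaviour in the report; the checked path returns -1 for the bad descriptor and 0 only once a byte arrives or the writer hangs up.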