-
Notifications
You must be signed in to change notification settings - Fork 230
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Errors when --bind used with a symlinked path #195
Comments
version: 0.1.7, EL7, setuid. |
This works if the symlink is relative, presumably because the mount is happening outside of the same namespace. |
Yeah, we are resolving the path in the new namespace where / is the in-between root. |
We've adjusted how we call bubblewrap to realpath() all paths we pass to it beforehand, in case this is deemed intractable to fix. |
I believe that I've run into this while troubleshooting a WebKitGTK bug on GNU Guix. In this case the application is generating an That said, I'm not sure what the right solution is. Should this be solved in the calling application or in Bubblewrap? If the former, what fix do you recommend? |
I think the solution is probably for the calling application to canonicalize the paths. Unlike bubblewrap, the calling application is (presumably) not setuid and does not need to be careful to avoid accidentally revealing information that should not have been available to the caller. |
Flatpak also canonicalizes all paths it passes to bwrap |
Certainly seems like the path of least-resistance. But if so, then we should close this issue, because open issue indicates intent to fix in bubblewrap IMO. ;) |
Thanks, canonicalizing paths before passwing them to Bubblewrap sounds like a good path forward. In general, I agree that it seems like this issue can be closed if there is not a fix to be made in Bubblewrap. However, I wonder if improvements could be made. For example, the documentation could be updated indicating that paths should be canonicalized or the error reporting could be improved to warn against the use of symbolic links. The latter would definitely help those troubleshooting this type of problem. |
When the target of --bind is a symlink, bubblewrap fails.
[root@localhost ~]# mkdir /usr/local/foo
[root@localhost ~]# ln -sf /usr/local/foo /usr/local/cow
[root@localhost ~]# mkdir /tmp/bar
[root@localhost ~]# bwrap --dev-bind / / --bind /tmp/bar /usr/local/cow bash
Can't bind mount /oldroot/tmp/bar on /newroot/usr/local/cow: No such file or directory
The text was updated successfully, but these errors were encountered: