forked from containers/bubblewrap
Add --overlay and --ro-overlay command line options
These enable bubblewrap to create overlay mounts. This will be useful for an ostree-based build system we use where overlayfs ensures that none of the ostree hard-linked files I check out get modified. Currently we use a maze of bash/unshare/mount/sudo/chroot where bubblewrap will be much nicer.

This commit contains a bit of string manipulation, which isn't particularly fun to write in C. Hopefully I got it right.

I've had to add some additional capabilities because otherwise overlayfs has some difficulty writing to directories that exist in the lower filesystem but are not yet in the upper. It's got something to do with the `work` directory that overlayfs uses. overlayfs will create a `work` directory with 0 permissions. Ordinarily root would be able to write to this directory because permissions checks don't apply to it, but that requires these additional capabilities:

* `CAP_DAC_OVERRIDE`
  * Bypass file read, write, and execute permission checks. ...
* `CAP_DAC_READ_SEARCH`
  * Bypass file read permission checks and directory read and execute permission checks;
* `CAP_FOWNER`
  * Bypass permission checks on operations that normally require the filesystem UID of the process to match the UID of the file ...

(see `man 7 capabilities`)

No tests are written to exercise this new feature.
Showing 3 changed files with 198 additions and 1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -25,6 +25,8 @@ _bwrap() { | |
--args | ||
--bind | ||
--bind-data | ||
--overlay | ||
--ro-overlay | ||
--block-fd | ||
--chdir | ||
--dev | ||
|
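Review bot: `--overlay` and `--ro-overlay` are inserted between `--bind-data` and `--block-fd` in the `_bwrap()` option list, which breaks the alphabetical order the surrounding entries follow (`--args`, `--bind`, `--bind-data`, `--block-fd`, `--chdir`, `--dev`). Move each to its sorted position further down the list so the completion entries stay easy to scan and later additions do not collide at this spot.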