
Problems re-entering all bwrap namespaces

Open Sacred-Salamander opened this issue 2 years ago • 2 comments

I want to use a FUSE mount inside a bubblewrap namespace and for that to be seen by any other process I launch in that namespace.

Launching a shell as an example

bwrap --unshare-user --unshare-pid --dev-bind / / --proc /proc --tmpfs /run --tmpfs /tmp --cap-add CAP_SYS_ADMIN /bin/bash

--cap-add CAP_SYS_ADMIN in the example allows me to use mount to mount a FUSE fs

Trying a simple bind using bindfs

mkdir a b
bindfs --no-allow-other a b

mount shows:

/home/user/a on /home/user/b type fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,default_permissions)

Is it possible to re-enter the same user, pid and mount namespace? Effectively, launching a second shell exactly as the first one that was launched by the example.

Now here it seems that bubblewrap itself has no way of getting into the same mount namespace, which is of importance here: I want both shells to always have the same view of the filesystem. It can enter the userns and the pidns with --userns FD and --pidns FD. Would it be possible to have a --mountns FD option also?

So I've tried to bind it like this instead

bwrap --userns 11 --pidns 12 --dev-bind /proc/67855/root/ / --cap-add CAP_SYS_ADMIN /bin/bash 11</proc/67855/ns/user 12</proc/67855/ns/pid

but this does not work as I intended, as it seems like it only bound / at /

Sacred-Salamander avatar Dec 11 '22 19:12 Sacred-Salamander

nsenter -m -U --preserve-credentials -t <PID OF BWRAP> /bin/bash

rusty-snake avatar Dec 11 '22 19:12 rusty-snake

Thanks, the only problem with this is that I can not create any FUSE mounts from within the second terminal.

I didn't want to mention nsenter as I already know this problem, and I will file another issue at util-linux/util-linux asking for this. I think it is that I have no way of specifying CAP_SYS_ADMIN for the other process when using nsenter.

Is it possible to make bubblewrap do this by itself? What would be needed to make such functionality?

Sacred-Salamander avatar Dec 11 '22 20:12 Sacred-Salamander

With nsenter >= 2.40 it is now possible to enter namespaces with inherited capabilities using the option --keep-caps

I'm closing this issue, but it could be something bubblewrap could add in the future together with joining mount namespaces

Sacred-Salamander avatar Apr 10 '24 22:04 Sacred-Salamander
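Whichever route is used to join the sandbox (the nsenter command above, with --keep-caps on util-linux 2.40+, or bwrap --userns/--pidns), the second shell should be checked for what the thread actually needs: the same user, pid and mount namespace as the bwrap process, and CAP_SYS_ADMIN still in its effective set for the FUSE mount. The script below is an added example, not code from bubblewrap or from anyone in this thread; it assumes a Linux /proc is mounted and that the target pid is visible from the calling shell's pid namespace.

```shell
#!/bin/sh
# Added example: verify that this shell really joined the bwrap sandbox.
# Namespace identity is compared via the /proc/<pid>/ns/* symlink targets;
# CAP_SYS_ADMIN is bit 21 of the CapEff mask in /proc/<pid>/status.

CAP_SYS_ADMIN=21

# ns_id PID TYPE -> prints the namespace identity, e.g. "mnt:[4026531840]"
ns_id() {
    readlink "/proc/$1/ns/$2"
}

# same_ns PID1 PID2 TYPE -> exit 0 if both pids share that namespace type
same_ns() {
    [ "$(ns_id "$1" "$3")" = "$(ns_id "$2" "$3")" ]
}

# cap_eff PID -> prints the effective capability mask as hex (no 0x prefix)
cap_eff() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# cap_in_mask HEXMASK BIT -> exit 0 if capability number BIT is set in HEXMASK
cap_in_mask() {
    [ "$(( (0x$1 >> $2) & 1 ))" -eq 1 ]
}

# check_joined TARGET_PID -> compares the calling shell with the sandbox
# process (the pid you would pass to nsenter -t) and returns non-zero on
# any namespace mismatch or if CAP_SYS_ADMIN is not effective here.
check_joined() {
    target=$1
    rc=0
    for t in user pid mnt; do
        if same_ns "$$" "$target" "$t"; then
            echo "ok: same $t namespace as pid $target"
        else
            echo "MISMATCH: $t namespace differs from pid $target"; rc=1
        fi
    done
    if cap_in_mask "$(cap_eff "$$")" "$CAP_SYS_ADMIN"; then
        echo "ok: CAP_SYS_ADMIN is effective in this shell"
    else
        echo "MISSING: CAP_SYS_ADMIN not effective; FUSE mounts will fail"; rc=1
    fi
    return $rc
}
```

Run `check_joined <PID OF BWRAP>` from inside the second shell; a mnt mismatch means the two shells will not see the same bindfs mount, and a missing CAP_SYS_ADMIN is the failure the second post describes.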