bubblewrap
[Feature] option --ignore-chown
What do you think about adding a new option to bwrap which will ignore errors when programs attempt to run chown?
I think it's common in user namespaces to pretend to be root, so programs may expect the ability to chown. However, if UID 0 is just mapped to a regular user's UID this will fail. It would be convenient if I could ignore these calls.
This could be done fairly easily with libseccomp if bwrap would respond to seccomp notifications. See the python example: https://github.com/seccomp/libseccomp/blob/master/tests/58-live-tsync_notify.py
Related: https://github.com/containers/bubblewrap/issues/210
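The comment above proposes swallowing chown calls with seccomp. As an added example (not bubblewrap's code and not the linked libseccomp script), the following installs a raw seccomp BPF filter with prctl(2) instead of using seccomp notifications: SECCOMP_RET_ERRNO with an errno value of 0 makes the kernel return 0 to the caller without executing the syscall, so chown(2), lchown(2), fchown(2) and fchownat(2) appear to succeed. It assumes a Linux x86_64 or aarch64 host; the path used in main() is constructed for the demonstration.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Only the ABI this binary was built for is handled; anything else is killed. */
#if defined(__x86_64__)
#define THIS_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "this example only covers x86_64 and aarch64"
#endif

/* If the syscall number in the accumulator equals NR, return to the caller
 * without running the syscall. SECCOMP_RET_ERRNO carries the errno in its
 * low 16 bits; with errno 0 the caller simply sees a return value of 0. */
#define IGNORE_SYSCALL(NR) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (NR), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | 0)

/* Install the filter. Returns 0 on success, -1 (errno set) on failure. */
int install_ignore_chown_filter(void)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),   /* wrong ABI: kill */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef __NR_chown
        IGNORE_SYSCALL(__NR_chown),
#endif
#ifdef __NR_lchown
        IGNORE_SYSCALL(__NR_lchown),
#endif
        IGNORE_SYSCALL(__NR_fchown),
        IGNORE_SYSCALL(__NR_fchownat),   /* glibc's chown() on aarch64 */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),  /* everything else */
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* An unprivileged process must set no_new_privs before loading a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    const char *path = "/nonexistent/constructed/example"; /* constructed */
    printf("before filter: chown -> %d\n", chown(path, 0, 0));  /* -1, ENOENT */
    if (install_ignore_chown_filter() != 0) { perror("seccomp"); return 1; }
    printf("after filter:  chown -> %d\n", chown(path, 0, 0));  /* 0 */
    return 0;
}
```

The filter is inherited across execve, so a wrapper that installs it and then execs the package manager gives the same effect as the proposed option without patching the target program.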
At the moment package managers (dnf, apk) "fail" because of a missing chown permission? Also with --cap-add ALL?
[...]
ERROR: Failed to set ownership on usr/share/ca-certificates/mozilla/.apk.98f02a02524d1283cdee634deae5dab2496d85edf5ccf349: Invalid argument
ERROR: Failed to set ownership on usr/share/ca-certificates/mozilla/.apk.39a36b9bbc471d920b05b364edf1d45019b718a6a940589a: Invalid argument
ERROR: Failed to set ownership on usr/share/ca-certificates/mozilla/.apk.255a086e5662f330f8bed26f4c05b265051a74d111210b63: Invalid argument
[...]
Any chance to get around that?
In case those errors are from GNU tar (it looks like it), you can patch the tar binary to default to --no-same-owner using the instructions here: https://github.com/sabotage-linux/sabotage/wiki/Running-a-minimal-ubuntu-rootfs-as-regular-user#addendum-making-gnu-tar-less-annoying
Problem can be partially solved by running bwrap with --setenv FAKEROOTDONTTRYCHOWN 1 and running commands in container through fakeroot program. Limitations:
- Program inside container thinks it runs as a root user. While it should perfectly work for package managers, there might be use cases where you want to appear as a non-root user and still ignore chown calls.
- You might not have ability/desire to install fakeroot inside container.