Ophestra Umiker
b99ed94386
Bubblewrap apparently requires --unshare-user even when --unshare-all is set to apply --disable-userns. This behaviour is not clearly documented. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
package bwrap
// Indices into the package-level boolArgs table and into the array
// returned by (*Config).boolArgs. boolC is the element count and must
// stay last.
const (
	// UnshareAll selects --unshare-all together with --unshare-user.
	UnshareAll = iota
	UnshareUser
	UnshareIPC
	UnsharePID
	UnshareNet
	UnshareUTS
	UnshareCGroup
	ShareNet

	// UserNS selects --disable-userns --assert-userns-disabled; it is set
	// when Config.UserNS is false (see boolArgs), i.e. the index is the
	// inverse of the config field.
	UserNS
	Clearenv

	NewSession
	DieWithParent
	AsInit

	// boolC sizes the boolArgs arrays; every index above is < boolC.
	boolC
)
// boolArgs is the table of bwrap command-line flags emitted for each
// boolean option index declared in the const block above. Indices that
// are not listed here hold a nil slice.
//
// UnshareAll carries --unshare-user next to --unshare-all: per the commit
// message, bwrap only applies --disable-userns when --unshare-user is
// passed explicitly, even with --unshare-all.
var boolArgs = [boolC][]string{
	UnshareAll:    {"--unshare-all", "--unshare-user"},
	UnshareUser:   {"--unshare-user"},
	UnshareIPC:    {"--unshare-ipc"},
	UnsharePID:    {"--unshare-pid"},
	UnshareNet:    {"--unshare-net"},
	UnshareUTS:    {"--unshare-uts"},
	UnshareCGroup: {"--unshare-cgroup"},
	ShareNet:      {"--share-net"},

	// Both flags are emitted together so that bwrap fails closed if the
	// user namespace restriction cannot be applied.
	UserNS:   {"--disable-userns", "--assert-userns-disabled"},
	Clearenv: {"--clearenv"},

	NewSession:    {"--new-session"},
	DieWithParent: {"--die-with-parent"},
	AsInit:        {"--as-pid-1"},
}
// boolArgs reports, for each boolean option index, whether the flags in
// the package-level boolArgs table should be emitted for c.
//
// With c.Unshare nil every namespace is unshared via UnshareAll and
// ShareNet follows c.Net. With an explicit c.Unshare each namespace index
// follows its own field and ShareNet is left false.
func (c *Config) boolArgs() (b [boolC]bool) {
	// Options that do not depend on namespace selection.
	// UserNS is inverted on purpose: the flags it selects disable user
	// namespaces, so they are emitted when the config does not allow them.
	b[UserNS] = !c.UserNS
	b[Clearenv] = c.Clearenv
	b[NewSession] = c.NewSession
	b[DieWithParent] = c.DieWithParent
	b[AsInit] = c.AsInit

	ns := c.Unshare
	if ns == nil {
		b[UnshareAll] = true
		b[ShareNet] = c.Net
		return b
	}

	// NOTE(review): the UnshareAll table entry pairs --unshare-user with
	// --unshare-all because --disable-userns depends on it. In this branch
	// an explicit Unshare with User false combined with UserNS false emits
	// --disable-userns without --unshare-user — confirm bwrap accepts that
	// combination rather than rejecting the command line.
	b[UnshareUser] = ns.User
	b[UnshareIPC] = ns.IPC
	b[UnsharePID] = ns.PID
	b[UnshareNet] = ns.Net
	b[UnshareUTS] = ns.UTS
	b[UnshareCGroup] = ns.CGroup
	return b
}