Drop ambient capabilities when running bwrap
Having ambient capabilties causes bwrap to error on start [1]
unless the bwrap executable also has the setuid bit set or is run as
root.
This can cause issues in openshift or podman unless ambient
capabilities are dropped [2].
[1] - bae85baf72/bubblewrap.c (L742)
[2] - https://github.com/containers/bubblewrap/issues/380
Change-Id: I15455fb400448d7672638f911d6cf045fa683a9b
This commit is contained in:
parent
5409b0e977
commit
39305393c0
|
@ -61,3 +61,6 @@ coreutils [platform:apk]
|
||||||
openafs-krb5 [platform:debian]
|
openafs-krb5 [platform:debian]
|
||||||
openafs-client [platform:debian]
|
openafs-client [platform:debian]
|
||||||
krb5-user [platform:debian]
|
krb5-user [platform:debian]
|
||||||
|
setpriv [platform:ubuntu-bionic]
|
||||||
|
util-linux [platform:apt platform:rpm platform:apk !platform:ubuntu-bionic]
|
||||||
|
|
||||||
|
|
|
@ -172,6 +172,9 @@ class BubblewrapDriver(Driver, WrapperInterface):
|
||||||
|
|
||||||
def _bwrap_command(self):
|
def _bwrap_command(self):
|
||||||
bwrap_command = [
|
bwrap_command = [
|
||||||
|
'setpriv',
|
||||||
|
'--ambient-caps',
|
||||||
|
'-all',
|
||||||
'bwrap',
|
'bwrap',
|
||||||
'--dir', '/tmp',
|
'--dir', '/tmp',
|
||||||
'--tmpfs', '/tmp',
|
'--tmpfs', '/tmp',
|
||||||
|
|
Loading…
Reference in New Issue