Package: src:bubblewrap
Version: 0.3.1-1
Severity: minor
Tags: patch

Hey,

Filing as minor because this doesn't affect the package as built in Debian.

When the package is built non-suid, not all GIDs are mapped into the new (implicitly created) user namespace. The "basic" test is testing that this does happen, so it fails:

    autopkgtest [11:52:43]: test basic: [-----------------------
    ok 1 - "bwrap --ro-bind / / /usr/bin/id" should succeed
    # Failed test at /tmp/autopkgtest.TprZKQ/build.wEi/src/debian/tests/basic line 17.
    # got: 'uid=1000(ubuntu) gid=1001(ubuntu) groups=1001(ubuntu),65534(nogroup)
    # '
    # expected: 'uid=1000(ubuntu) gid=1001(ubuntu) groups=1001(ubuntu),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),115(netdev),1000(lxd)
    # '
    not ok 2
    1..2
    # Looks like you failed 1 test of 2.
    autopkgtest [11:52:44]: test basic: -----------------------]
    basic FAIL non-zero exit status 1
    autopkgtest [11:52:44]: test basic: - - - - - - - - - - results - - - - - - - - - -

I think this test is just trying to show that bwrap "basic"ally works. To get the test passing again in Ubuntu I applied the attached commit, checking that the euid and egid survive. Maybe it's an idea to add "-n" to both calls, which would amount to a test of the {uid,gid}_map code.

Cheers,

--
Iain Lane [ i...@orangesquash.org.uk ]
Debian Developer [ la...@debian.org ]
Ubuntu Developer [ la...@ubuntu.com ]

>From 0ae7028bf4c6a3b87dd9ad0e571a026e4c57c92c Mon Sep 17 00:00:00 2001 From: Iain Lane <la...@debian.org> Date: Mon, 1 Oct 2018 09:21:01 +0100 Subject: [PATCH] basic: Don't assume `id` will be the same inside the sandbox When bwrap is installed non-suid, unsharing the user namespace happens implicitly. Not all GIDs are mapped into the sandbox, which results in any supplementary groups returning as "nogroup". As a basic test of bubblewrap's functionality, instead let's test if `id -u` and `id -g` are the same inside and outside a sandbox. --- debian/tests/basic | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/debian/tests/basic b/debian/tests/basic index fbf1b61..c8e3449 100755 --- a/debian/tests/basic +++ b/debian/tests/basic @@ -13,7 +13,9 @@ sub run_ok { } my $out; -run_ok([qw(bwrap --ro-bind / / /usr/bin/id)], '<', \undef, '>', \$out); -is($out, `id`); +run_ok([qw(bwrap --ro-bind / / /usr/bin/id -u)], '<', \undef, '>', \$out); +is($out, `id -u`); +run_ok([qw(bwrap --ro-bind / / /usr/bin/id -g)], '<', \undef, '>', \$out); +is($out, `id -g`); done_testing; -- 2.17.0
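
Review bot: nothing in debian/tests/basic asserts on supplementary groups after this change, because the two added is() checks compare only `id -u` and `id -g`, where the removed is($out, `id`) covered the whole group list. That matches the non-suid case described in the commit message, where supplementary groups come back as "nogroup", but a build where the full list is expected to survive (the report says the Debian build is unaffected) would now pass even if it started dropping groups. Consider keeping the full `id` comparison when the bwrap under test is setuid and falling back to the `-u`/`-g` pair only otherwise. The two new is() calls also carry no test name; a third argument such as 'uid preserved' and 'gid preserved' would make the TAP output say which comparison failed.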
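
The GID mapping behaviour described in the report, as an added example that is not part of the original message or of bubblewrap: it models how IDs are translated through a `gid_map` and reproduces the "got" line of the failing test. The single-entry map is constructed, assuming the sandbox maps only the caller's own GID to itself, and the overflow GID is assumed to be the kernel default of 65534.

```python
# Added example: translate group IDs through a user-namespace gid_map
# (format of /proc/<pid>/gid_map: "inside-start outside-start length").
OVERFLOW_GID = 65534  # assumed default of /proc/sys/kernel/overflowgid

# Group list taken from the "expected" line quoted in the report.
HOST_GROUPS = [1001, 4, 20, 24, 25, 27, 29, 30, 44, 46, 115, 1000]
# Constructed sample: only the caller's primary GID is mapped (assumption).
GID_MAP_NON_SUID = "      1001       1001          1\n"


def parse_id_map(text):
    """Parse uid_map/gid_map text into (inside, outside, length) extents."""
    extents = []
    for line in text.splitlines():
        if line.strip():
            inside, outside, length = (int(f) for f in line.split())
            extents.append((inside, outside, length))
    return extents


def view_inside(outside_id, extents):
    """Return the ID the sandbox sees, or None if the ID is unmapped."""
    for inside, outside, length in extents:
        if outside <= outside_id < outside + length:
            return inside + (outside_id - outside)
    return None


def groups_inside(outside_groups, extents, overflow=OVERFLOW_GID):
    """Group list as reported inside the namespace; unmapped IDs become the
    overflow GID and duplicates are collapsed, as in the report's output."""
    seen = []
    for gid in outside_groups:
        mapped = view_inside(gid, extents)
        shown = overflow if mapped is None else mapped
        if shown not in seen:
            seen.append(shown)
    return seen


def unmapped_groups(outside_groups, extents):
    """Host groups that have no mapping and so show up as the overflow GID."""
    return [g for g in outside_groups if view_inside(g, extents) is None]


if __name__ == "__main__":
    extents = parse_id_map(GID_MAP_NON_SUID)
    print("inside :", groups_inside(HOST_GROUPS, extents))
    print("lost   :", unmapped_groups(HOST_GROUPS, extents))
```
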