Bubblewrap upstream-as-root test fails on libcap2 1:2.31-1 and later
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| bubblewrap (Debian) |
Fix Released
|
Unknown
|
|||
| bubblewrap (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
| libcap2 (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
The bubblewrap upstream-as-root test started failing after libcap2 1:2.31-1 got synced from Debian. The same failure can be seen with 1:2.32-1. I have reproduced the issue locally on focal - when using the focal-proposed version, the aforementioned test fails, where with the release version (1:2.27-1) it passes.
It seems to fail here already:
bwrap --bind / / --tmpfs /tmp --as-pid-1 --cap-drop CAP_KILL --cap-drop CAP_FOWNER --unshare-pid capsh --print
assert_
It looks like the requested caps did not get dropped, as the logs show that both cap_kill and cap_fowner are still there. This is only for the upstream-as-root test, i.e. executing tests/test-run.sh as root.
This might be an issue with bubblewrap, but seeing that it all works fine with the release version, it all feels weird.
Related branches
- Sebastien Bacher (community): Approve
- Andreas Hasenack: Approve
- Canonical Server: Pending requested
- git-ubuntu developers: Pending requested
-
Diff: 73 lines (+53/-0)3 files modifieddebian/changelog (+7/-0)
debian/patches/lp-1863733-tests-Update-output-patterns-for-libcap-2.29.patch (+45/-0)
debian/patches/series (+1/-0)
| Łukasz Zemczak (sil2100) wrote | #1 |
| Sebastien Bacher (seb128) wrote | #2 |
| Sebastien Bacher (seb128) wrote | #3 |
| Christian Ehrhardt (paelzer) wrote | #4 |
| Christian Ehrhardt (paelzer) wrote | #5 |
| Christian Ehrhardt (paelzer) wrote | #6 |
| Changed in bubblewrap (Debian): | |
| status: | Unknown → Fix Released |
| Sebastien Bacher (seb128) wrote | #7 |
| Changed in libcap2 (Ubuntu): | |
| status: | New → Invalid |
| Changed in bubblewrap (Ubuntu): | |
| status: | New → Fix Released |
Example test output log: https:/