igo95862 added a commit to igo95862/bubblejail that referenced this issue Jun 8, 2024
The PID from `--info-fd` is read as soon as bwrap forks. This can
result in the user namespace acquired from it being either the direct child
namespace or having an intermediate parent user namespace.
See containers/bubblewrap#634
Check the current process user namespace id to avoid calling `setns()`
on a namespace the process is already in.
Also clean up file descriptors after the `setns()`.
The bwrap main process will write the JSON into those options as soon as it forks:
bubblewrap/bubblewrap.c, line 2922 in 8e51677
However, the child process still has a lot of initialization steps left.
This can result in difficult-to-diagnose concurrency bugs. I experienced this when trying to write to the `/proc/sys/user/max_*` files. When you acquire a user namespace file descriptor from a child PID, it can either be the direct child user namespace or a child user namespace with an intermediate parent, depending on how far into initialization the child is (when using the `--dev` option).
At least this concurrency should be documented in the man page.
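An added example, not code from bubblewrap or bubblejail: one way to tell which of the cases described in the issue a caller is facing, by comparing user namespace ids and walking parents with the `NS_GET_PARENT` ioctl before deciding whether to call `setns()`. The function names and result labels are hypothetical, and the walk assumes Linux with `/proc` mounted.

```python
import errno
import fcntl
import os

NS_GET_PARENT = 0xB702  # _IO(0xb7, 0x2) from <linux/nsfs.h>


def ns_id(fd_or_path):
    """Identify a namespace by the (device, inode) pair of its nsfs file."""
    st = os.stat(fd_or_path)
    return (st.st_dev, st.st_ino)


def classify(own_id, chain):
    """chain holds namespace ids from the child's userns up through its parents."""
    if own_id not in chain:
        return "unrelated"      # our namespace is not an ancestor of the child's
    depth = chain.index(own_id)
    # depth 0: child has not unshared yet, so setns() must be skipped
    # depth 1: direct child; depth >= 2: an intermediate parent exists
    return {0: "same", 1: "direct-child"}.get(depth, "nested")


def userns_chain(pid, own_id, max_depth=32):
    """Walk from pid's user namespace towards own_id via NS_GET_PARENT."""
    chain = []
    fd = os.open(f"/proc/{pid}/ns/user", os.O_RDONLY | os.O_CLOEXEC)
    try:
        while len(chain) < max_depth:   # kernel limits userns nesting to 32
            chain.append(ns_id(fd))
            if chain[-1] == own_id:
                break
            try:
                parent = fcntl.ioctl(fd, NS_GET_PARENT)  # returns a new fd
            except OSError as exc:
                if exc.errno == errno.EPERM:  # parent is outside our scope
                    break
                raise
            os.close(fd)
            fd = parent
    finally:
        os.close(fd)
    return chain


def classify_child(pid):
    """Hypothetical helper: classify the userns of the PID read from --info-fd."""
    own_id = ns_id("/proc/self/ns/user")
    return classify(own_id, userns_chain(pid, own_id))
```

The result describes the child only at the moment of the call, so a caller that needs a specific namespace should classify the file descriptor it is about to pass to `setns()` rather than reopening the path by PID.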