Can't run build-time tests in a chroot or unprivileged container #1497
Labels
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Operating System
Debian unstable
XDG Desktop Portal version
Other
XDG Desktop Portal version (Other)
1.19.0
Desktop Environment
Other
Desktop Environment (Other)
None (non-interactive automated build)
Expected Behavior
Tests either pass, or are skipped
Current Behavior
test-portals-notificationfails and times outSteps to Reproduce
-Dsandboxed-image-validation=enabledbwrapis present, but cannot be used in this environment, either because as we know it doesn't work in a chroot (Failures in chroot containers/bubblewrap#135) or becauseCAP_SYS_ADMINis not in the bounding set (bubblewrap inside unprivileged docker containers/bubblewrap#505)meson test)Anything else we should know?
Debian has historically done all builds as an unprivileged user in a
chrootenvironment, although the official autobuilders are moving towards doing builds in a container as a way to protect the host system better.Unprivileged containers like Podman generally exclude
CAP_SYS_ADMINfrom the capability bounding set inside the container, because it is believed thatCAP_SYS_ADMINinside the container is likely to be enough to let the container payload elevate privileges, gaining arbitrary code execution outside the container as the same unprivileged user who started it.The text was updated successfully, but these errors were encountered: