Add --exec-filename PATH to set the file to execute separate from arg…

…v[0] Fixes containers#91 Some tools change their behavior based on the value of argv[0], for example bash behaves as sh when argv[0] is "sh", xz behaves as unxz, and coreutils behaves as date, df, cat and so on.
quag · Sep 27, 2023 · 417997c · 417997c
1 parent ad76c2d
commit 417997c
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 2 deletions.
diff --git a/bubblewrap.c b/bubblewrap.c
@@ -72,6 +72,7 @@ static const char *opt_exec_label = NULL;
 static const char *opt_file_label = NULL;
 static bool opt_as_pid_1;
 
+static const char *opt_exec_path = NULL;
 static const char *opt_chdir_path = NULL;
 static bool opt_assert_userns_disabled = FALSE;
 static bool opt_disable_userns = FALSE;
@@ -308,6 +309,7 @@ usage (int ecode, FILE *out)
   fprintf (out,
            "    --help                       Print this help\n"
            "    --version                    Print version\n"
+           "    --exec-filename PATH         Execute PATH instead of COMMAND\n"
            "    --args FD                    Parse NUL-separated args from FD\n"
            "    --unshare-all                Unshare every namespace we support by default\n"
            "    --share-net                  Retain the network namespace (can only combine with --unshare-all)\n"
@@ -1664,6 +1666,18 @@ parse_args_recurse (int          *argcp,
         {
           print_version_and_exit ();
         }
+      else if (strcmp (arg, "--exec-filename") == 0)
+        {
+          if (argc < 2)
+            die ("--exec-filename takes one argument");
+
+          if (opt_exec_path != NULL)
+            die ("--exec-filename used multiple times");
+
+          opt_exec_path = argv[1];
+          argv++;
+          argc--;
+        }
       else if (strcmp (arg, "--args") == 0)
         {
           int the_fd;
@@ -2641,6 +2655,7 @@ main (int    argc,
   int res UNUSED;
   cleanup_free char *args_data UNUSED = NULL;
   int intermediate_pids_sockets[2] = {-1, -1};
+  const char *exec_path = NULL;
 
   /* Handle --version early on before we try to acquire/drop
    * any capabilities so it works in a build environment;
@@ -3351,7 +3366,8 @@ main (int    argc,
          we don't want to error out here */
     }
 
-  if (execvp (argv[0], argv) == -1)
+  exec_path = opt_exec_path ? opt_exec_path : argv[0];
+  if (execvp (exec_path, argv) == -1)
     {
       if (setup_finished_pipe[1] != -1)
         {
@@ -3362,7 +3378,7 @@ main (int    argc,
           /* Ignore res, if e.g. the parent died and closed setup_finished_pipe[0]
              we don't want to error out here */
         }
-      die_with_error ("execvp %s", argv[0]);
+      die_with_error ("execvp %s", exec_path);
     }
 
   return 0;

diff --git a/bwrap.xml b/bwrap.xml
@@ -84,6 +84,10 @@
       <term><option>--version</option></term>
       <listitem><para>Print version</para></listitem>
     </varlistentry>
+    <varlistentry>
+      <term><option>--exec-filename <arg choice="plain">PATH</arg></option></term>
+      <listitem><para>Execute <arg choice="plain">PATH</arg> instead of COMMAND.</para></listitem>
+    </varlistentry>
     <varlistentry>
       <term><option>--args <arg choice="plain">FD</arg></option></term>
       <listitem><para>

diff --git a/completions/bash/bwrap b/completions/bash/bwrap
@@ -43,6 +43,7 @@ _bwrap() {
 		--dev-bind
 		--die-with-parent
 		--dir
+		--exec-filename
 		--exec-label
 		--file
 		--file-label

diff --git a/completions/zsh/_bwrap b/completions/zsh/_bwrap
@@ -43,6 +43,7 @@ _bwrap_args=(
     '--dev[Mount new dev on DEST]:mount point for /dev:_files -/'
     "--die-with-parent[Kills with SIGKILL child process (COMMAND) when bwrap or bwrap's parent dies.]"
     '--disable-userns[Disable further use of user namespaces inside sandbox]'
+    '--exec-filename[Execute PATH instead of COMMAND]'
     '--exec-label[Exec label for the sandbox]:SELinux label:_selinux_contexts'
     '--file-label[File label for temporary sandbox content]:SELinux label:_selinux_contexts'
     '--gid[Custom gid in the sandbox (requires --unshare-user or --userns)]: :_guard "[0-9]#" "numeric group ID"'

diff --git a/tests/test-run.sh b/tests/test-run.sh
@@ -532,4 +532,14 @@ echo "PWD=$(pwd -P)" > reference
 assert_files_equal stdout reference
 echo "ok - environment manipulation"
 
+
+$RUN sh -c 'echo $0' > stdout
+assert_file_has_content stdout sh
+$RUN --exec-filename sh sh -c 'echo $0' > stdout
+assert_file_has_content stdout sh
+$RUN --exec-filename sh right -c 'echo $0' > stdout
+assert_file_has_content stdout right
+echo "ok - exec file and argv0 manipulation"
+
+
 echo "ok - End of test"