#1063930 bwrap --dev prevents mount commands from working

Package:
bubblewrap
Source:
bubblewrap
Description:
utility for unprivileged chroot and namespace manipulation
Submitter:
Michael Gold
Date:
2024-02-15 00:27:04 UTC
Severity:
normal
#1063930#5
Date:
2024-02-15 00:23:28 UTC
When the --dev option is used, the 'mount' command cannot be used inside
the container, even when permissions would appear to allow it.  A script
that demonstrates this is attached:
	$ ./bwrap-test.sh
	bash-5.2$ mount -t tmpfs x /tmp
	mount: /tmp: must be superuser to use mount.
	       dmesg(1) may have more information after failed mount system call.
	bash-5.2$ exit
	exit
	$ ./bwrap-test.sh -a
	bash-5.2$ mount -t tmpfs x /tmp
	bash-5.2$ exit
	exit
	$

When "-a" is used, "--dev-bind /dev /dev" replaces "--dev /dev", and the
"mount" command works.  This is kind of the opposite of what I'd expect,
as --dev seems safer than a full --dev-bind.  Nothing is logged to dmesg
either way.

A work-around is to use something like "--dev-bind /dev /real-dev", then
bind-mount chosen devices to a new /dev tree before unmounting /real-dev
("umount --no-mtab --lazy /real-dev" seems to work).

- Michael
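The three sandbox variants and the workaround described in the report, as an added example that is not the reporter's attached bwrap-test.sh. It assumes a merged-/usr host, bwrap and util-linux mount/umount on PATH, a constructed list of device nodes to keep, and that CAP_SYS_ADMIN is retained inside the user namespace via --cap-add, none of which the report shows.

```shell
#!/bin/sh
# Added example, not the report's attached bwrap-test.sh. Runs the sandbox
# with /dev provided the three ways the report discusses; for the workaround
# it bind-mounts a constructed list of device nodes from the --dev-bind copy
# at /real-dev into a fresh tmpfs /dev and then lazily unmounts /real-dev.
# Assumptions (not from the report): merged /usr, bwrap and util-linux on
# PATH, CAP_SYS_ADMIN kept in the user namespace via --cap-add.
set -eu

KEEP_DEVICES="null zero full random urandom tty"   # constructed choice

# Print the names from KEEP_DEVICES that exist under directory $1.
present_devices() {
    for d in $KEEP_DEVICES; do
        [ -e "$1/$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# Workaround body, run inside the sandbox: $1 = /real-dev, $2 = the new /dev.
populate_dev() {
    for d in $(present_devices "$1"); do
        : > "$2/$d"                    # bind target must exist
        mount --bind "$1/$d" "$2/$d"
    done
    umount --no-mtab --lazy "$1"       # as in the report
}

# $1 = dev | devbind | workaround. The script is bound at /self.sh and
# re-entered with "inner" so populate_dev runs inside the sandbox.
run_sandbox() {
    mode=$1
    probe='mount -t tmpfs x /tmp && echo "mount inside sandbox: ok" || echo "mount inside sandbox: failed"'
    set -- --unshare-all --cap-add CAP_SYS_ADMIN --ro-bind /usr /usr \
        --symlink usr/bin /bin --symlink usr/lib /lib --symlink usr/lib64 /lib64 \
        --proc /proc --tmpfs /tmp --ro-bind "$(readlink -f "$0")" /self.sh
    case $mode in
        dev)        bwrap "$@" --dev /dev sh -c "$probe" ;;
        devbind)    bwrap "$@" --dev-bind /dev /dev sh -c "$probe" ;;
        workaround) bwrap "$@" --dev-bind /dev /real-dev --tmpfs /dev sh /self.sh inner ;;
    esac
}

case ${1:-} in
    inner) populate_dev /real-dev /dev
           mount -t tmpfs x /tmp && echo "mount inside sandbox: ok" ;;
    dev|devbind|workaround) run_sandbox "$1" ;;
esac
```

Run it as `./script.sh dev`, `./script.sh devbind` or `./script.sh workaround`; with no argument it only defines the functions.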