Add CLI option to pass common signals to sandboxed process (v0.10.0) #652
Conversation
[bubblewrap] Propagate SIGTERM and SIGINT to child Co-authored-by: Earl Chew <[email protected]> Signed-off-by: Aaruni Kaushik <[email protected]>
Signed-off-by: Aaruni Kaushik <[email protected]>
Signed-off-by: Aaruni Kaushik <[email protected]>
Signed-off-by: Aaruni Kaushik <[email protected]>
Signed-off-by: Aaruni Kaushik <[email protected]>
Signed-off-by: Herwig Hochleitner <[email protected]>
|
@bendlas, if you are intending to take over development of this change from @aaruni96, please see the review comments that I left on #586. A summary: I think whichever version of this ends up ready to apply (#586, #652, I don't really mind which one) should be squashed into a single commit, with the primary author as the commit author, the other contributors in Please see #586 (review) and #586 (comment) for more details of what I would like to see in the commit message. And, like #586, this is missing automated test coverage, which means nobody will notice when it regresses. Adding a test for it shouldn't be particularly difficult: I think it's all doable in a few lines of shell script. If @aaruni96 and @bendlas are both interested in working on this feature, perhaps the two of you could work together on writing an automated test and an explanatory commit message, and then come back for another review round when it's ready? |
|
Well, here's a simple test (race-y, hence the #!/bin/sh
set -u
out=$(
"$1" --ro-bind /bin/sh /bin/sh \
/bin/sh -c 'trap "echo USR1; exit" USR1; sleep 1' &
sleep 0.1
kill -USR1 $!
)
[ -z "$out" ] && echo PASS || echo "FAIL; out: $out"
out=$(
"$1" --forward-signals --ro-bind /bin/sh /bin/sh \
/bin/sh -c 'trap "echo USR1; exit" USR1; sleep 1' &
sleep 0.1
kill -USR1 $!
)
[ "$out" = USR1 ] && echo PASS || echo "FAIL; out: $out"Call with the bwrap executable path as |
|
Here's a more robust version (should work on most distros, don't want to go down the rabbit hole of parsing #!/bin/sh
set -u
sh_path=/bin/sh
sleep_path=$("$sh_path" -c 'command -v sleep')
[ "$sleep_path" = sleep ] && unset sleep_path # builtin
bwrap_common()
{
"$bwrap_path" \
$(
for i in /lib /lib64 /lib32 /libx32 /libexec /usr/lib /usr/lib64 /usr/lib32 /usr/libx32 \
/usr/libexec /usr/local/lib /usr/local/lib64 /usr/local/lib32 /usr/local/libx32 \
/usr/local/libexec /etc/ld.so.preload /etc/ld.so.cache /etc/ld.so.conf /etc/ld.so.conf.d
do
[ -e "$i" ] && echo --ro-bind "$i" "$i"
done
) \
--ro-bind "$sh_path" "$sh_path" \
${sleep_path+--ro-bind "$sleep_path" "$sleep_path"} \
"$@"
}
bwrap_path=$1
out=$(
bwrap_common \
"$sh_path" -c 'trap "echo USR1; exit" USR1; sleep 1' &
sleep 0.1
kill -USR1 $!
)
[ -z "$out" ] && echo PASS || echo "FAIL; out: $out"
out=$(
bwrap_common --forward-signals \
"$sh_path" -c 'trap "echo USR1; exit" USR1; sleep 1' &
sleep 0.1
kill -USR1 $!
)
[ "$out" = USR1 ] && echo PASS || echo "FAIL; out: $out" |
#586 rebased onto v0.10.0
opening this PR for easy patch consumption
follow-up after #641