bwrap.patch
diff --git a/bubblewrap.c b/bubblewrap.c
index f8728c7..7c8753a 100644
--- a/bubblewrap.c
+++ b/bubblewrap.c
@@ -876,13 +876,13 @@ acquire_privs (void)
/* Keep only the required capabilities for setup */
set_required_caps ();
}
- else if (real_uid != 0 && has_caps ())
- {
- /* We have some capabilities in the non-setuid case, which should not happen.
- Probably caused by the binary being setcap instead of setuid which we
- don't support anymore */
- die ("Unexpected capabilities but not setuid, old file caps config?");
- }
+ // else if (real_uid != 0 && has_caps ())
+ // {
+ // /* We have some capabilities in the non-setuid case, which should not happen.
+ // Probably caused by the binary being setcap instead of setuid which we
+ // don't support anymore */
+ // die ("Unexpected capabilities but not setuid, old file caps config?");
+ // }
else if (real_uid == 0)
{
/* If our uid is 0, default to inheriting all caps; the caller
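Review bot: Commenting out the `real_uid != 0 && has_caps ()` branch removes the refusal for a non-root, non-setuid start that already holds capabilities, and nothing in the hunk replaces it with an explicit capability drop. Presumably the process then continues down the unprivileged path with whatever capabilities it inherited or got from file caps; the rest of acquire_privs is outside the hunk, so this should be confirmed. If that configuration is intended, delete the dead lines instead of leaving them under `//` and state the reason, e.g. `/* Upstream dies here on unexpected caps; allowed in this build because <reason>. Caps are not reduced on this path. */`. A narrower change would keep the `die ()` by default and skip it only behind a build-time opt-in, so a stock setcap install still fails closed.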
@@ -1311,7 +1311,7 @@ setup_newroot (bool unshare_pid,
multi_src = true;
}
- strappend (&sb, ",userxattr");
+ strappend (&sb, ",userxattr,index=off");
privileged_op (privileged_op_socket,
PRIV_SEP_OP_OVERLAY_MOUNT, 0, 0, 0, sb.str, dest);
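Review bot: `index=off` is appended unconditionally next to `userxattr` with no comment saying why, so it applies to every overlay mount that reaches this `strappend`. Per the kernel overlayfs documentation, turning the index feature off downgrades the check for an upperdir/workdir already in use by another overlay mount from a mount failure to a warning, and hard links are broken on copy-up. If sharing an upper or work directory between sandboxes is the goal, say so in a comment such as `/* index=off: <reason>; disables the kernel's exclusive upperdir/workdir check */`, and consider adding the option only for the mounts that need it. The overlay case this line sits in starts and ends outside the hunk.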