What do you think the best way to solve it? For compatibility reasons I can prepare PR with extra info about EOF. But I think child process should die if no data arrived to fd.
From man: Block the sandbox on reading from FD until some data is available.
user@pc $ strace -f -e trace=read,execve bwrap --block-fd 3 --bind / / env 3</dev/null
execve("/usr/bin/bwrap", ["bwrap", "--block-fd", "3", "--bind", "/", "/", "env"], 0x7ffeaa1a3878 /* 60 vars */) = 0
strace: Process 399130 attached
[pid 399130] read(5, "\1\0\0\0\0\0\0\0", 8) = 8
[pid 399130] read(6, "327 1221 0:36 /@ /oldroot rw,noa"..., 4079) = 4074
[pid 399130] read(6, "1219 ", 5) = 5
[pid 399130] read(6, "327 259:1 / /oldroot/boot rw,noa"..., 4080) = 4080
[pid 399130] read(6, ",nosuid,nodev master:155 - tmpfs"..., 8160) = 949
[pid 399130] read(6, "", 7211) = 0
========== HERE IS EOF HAPPENS =====
[pid 399130] read(3, "", 1) = 0
========== HERE CHILD WILL EXECUTE COMMAND ========
[pid 399130] execve("/usr/bin/env", ["env"], 0x7ffff0974608 /* 60 vars */) = 0
Is it intentional that
--block-fdtreats EOF as "green flag" to execute process?A normal workflow:
bwrap --block-fd <fd> <cmd>If step 2 failed I want to stop
bwrapWITHOUT executing command. But closing pipe or SIGTERM/SIGKILLbwrapwill allow child process to execute command. Unfortunately, only way is killingbwrapchild process by pid directly.What do you think the best way to solve it? For compatibility reasons I can prepare PR with extra info about EOF. But I think child process should die if no data arrived to fd.
From man:
Block the sandbox on reading from FD until some data is available.Strace log
Code
Looks like result of
read(...)is never checked against 0 (EOF).bubblewrap/bubblewrap.c
Lines 48 to 54 in 8e51677
bubblewrap/bubblewrap.c
Lines 3261 to 3266 in 8e51677