From 470beecc0761b10e7ccf6b7ae116ecb9acb1f1e2 Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Thu, 9 Jul 2026 22:04:29 -0400 Subject: [PATCH] FIX: don't let set -e abort on old bwrap/kernel version checks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Commit c83d29a replaced the manual major/minor/patch comparisons in detect_bwrap_capabilities and detect_kernel_capabilities with a _version_ge helper, called as: _version_ge "${_bwrap_ver}" "0.6.3" && HAS_BIND_OVER_RO=1 Each such line is the last statement in its function. When _version_ge returns false — as it does on RHEL8's bubblewrap 0.4.0 (< 0.5.0 and < 0.6.3) and 4.18 kernel (< 5.14) — the function inherits that non-zero exit status. Under the wrappers' `set -euo pipefail`, the bare call to the detection function then aborts the whole script immediately, before any bwrap arguments are built. The result on RHEL8 is that bw* wrappers exit 1 with no output. On newer hosts every _version_ge returns true, so the last command exits 0 and the bug stays hidden. Convert the three capability lines to `if _version_ge ...; then VAR=1; fi`. The if form is set -e-safe and leaves the detection functions returning 0 regardless of the comparison result. --- lib/bwrap_sandbox_lib.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/bwrap_sandbox_lib.sh b/lib/bwrap_sandbox_lib.sh index 77ceb6e..024c510 100644 --- a/lib/bwrap_sandbox_lib.sh +++ b/lib/bwrap_sandbox_lib.sh @@ -124,14 +124,14 @@ detect_bwrap_capabilities() { # --clearenv: Start with an empty environment (added in 0.5.0) # Fallback: manually unset all host env vars with --unsetenv HAS_CLEARENV=0 - _version_ge "${_bwrap_ver}" "0.5.0" && HAS_CLEARENV=1 + if _version_ge "${_bwrap_ver}" "0.5.0"; then HAS_CLEARENV=1; fi # Bind over ro-bind: ability to bind-mount on top of a read-only bind # mount (e.g., masking /usr/bin/ssh after --ro-bind /usr /usr). # This works in 0.6.3+; earlier versions fail with "Permission denied". # Fallback: skip binary masking (security reduction — tools remain accessible) HAS_BIND_OVER_RO=0 - _version_ge "${_bwrap_ver}" "0.6.3" && HAS_BIND_OVER_RO=1 + if _version_ge "${_bwrap_ver}" "0.6.3"; then HAS_BIND_OVER_RO=1; fi } # Detect kernel-level security features that affect bwrap argument choice. @@ -154,7 +154,7 @@ detect_kernel_capabilities() { _kver="${_kver%%-*}" # strip suffix e.g. "5.14.0-427.el9" -> "5.14.0" KERNEL_HAS_TIOCSTI_CAP_GUARD=0 - _version_ge "${_kver}" "5.14" && KERNEL_HAS_TIOCSTI_CAP_GUARD=1 + if _version_ge "${_kver}" "5.14"; then KERNEL_HAS_TIOCSTI_CAP_GUARD=1; fi } detect_shell() {