Package: bubblewrap / 0.8.0-2+deb12u1

Metadata

Package: bubblewrap
Version: 0.8.0-2+deb12u1
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
tests Explicitly unshare userns when testing disable user.patch

tests/test-run.sh | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 tests: explicitly unshare userns when testing --disable-userns

If we're running the tests as uid 0 with capabilities, then bwrap will
not create a new user namespace by default, which means the limit won't
be exceeded and the test will fail. Make sure we always try to create
the new user namespace.

Signed-off-by: Simon McVittie <smcv@collabora.com>

tests Try harder to evade disable userns.patch

tests/test-run.sh | 9 9 + 0 - 0 !
1 file changed, 9 insertions(+)

 tests: try harder to evade --disable-userns

The worst-case scenario in terms of enforcing --disable-userns is that
we're retaining all capabilities, so test that too, to make sure that
the option is genuinely restricting even a privileged user.

Signed-off-by: Simon McVittie <smcv@collabora.com>

Add bind fd and ro bind fd to let you bind a O_PATH fd.patch

bubblewrap.c | 50 50 + 0 - 0 !
tests/test-run.sh | 7 6 + 1 - 0 !
2 files changed, 56 insertions(+), 1 deletion(-)

 add --bind-fd and --ro-bind-fd to let you bind a O_PATH fd.

This is useful for example if you for some reason don't have the real
path. It is also a way to make bind-mounts race-free (i.e. to have the
mount actually be the thing you wanted to be mounted, avoiding issues
where some other process replaces the target in parallel with the bwrap
launch).

Unfortunately due to some technical details we can't actually directly

debian/Change EPERM error message to show Debian specific inform.patch

bubblewrap.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 change EPERM error message to show Debian-specific information