fix: Workaround AppArmor profile for passt (#1108 )

fix: Spelling mistake (#1105 )
feat: Detect if container is running in privileged mode (#1104 )
2025-11-13 05:23:41 +08:00 · 2025-11-12 07:03:22 +01:00 · 2025-11-06 03:46:35 +01:00 · 2025-11-06 03:39:46 +01:00 · 2025-11-06 03:22:47 +01:00
4 changed files with 54 additions and 35 deletions
--- a/src/disk.sh
+++ b/src/disk.sh
@@ -346,7 +346,7 @@ checkFS () {
  DIR=$(dirname "$DISK_FILE")
  [ ! -d "$DIR" ] && return 0

-  if [[ "${FS,,}" == "overlay"* && "$PODMAN" != [Yy1]* ]]; then
+  if [[ "${FS,,}" == "overlay"* && "${ENGINE,,}" == "docker" ]]; then
    warn "the filesystem of $DIR is OverlayFS, this usually means it was binded to an invalid path!"
  fi

--- a/src/install.sh
+++ b/src/install.sh
@@ -80,7 +80,7 @@ rm -f "$STORAGE/$BASE.system.img"
 # Check filesystem
 FS=$(stat -f -c %T "$STORAGE")

-if [[ "${FS,,}" == "overlay"* && "$PODMAN" != [Yy1]* ]]; then
+if [[ "${FS,,}" == "overlay"* && "${ENGINE,,}" == "docker" ]]; then
  warn "the filesystem of $STORAGE is OverlayFS, this usually means it was binded to an invalid path!"
 fi

--- a/src/network.sh
+++ b/src/network.sh
@@ -19,14 +19,16 @@ set -Eeuo pipefail
 : "${VM_NET_HOST:="VirtualDSM"}"
 : "${VM_NET_MASK:="255.255.255.0"}"

-: "${PASST:="passt"}"
+: "${PASST:="/run/passt"}"
 : "${PASST_MTU:=""}"
 : "${PASST_OPTS:=""}"
 : "${PASST_DEBUG:=""}"
+: "${PASST_PID:="/var/run/passt.pid"}"

 : "${DNSMASQ_OPTS:=""}"
 : "${DNSMASQ_DEBUG:=""}"
 : "${DNSMASQ:="/usr/sbin/dnsmasq"}"
+: "${DNSMASQ_PID:="/var/run/dnsmasq.pid"}"
 : "${DNSMASQ_CONF_DIR:="/etc/dnsmasq.d"}"

 ADD_ERR="Please add the following setting to your container:"
@@ -127,8 +129,8 @@ configureDNS() {
  [[ "${DNSMASQ_DISABLE:-}" == [Yy1]* ]] && return 0
  [[ "$DEBUG" == [Yy1]* ]] && echo "Starting dnsmasq daemon..."

-  local log="/var/log/dnsmasq.log"
-  rm -f "$log"
+  [ -s "$DNSMASQ_PID" ] && pKill "$(<"$DNSMASQ_PID")"
+  rm -f "$DNSMASQ_PID"

  case "${NETWORK,,}" in
    "tap" | "tun" | "tuntap" | "y" )
@@ -162,6 +164,8 @@ configureDNS() {
  [ -f /etc/resolv.dnsmasq ] && DNSMASQ_OPTS+=" --resolv-file=/etc/resolv.dnsmasq"

  # Enable logging to file
+  local log="/var/log/dnsmasq.log"
+  rm -f "$log"
  DNSMASQ_OPTS+=" --log-facility=$log"

  DNSMASQ_OPTS=$(echo "$DNSMASQ_OPTS" | sed 's/\t/ /g' | tr -s ' ' | sed 's/^ *//')
@@ -309,12 +313,9 @@ configurePasst() {
  NETWORK="passt"
  [[ "$DEBUG" == [Yy1]* ]] && echo "Configuring user-mode networking..."

-  local log="/var/log/passt.log"
+  local log="/tmp/passt.log"
  rm -f "$log"

-  local pid="/var/run/dnsmasq.pid"
-  [ -s "$pid" ] && pKill "$(<"$pid")"
-
  local ip="$IP"
  [ -n "$VM_NET_IP" ] && ip="$VM_NET_IP"

@@ -346,13 +347,7 @@ configurePasst() {

  PASST_OPTS+=" -H $VM_NET_HOST"
  PASST_OPTS+=" -M $GATEWAY_MAC"
-
-  local uid gid
-  uid=$(id -u)
-  gid=$(id -g)
-  PASST_OPTS+=" --runas $uid:$gid"
-
-  PASST_OPTS+=" -P /var/run/passt.pid"
+  PASST_OPTS+=" -P  $PASST_PID"
  PASST_OPTS+=" -l $log"
  PASST_OPTS+=" -q"

@@ -364,6 +359,8 @@ configurePasst() {
  PASST_OPTS=$(echo "$PASST_OPTS" | sed 's/\t/ /g' | tr -s ' ' | sed 's/^ *//')
  [[ "$DEBUG" == [Yy1]* ]] && printf "Passt arguments:\n\n%s\n\n" "${PASST_OPTS// -/$'\n-'}"

+  [ ! -f "$PASST" ] && cp /usr/bin/passt* /run
+
  if ! $PASST ${PASST_OPTS:+ $PASST_OPTS} >/dev/null 2>&1; then

    rm -f "$log"
@@ -410,7 +407,7 @@ configureNAT() {
  fi

  if [ ! -c /dev/net/tun ]; then
-    [[ "$PODMAN" == [Yy1]* ]] && return 1
+    [[ "$ROOTLESS" == [Yy1]* && "$DEBUG" != [Yy1]* ]] && return 1
    warn "$tuntap" && return 1
  fi

@@ -418,7 +415,7 @@ configureNAT() {
  if [[ $(< /proc/sys/net/ipv4/ip_forward) -eq 0 ]]; then
    { sysctl -w net.ipv4.ip_forward=1 > /dev/null 2>&1; rc=$?; } || :
    if (( rc != 0 )) || [[ $(< /proc/sys/net/ipv4/ip_forward) -eq 0 ]]; then
-      [[ "$PODMAN" == [Yy1]* ]] && return 1
+      [[ "$ROOTLESS" == [Yy1]* && "$DEBUG" != [Yy1]* ]] && return 1
      warn "IP forwarding is disabled. $ADD_ERR --sysctl net.ipv4.ip_forward=1"
      return 1
    fi
@@ -445,7 +442,7 @@ configureNAT() {
  { ip link add dev "$VM_NET_BRIDGE" type bridge ; rc=$?; } || :

  if (( rc != 0 )); then
-    [[ "$PODMAN" == [Yy1]* ]] && return 1
+    [[ "$ROOTLESS" == [Yy1]* && "$DEBUG" != [Yy1]* ]] && return 1
    warn "failed to create bridge. $ADD_ERR --cap-add NET_ADMIN" && return 1
  fi

@@ -460,7 +457,7 @@ configureNAT() {

  # QEMU Works with taps, set tap to the bridge created
  if ! ip tuntap add dev "$VM_NET_TAP" mode tap; then
-    [[ "$PODMAN" == [Yy1]* ]] && return 1
+    [[ "$ROOTLESS" == [Yy1]* && "$DEBUG" != [Yy1]* ]] && return 1
    warn "$tuntap" && return 1
  fi

@@ -501,8 +498,11 @@ configureNAT() {
    fi
  fi

-  if ! iptables -t nat -A POSTROUTING -o "$VM_NET_DEV" -j MASQUERADE; then
-    warn "$tables" && return 1
+  if ! iptables -t nat -A POSTROUTING -o "$VM_NET_DEV" -j MASQUERADE > /dev/null 2>&1; then
+    [[ "$ROOTLESS" == [Yy1]* && "$DEBUG" != [Yy1]* ]] && return 1
+    if ! iptables -t nat -A POSTROUTING -o "$VM_NET_DEV" -j MASQUERADE; then
+      warn "$tables" && return 1
+    fi
  fi

  # shellcheck disable=SC2086
@@ -536,13 +536,11 @@ configureNAT() {

 closeBridge() {

-  local pid="/var/run/dnsmasq.pid"
-  [ -s "$pid" ] && pKill "$(<"$pid")"
-  rm -f "$pid"
+  [ -s "$PASST_PID" ] && pKill "$(<"$PASST_PID")"
+  rm -f "$PASST_PID"

-  pid="/var/run/passt.pid"
-  [ -s "$pid" ] && pKill "$(<"$pid")"
-  rm -f "$pid"
+  [ -s "$DNSMASQ_PID" ] && pKill "$(<"$DNSMASQ_PID")"
+  rm -f "$DNSMASQ_PID"

  case "${NETWORK,,}" in
    "user"* | "passt" | "slirp" ) return 0 ;;
@@ -598,9 +596,9 @@ closeNetwork() {
 cleanUp() {

  # Clean up old files
+  rm -f "$PASST_PID"
+  rm -f "$DNSMASQ_PID"
  rm -f /etc/resolv.dnsmasq
-  rm -f /var/run/passt.pid
-  rm -f /var/run/dnsmasq.pid

  if [[ -d "/sys/class/net/$VM_NET_TAP" ]]; then
    info "Lingering interface will be removed..."
@@ -640,7 +638,7 @@ getInfo() {
    [ -d "/sys/class/net/net1" ] && VM_NET_DEV="net1"
    [ -d "/sys/class/net/net2" ] && VM_NET_DEV="net2"
    [ -d "/sys/class/net/net3" ] && VM_NET_DEV="net3"
-    # Automaticly detect the default network interface
+    # Automatically detect the default network interface
    [ -z "$VM_NET_DEV" ] && VM_NET_DEV=$(awk '$2 == 00000000 { print $1 }' /proc/net/route)
    [ -z "$VM_NET_DEV" ] && VM_NET_DEV="eth0"
  fi
@@ -802,7 +800,7 @@ else
        closeBridge
        NETWORK="user"

-        if [[ "$PODMAN" != [Yy1]* ]]; then
+        if [[ "$ROOTLESS" != [Yy1]* || "$DEBUG" == [Yy1]* ]]; then
          msg="falling back to user-mode networking!"
          msg="failed to setup NAT networking, $msg"
          warn "$msg"
--- a/src/reset.sh
+++ b/src/reset.sh
@@ -24,19 +24,40 @@ trap 'error "Status $? while: $BASH_COMMAND (line $LINENO/$BASH_LINENO)"' ERR

 # Helper variables

-PODMAN="N"
+ROOTLESS="N"
+PRIVILEGED="N"
 ENGINE="Docker"
 PROCESS="${APP,,}"
 PROCESS="${PROCESS// /-}"

 if [ -f "/run/.containerenv" ]; then
-  PODMAN="Y"
-  ENGINE="Podman"
+  ENGINE="${container:-}"
+  if [[ "${ENGINE,,}" == *"podman"* ]]; then
+    ROOTLESS="Y"
+    ENGINE="Podman"
+  else
+    [ -z "$ENGINE" ] && ENGINE="Kubernetes"
+  fi
 fi

 echo "❯ Starting $APP for $ENGINE v$(</run/version)..."
 echo "❯ For support visit $SUPPORT"

+# Get the capability bounding set
+CAP_BND=$(grep '^CapBnd:' /proc/$$/status | awk '{print $2}')
+CAP_BND=$(printf "%d" "0x${CAP_BND}")
+
+# Get the last capability number
+LAST_CAP=$(cat /proc/sys/kernel/cap_last_cap)
+
+# Calculate the maximum capability value
+MAX_CAP=$(((1 << (LAST_CAP + 1)) - 1))
+
+if [ "${CAP_BND}" -eq "${MAX_CAP}" ]; then
+  ROOTLESS="N"
+  PRIVILEGED="Y"
+fi
+
 INFO="/run/shm/msg.html"
 PAGE="/run/shm/index.html"
 TEMPLATE="/var/www/index.html"
Author	SHA1	Message	Date
Kroese	471cdbb338	fix: Workaround AppArmor profile for passt (#1108 )	2025-11-12 07:03:22 +01:00
Kroese	e77bca202b	fix: Spelling mistake (#1105 )	2025-11-06 03:46:35 +01:00
Kroese	2e6c01e934	feat: Detect if container is running in privileged mode (#1104 )	2025-11-06 03:39:46 +01:00
Kroese	302c991c0c	fix: Change condition for OverlayFS warning (#1103 )	2025-11-06 03:22:47 +01:00