WIP: Change ownership of /dev/std*

[JonathonReinhart]

This updates scubainit to change ownership of /dev/std* before switching users to the scubauser. This fixes the common case of #126, where scubauser cannot write to /dev/stdout:

$ scuba /bin/sh -c 'echo hello > /dev/stdout'
hello

Unfortunately this fix is not perfect, but I'm not sure that it can be.

If scuba's standard output is redirected to e.g. /dev/null, then scuba will not tell docker to create a tty. When this happens, scubainit ends up trying to call fchown on a fd that refers to /dev/null. This actually causes an AVC denial on Fedora 28. So I add the following check:

if (!isatty(fd))
    continue

This allows the following behaviors:

$ scuba /bin/sh -c 'echo hello > /dev/stdout' >/dev/null
/bin/sh: 1: cannot create /dev/stdout: Permission denied

$ scuba /bin/sh -c 'echo hello > /dev/stdout' | cat
/bin/sh: 1: cannot create /dev/stdout: Permission denied

However, I'm not entirely sure why:

$ scuba /bin/sh -c 'ls -l /proc/self/fd' | cat
total 0
lr-x------. 1 scubauser scubauser 64 Mar 23 20:24 0 -> pipe:[3630051]
l-wx------. 1 scubauser scubauser 64 Mar 23 20:24 1 -> pipe:[3630052]
l-wx------. 1 scubauser scubauser 64 Mar 23 20:24 2 -> pipe:[3630053]
lr-x------. 1 scubauser scubauser 64 Mar 23 20:24 3 -> /proc/9/fd

[codecov-io]

Codecov Report

Merging #131 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #131   +/-   ##
=======================================
  Coverage   94.95%   94.95%           
=======================================
  Files           9        9           
  Lines         615      615           
=======================================
  Hits          584      584           
  Misses         31       31

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8352625...feecfb6. Read the comment docs.

[github-actions]

Test Results

    5 files      5 suites   1m 59s ⏱️
161 tests 158 ✔️   2 💤 1 ❌
805 runs  790 ✔️ 10 💤 5 ❌

For more details on these failures, see this check.

Results for commit e4c1fed.