Hello community,

here is the log from the commit of package bubblewrap for openSUSE:Factory 
checked in at 2023-03-29 23:25:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old)
 and      /work/SRC/openSUSE:Factory/.bubblewrap.new.31432 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "bubblewrap"

Wed Mar 29 23:25:53 2023 rev:16 rq:1074772 version:0.8.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes    2022-12-09 
13:16:37.398632695 +0100
+++ /work/SRC/openSUSE:Factory/.bubblewrap.new.31432/bubblewrap.changes 
2023-03-29 23:25:57.667107104 +0200
@@ -1,0 +2,11 @@
+Mon Mar 27 16:39:05 UTC 2023 - Andreas Stieger <andreas.stie...@gmx.de>
+
+- update to v0.8.0:
+  * Add --disable-userns option to prevent the sandbox from
+    creating its own nested user namespace
+  * Add --assert-userns-disabled option to check that an existing
+    userns was created with --disable-userns
+  * Give a clearer error message if the kernel doesn't have
+    CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER
+
+-------------------------------------------------------------------

Old:
----
  bubblewrap-0.7.0.tar.xz

New:
----
  bubblewrap-0.8.0.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ bubblewrap.spec ++++++
--- /var/tmp/diff_new_pack.utY5vg/_old  2023-03-29 23:25:58.143109340 +0200
+++ /var/tmp/diff_new_pack.utY5vg/_new  2023-03-29 23:25:58.147109358 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package bubblewrap
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           bubblewrap
-Version:        0.7.0
+Version:        0.8.0
 Release:        0
 Summary:        Core execution tool for unprivileged containers
 License:        LGPL-2.0-or-later

++++++ bubblewrap-0.7.0.tar.xz -> bubblewrap-0.8.0.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.7.0/aclocal.m4 
new/bubblewrap-0.8.0/aclocal.m4
--- old/bubblewrap-0.7.0/aclocal.m4     2022-11-07 18:40:50.000000000 +0100
+++ new/bubblewrap-0.8.0/aclocal.m4     2023-02-27 13:27:04.000000000 +0100
@@ -20,7 +20,7 @@
 If you have problems, you may need to regenerate the build system entirely.
 To do so, use the procedure documented by the package, typically 
'autoreconf'.])])
 
-# pkg.m4 - Macros to locate and utilise pkg-config.   -*- Autoconf -*-
+# pkg.m4 - Macros to locate and use pkg-config.   -*- Autoconf -*-
 # serial 12 (pkg-config-0.29.2)
 
 dnl Copyright © 2004 Scott James Remnant <sc...@netsplit.com>.
@@ -108,7 +108,7 @@
 dnl PKG_CHECK_MODULES(), but does not set variables or print errors.
 dnl
 dnl Please remember that m4 expands AC_REQUIRE([PKG_PROG_PKG_CONFIG])
-dnl only at the first occurence in configure.ac, so if the first place
+dnl only at the first occurrence in configure.ac, so if the first place
 dnl it's called might be skipped (such as if it is within an "if", you
 dnl have to call PKG_CHECK_EXISTS manually
 AC_DEFUN([PKG_CHECK_EXISTS],
@@ -177,14 +177,14 @@
         AC_MSG_RESULT([no])
         _PKG_SHORT_ERRORS_SUPPORTED
         if test $_pkg_short_errors_supported = yes; then
-               $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors 
--cflags --libs "$2" 2>&1`
+                $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors 
--cflags --libs "$2" 2>&1`
         else
-               $1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs 
"$2" 2>&1`
+                $1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs 
"$2" 2>&1`
         fi
-       # Put the nasty error message in config.log where it belongs
-       echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD
+        # Put the nasty error message in config.log where it belongs
+        echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD
 
-       m4_default([$4], [AC_MSG_ERROR(
+        m4_default([$4], [AC_MSG_ERROR(
 [Package requirements ($2) were not met:
 
 $$1_PKG_ERRORS
@@ -196,7 +196,7 @@
         ])
 elif test $pkg_failed = untried; then
         AC_MSG_RESULT([no])
-       m4_default([$4], [AC_MSG_FAILURE(
+        m4_default([$4], [AC_MSG_FAILURE(
 [The pkg-config script could not be found or is too old.  Make sure it
 is in your PATH or set the PKG_CONFIG environment variable to the full
 path to pkg-config.
@@ -206,10 +206,10 @@
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.])[]dnl
         ])
 else
-       $1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS
-       $1[]_LIBS=$pkg_cv_[]$1[]_LIBS
+        $1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS
+        $1[]_LIBS=$pkg_cv_[]$1[]_LIBS
         AC_MSG_RESULT([yes])
-       $3
+        $3
 fi[]dnl
 ])dnl PKG_CHECK_MODULES
 
@@ -296,6 +296,74 @@
 AS_VAR_IF([$1], [""], [$5], [$4])dnl
 ])dnl PKG_CHECK_VAR
 
+dnl PKG_WITH_MODULES(VARIABLE-PREFIX, MODULES,
+dnl   [ACTION-IF-FOUND],[ACTION-IF-NOT-FOUND],
+dnl   [DESCRIPTION], [DEFAULT])
+dnl ------------------------------------------
+dnl
+dnl Prepare a "--with-" configure option using the lowercase
+dnl [VARIABLE-PREFIX] name, merging the behaviour of AC_ARG_WITH and
+dnl PKG_CHECK_MODULES in a single macro.
+AC_DEFUN([PKG_WITH_MODULES],
+[
+m4_pushdef([with_arg], m4_tolower([$1]))
+
+m4_pushdef([description],
+           [m4_default([$5], [build with ]with_arg[ support])])
+
+m4_pushdef([def_arg], [m4_default([$6], [auto])])
+m4_pushdef([def_action_if_found], [AS_TR_SH([with_]with_arg)=yes])
+m4_pushdef([def_action_if_not_found], [AS_TR_SH([with_]with_arg)=no])
+
+m4_case(def_arg,
+            [yes],[m4_pushdef([with_without], [--without-]with_arg)],
+            [m4_pushdef([with_without],[--with-]with_arg)])
+
+AC_ARG_WITH(with_arg,
+     AS_HELP_STRING(with_without, description[ @<:@default=]def_arg[@:>@]),,
+    [AS_TR_SH([with_]with_arg)=def_arg])
+
+AS_CASE([$AS_TR_SH([with_]with_arg)],
+            [yes],[PKG_CHECK_MODULES([$1],[$2],$3,$4)],
+            [auto],[PKG_CHECK_MODULES([$1],[$2],
+                                        [m4_n([def_action_if_found]) $3],
+                                        [m4_n([def_action_if_not_found]) $4])])
+
+m4_popdef([with_arg])
+m4_popdef([description])
+m4_popdef([def_arg])
+
+])dnl PKG_WITH_MODULES
+
+dnl PKG_HAVE_WITH_MODULES(VARIABLE-PREFIX, MODULES,
+dnl   [DESCRIPTION], [DEFAULT])
+dnl -----------------------------------------------
+dnl
+dnl Convenience macro to trigger AM_CONDITIONAL after PKG_WITH_MODULES
+dnl check._[VARIABLE-PREFIX] is exported as make variable.
+AC_DEFUN([PKG_HAVE_WITH_MODULES],
+[
+PKG_WITH_MODULES([$1],[$2],,,[$3],[$4])
+
+AM_CONDITIONAL([HAVE_][$1],
+               [test "$AS_TR_SH([with_]m4_tolower([$1]))" = "yes"])
+])dnl PKG_HAVE_WITH_MODULES
+
+dnl PKG_HAVE_DEFINE_WITH_MODULES(VARIABLE-PREFIX, MODULES,
+dnl   [DESCRIPTION], [DEFAULT])
+dnl ------------------------------------------------------
+dnl
+dnl Convenience macro to run AM_CONDITIONAL and AC_DEFINE after
+dnl PKG_WITH_MODULES check. HAVE_[VARIABLE-PREFIX] is exported as make
+dnl and preprocessor variable.
+AC_DEFUN([PKG_HAVE_DEFINE_WITH_MODULES],
+[
+PKG_HAVE_WITH_MODULES([$1],[$2],[$3],[$4])
+
+AS_IF([test "$AS_TR_SH([with_]m4_tolower([$1]))" = "yes"],
+        [AC_DEFINE([HAVE_][$1], 1, [Enable ]m4_tolower([$1])[ support])])
+])dnl PKG_HAVE_DEFINE_WITH_MODULES
+
 # Copyright (C) 2002-2021 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.7.0/bubblewrap.c 
new/bubblewrap-0.8.0/bubblewrap.c
--- old/bubblewrap-0.7.0/bubblewrap.c   2022-10-27 19:09:27.000000000 +0200
+++ new/bubblewrap-0.8.0/bubblewrap.c   2023-02-23 11:02:08.000000000 +0100
@@ -73,6 +73,8 @@
 static bool opt_as_pid_1;
 
 const char *opt_chdir_path = NULL;
+bool opt_assert_userns_disabled = FALSE;
+bool opt_disable_userns = FALSE;
 bool opt_unshare_user = FALSE;
 bool opt_unshare_user_try = FALSE;
 bool opt_unshare_pid = FALSE;
@@ -286,7 +288,15 @@
   for (program = seccomp_programs; program != NULL; program = program->next)
     {
       if (prctl (PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &program->program) != 0)
-        die_with_error ("prctl(PR_SET_SECCOMP)");
+        {
+          if (errno == EINVAL)
+            die ("Unable to set up system call filtering as requested: "
+                 "prctl(PR_SET_SECCOMP) reported EINVAL. "
+                 "(Hint: this requires a kernel configured with "
+                 "CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER.)");
+
+          die_with_error ("prctl(PR_SET_SECCOMP)");
+        }
     }
 }
 
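Review bot: The EINVAL hint in the new die() call attributes the failure solely to a kernel built without CONFIG_SECCOMP/CONFIG_SECCOMP_FILTER, but prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER) also returns EINVAL when the filter program itself fails validation, so a user who supplied a malformed --seccomp or --add-seccomp-fd program would be pointed at the wrong cause. Consider widening the message, e.g. `"(Hint: either the supplied seccomp filter is invalid, or the kernel lacks CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER.)"`, and putting a short comment above the errno test such as `/* EINVAL: kernel has no seccomp filter support, or the BPF program failed validation */`. The errno check is correctly placed immediately after the prctl call. The enclosing function starts outside the hunk.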
@@ -311,6 +321,8 @@
            "    --unshare-cgroup-try         Create new cgroup namespace if 
possible else continue by skipping it\n"
            "    --userns FD                  Use this user namespace (cannot 
combine with --unshare-user)\n"
            "    --userns2 FD                 After setup switch to this user 
namespace, only useful with --userns\n"
+           "    --disable-userns             Disable further use of user 
namespaces inside sandbox\n"
+           "    --assert-userns-disabled     Fail unless further use of user 
namespace inside sandbox is disabled\n"
            "    --pidns FD                   Use this pid namespace (as parent 
namespace if using --unshare-pid)\n"
            "    --uid UID                    Custom uid in the sandbox 
(requires --unshare-user or --userns)\n"
            "    --gid GID                    Custom gid in the sandbox 
(requires --unshare-user or --userns)\n"
@@ -1777,6 +1789,14 @@
           argv++;
           argc--;
         }
+      else if (strcmp (arg, "--disable-userns") == 0)
+        {
+          opt_disable_userns = TRUE;
+        }
+      else if (strcmp (arg, "--assert-userns-disabled") == 0)
+        {
+          opt_assert_userns_disabled = TRUE;
+        }
       else if (strcmp (arg, "--remount-ro") == 0)
         {
           if (argc < 2)
@@ -2677,6 +2697,12 @@
   if (opt_userns_fd != -1 && opt_unshare_user_try)
     die ("--userns not compatible --unshare-user-try");
 
+  if (opt_disable_userns && !opt_unshare_user)
+    die ("--disable-userns requires --unshare-user");
+
+  if (opt_disable_userns && opt_userns_block_fd != -1)
+    die ("--disable-userns is not compatible with  --userns-block-fd");
+
   /* Technically using setns() is probably safe even in the privileged
    * case, because we got passed in a file descriptor to the
    * namespace, and that can only be gotten if you have ptrace
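Review bot: The second new error string has a doubled space; it should read `die ("--disable-userns is not compatible with --userns-block-fd");`. Separately, the bwrap.xml hunk in this same diff states that --disable-userns "doesn't work in the setuid version of bubblewrap" and the test script skips it when bwrap_is_suid, yet this validation block does not reject that combination; if the setuid build genuinely cannot honour the option, rejecting it here with an explicit message, e.g. `if (is_privileged && opt_disable_userns) die ("--disable-userns is not supported in setuid mode");`, would be clearer than a later, less specific failure. I am inferring the setuid limitation from the documentation hunk only; the code path that would fail is not visible here. The enclosing function continues outside the hunk.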
@@ -3155,13 +3181,34 @@
   if (opt_userns2_fd > 0 && setns (opt_userns2_fd, CLONE_NEWUSER) != 0)
     die_with_error ("Setting userns2 failed");
 
-  if (opt_unshare_user &&
-      (ns_uid != opt_sandbox_uid || ns_gid != opt_sandbox_gid) &&
-      opt_userns_block_fd == -1)
-    {
-      /* Now that devpts is mounted and we've no need for mount
-         permissions we can create a new userspace and map our uid
-         1:1 */
+  if (opt_unshare_user && opt_userns_block_fd == -1 &&
+      (ns_uid != opt_sandbox_uid || ns_gid != opt_sandbox_gid ||
+       opt_disable_userns))
+    {
+      /* Here we create a second level userns inside the first one. This is
+         used for one or more of these reasons:
+
+         * The 1st level namespace has a different uid/gid than the
+           requested due to requirements of beeing root in the first
+           level due for mounting devpts (opt_needs_devpts).
+
+         * To disable user namespaces we set max_user_namespaces and then
+           create the second namespace so that the sandbox cannot undo this
+           change.
+      */
+
+      if (opt_disable_userns)
+        {
+          cleanup_fd int sysctl_fd = -1;
+
+          sysctl_fd = openat (proc_fd, "sys/user/max_user_namespaces", 
O_WRONLY);
+
+          if (sysctl_fd < 0)
+            die_with_error ("cannot open /proc/sys/user/max_user_namespaces");
+
+          if (write_to_fd (sysctl_fd, "1", 1) < 0)
+            die_with_error ("sysctl user.max_user_namespaces = 1");
+        }
 
       if (unshare (CLONE_NEWUSER))
         die_with_error ("unshare user ns");
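Review bot: The new explanatory comment has a typo and a garbled sentence: `requested due to requirements of beeing root in the first level due for mounting devpts (opt_needs_devpts).` should read something like `requested, because bwrap needs to be root in the first-level namespace in order to mount devpts (opt_needs_devpts).`. The second bullet would also benefit from stating the ordering requirement that the code depends on: the sysctl is written into the current (first-level) namespace before the unshare, and the nested namespace cannot raise a limit belonging to its parent — the bwrap.xml hunk says this, the code comment only says the sandbox "cannot undo" it. The enclosing function and the if block's closing brace are outside the hunk.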
@@ -3174,6 +3221,15 @@
                          -1, FALSE, FALSE);
     }
 
+  if (opt_disable_userns || opt_assert_userns_disabled)
+    {
+      /* Verify that we can't make a new userns again */
+      res = unshare (CLONE_NEWUSER);
+
+      if (res == 0)
+        die ("creation of new user namespaces was not disabled as requested");
+    }
+
   /* All privileged ops are done now, so drop caps we don't need */
   drop_privs (!is_privileged, TRUE);
 
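Review bot: The verification treats any failure of unshare(CLONE_NEWUSER) as proof that user namespaces are disabled, so a failure for an unrelated and possibly transient reason would let --assert-userns-disabled pass although the intended restriction may not be in place; the errno produced by the max_user_namespaces limit is not the one a seccomp- or policy-based restriction would produce, which is presumably why the check is kept mechanism-agnostic. At minimum the assumption should be written down, e.g. `/* Any unshare() failure counts as "disabled": the sysctl limit and an externally provided userns may restrict it by different means, so errno is deliberately not inspected. */`, and logging errno when res != 0 would help diagnose a false pass. When res == 0 the process has already entered a new user namespace by the time die() runs, which is harmless since it exits immediately. The enclosing function continues outside the hunk.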
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.7.0/bwrap.xml 
new/bubblewrap-0.8.0/bwrap.xml
--- old/bubblewrap-0.7.0/bwrap.xml      2022-10-27 18:35:57.000000000 +0200
+++ new/bubblewrap-0.8.0/bwrap.xml      2023-01-30 11:43:46.000000000 +0100
@@ -145,6 +145,31 @@
       <para>This is useful because sometimes bubblewrap itself creates nested 
user namespaces (to work around some kernel issues) and --userns2 can be used 
to enter these.</para></listitem>
     </varlistentry>
     <varlistentry>
+      <term><option>--disable-userns</option></term>
+      <listitem><para>
+        Prevent the process in the sandbox from creating further user 
namespaces,
+        so that it cannot rearrange the filesystem namespace or do other more
+        complex namespace modification.
+        This is currently implemented by setting the
+        <literal>user.max_user_namespaces</literal> sysctl to 1, and then
+        entering a nested user namespace which is unable to raise that limit
+        in the outer namespace.
+        This option requires <option>--unshare-user</option>, and doesn't work
+        in the setuid version of bubblewrap.
+      </para></listitem>
+    </varlistentry>
+    <varlistentry>
+      <term><option>--assert-userns-disabled</option></term>
+      <listitem><para>
+        Confirm that the process in the sandbox has been prevented from
+        creating further user namespaces, but without taking any particular
+        action to prevent that. For example, this can be combined with
+        <option>--userns</option> to check that the given user namespace
+        has already been set up to prevent the creation of further user
+        namespaces.
+      </para></listitem>
+    </varlistentry>
+    <varlistentry>
       <term><option>--pidns <arg choice="plain">FD</arg></option></term>
       <listitem><para>Use an existing pid namespace instead of creating one. 
This is often used with --userns, because the pid namespace must be owned by 
the same user namespace that bwrap uses. </para>
       <para>Note that this can be combined with --unshare-pid, and in that 
case it means that the sandbox will be in its own pid namespace, which is a 
child of the passed in one.</para></listitem>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.7.0/completions/bash/bwrap 
new/bubblewrap-0.8.0/completions/bash/bwrap
--- old/bubblewrap-0.7.0/completions/bash/bwrap 2022-10-27 18:35:57.000000000 
+0200
+++ new/bubblewrap-0.8.0/completions/bash/bwrap 2023-01-30 11:43:46.000000000 
+0100
@@ -10,7 +10,9 @@
        # Please keep sorted in LC_ALL=C order
        local boolean_options="
                --as-pid-1
+               --assert-userns-disabled
                --clearenv
+               --disable-userns
                --help
                --new-session
                --unshare-all
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.7.0/completions/zsh/_bwrap 
new/bubblewrap-0.8.0/completions/zsh/_bwrap
--- old/bubblewrap-0.7.0/completions/zsh/_bwrap 2022-10-27 18:35:57.000000000 
+0200
+++ new/bubblewrap-0.8.0/completions/zsh/_bwrap 2023-01-30 11:43:46.000000000 
+0100
@@ -27,6 +27,7 @@
 
     # Please sort alphabetically (in LC_ALL=C order) by option name
     '--add-seccomp-fd[Load and use seccomp rules from FD]: :_guard "[0-9]#" 
"file descriptor to read seccomp rules from"'
+    '--assert-userns-disabled[Fail unless further use of user namespace inside 
sandbox is disabled]'
     '--args[Parse NUL-separated args from FD]: :_guard "[0-9]#" "file 
descriptor with NUL-separated arguments"'
     '--as-pid-1[Do not install a reaper process with PID=1]'
     '--bind-try[Equal to --bind but ignores non-existent 
SRC]:source:_files:destination:_files'
@@ -41,6 +42,7 @@
     '--dev-bind[Bind mount the host path SRC on DEST, allowing device 
access]:source:_files:destination:_files'
     '--dev[Mount new dev on DEST]:mount point for /dev:_files -/'
     "--die-with-parent[Kills with SIGKILL child process (COMMAND) when bwrap 
or bwrap's parent dies.]"
+    '--disable-userns[Disable further use of user namespaces inside sandbox]'
     '--exec-label[Exec label for the sandbox]:SELinux label:_selinux_contexts'
     '--file-label[File label for temporary sandbox content]:SELinux 
label:_selinux_contexts'
     '--gid[Custom gid in the sandbox (requires --unshare-user or --userns)]: 
:_guard "[0-9]#" "numeric group ID"'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.7.0/configure 
new/bubblewrap-0.8.0/configure
--- old/bubblewrap-0.7.0/configure      2022-11-07 18:40:51.000000000 +0100
+++ new/bubblewrap-0.8.0/configure      2023-02-27 13:27:04.000000000 +0100
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for bubblewrap 0.7.0.
+# Generated by GNU Autoconf 2.71 for bubblewrap 0.8.0.
 #
 # Report bugs to <atomic-de...@projectatomic.io>.
 #
@@ -610,8 +610,8 @@
 # Identity of this package.
 PACKAGE_NAME='bubblewrap'
 PACKAGE_TARNAME='bubblewrap'
-PACKAGE_VERSION='0.7.0'
-PACKAGE_STRING='bubblewrap 0.7.0'
+PACKAGE_VERSION='0.8.0'
+PACKAGE_STRING='bubblewrap 0.8.0'
 PACKAGE_BUGREPORT='atomic-de...@projectatomic.io'
 PACKAGE_URL=''
 
@@ -1344,7 +1344,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures bubblewrap 0.7.0 to adapt to many kinds of systems.
+\`configure' configures bubblewrap 0.8.0 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1411,7 +1411,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of bubblewrap 0.7.0:";;
+     short | recursive ) echo "Configuration of bubblewrap 0.8.0:";;
    esac
   cat <<\_ACEOF
 
@@ -1542,7 +1542,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-bubblewrap configure 0.7.0
+bubblewrap configure 0.8.0
 generated by GNU Autoconf 2.71
 
 Copyright (C) 2021 Free Software Foundation, Inc.
@@ -1698,7 +1698,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by bubblewrap $as_me 0.7.0, which was
+It was created by bubblewrap $as_me 0.8.0, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   $ $0$ac_configure_args_raw
@@ -4266,7 +4266,7 @@
 
 # Define the identity of the package.
  PACKAGE='bubblewrap'
- VERSION='0.7.0'
+ VERSION='0.8.0'
 
 
 # Some tools Automake needs.
@@ -5967,24 +5967,24 @@
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-               BASH_COMPLETION_PKG_ERRORS=`$PKG_CONFIG --short-errors 
--print-errors --cflags --libs "bash-completion >= 2.0" 2>&1`
+                BASH_COMPLETION_PKG_ERRORS=`$PKG_CONFIG --short-errors 
--print-errors --cflags --libs "bash-completion >= 2.0" 2>&1`
         else
-               BASH_COMPLETION_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags 
--libs "bash-completion >= 2.0" 2>&1`
+                BASH_COMPLETION_PKG_ERRORS=`$PKG_CONFIG --print-errors 
--cflags --libs "bash-completion >= 2.0" 2>&1`
         fi
-       # Put the nasty error message in config.log where it belongs
-       echo "$BASH_COMPLETION_PKG_ERRORS" >&5
+        # Put the nasty error message in config.log where it belongs
+        echo "$BASH_COMPLETION_PKG_ERRORS" >&5
 
-       BASH_COMPLETION_DIR="$datadir/bash-completion/completions"
+        BASH_COMPLETION_DIR="$datadir/bash-completion/completions"
 elif test $pkg_failed = untried; then
         { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
 printf "%s\n" "no" >&6; }
-       BASH_COMPLETION_DIR="$datadir/bash-completion/completions"
+        BASH_COMPLETION_DIR="$datadir/bash-completion/completions"
 else
-       BASH_COMPLETION_CFLAGS=$pkg_cv_BASH_COMPLETION_CFLAGS
-       BASH_COMPLETION_LIBS=$pkg_cv_BASH_COMPLETION_LIBS
+        BASH_COMPLETION_CFLAGS=$pkg_cv_BASH_COMPLETION_CFLAGS
+        BASH_COMPLETION_LIBS=$pkg_cv_BASH_COMPLETION_LIBS
         { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 printf "%s\n" "yes" >&6; }
-       BASH_COMPLETION_DIR="`pkg-config --variable=completionsdir 
bash-completion`"
+        BASH_COMPLETION_DIR="`pkg-config --variable=completionsdir 
bash-completion`"
 fi
 
 else $as_nop
@@ -6094,21 +6094,21 @@
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-               SELINUX_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors 
--cflags --libs "libselinux >= 2.1.9" 2>&1`
+                SELINUX_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors 
--cflags --libs "libselinux >= 2.1.9" 2>&1`
         else
-               SELINUX_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs 
"libselinux >= 2.1.9" 2>&1`
+                SELINUX_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs 
"libselinux >= 2.1.9" 2>&1`
         fi
-       # Put the nasty error message in config.log where it belongs
-       echo "$SELINUX_PKG_ERRORS" >&5
+        # Put the nasty error message in config.log where it belongs
+        echo "$SELINUX_PKG_ERRORS" >&5
 
-       have_selinux=no
+        have_selinux=no
 elif test $pkg_failed = untried; then
         { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
 printf "%s\n" "no" >&6; }
-       have_selinux=no
+        have_selinux=no
 else
-       SELINUX_CFLAGS=$pkg_cv_SELINUX_CFLAGS
-       SELINUX_LIBS=$pkg_cv_SELINUX_LIBS
+        SELINUX_CFLAGS=$pkg_cv_SELINUX_CFLAGS
+        SELINUX_LIBS=$pkg_cv_SELINUX_LIBS
         { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 printf "%s\n" "yes" >&6; }
 
@@ -6173,21 +6173,21 @@
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-               SELINUX_2_3_PKG_ERRORS=`$PKG_CONFIG --short-errors 
--print-errors --cflags --libs "libselinux >= 2.3" 2>&1`
+                SELINUX_2_3_PKG_ERRORS=`$PKG_CONFIG --short-errors 
--print-errors --cflags --libs "libselinux >= 2.3" 2>&1`
         else
-               SELINUX_2_3_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags 
--libs "libselinux >= 2.3" 2>&1`
+                SELINUX_2_3_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags 
--libs "libselinux >= 2.3" 2>&1`
         fi
-       # Put the nasty error message in config.log where it belongs
-       echo "$SELINUX_2_3_PKG_ERRORS" >&5
+        # Put the nasty error message in config.log where it belongs
+        echo "$SELINUX_2_3_PKG_ERRORS" >&5
 
-       :
+        :
 elif test $pkg_failed = untried; then
         { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
 printf "%s\n" "no" >&6; }
-       :
+        :
 else
-       SELINUX_2_3_CFLAGS=$pkg_cv_SELINUX_2_3_CFLAGS
-       SELINUX_2_3_LIBS=$pkg_cv_SELINUX_2_3_LIBS
+        SELINUX_2_3_CFLAGS=$pkg_cv_SELINUX_2_3_CFLAGS
+        SELINUX_2_3_LIBS=$pkg_cv_SELINUX_2_3_LIBS
         { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 printf "%s\n" "yes" >&6; }
 
@@ -6958,7 +6958,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by bubblewrap $as_me 0.7.0, which was
+This file was extended by bubblewrap $as_me 0.8.0, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -7026,7 +7026,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-bubblewrap config.status 0.7.0
+bubblewrap config.status 0.8.0
 configured by $0, generated by GNU Autoconf 2.71,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.7.0/configure.ac 
new/bubblewrap-0.8.0/configure.ac
--- old/bubblewrap-0.7.0/configure.ac   2022-11-07 18:40:20.000000000 +0100
+++ new/bubblewrap-0.8.0/configure.ac   2023-02-27 13:20:56.000000000 +0100
@@ -1,5 +1,5 @@
 AC_PREREQ([2.63])
-AC_INIT([bubblewrap], [0.7.0], [atomic-de...@projectatomic.io])
+AC_INIT([bubblewrap], [0.8.0], [atomic-de...@projectatomic.io])
 AC_CONFIG_HEADER([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_AUX_DIR([build-aux])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.7.0/meson.build 
new/bubblewrap-0.8.0/meson.build
--- old/bubblewrap-0.7.0/meson.build    2022-11-07 18:40:16.000000000 +0100
+++ new/bubblewrap-0.8.0/meson.build    2023-02-27 13:20:56.000000000 +0100
@@ -1,7 +1,7 @@
 project(
   'bubblewrap',
   'c',
-  version : '0.7.0',
+  version : '0.8.0',
   meson_version : '>=0.49.0',
   default_options : [
     'warning_level=2',
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.7.0/tests/test-run.sh 
new/bubblewrap-0.8.0/tests/test-run.sh
--- old/bubblewrap-0.7.0/tests/test-run.sh      2022-10-27 18:35:57.000000000 
+0200
+++ new/bubblewrap-0.8.0/tests/test-run.sh      2023-02-27 13:20:29.000000000 
+0100
@@ -8,7 +8,7 @@
 
 bn=$(basename "$0")
 
-echo "1..57"
+echo "1..58"
 
 # Test help
 ${BWRAP} --help > help.txt
@@ -112,6 +112,7 @@
 if test -n "${bwrap_is_suid:-}"; then
     echo "ok - # SKIP no --cap-add support"
     echo "ok - # SKIP no --cap-add support"
+    echo "ok - # SKIP no --disable-userns"
 else
     BWRAP_RECURSE="$BWRAP --unshare-user --uid 0 --gid 0 --cap-add ALL --bind 
/ / --bind /proc /proc"
 
@@ -123,6 +124,15 @@
     $BWRAP_RECURSE -- /proc/self/exe --unshare-all ${BWRAP_RO_HOST_ARGS} 
findmnt > recursive-newroot.txt
     assert_file_has_content recursive-newroot.txt "/usr"
     echo "ok - can pivot to new rootfs recursively"
+
+    $BWRAP --dev-bind / / -- true
+    ! $BWRAP --assert-userns-disabled --dev-bind / / -- true
+    $BWRAP --unshare-user --disable-userns --dev-bind / / -- true
+    ! $BWRAP --unshare-user --disable-userns --dev-bind / / -- $BWRAP 
--dev-bind / / -- true
+    $BWRAP --unshare-user --disable-userns --dev-bind / / -- sh -c "echo 2 > 
/proc/sys/user/max_user_namespaces || true; ! $BWRAP --dev-bind / / -- true"
+    $BWRAP --unshare-user --disable-userns --dev-bind / / -- sh -c "echo 100 > 
/proc/sys/user/max_user_namespaces || true; ! $BWRAP --dev-bind / / -- true"
+    $BWRAP --unshare-user --disable-userns --dev-bind / / -- sh -c "! $BWRAP 
--dev-bind / / --assert-userns-disabled -- true"
+    echo "ok - can disable nested userns"
 fi
 
 # Test error prefixing
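Review bot: The two negated checks `! $BWRAP --assert-userns-disabled ...` and `! $BWRAP --unshare-user --disable-userns ... -- $BWRAP ...` cannot fail the script if it relies on errexit, as the surrounding unchecked `$BWRAP` invocations suggest: both bash and POSIX sh exempt a command whose status is inverted with `!` from `set -e`, so a regression in which those commands unexpectedly succeed would still print "ok - can disable nested userns". The three `sh -c "...; ! $BWRAP ..."` lines are not affected, because there the inverted status becomes the exit status of the inner sh and propagates through the outer bwrap. The file already has the right pattern for a must-fail command in the --size/--tmpfs hunk further down (`if $RUN ...; then assert_not_reached ...; fi`); the two lines should use it. The enclosing if/else block starts and ends outside the hunk.
```shell
    $BWRAP --dev-bind / / -- true
    if $BWRAP --assert-userns-disabled --dev-bind / / -- true; then
        assert_not_reached "--assert-userns-disabled should fail when userns creation is not disabled"
    fi
    $BWRAP --unshare-user --disable-userns --dev-bind / / -- true
    if $BWRAP --unshare-user --disable-userns --dev-bind / / -- $BWRAP --dev-bind / / -- true; then
        assert_not_reached "nested bwrap should fail under --disable-userns"
    fi
    # … unchanged: the three sh -c probes and the final "ok" line …
```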
@@ -143,10 +153,11 @@
     done
     echo "ok - we have no caps as uid != 0"
 else
-    capsh --print > caps.orig
+    capsh --print | sed -e 's/no-new-privs=0/no-new-privs=1/' > caps.expected
+
     for OPT in "" "--as-pid-1"; do
         $RUN $OPT --unshare-pid capsh --print >caps.test
-        diff -u caps.orig caps.test
+        diff -u caps.expected caps.test
     done
     # And test that we can drop all, as well as specific caps
     $RUN $OPT --cap-drop ALL --unshare-pid capsh --print >caps.test
@@ -406,27 +417,39 @@
 echo "ok - tmpfs has expected permissions"
 
 # 1048576 = 1 MiB
-$RUN \
-    --size 1048576 --tmpfs "$(pwd -P)" \
-    df --output=size --block-size=1K "$(pwd -P)" > dir-size
-assert_file_has_content dir-size '^ *1024$'
-$RUN \
-    --size 1048576 --perms 01777 --tmpfs "$(pwd -P)" \
-    stat -c '%a' "$(pwd -P)" > dir-permissions
-assert_file_has_content dir-permissions '^1777$'
-$RUN \
-    --size 1048576 --perms 01777 --tmpfs "$(pwd -P)" \
-    df --output=size --block-size=1K "$(pwd -P)" > dir-size
-assert_file_has_content dir-size '^ *1024$'
-$RUN \
-    --perms 01777 --size 1048576 --tmpfs "$(pwd -P)" \
-    stat -c '%a' "$(pwd -P)" > dir-permissions
-assert_file_has_content dir-permissions '^1777$'
-$RUN \
-    --perms 01777 --size 1048576 --tmpfs "$(pwd -P)" \
-    df --output=size --block-size=1K "$(pwd -P)" > dir-size
-assert_file_has_content dir-size '^ *1024$'
-echo "ok - tmpfs has expected size"
+if test -n "${bwrap_is_suid:-}"; then
+    if $RUN --size 1048576 --tmpfs "$(pwd -P)" true; then
+        assert_not_reached "Should not allow --size --tmpfs when setuid"
+    fi
+    echo "ok - --size --tmpfs is not allowed when setuid"
+elif df --output=size --block-size=1K "$(pwd -P)" >/dev/null 2>/dev/null; then
+    $RUN \
+        --size 1048576 --tmpfs "$(pwd -P)" \
+        df --output=size --block-size=1K "$(pwd -P)" > dir-size
+    assert_file_has_content dir-size '^ *1024$'
+    $RUN \
+        --size 1048576 --perms 01777 --tmpfs "$(pwd -P)" \
+        stat -c '%a' "$(pwd -P)" > dir-permissions
+    assert_file_has_content dir-permissions '^1777$'
+    $RUN \
+        --size 1048576 --perms 01777 --tmpfs "$(pwd -P)" \
+        df --output=size --block-size=1K "$(pwd -P)" > dir-size
+    assert_file_has_content dir-size '^ *1024$'
+    $RUN \
+        --perms 01777 --size 1048576 --tmpfs "$(pwd -P)" \
+        stat -c '%a' "$(pwd -P)" > dir-permissions
+    assert_file_has_content dir-permissions '^1777$'
+    $RUN \
+        --perms 01777 --size 1048576 --tmpfs "$(pwd -P)" \
+        df --output=size --block-size=1K "$(pwd -P)" > dir-size
+    assert_file_has_content dir-size '^ *1024$'
+    echo "ok - tmpfs has expected size"
+else
+    $RUN --size 1048576 --tmpfs "$(pwd -P)" true
+    $RUN --perms 01777 --size 1048576 --tmpfs "$(pwd -P)" true
+    $RUN --size 1048576 --perms 01777 --tmpfs "$(pwd -P)" true
+    echo "ok # SKIP df is too old, cannot test --size --tmpfs fully"
+fi
 
 $RUN \
     --file 0 /tmp/file \
