commit bubblewrap for openSUSE:Factory

Hello community,

here is the log from the commit of package bubblewrap for openSUSE:Factory 
checked in at 2020-04-05 20:51:39

Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old)
 and  /work/SRC/openSUSE:Factory/.bubblewrap.new.3248 (New)


Package is "bubblewrap"

Sun Apr  5 20:51:39 2020 rev:11 rq:790515 version:0.4.1

Changes:

--- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes2019-12-28 
13:40:18.562926637 +0100
+++ /work/SRC/openSUSE:Factory/.bubblewrap.new.3248/bubblewrap.changes  
2020-04-05 20:51:49.737084100 +0200
@@ -1,0 +2,12 @@
+Wed Apr  1 10:03:39 UTC 2020 - Sebastian Wagner 
+
+- Update to version 0.4.1:
+ * retcode: fix return code with syncfd and no event_fd
+ * Ensure we're always clearing the cap bounding set
+ * tests: Update output patterns for libcap >= 2.29
+ * Don't rely on geteuid() to know when to switch back from setuid root
+ * Don't support --userns2 in setuid mode
+ * fixes CVE-2020-5291
+ * fixes bsc#1168291
+
+---

Old:

  bubblewrap-0.4.0.tar.xz

New:

  bubblewrap-0.4.1.tar.xz



Other differences:
--
++ bubblewrap.spec ++
--- /var/tmp/diff_new_pack.li2KxO/_old  2020-04-05 20:51:50.253084594 +0200
+++ /var/tmp/diff_new_pack.li2KxO/_new  2020-04-05 20:51:50.257084598 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package bubblewrap
 #
-# Copyright (c) 2019 SUSE LLC
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:   bubblewrap
-Version:0.4.0
+Version:0.4.1
 Release:0
 Summary:Core execution tool for unprivileged containers
 License:LGPL-2.0-or-later

++ bubblewrap-0.4.0.tar.xz -> bubblewrap-0.4.1.tar.xz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.4.0/bubblewrap.c 
new/bubblewrap-0.4.1/bubblewrap.c
--- old/bubblewrap-0.4.0/bubblewrap.c   2019-11-27 13:34:31.0 +0100
+++ new/bubblewrap-0.4.1/bubblewrap.c   2020-03-30 15:09:24.0 +0200
@@ -532,17 +532,20 @@
   int status;
 
   child = wait (&status);
-  if (child == initial_pid && event_fd != -1)
+  if (child == initial_pid)
 {
-  uint64_t val;
-  int res UNUSED;
-
   initial_exit_status = propagate_exit_status (status);
 
-  val = initial_exit_status + 1;
-  res = write (event_fd, &val, 8);
-  /* Ignore res, if e.g. the parent died and closed event_fd
- we don't want to error out here */
+  if(event_fd != -1)
+{
+  uint64_t val;
+  int res UNUSED;
+
+  val = initial_exit_status + 1;
+  res = write (event_fd, &val, 8);
+  /* Ignore res, if e.g. the parent died and closed event_fd
+ we don't want to error out here */
+}
 }
 
   if (child == -1 && errno != EINTR)
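Review bot: The new inner guard is written `if(event_fd != -1)` with no space before the parenthesis, unlike every other conditional in this hunk (`if (child == initial_pid)`, `if (child == -1 ...)`), so it should read `if (event_fd != -1)` to keep the file's GNU spacing. The write length is also still a bare `8`; `res = write (event_fd, &val, sizeof val);` states the eventfd contract without a magic number and cannot drift if the type ever changes. The enclosing function starts before this hunk.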
@@ -834,11 +837,13 @@
 
 /* Call setuid() and use capset() to adjust capabilities */
 static void
-drop_privs (bool keep_requested_caps)
+drop_privs (bool keep_requested_caps,
+bool already_changed_uid)
 {
   assert (!keep_requested_caps || !is_privileged);
   /* Drop root uid */
-  if (geteuid () == 0 && setuid (opt_sandbox_uid) < 0)
+  if (is_privileged && !already_changed_uid &&
+  setuid (opt_sandbox_uid) < 0)
 die_with_error ("unable to drop root uid");
 
   drop_all_caps (keep_requested_caps);
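Review bot: The new `already_changed_uid` parameter carries no documentation, yet it is now the caller's word — not `geteuid()` — that decides whether `setuid()` runs, so its meaning belongs in the header comment above the function. Suggest extending it to `/* Call setuid() and use capset() to adjust capabilities. already_changed_uid: TRUE when the caller has already switched away from the setuid-root uid and setuid() must not be attempted again; it only matters when is_privileged is set. */`. Since the old `geteuid () == 0` check is gone, nothing here confirms the uid actually changed; if it is compatible with the user-namespace paths, a post-drop assertion such as a failing `setuid (0)` (CERT POS37-C) would make the drop verifiable rather than assumed — worth confirming against the callers before adding.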
@@ -2296,6 +2301,9 @@
   if (opt_userns_fd != -1 && is_privileged)
 die ("--userns doesn't work in setuid mode");
 
+  if (opt_userns2_fd != -1 && is_privileged)
+die ("--userns2 doesn't work in setuid mode");
+
   /* We have to do this if we weren't installed setuid (and we're not
* root), so let's just DWIM */
   if (!is_privileged && getuid () != 0 && opt_userns_fd == -1)
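Review bot: `opt_pidns_fd`, which 0.4.0 introduced alongside `opt_userns2_fd`, gets no matching rejection in this block, so if there is no equivalent check elsewhere in the option validation a caller-supplied pid namespace fd would still be accepted by the setuid binary even though the 0.4.0 changelog says joining existing namespaces does not work in setuid mode. Add `if (opt_pidns_fd != -1 && is_privileged) die ("--pidns doesn't work in setuid mode");` beside the two existing checks, or note in a comment why the pid case is safe. The enclosing function starts and ends outside this hunk.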
@@ -2499,7 +2507,7 @@
 die_with_error ("Setting userns2 failed");
 
   /* We don't need any privileges in the launcher, drop them immediately. 
*/
-  drop_privs (FALSE);
+  drop_privs (FALSE, FALSE);
 
   /* Optionally bind our lifecycle to that of the parent */
   handle_die_with_parent ();
@@ -2674,7 +2682,7 @@
   if (child == 0)
 {
   /* Unprivileged setup process */
-  drop_privs (FALSE);
+  drop_privs (FALSE, TRUE);
   close (privsep_sockets[0]);
   setup_newroot (opt_unshare_pid, privsep_sockets[1]);
   exit (0);
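Review bot: The bare `TRUE` in `drop_privs (FALSE, TRUE)` is opaque at the call site; nothing in this hunk shows where the uid was switched before the fork, so a reader cannot tell why this process must not call `setuid()` again. A one-line comment such as `/* already_changed_uid: the uid switch happened before the fork, so skip setuid() here */` would record the assumption — assuming that is indeed the reason, which should be confirmed against the code preceding the fork. The enclosing function begins before this hunk.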
@@ -2763,13 +2771,16 @@
   if (unshare (CLONE_NEWUSER))
 die_with_error ("unshare user ns");
 
+  /* We're in a new user namespace,

commit bubblewrap for openSUSE:Factory

Hello community,

here is the log from the commit of package bubblewrap for openSUSE:Factory 
checked in at 2017-07-17 09:11:32

Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old)
 and  /work/SRC/openSUSE:Factory/.bubblewrap.new (New)


Package is "bubblewrap"

Mon Jul 17 09:11:32 2017 rev:2 rq:510257 version:0.1.8

Changes:

--- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes2017-07-05 
23:57:11.882716063 +0200
+++ /work/SRC/openSUSE:Factory/.bubblewrap.new/bubblewrap.changes   
2017-07-17 09:11:33.312582144 +0200
@@ -1,0 +2,5 @@
+Fri Jul  7 09:40:27 UTC 2017 - sebix+novell@sebix.at
+
+- fix build macro with rpm < 4.12 (non-Factory currently)
+
+---



Other differences:
--
++ bubblewrap.spec ++
--- /var/tmp/diff_new_pack.jcfKd7/_old  2017-07-17 09:11:33.908498208 +0200
+++ /var/tmp/diff_new_pack.jcfKd7/_new  2017-07-17 09:11:33.912497644 +0200
@@ -49,7 +49,7 @@
 %build
 env NOCONFIGURE=1 ./autogen.sh
 %configure --disable-silent-rules --with-priv-mode=none
-%make_build
+make %{?_smp_mflags}
 
 %install
 %make_install DESTDIR=%{buildroot} INSTALL="install -p -c"




commit bubblewrap for openSUSE:Factory

Hello community,

here is the log from the commit of package bubblewrap for openSUSE:Factory 
checked in at 2018-05-30 11:40:35

Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old)
 and  /work/SRC/openSUSE:Factory/.bubblewrap.new (New)


Package is "bubblewrap"

Wed May 30 11:40:35 2018 rev:5 rq:612511 version:0.2.1

Changes:

--- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes2017-10-13 
14:09:17.578155078 +0200
+++ /work/SRC/openSUSE:Factory/.bubblewrap.new/bubblewrap.changes   
2018-05-30 12:11:44.234907268 +0200
@@ -1,0 +2,10 @@
+Tue May  1 21:02:33 UTC 2018 - sebix+novell@sebix.at
+
+- update to version 0.2.1:
+ * All the demos are included
+ * bugfixes for the demo files
+ * There was an issue with mkdir when running bubblewrap on an NFS
+   filesystem that has been fixed, so flatpak now works on NFS shares.
+ * Some leaks have been fixed, including a file descriptor leak.
+
+---

Old:

  v0.2.0.tar.gz

New:

  v0.2.1.tar.gz



Other differences:
--
++ bubblewrap.spec ++
--- /var/tmp/diff_new_pack.ddPOlh/_old  2018-05-30 12:11:45.794755665 +0200
+++ /var/tmp/diff_new_pack.ddPOlh/_new  2018-05-30 12:11:45.798755276 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package bubblewrap
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,10 +17,10 @@
 
 
 Name:   bubblewrap
-Version:0.2.0
+Version:0.2.1
 Release:0
 Summary:Core execution tool for unprivileged containers
-License:LGPL-2.0+
+License:LGPL-2.0-or-later
 Group:  Productivity/Security
 Url:https://github.com/projectatomic/bubblewrap
 Source: 
https://github.com/projectatomic/bubblewrap/archive/v%{version}.tar.gz
@@ -46,6 +46,7 @@
 %prep
 %autosetup -n %{name}-%{version}
 sed -i '1d' completions/bash/bwrap
+sed -i '1s/env //' demos/bubblewrap-shell.sh demos/userns-block-fd.py
 
 %build
 env NOCONFIGURE=1 ./autogen.sh
@@ -58,7 +59,7 @@
 
 %files
 %license COPYING
-%doc README.md
+%doc README.md demos
 %dir %{_datadir}/bash-completion
 %dir %{_datadir}/bash-completion/completions
 %{_datadir}/bash-completion/completions/bwrap

++ v0.2.0.tar.gz -> v0.2.1.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.2.0/Makefile.am 
new/bubblewrap-0.2.1/Makefile.am
--- old/bubblewrap-0.2.0/Makefile.am2017-10-09 16:11:41.0 +0200
+++ new/bubblewrap-0.2.1/Makefile.am2018-04-06 17:06:15.0 +0200
@@ -1,6 +1,18 @@
 AM_CFLAGS = $(WARN_CFLAGS)
 CLEANFILES =
-EXTRA_DIST =
+EXTRA_DIST = \
+   .dir-locals.el \
+   .editorconfig \
+   README.md \
+   autogen.sh \
+   demos/bubblewrap-shell.sh \
+   demos/flatpak-run.sh \
+   demos/flatpak.bpf \
+   demos/userns-block-fd.py \
+   packaging/bubblewrap.spec \
+   uncrustify.cfg \
+   uncrustify.sh \
+   $(NULL)
 
 GITIGNOREFILES = build-aux/ gtk-doc.make config.h.in aclocal.m4
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.2.0/README.md 
new/bubblewrap-0.2.1/README.md
--- old/bubblewrap-0.2.0/README.md  2017-10-09 16:11:41.0 +0200
+++ new/bubblewrap-0.2.1/README.md  2018-04-06 17:06:15.0 +0200
@@ -105,7 +105,7 @@
 IPC namespaces ([CLONE_NEWIPC](http://linux.die.net/man/2/clone)): The sandbox 
will get its own copy of all the
 different forms of IPCs, like SysV shared memory and semaphores.
 
-PID namespaces ([CLONE_NEWPID](http://linux.die.net/man/2/clone)): The sandbox 
will not see any processes outside the sandbox. Additionally, bubblewrap will 
run a trivial pid1 inside your container to handle the requirements of reaping 
children in the sandbox. .This avoids what is known now as the [Docker pid 1 
problem](https://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/).
+PID namespaces ([CLONE_NEWPID](http://linux.die.net/man/2/clone)): The sandbox 
will not see any processes outside the sandbox. Additionally, bubblewrap will 
run a trivial pid1 inside your container to handle the requirements of reaping 
children in the sandbox. This avoids what is known now as the [Docker pid 1 
problem](https://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/).
 
 
 Network namespaces ([CLONE_NEWNET](http://linux.die.net/man/2/clone)): The 
sandbox will not see the network. Instead it will have its own network 
namespace with o

commit bubblewrap for openSUSE:Factory

Hello community,

here is the log from the commit of package bubblewrap for openSUSE:Factory 
checked in at 2019-06-04 12:09:07

Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old)
 and  /work/SRC/openSUSE:Factory/.bubblewrap.new.5148 (New)


Package is "bubblewrap"

Tue Jun  4 12:09:07 2019 rev:8 rq:706819 version:0.3.3

Changes:

--- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes2018-10-25 
08:10:52.376245754 +0200
+++ /work/SRC/openSUSE:Factory/.bubblewrap.new.5148/bubblewrap.changes  
2019-06-04 12:09:11.779883557 +0200
@@ -1,0 +2,20 @@
+Sat Jun  1 15:08:49 UTC 2019 - Sebastian Wagner 
+
+- Update to version 0.3.3:
+ - This release is the same as 0.3.2 but the version number in configure.ac
+   was accidentally still set to 0.3.1
+- Update to version 0.3.2:
+ - fixes boo#1136958 / CVE-2019-12439
+  This release fixes a mostly theoretical security issue in unusual/broken
+  setups where `$XDG_RUNTIME_DIR` is unset.
+  There are some other smaller fixes, as well as an addition to the JSON
+  API that allows reading the inner process exit code, separately from
+  the `bwrap` exit code.
+  - Print "Out of memory" on stderr, not stdout
+  - bwrap: add option json-status-fd to show child exit code
+  - bwrap: Report COMMAND exit code in json-status-fd
+  - man page: Describe --chdir, not nonexistent --cwd
+  - Don't create our own temporary mount point for pivot_root
+  - Make lockdata long enough on 32-bit with 64-bit file pointers.
+
+---

Old:

  v0.3.1.tar.gz

New:

  bubblewrap-0.3.3.tar.xz



Other differences:
--
++ bubblewrap.spec ++
--- /var/tmp/diff_new_pack.nAie10/_old  2019-06-04 12:09:12.803883221 +0200
+++ /var/tmp/diff_new_pack.nAie10/_new  2019-06-04 12:09:12.803883221 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package bubblewrap
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,16 +17,13 @@
 
 
 Name:   bubblewrap
-Version:0.3.1
+Version:0.3.3
 Release:0
 Summary:Core execution tool for unprivileged containers
 License:LGPL-2.0-or-later
 Group:  Productivity/Security
 Url:https://github.com/projectatomic/bubblewrap
-Source: 
https://github.com/projectatomic/bubblewrap/archive/v%{version}.tar.gz
-# Does not have README.md and autogen.sh included -> unusable
-# Source0:
https://github.com/projectatomic/bubblewrap/releases/download/v%%{version}/%%{name}-%%{version}.tar.xz
-# We always run autogen.sh
+Source0:
https://github.com/projectatomic/bubblewrap/releases/download/v%{version}/%{name}-%{version}.tar.xz
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  docbook-xsl-stylesheets
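Review bot: Moving `Source0` to the upstream release tarball is sensible, but the spec still fetches it with no integrity check beyond the copy stored in OBS; if upstream publishes a detached signature for the .tar.xz, add `Source1: https://github.com/projectatomic/bubblewrap/releases/download/v%{version}/%{name}-%{version}.tar.xz.asc` and `Source2: %{name}.keyring` so the build service verifies the archive. The removed comment explained why the GitHub archive tarball had been used (the release tarball lacked README.md and autogen.sh); if the release tarball now ships them, a one-line comment saying so would spare the next updater from rediscovering the history.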




commit bubblewrap for openSUSE:Factory

Hello community,

here is the log from the commit of package bubblewrap for openSUSE:Factory 
checked in at 2019-07-08 15:04:47

Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old)
 and  /work/SRC/openSUSE:Factory/.bubblewrap.new.4615 (New)


Package is "bubblewrap"

Mon Jul  8 15:04:47 2019 rev:9 rq:713457 version:0.3.3

Changes:

--- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes2019-06-04 
12:09:11.779883557 +0200
+++ /work/SRC/openSUSE:Factory/.bubblewrap.new.4615/bubblewrap.changes  
2019-07-08 15:04:48.662878022 +0200
@@ -1,0 +2,5 @@
+Fri Jun  7 14:38:21 UTC 2019 - Antonio Larrosa 
+
+- Use /bin/bash instead of /usr/bin/bash in SLE12
+
+---



Other differences:
--
++ bubblewrap.spec ++
--- /var/tmp/diff_new_pack.3p0W9M/_old  2019-07-08 15:04:49.474879249 +0200
+++ /var/tmp/diff_new_pack.3p0W9M/_new  2019-07-08 15:04:49.474879249 +0200
@@ -43,7 +43,12 @@
 %prep
 %autosetup -n %{name}-%{version}
 sed -i '1d' completions/bash/bwrap
+%if 0%{?suse_version} < 1500
+sed -i '1s,/usr/bin/env bash,/bin/bash,' demos/bubblewrap-shell.sh
+sed -i '1s/env //' demos/userns-block-fd.py
+%else
 sed -i '1s/env //' demos/bubblewrap-shell.sh demos/userns-block-fd.py
+%endif
 
 %build
 env NOCONFIGURE=1 ./autogen.sh




commit bubblewrap for openSUSE:Factory

Hello community,

here is the log from the commit of package bubblewrap for openSUSE:Factory 
checked in at 2017-09-21 12:32:46

Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old)
 and  /work/SRC/openSUSE:Factory/.bubblewrap.new (New)


Package is "bubblewrap"

Thu Sep 21 12:32:46 2017 rev:3 rq:527016 version:0.1.8

Changes:

--- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes2017-07-17 
09:11:33.312582144 +0200
+++ /work/SRC/openSUSE:Factory/.bubblewrap.new/bubblewrap.changes   
2017-09-21 12:32:47.996533808 +0200
@@ -1,0 +2,5 @@
+Mon Sep 18 12:39:54 UTC 2017 - sebix+novell@sebix.at
+
+- add group
+
+---



Other differences:
--
++ bubblewrap.spec ++
--- /var/tmp/diff_new_pack.YNTvJy/_old  2017-09-21 12:32:49.024389162 +0200
+++ /var/tmp/diff_new_pack.YNTvJy/_new  2017-09-21 12:32:49.028388599 +0200
@@ -18,9 +18,10 @@
 
 Name:   bubblewrap
 Version:0.1.8
-Release:1%{?dist}
+Release:0
 Summary:Core execution tool for unprivileged containers
 License:LGPL-2.0+
+Group:  Productivity/Security
 Url:https://github.com/projectatomic/bubblewrap
 Source: 
https://github.com/projectatomic/bubblewrap/archive/v%{version}.tar.gz
 # Does not have README.md and autogen.sh included -> unusable
@@ -56,7 +57,6 @@
 find %{buildroot} -type f -name "*.la" -delete -print
 
 %files
-%defattr(-,root,root)
 %license COPYING
 %doc README.md
 %dir %{_datadir}/bash-completion




commit bubblewrap for openSUSE:Factory

Hello community,

here is the log from the commit of package bubblewrap for openSUSE:Factory 
checked in at 2017-10-13 14:09:16

Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old)
 and  /work/SRC/openSUSE:Factory/.bubblewrap.new (New)


Package is "bubblewrap"

Fri Oct 13 14:09:16 2017 rev:4 rq:532853 version:0.2.0

Changes:

--- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes2017-09-21 
12:32:47.996533808 +0200
+++ /work/SRC/openSUSE:Factory/.bubblewrap.new/bubblewrap.changes   
2017-10-13 14:09:17.578155078 +0200
@@ -1,0 +2,17 @@
+Mon Oct  9 17:53:37 UTC 2017 - sebix+novell@sebix.at
+
+- update to version 0.2.0
+ - bwrap now automatically detects the new
+   user namespace restrictions in Red Hat Enterprise Linux 7.4:
+   bubblewrap: check for max_user_namespaces == 0.
+ - The most notable features are new arguments --as-pid1, and
+   --cap-add/--cap-drop. These were added for running systemd (or in general a
+   "full" init system) inside bubblewrap. But the capability options are also
+   useful for unprivileged callers to potentially retain capbilities inside the
+   sandbox (for example CAP_NET_ADMIN), when user namespaces are enabled.
+   Conversely, privileged callers (uid 0) can conversely drop capabilities 
(without
+   user namespaces). Contributed by Giuseppe Scrivano.
+ - With --dev, add /dev/fd and /dev/core symlinks
+   which should improve compatibility with older software.
+
+---

Old:

  v0.1.8.tar.gz

New:

  v0.2.0.tar.gz



Other differences:
--
++ bubblewrap.spec ++
--- /var/tmp/diff_new_pack.oNiZK5/_old  2017-10-13 14:09:18.454116559 +0200
+++ /var/tmp/diff_new_pack.oNiZK5/_new  2017-10-13 14:09:18.458116383 +0200
@@ -17,7 +17,7 @@
 
 
 Name:   bubblewrap
-Version:0.1.8
+Version:0.2.0
 Release:0
 Summary:Core execution tool for unprivileged containers
 License:LGPL-2.0+

++ v0.1.8.tar.gz -> v0.2.0.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.1.8/.papr.yml 
new/bubblewrap-0.2.0/.papr.yml
--- old/bubblewrap-0.1.8/.papr.yml  1970-01-01 01:00:00.0 +0100
+++ new/bubblewrap-0.2.0/.papr.yml  2017-10-09 16:11:41.0 +0200
@@ -0,0 +1,28 @@
+context: centos7
+required: true
+
+branches:
+- master
+- auto
+- try
+
+host:
+distro: centos/7/atomic
+
+tests:
+  - env BWRAP_SUID=true ./ci/papr.sh centos:7
+
+timeout: 30m
+
+---
+
+inherit: true
+
+host:
+distro: fedora/26/atomic
+
+context: f26-sanitizer
+required: true
+
+tests:
+  - env CFLAGS='-g -Og -fsanitize=undefined -fsanitize=address -O2 
-Wp,-D_FORTIFY_SOURCE=2' ./ci/papr.sh registry.fedoraproject.org/fedora:26
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.1.8/.redhat-ci.yml 
new/bubblewrap-0.2.0/.redhat-ci.yml
--- old/bubblewrap-0.1.8/.redhat-ci.yml 2017-03-28 16:26:53.0 +0200
+++ new/bubblewrap-0.2.0/.redhat-ci.yml 1970-01-01 01:00:00.0 +0100
@@ -1,25 +0,0 @@
-context: centos7
-required: true
-
-branches:
-- master
-- auto
-- try
-
-host:
-distro: centos/7/atomic
-
-tests:
-  - env BWRAP_SUID=true ./ci/redhat-ci.sh centos:7
-
-timeout: 30m
-

-
-inherit: true
-
-context: f25-asan-ubsan
-required: true
-
-tests:
-  - env CFLAGS='-g -Og -fsanitize=undefined -fsanitize=address' 
./ci/redhat-ci.sh fedora:25
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.1.8/Makefile.am 
new/bubblewrap-0.2.0/Makefile.am
--- old/bubblewrap-0.1.8/Makefile.am2017-03-28 16:26:53.0 +0200
+++ new/bubblewrap-0.2.0/Makefile.am2017-10-09 16:11:41.0 +0200
@@ -29,10 +29,13 @@
 
 include Makefile-docs.am
 
+LOG_DRIVER = env AM_TAP_AWK='$(AWK)' $(SHELL) 
$(top_srcdir)/build-aux/tap-driver.sh
+LOG_COMPILER =
 TESTS = tests/test-run.sh
 TESTS_ENVIRONMENT = BWRAP=$(abs_top_builddir)/test-bwrap
 
 EXTRA_DIST += $(TESTS)
+EXTRA_DIST += tests/libtest-core.sh
 
 if ENABLE_BASH_COMPLETION
 bashcompletiondir = $(BASH_COMPLETION_DIR)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.1.8/README.md 
new/bubblewrap-0.2.0/README.md
--- old/bubblewrap-0.1.8/README.md  2017-03-28 16:26:53.0 +0200
+++ new/bubblewrap-0.2.0/README.md  2017-10-09 16:11:41.0 +0200
@@ -55,6 +55,7 @@
 
  - [Flatpak](http://www.flatpak.org)
  - [rpm-ostree 
unprivileged](https://github.com/projectatomic/rpm-ostree/pull/209)
+ - [bwrap-oci](https://github.com/projectatomic/bwrap-oci)
 
 We would also like to see this be available in Kubernetes/Ope

commit bubblewrap for openSUSE:Factory

Hello community,

here is the log from the commit of package bubblewrap for openSUSE:Factory 
checked in at 2019-12-28 13:40:14

Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old)
 and  /work/SRC/openSUSE:Factory/.bubblewrap.new.6675 (New)


Package is "bubblewrap"

Sat Dec 28 13:40:14 2019 rev:10 rq:759115 version:0.4.0

Changes:

--- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes2019-07-08 
15:04:48.662878022 +0200
+++ /work/SRC/openSUSE:Factory/.bubblewrap.new.6675/bubblewrap.changes  
2019-12-28 13:40:18.562926637 +0100
@@ -1,0 +2,12 @@
+Fri Dec 20 22:59:52 UTC 2019 - Bjørn Lie 
+
+- Update to version 0.4.0:
+  + The biggest feature in this release is the support for joining
+existing user and pid namespaces. This doesn't work in the
+setuid mode (at the moment).
+  + Other changes:
+- Stores namespace info in status json.
+- In setuid mode pid 1 is now marked dumpable.
+- Now builds with musl libc.
+
+---

Old:

  bubblewrap-0.3.3.tar.xz

New:

  bubblewrap-0.4.0.tar.xz



Other differences:
--
++ bubblewrap.spec ++
--- /var/tmp/diff_new_pack.Zz5AcS/_old  2019-12-28 13:40:19.898927311 +0100
+++ /var/tmp/diff_new_pack.Zz5AcS/_new  2019-12-28 13:40:19.934927329 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package bubblewrap
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,13 +17,13 @@
 
 
 Name:   bubblewrap
-Version:0.3.3
+Version:0.4.0
 Release:0
 Summary:Core execution tool for unprivileged containers
 License:LGPL-2.0-or-later
 Group:  Productivity/Security
-Url:https://github.com/projectatomic/bubblewrap
-Source0:
https://github.com/projectatomic/bubblewrap/releases/download/v%{version}/%{name}-%{version}.tar.xz
+URL:https://github.com/projectatomic/bubblewrap
+Source0:%{url}/releases/download/v%{version}/%{name}-%{version}.tar.xz
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  docbook-xsl-stylesheets
@@ -41,7 +41,7 @@
 user namespaces.
 
 %prep
-%autosetup -n %{name}-%{version}
+%autosetup -p1 -n %{name}-%{version}
 sed -i '1d' completions/bash/bwrap
 %if 0%{?suse_version} < 1500
 sed -i '1s,/usr/bin/env bash,/bin/bash,' demos/bubblewrap-shell.sh

++ bubblewrap-0.3.3.tar.xz -> bubblewrap-0.4.0.tar.xz ++
 15274 lines of diff (skipped)
retrying with extended exclude list
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/bubblewrap-0.3.3/bubblewrap.c new/bubblewrap-0.4.0/bubblewrap.c
--- old/bubblewrap-0.3.3/bubblewrap.c   2019-05-01 10:44:10.0 +0200
+++ new/bubblewrap-0.4.0/bubblewrap.c   2019-11-27 13:34:31.0 +0100
@@ -42,6 +42,15 @@
 #define CLONE_NEWCGROUP 0x0200 /* New cgroup namespace */
 #endif
 
+#ifndef TEMP_FAILURE_RETRY
+#define TEMP_FAILURE_RETRY(expression) \
+  (__extension__  \
+({ long int __result; \
+   do __result = (long int) (expression); \
+   while (__result == -1L && errno == EINTR); \
+   __result; }))
+#endif
+
 /* Globals to avoid having to use getuid(), since the uid/gid changes during 
runtime */
 static uid_t real_uid;
 static gid_t real_gid;
@@ -77,10 +86,34 @@
 int opt_seccomp_fd = -1;
 const char *opt_sandbox_hostname = NULL;
 char *opt_args_data = NULL;  /* owned */
+int opt_userns_fd = -1;
+int opt_userns2_fd = -1;
+int opt_pidns_fd = -1;
 
 #define CAP_TO_MASK_0(x) (1L << ((x) & 31))
 #define CAP_TO_MASK_1(x) CAP_TO_MASK_0(x - 32)
 
+typedef struct _NsInfo NsInfo;
+
+struct _NsInfo {
+  const char *name;
+  bool   *do_unshare;
+  ino_t   id;
+};
+
+static NsInfo ns_infos[] = {
+  {"cgroup", &opt_unshare_cgroup, 0},
+  {"ipc",&opt_unshare_ipc,0},
+  {"mnt",NULL,0},
+  {"net",&opt_unshare_net,0},
+  {"pid",&opt_unshare_pid,0},
+  /* user namespace info omitted because it
+   * is not (yet) valid when we obtain the
+   * namespace info (get un-shared later) */
+  {"uts",&opt_unshare_uts,0},
+  {NULL, NULL,0}
+};
+
 typedef enum {
   SETUP_BIND_MOUNT,
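Review bot: `struct _NsInfo` and the `ns_infos` table have no comment saying what `id` holds, who fills it in, or why the `mnt` row alone has a NULL `do_unshare`; only the user-namespace omission is explained. Suggest a header comment above the struct along the lines of `/* Per-namespace bookkeeping for the status JSON: name is the /proc/PID/ns entry, do_unshare points at the matching opt_unshare_* flag (NULL for mnt), id is filled in later. */`, with the meaning of `id` (presumably the namespace inode read from /proc/PID/ns/<name>) and the reason `mnt` has no flag confirmed against the code that populates the table before they are stated as fact.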

commit bubblewrap for openSUSE:Factory

Hello community,

here is the log from the commit of package bubblewrap for openSUSE:Factory 
checked in at 2018-07-22 23:03:30

Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old)
 and  /work/SRC/openSUSE:Factory/.bubblewrap.new (New)


Package is "bubblewrap"

Sun Jul 22 23:03:30 2018 rev:6 rq:624477 version:0.3.0

Changes:

--- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes2018-05-30 
12:11:44.234907268 +0200
+++ /work/SRC/openSUSE:Factory/.bubblewrap.new/bubblewrap.changes   
2018-07-22 23:03:32.780945917 +0200
@@ -1,0 +2,6 @@
+Sat Jul 14 20:06:50 UTC 2018 - sebix+novell@sebix.at
+
+- update to version 0.3.0:
+ * no upstream changelog available
+
+---

Old:

  v0.2.1.tar.gz

New:

  v0.3.0.tar.gz



Other differences:
--
++ bubblewrap.spec ++
--- /var/tmp/diff_new_pack.uoNXtd/_old  2018-07-22 23:03:33.544945634 +0200
+++ /var/tmp/diff_new_pack.uoNXtd/_new  2018-07-22 23:03:33.548945633 +0200
@@ -17,7 +17,7 @@
 
 
 Name:   bubblewrap
-Version:0.2.1
+Version:0.3.0
 Release:0
 Summary:Core execution tool for unprivileged containers
 License:LGPL-2.0-or-later

++ v0.2.1.tar.gz -> v0.3.0.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.2.1/.papr.yml 
new/bubblewrap-0.3.0/.papr.yml
--- old/bubblewrap-0.2.1/.papr.yml  2018-04-06 17:06:15.0 +0200
+++ new/bubblewrap-0.3.0/.papr.yml  2018-07-11 17:32:00.0 +0200
@@ -19,10 +19,10 @@
 inherit: true
 
 host:
-distro: fedora/26/atomic
+distro: fedora/27/atomic
 
-context: f26-sanitizer
+context: f27-sanitizer
 required: true
 
 tests:
-  - env CFLAGS='-g -Og -fsanitize=undefined -fsanitize=address -O2 
-Wp,-D_FORTIFY_SOURCE=2' ./ci/papr.sh registry.fedoraproject.org/fedora:26
+  - env CFLAGS='-g -Og -fsanitize=undefined -fsanitize=address -O2 
-Wp,-D_FORTIFY_SOURCE=2' ./ci/papr.sh registry.fedoraproject.org/fedora:27
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.2.1/bubblewrap.c 
new/bubblewrap-0.3.0/bubblewrap.c
--- old/bubblewrap-0.2.1/bubblewrap.c   2018-04-06 17:06:15.0 +0200
+++ new/bubblewrap-0.3.0/bubblewrap.c   2018-07-11 17:32:00.0 +0200
@@ -182,7 +182,7 @@
 static void
 usage (int ecode, FILE *out)
 {
-  fprintf (out, "usage: %s [OPTIONS...] COMMAND [ARGS...]\n\n", argv0);
+  fprintf (out, "usage: %s [OPTIONS...] [--] COMMAND [ARGS...]\n\n", argv0);
 
   fprintf (out,
"--help   Print this help\n"
@@ -316,7 +316,7 @@
  * the exit status via a eventfd. We also track the exit of the sandbox
  * pid 1 via a signalfd for SIGCHLD, and exit with an error in this case.
  * This is to catch e.g. problems during setup. */
-static void
+static int
 monitor_child (int event_fd, pid_t child_pid)
 {
   int res;
@@ -368,7 +368,7 @@
   if (s == -1 && errno != EINTR && errno != EAGAIN)
 die_with_error ("read eventfd");
   else if (s == 8)
-exit ((int) val - 1);
+return ((int) val - 1);
 }
 
   /* We need to read the signal_fd, or it will keep polling as read,
@@ -385,9 +385,13 @@
   /* We may be getting sigchild from other children too. For instance 
if
  someone created a child process, and then exec:ed bubblewrap. 
Ignore them */
   if (died_pid == child_pid)
-exit (propagate_exit_status (died_status));
+return propagate_exit_status (died_status);
 }
 }
+
+  die ("Should not be reached");
+
+  return 0;
 }
 
 /* This is pid 1 in the app sandbox. It is needed because we're using
@@ -1025,9 +1029,15 @@
   for (i = 0; i < N_ELEMENTS (cover_proc_dirs); i++)
 {
   cleanup_free char *subdir = strconcat3 (dest, "/", 
cover_proc_dirs[i]);
-  /* Some of these may not exist */
-  if (get_file_mode (subdir) == -1)
-continue;
+  if (access (subdir, W_OK) < 0)
+{
+  /* The file is already read-only or doesn't exist.  */
+  if (errno == EACCES || errno == ENOENT)
+continue;
+
+  die_with_error ("Can't access %s", subdir);
+}
+
   privileged_op (privileged_op_socket,
  PRIV_SEP_OP_BIND_MOUNT, BIND_READONLY,
  subdir, subdir);
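Review bot: The comment `/* The file is already read-only or doesn't exist.  */` does not match the errno test under it: access(2) reports write access on a read-only filesystem as EROFS, not EACCES, so a /proc that is already mounted read-only would fall through to `die_with_error ("Can't access %s", subdir)` instead of being skipped; change the test to `if (errno == EACCES || errno == ENOENT || errno == EROFS)`. EACCES itself only says the real uid cannot write the entry, which is weaker than "already read-only" — either reword the comment to say so or note explicitly that the read-only remount is intentionally skipped for entries the caller could not write anyway. The enclosing function starts and ends outside this hunk.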
@@ -1885,6 +1895,12 @@
   argv += 1;
   argc -= 1;
 }
+  else if (strcmp (arg, "--") == 0)
+{
+  argv += 1;
+  argc -= 1;
+  b

commit bubblewrap for openSUSE:Factory

Hello community,

here is the log from the commit of package bubblewrap for openSUSE:Factory 
checked in at 2018-10-25 08:10:49

Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old)
 and  /work/SRC/openSUSE:Factory/.bubblewrap.new (New)


Package is "bubblewrap"

Thu Oct 25 08:10:49 2018 rev:7 rq:641812 version:0.3.1

Changes:

--- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes2018-07-22 
23:03:32.780945917 +0200
+++ /work/SRC/openSUSE:Factory/.bubblewrap.new/bubblewrap.changes   
2018-10-25 08:10:52.376245754 +0200
@@ -1,0 +2,12 @@
+Thu Oct 11 16:41:12 UTC 2018 - Antonio Larrosa  - 0.3.1
+
+- update to version 0.3.1:
+  * New feature in this release is --bind-try (as well as --dev-bind-try
+and --ro-bind-try) which works like the regular versions if the source
+exists, but does nothing if it doesn't exist.
+
+  * The mount type for the root tmpfs was also changed to "tmpfs" instead
+of being empty, as the later could cause problems with some programs
+when parsing the mountinfo files in /proc.
+
+---
@@ -5 +17,16 @@
- * no upstream changelog available
+  * The biggest feature from this release is that bwrap
+now supports being invoked recursively (from other container
+runtimes such as Docker/podman/runc as well as bwrap itself)
+when user namespaces are enabled, and the outer container manager
+allows it (Docker's default seccomp policy doesn't).
+
+  * This is useful for testing scenarios; for example a project
+uses Kubernetes for its CI, but inside build the project wants to run
+each unit test in their own pid namespace, without going out
+and creating a new pod for every single unit test.
+
+  * Similarly, rpm-ostree compose tree uses bwrap internally for scripts,
+and we want to support running rpm-ostree inside a container as well.
+
+  * Another feature is bwrap now supports -- to terminate argument
+parsing. To detect availablity of this, you could parse bwrap --version.

Old:

  v0.3.0.tar.gz

New:

  v0.3.1.tar.gz



Other differences:
--
++ bubblewrap.spec ++
--- /var/tmp/diff_new_pack.Ovcqfs/_old  2018-10-25 08:10:52.872245429 +0200
+++ /var/tmp/diff_new_pack.Ovcqfs/_new  2018-10-25 08:10:52.876245426 +0200
@@ -12,12 +12,12 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
 Name:   bubblewrap
-Version:0.3.0
+Version:0.3.1
 Release:0
 Summary:Core execution tool for unprivileged containers
 License:LGPL-2.0-or-later

++ v0.3.0.tar.gz -> v0.3.1.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.3.0/bubblewrap.c 
new/bubblewrap-0.3.1/bubblewrap.c
--- old/bubblewrap-0.3.0/bubblewrap.c   2018-07-11 17:32:00.0 +0200
+++ new/bubblewrap-0.3.1/bubblewrap.c   2018-08-09 15:34:51.0 +0200
@@ -99,6 +99,7 @@
 
 typedef enum {
   NO_CREATE_DEST = (1 << 0),
+  ALLOW_NOTEXIST = (2 << 0),
 } SetupOpFlag;
 
 typedef struct _SetupOp SetupOp;
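Review bot: `ALLOW_NOTEXIST = (2 << 0)` yields the intended bit but breaks the `(1 << n)` convention the line above establishes, and a third flag written in the same spirit, `(3 << 0)`, would overlap both existing bits. Write it as `ALLOW_NOTEXIST = (1 << 1),` so each flag visibly occupies its own bit.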
@@ -207,8 +208,11 @@
"--lock-file DEST Take a lock on DEST while sandbox 
is running\n"
"--sync-fd FD Keep this fd open while sandbox 
is running\n"
"--bind SRC DEST  Bind mount the host path SRC on 
DEST\n"
+   "--bind-try SRC DEST  Equal to --bind but ignores 
non-existant SRC\n"
"--dev-bind SRC DEST  Bind mount the host path SRC on 
DEST, allowing device access\n"
+   "--dev-bind-try SRC DEST  Equal to --dev-bind but ignores 
non-existant SRC\n"
"--ro-bind SRC DEST   Bind mount the host path SRC 
readonly on DEST\n"
+   "--ro-bind-try SRC DEST   Equal to --ro-bind but ignores 
non-existant SRC\n"
"--remount-ro DESTRemount DEST as readonly; does 
not recursively remount\n"
"--exec-label LABEL   Exec label for the sandbox\n"
"--file-label LABEL   File label for temporary sandbox 
content\n"
@@ -966,7 +970,11 @@
   source = get_oldroot_path (op->source);
   source_mode = get_file_mode (source);
   if (source_mode < 0)
-die_with_error ("Can't get type of source %s", op->source);
+{
+  if (op->flags & ALLOW_NOTEXIST && errno == ENOENT)
+continue; /* Ignore and move on */
+  die_with_error("Can't get