Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package bubblewrap for openSUSE:Factory checked in at 2022-05-20 17:50:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old) and /work/SRC/openSUSE:Factory/.bubblewrap.new.1538 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "bubblewrap"
Fri May 20 17:50:06 2022 rev:14 rq:977941 version:0.6.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes 2022-03-14 19:37:03.250125505 +0100
+++ /work/SRC/openSUSE:Factory/.bubblewrap.new.1538/bubblewrap.changes 2022-05-20 17:50:06.703192922 +0200
@@ -1,0 +2,21 @@
+Wed May 18 12:43:26 UTC 2022 - Dominique Leuenberger <dims...@opensuse.org>
+
+- Update to version 0.6.2:
+ + New features in Meson build:
+ - Auto-detect whether the man page can be generated.
+ - -Dbwrapdir=... changes the installation directory (useful
+ when being used as a subproject).
+ - -Dtests=false disables unit tests.
+ + Bug fixes:
+ - Add --add-seccomp-fd to shell completions
+ - Document --add-seccomp-fd, --json-status-fd and --share-net
+ in the man page
+ - Add attributes to silence various compiler warnings
+ - Allow compilation of tests with musl on mips architectures
+ - Allow compilation with older glibc
+ - Disable sanitizers for a test helper whose seccomp profile
+ breaks the instrumentation
+ - Disable AddressSanitizer leak detection where it interferes
+ with unit testing
+
+-------------------------------------------------------------------
Old:
----
bubblewrap-0.6.1.tar.xz
New:
----
bubblewrap-0.6.2.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ bubblewrap.spec ++++++
--- /var/tmp/diff_new_pack.9G4qtx/_old 2022-05-20 17:50:07.231193395 +0200
+++ /var/tmp/diff_new_pack.9G4qtx/_new 2022-05-20 17:50:07.239193402 +0200
@@ -17,7 +17,7 @@ Name: bubblewrap -Version: 0.6.1 +Version: 0.6.2 Release: 0 Summary: Core execution tool for unprivileged containers License: LGPL-2.0-or-later ++++++ bubblewrap-0.6.1.tar.xz -> bubblewrap-0.6.2.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.6.1/README.md new/bubblewrap-0.6.2/README.md --- old/bubblewrap-0.6.1/README.md 2022-02-19 15:34:58.000000000 +0100 +++ new/bubblewrap-0.6.2/README.md 2022-04-21 11:03:06.000000000 +0200 @@ -31,7 +31,7 @@ above CVE, bubblewrap does not allow control over iptables. The original bubblewrap code existed before user namespaces - it inherits code from -[xdg-app helper](https://cgit.freedesktop.org/xdg-app/xdg-app/tree/common/xdg-app-helper.c) +[xdg-app helper](https://cgit.freedesktop.org/xdg-app/xdg-app/tree/common/xdg-app-helper.c?id=4c3bf179e2e4a2a298cd1db1d045adaf3f564532) which in turn distantly derives from [linux-user-chroot](https://git.gnome.org/browse/linux-user-chroot). @@ -62,6 +62,30 @@ features would make it significantly easier to do interactive debugging scenarios and the like. +Installation +------------ + +bubblewrap is available in the package repositories of the most Linux distributions +and can be installed from there. + +If you need to build bubblewrap from source, you can do this with meson or autotools. + +meson: + +``` +meson _builddir +meson compile -C _builddir +meson install -C _builddir +``` + +autotools: + +``` +./autogen.sh +make +sudo make install +``` + Usage ----- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.6.1/bubblewrap.c new/bubblewrap-0.6.2/bubblewrap.c --- old/bubblewrap-0.6.1/bubblewrap.c 2022-02-19 15:34:58.000000000 +0100 +++ new/bubblewrap-0.6.2/bubblewrap.c 2022-05-11 15:54:47.000000000 +0200 
@@ -330,7 +330,7 @@
 " --ro-bind-data FD DEST Copy from FD to file which is readonly bind-mounted on DEST\n"
 " --symlink SRC DEST Create symlink at DEST with target SRC\n"
 " --seccomp FD Load and use seccomp rules from FD (not repeatable)\n"
- " --add-seccomp FD Load and use seccomp rules from FD (repeatable)\n"
+ " --add-seccomp-fd FD Load and use seccomp rules from FD (repeatable)\n"
 " --block-fd FD Block on FD until some data to read is available\n"
 " --userns-block-fd FD Block on FD until the user namespace is ready\n"
 " --info-fd FD Write information about the running container to FD\n"
@@ -2552,7 +2552,7 @@
 struct stat sbuf;
 uint64_t val;
 int res UNUSED;
- cleanup_free char *args_data = NULL;
+ cleanup_free char *args_data UNUSED = NULL;
 int intermediate_pids_sockets[2] = {-1, -1};
 
 /* Handle --version early on before we try to acquire/drop
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.6.1/bwrap.xml new/bubblewrap-0.6.2/bwrap.xml
--- old/bubblewrap-0.6.1/bwrap.xml 2022-02-18 11:12:04.000000000 +0100
+++ new/bubblewrap-0.6.2/bwrap.xml 2022-04-23 18:42:39.000000000 +0200
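Review bot: The new help line for `--add-seccomp-fd` reads exactly like the `--seccomp` line above it apart from "(repeatable)", so it does not tell the user what repeating it means — whether a later filter replaces or adds to the earlier ones. If, as with stacked seccomp filters in general, every loaded filter stays in force, a short addition such as `" --add-seccomp-fd FD Load and use seccomp rules from FD (repeatable; all loaded filters apply)\n"` would remove that ambiguity at the point where users read it. This is the usage string inside a larger function whose start and end lie outside the hunk.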
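Review bot: `cleanup_free char *args_data UNUSED = NULL;` marks a variable as unused while still attaching a cleanup attribute to it, and nothing nearby explains the combination; the likely reason — it is assigned but never read, existing only so `cleanup_free` releases the buffer when the function returns — is inferred from the attributes, not visible in the hunk. A one-line comment would spare the next reader the puzzle, e.g. `/* Assigned but never read: exists so cleanup_free frees the buffer on return; UNUSED silences -Wunused-but-set-variable. */`. The enclosing function starts and ends outside the hunk.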
@@ -131,6 +131,10 @@
 <listitem><para>Unshare all possible namespaces. Currently equivalent with: <option>--unshare-user-try</option> <option>--unshare-ipc</option> <option>--unshare-pid</option> <option>--unshare-net</option> <option>--unshare-uts</option> <option>--unshare-cgroup-try</option></para></listitem>
 </varlistentry>
 <varlistentry>
+ <term><option>--share-net</option></term>
+ <listitem><para>Retain the network namespace, overriding an earlier <option>--unshare-all</option> or <option>--unshare-net</option></para></listitem>
+ </varlistentry>
+ <varlistentry>
 <term><option>--userns <arg choice="plain">FD</arg></option></term>
 <listitem><para>Use an existing user namespace instead of creating a new one. The namespace must fulfil the permission requirements for setns(), which generally means that it must be a descendant of the currently active user namespace, owned by the same user. </para>
 <para>This is incompatible with --unshare-user, and doesn't work in the setuid version of bubblewrap.</para></listitem>
@@ -382,6 +386,28 @@
 </para></listitem>
 </varlistentry>
 <varlistentry>
+ <term><option>--json-status-fd <arg choice="plain">FD</arg></option></term>
+ <listitem><para>
+ Multiple JSON documents are written to <arg choice="plain">FD</arg>,
+ one per line (<ulink url="https://jsonlines.org/">"JSON lines" format</ulink>).
+ Each line is a single JSON object.
+ After <command>bwrap</command> has started the child process inside the sandbox,
+ it writes an object with a <literal>child-pid</literal> member to the
+ <option>--json-status-fd</option> (this duplicates the older <option>--info-fd</option>).
+ The corresponding value is the process ID of the child process in the pid namespace from
+ which <command>bwrap</command> was run.
+ If available, the namespace IDs are also included in the object with the <literal>child-pid</literal>;
+ again, this duplicates the older <option>--info-fd</option>.
+ When the child process inside the sandbox exits, <command>bwrap</command> writes an object
+ with an exit-code member, and then closes the <option>--json-status-fd</option>. The value
+ corresponding to <literal>exit-code</literal> is the exit status of the child, in the usual
+ shell encoding (n if it exited normally with status n, or 128+n if it was killed by signal n).
+ Other members may be added to those objects in future versions of <command>bwrap</command>,
+ and other JSON objects may be added before or after the current objects, so readers must
+ ignore members and objects that they do not understand.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
 <term><option>--new-session</option></term>
 <listitem><para>
 Create a new terminal session for the sandbox (calls setsid()).
This diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.6.1/completions/bash/bwrap new/bubblewrap-0.6.2/completions/bash/bwrap --- old/bubblewrap-0.6.1/completions/bash/bwrap 2022-01-31 18:19:17.000000000 +0100 +++ new/bubblewrap-0.6.2/completions/bash/bwrap 2022-04-21 11:02:36.000000000 +0200 @@ -28,6 +28,7 @@ # Please keep sorted in LC_ALL=C order local options_with_args=" $boolean_optons + --add-seccomp-fd --args --bind --bind-data diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.6.1/completions/zsh/_bwrap new/bubblewrap-0.6.2/completions/zsh/_bwrap --- old/bubblewrap-0.6.1/completions/zsh/_bwrap 2022-02-25 18:41:35.000000000 +0100 +++ new/bubblewrap-0.6.2/completions/zsh/_bwrap 2022-04-21 11:02:36.000000000 +0200 @@ -14,6 +14,7 @@ $_bwrap_args_after_perms # Please sort alphabetically (in LC_ALL=C order) by option name + '--add-seccomp-fd[Load and use seccomp rules from FD]: :_guard "[0-9]#" "file descriptor to read seccomp rules from"' '--args[Parse NUL-separated args from FD]: :_guard "[0-9]#" "file descriptor with NUL-separated arguments"' '--as-pid-1[Do not install a reaper process with PID=1]' '--bind-try[Equal to --bind but ignores non-existent SRC]:source:_files:destination:_files' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.6.1/configure new/bubblewrap-0.6.2/configure --- old/bubblewrap-0.6.1/configure 2022-02-25 18:44:28.000000000 +0100 +++ new/bubblewrap-0.6.2/configure 2022-05-11 16:05:52.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for bubblewrap 0.6.1. +# Generated by GNU Autoconf 2.71 for bubblewrap 0.6.2. # # Report bugs to <atomic-de...@projectatomic.io>. # 
@@ -610,8 +610,8 @@ # Identity of this package. PACKAGE_NAME='bubblewrap' PACKAGE_TARNAME='bubblewrap' -PACKAGE_VERSION='0.6.1' -PACKAGE_STRING='bubblewrap 0.6.1' +PACKAGE_VERSION='0.6.2' +PACKAGE_STRING='bubblewrap 0.6.2' PACKAGE_BUGREPORT='atomic-de...@projectatomic.io' PACKAGE_URL='' @@ -1344,7 +1344,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures bubblewrap 0.6.1 to adapt to many kinds of systems. +\`configure' configures bubblewrap 0.6.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1411,7 +1411,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of bubblewrap 0.6.1:";; + short | recursive ) echo "Configuration of bubblewrap 0.6.2:";; esac cat <<\_ACEOF @@ -1542,7 +1542,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -bubblewrap configure 0.6.1 +bubblewrap configure 0.6.2 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. @@ -1698,7 +1698,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by bubblewrap $as_me 0.6.1, which was +It was created by bubblewrap $as_me 0.6.2, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -4266,7 +4266,7 @@ # Define the identity of the package. PACKAGE='bubblewrap' - VERSION='0.6.1' + VERSION='0.6.2' # Some tools Automake needs. @@ -6947,7 +6947,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by bubblewrap $as_me 0.6.1, which was +This file was extended by bubblewrap $as_me 0.6.2, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -7015,7 +7015,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-bubblewrap config.status 0.6.1
+bubblewrap config.status 0.6.2
 configured by $0, generated by GNU Autoconf 2.71,
 with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.6.1/configure.ac new/bubblewrap-0.6.2/configure.ac
--- old/bubblewrap-0.6.1/configure.ac 2022-02-25 18:43:32.000000000 +0100
+++ new/bubblewrap-0.6.2/configure.ac 2022-05-11 16:05:17.000000000 +0200
@@ -1,5 +1,5 @@
 AC_PREREQ([2.63])
-AC_INIT([bubblewrap], [0.6.1], [atomic-de...@projectatomic.io])
+AC_INIT([bubblewrap], [0.6.2], [atomic-de...@projectatomic.io])
 AC_CONFIG_HEADER([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_AUX_DIR([build-aux])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.6.1/meson.build new/bubblewrap-0.6.2/meson.build
--- old/bubblewrap-0.6.1/meson.build 2022-02-25 18:43:37.000000000 +0100
+++ new/bubblewrap-0.6.2/meson.build 2022-05-11 16:05:25.000000000 +0200
@@ -1,7 +1,7 @@
 project(
 'bubblewrap',
 'c',
- version : '0.6.1',
+ version : '0.6.2',
 meson_version : '>=0.49.0',
 default_options : [
 'warning_level=2',
@@ -101,12 +101,14 @@
 configuration : cdata,
 )
 
-if meson.is_subproject()
- bwrapdir = get_option('libexecdir')
+if meson.is_subproject() and get_option('program_prefix') == ''
+ error('program_prefix option must be set when bwrap is a subproject')
+endif
 
- if get_option('program_prefix') == ''
- error('program_prefix option must be set when bwrap is a subproject')
- endif
+if get_option('bwrapdir') != ''
+ bwrapdir = get_option('bwrapdir')
+elif meson.is_subproject()
+ bwrapdir = get_option('libexecdir')
 else
 bwrapdir = get_option('bindir')
 endif
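Review bot: The rewritten `bwrapdir` selection in the last hunk keeps the `program_prefix` requirement for every subproject even when the superproject passes `-Dbwrapdir`, and nothing in the hunk says whether that is deliberate; a superproject installing into its own private directory would presumably not need a prefixed binary name. If it is intentional (for instance to keep a subproject build from shadowing a system `bwrap`), a comment above the check such as `# A subproject must prefix the binary even when -Dbwrapdir is set` would make that clear; if not, the condition could become `if meson.is_subproject() and get_option('bwrapdir') == '' and get_option('program_prefix') == ''`. Either way, documenting the decision next to the `error()` call is cheaper than re-deriving it the next time someone trips over the message.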
@@ -124,9 +126,24 @@ dependencies : [selinux_dep, libcap_dep], ) +manpages_xsl = 'http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl' xsltproc = find_program('xsltproc', required : get_option('man')) +build_man_page = false if xsltproc.found() and not meson.is_subproject() + if run_command([ + xsltproc, '--nonet', manpages_xsl, + ], check : false).returncode() == 0 + message('Docbook XSL found, man page enabled') + build_man_page = true + elif get_option('man').enabled() + error('Man page requested, but Docbook XSL stylesheets not found') + else + message('Docbook XSL not found, man page disabled automatically') + endif +endif + +if build_man_page custom_target( 'bwrap.1', output : 'bwrap.1', @@ -140,7 +157,7 @@ '--stringparam', 'man.authors.section.enabled', '0', '--stringparam', 'man.copyright.section.enabled', '0', '-o', '@OUTPUT@', - 'http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl', + manpages_xsl, '@INPUT@', ], install : true, @@ -152,4 +169,6 @@ subdir('completions') endif -subdir('tests') +if get_option('tests') + subdir('tests') +endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.6.1/meson_options.txt new/bubblewrap-0.6.2/meson_options.txt --- old/bubblewrap-0.6.1/meson_options.txt 2022-02-20 12:38:18.000000000 +0100 +++ new/bubblewrap-0.6.2/meson_options.txt 2022-05-11 12:04:42.000000000 +0200 @@ -11,6 +11,11 @@ value : '', ) option( + 'bwrapdir', + type : 'string', + description : 'install bwrap in this directory [default: bindir, or libexecdir in subprojects]', +) +option( 'man', type : 'feature', description : 'generate man pages', 
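Review bot: The probe in the first hunk runs `xsltproc --nonet` against the `http://docbook.sourceforge.net/...` URL, so it only succeeds when the XML catalog maps that URL to a local copy of the stylesheets, which is the right check; the `custom_target` command that actually produces `bwrap.1` begins outside the hunk, though, and if it does not also pass `--nonet`, a host whose catalog changes between configure and build could silently fetch the stylesheet over plain HTTP. Worth confirming the build command carries `--nonet` as well, and recording the intent beside the probe with `# --nonet: the stylesheet must resolve through the local XML catalog, never be fetched`. The `check : false` plus `returncode() == 0` pattern is appropriate here, since a missing stylesheet is an expected outcome rather than a configure error.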
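Review bot: The new `bwrapdir` option in meson_options.txt has no explicit `value`, whereas the string option immediately above it in the context ends with `value : '',`; Meson's default for a string option is the empty string, so behaviour is identical, but the asymmetry reads as an omission. For consistency with its neighbour, add `value : '',` after the `description` line.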
@@ -39,6 +44,12 @@
 value : 'auto',
 )
 option(
+ 'tests',
+ type : 'boolean',
+ description : 'build tests',
+ value : 'true',
+)
+option(
 'zsh_completion',
 type : 'feature',
 description : 'install zsh completion script',
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.6.1/tests/meson.build new/bubblewrap-0.6.2/tests/meson.build
--- old/bubblewrap-0.6.1/tests/meson.build 2022-02-20 12:42:08.000000000 +0100
+++ new/bubblewrap-0.6.2/tests/meson.build 2022-04-23 18:42:58.000000000 +0200
@@ -12,6 +12,7 @@
 executable(
 'try-syscall',
 'try-syscall.c',
+ override_options: ['b_sanitize=none'],
 )
 
 test_scripts = [
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.6.1/tests/test-specifying-pidns.sh new/bubblewrap-0.6.2/tests/test-specifying-pidns.sh
--- old/bubblewrap-0.6.1/tests/test-specifying-pidns.sh 2022-02-20 12:42:08.000000000 +0100
+++ new/bubblewrap-0.6.2/tests/test-specifying-pidns.sh 2022-04-23 18:42:58.000000000 +0200
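Review bot: `override_options: ['b_sanitize=none']` in the tests/meson.build hunk turns sanitizers off for `try-syscall` without a comment saying why, and a future maintainer may well remove it as an oddity. The package changelog gives the reason — the helper's seccomp profile breaks the sanitizer instrumentation — so record it in place, e.g. `# try-syscall installs a seccomp filter that breaks sanitizer instrumentation; build it uninstrumented`. Keeping the rationale next to the override also makes it obvious that the exception is specific to this one helper and not a template for other test executables.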
@@ -10,14 +10,13 @@ # This test needs user namespaces if test -n "${bwrap_is_suid:-}"; then echo "ok - # SKIP no setuid support for --unshare-user" -elif test -n "${CI_MESON_DIST:-}"; then - echo "not ok - # TODO this test hangs under 'meson dist' during Github Workflow CI" else mkfifo donepipe $RUN --info-fd 42 --unshare-user --unshare-pid sh -c 'readlink /proc/self/ns/pid > sandbox-pidns; cat < donepipe' >/dev/null 42>info.json & while ! test -f sandbox-pidns; do sleep 1; done SANDBOX1PID=$(extract_child_pid info.json) + ASAN_OPTIONS=detect_leaks=0 LSAN_OPTIONS=detect_leaks=0 \ $RUN --userns 11 --pidns 12 readlink /proc/self/ns/pid > sandbox2-pidns 11< /proc/$SANDBOX1PID/ns/user 12< /proc/$SANDBOX1PID/ns/pid echo foo > donepipe diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.6.1/tests/test-utils.c new/bubblewrap-0.6.2/tests/test-utils.c --- old/bubblewrap-0.6.1/tests/test-utils.c 2022-02-20 12:42:08.000000000 +0100 +++ new/bubblewrap-0.6.2/tests/test-utils.c 2022-04-21 11:02:36.000000000 +0200 @@ -25,6 +25,8 @@ /* A small implementation of TAP */ static unsigned int test_number = 0; + +__attribute__((format(printf, 1, 2))) static void ok (const char *format, ...) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.6.1/tests/try-syscall.c new/bubblewrap-0.6.2/tests/try-syscall.c --- old/bubblewrap-0.6.1/tests/try-syscall.c 2022-02-18 11:12:04.000000000 +0100 +++ new/bubblewrap-0.6.2/tests/try-syscall.c 2022-05-11 12:04:42.000000000 +0200 @@ -24,11 +24,11 @@ #include <sys/types.h> #if defined(_MIPS_SIM) -# if _MIPS_SIM == _MIPS_SIM_ABI32 +# if _MIPS_SIM == _ABIO32 # define MISSING_SYSCALL_BASE 4000 -# elif _MIPS_SIM == _MIPS_SIM_ABI64 +# elif _MIPS_SIM == _ABI64 # define MISSING_SYSCALL_BASE 5000 -# elif _MIPS_SIM == _MIPS_SIM_NABI32 +# elif _MIPS_SIM == _ABIN32 # define MISSING_SYSCALL_BASE 6000 # else # error "Unknown MIPS ABI" 
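Review bot: `ASAN_OPTIONS=detect_leaks=0 LSAN_OPTIONS=detect_leaks=0 \` is prefixed to the second `$RUN` only, and nothing in the script explains why leak detection is acceptable to lose on that invocation but not on the first; the changelog says only that it "interferes with unit testing". A comment above the line, e.g. `# Leak detection is disabled for this --userns/--pidns run because it interferes with the test; the pid-namespace check below is what matters`, would keep the suppression from spreading to other tests by copy-paste — whether the reported leaks are spurious is my inference and should be confirmed against the actual sanitizer output. Note also that the `CI_MESON_DIST` skip is removed without a replacement, so this test now runs under `meson dist` too; if the hang it guarded against was fixed elsewhere, that is worth a sentence in the commit message.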
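Review bot: In the try-syscall.c hunk the switch from `_MIPS_SIM_ABI32`/`_MIPS_SIM_ABI64`/`_MIPS_SIM_NABI32` to `_ABIO32`/`_ABI64`/`_ABIN32` carries no comment, so the reason (the changelog entry reads "Allow compilation of tests with musl on mips architectures") will be lost the next time someone normalises the names back. Add `/* _ABIO32 and friends are the spellings shared by glibc and musl; the _MIPS_SIM_* aliases are not portable */` above `#if defined(_MIPS_SIM)` — the glibc/musl detail is my reading of the changelog entry, not something the hunk itself shows.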
@@ -71,6 +71,10 @@
 */
 #define WRONG_POINTER ((char *) 1)
 
+#ifndef PR_GET_CHILD_SUBREAPER
+#define PR_GET_CHILD_SUBREAPER 37
+#endif
+
 int
 main (int argc, char **argv)
 {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.6.1/utils.c new/bubblewrap-0.6.2/utils.c
--- old/bubblewrap-0.6.1/utils.c 2022-01-31 18:19:17.000000000 +0100
+++ new/bubblewrap-0.6.2/utils.c 2022-05-11 15:54:47.000000000 +0200
@@ -82,7 +82,7 @@
 }
 
 void
-die_unless_label_valid (const char *label)
+die_unless_label_valid (UNUSED const char *label)
 {
 #ifdef HAVE_SELINUX
 if (is_selinux_enabled () == 1)
@@ -854,7 +854,7 @@
 }
 
 char *
-label_mount (const char *opt, const char *mount_label)
+label_mount (const char *opt, UNUSED const char *mount_label)
 {
 #ifdef HAVE_SELINUX
 if (mount_label)
@@ -871,7 +871,7 @@
 }
 
 int
-label_create_file (const char *file_label)
+label_create_file (UNUSED const char *file_label)
 {
 #ifdef HAVE_SELINUX
 if (is_selinux_enabled () > 0 && file_label)
@@ -881,7 +881,7 @@
 }
 
 int
-label_exec (const char *exec_label)
+label_exec (UNUSED const char *exec_label)
 {
 #ifdef HAVE_SELINUX
 if (is_selinux_enabled () > 0 && exec_label)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.6.1/utils.h new/bubblewrap-0.6.2/utils.h
--- old/bubblewrap-0.6.1/utils.h 2022-01-31 18:19:17.000000000 +0100
+++ new/bubblewrap-0.6.2/utils.h 2022-05-11 12:04:42.000000000 +0200
@@ -48,6 +48,10 @@
 #define PIPE_READ_END 0
 #define PIPE_WRITE_END 1
 
+#ifndef PR_SET_CHILD_SUBREAPER
+#define PR_SET_CHILD_SUBREAPER 36
+#endif
+
 void warn (const char *format, ...) __attribute__((format (printf, 1, 2)));
 void die_with_error (const char *format,
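Review bot: The `#ifndef PR_GET_CHILD_SUBREAPER` fallback hard-codes 37 with no comment, and the matching `PR_SET_CHILD_SUBREAPER 36` fallback added to utils.h further down in this patch does the same; both are Linux prctl(2) ABI values that the changelog says are missing from older glibc headers. A one-line comment on each, e.g. `/* Linux prctl(2) constant; absent from older glibc <sys/prctl.h> */`, records why a magic number lives in the source rather than coming from the system header. Since the two definitions must stay in step with each other, naming the sibling file in each comment would also help keep them from drifting apart.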
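Review bot: `UNUSED` on `label` in `die_unless_label_valid` reads as "this parameter is ignored", yet the parameter is read a few lines below inside `#ifdef HAVE_SELINUX`; the attribute is only there to quiet the unused-parameter warning when HAVE_SELINUX is not defined. The same applies to `mount_label`, `file_label` and `exec_label` in the three utils.c hunks that follow. A brief comment on the first occurrence, e.g. `/* UNUSED: the label is only read when HAVE_SELINUX is defined */`, or an explicit `(void) label;` in an `#else` branch, would make the intent visible to anyone reading the signature.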