Package: bubblewrap
Version: 0~git160513-2
Severity: wishlist
Tags: patch
Control: block 824647 by -1
As of a couple of days ago, bubblewrap has a release, versioned 0.1.0.
This is functionally equivalent to what is in flatpak 0.1.0; in
particular, it addresses #824968 and supersedes the patches I attached
there.

The attached debdiff represents what I would upload if I was a
co-maintainer (apart from the obvious versioning and Uploaders changes),
and was generated with

    git diff debian/0_git160513-2..debian/master -- debian

in the git tree that is available here:

    https://anonscm.debian.org/cgit/users/smcv/bubblewrap.git

May I add myself as a co-maintainer, move that git tree into collab-maint,
and upload? I would like to be able to keep Flatpak and Bubblewrap in sync
so that Flatpak doesn't have to ship its own private copy of Bubblewrap.

Regards,
S
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages bubblewrap depends on:
ii libc6 2.22-10
ii libselinux1 2.5-3
bubblewrap recommends no packages.
bubblewrap suggests no packages.
-- no debconf information
diff --git a/debian/changelog b/debian/changelog
index 558a546..57f489e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,19 @@
+bubblewrap (0.1.0-1) UNRELEASED; urgency=medium
+
+ * New upstream release
+ + --dev can now coexist with --unshare-user (Closes: #824968)
+ * debian/copyright: correct package name and source
+ * debian/control: make the whole package Linux-only. Like Flatpak, this
+ package is inherently non-portable.
+ * Move from Section: web to Section: admin (Closes: #824969)
+ * Increase Priority to optional, because this tool is likely to be
+ depended on by gnome-software (via Flatpak) in future
+ * debian/gbp.conf: add DEP-14-style git-buildpackage configuration
+ * Add some simple autopkgtests, including one for bug 71
+ * debian/watch: add
+
+ -- Simon McVittie <[email protected]> Sat, 21 May 2016 15:10:56 +0100
+
bubblewrap (0~git160513-2) unstable; urgency=low
* Install bwrap binary setuid (closes: #824646).
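Review bot: the line "Add some simple autopkgtests, including one for bug 71" is ambiguous in a Debian changelog, where a bare number reads as a Debian BTS bug; say it is the upstream bubblewrap issue (for example "upstream issue #71" with its GitHub URL) so readers do not go looking for Debian bug 71. The same number is used in the userns test name, so the two should be worded the same way.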
diff --git a/debian/control b/debian/control
index 21a4806..e43e10e 100644
--- a/debian/control
+++ b/debian/control
@@ -1,13 +1,13 @@
Source: bubblewrap
-Section: web
-Priority: extra
+Section: admin
+Priority: optional
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
-Build-Depends: debhelper (>= 9), dh-autoreconf, pkg-config, libselinux1-dev (>= 2.1.9) [linux-any], libcap-dev, bash-completion, xsltproc, docbook-xsl
+Build-Depends: debhelper (>= 9), dh-autoreconf, pkg-config, libselinux1-dev (>= 2.1.9), libcap-dev, bash-completion, xsltproc, docbook-xsl
Standards-Version: 3.9.8
Homepage: https://github.com/projectatomic/bubblewrap
Package: bubblewrap
-Architecture: any
+Architecture: linux-any
Depends: ${shlibs:Depends}, ${misc:Depends}
Description: setuid wrapper for unprivileged chroot and namespace manipulation
Core execution engine for unprivileged containers that works as a setuid
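Review bot: the Priority: extra to optional change in this hunk is not sufficient on its own, because the archive's override file takes precedence over the value in debian/control; file the matching override change request with ftp-masters, or the upload will show the usual "priority mismatch" at accept time. Dropping the [linux-any] qualifier on libselinux1-dev is consistent with the new Architecture: linux-any and needs nothing further.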
diff --git a/debian/copyright b/debian/copyright
index ef1f2a3..6d5d6de 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,6 +1,6 @@
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: paxctld
-Source: https://grsecurity.net
+Upstream-Name: bubblewrap
+Source: https://github.com/projectatomic/bubblewrap/
Files: *
Copyright: 2016 Alexander Larsson
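Review bot: the old values (Upstream-Name: paxctld, Source: https://grsecurity.net) show that debian/copyright was started from another package's file, so the remainder of it (license stanzas, any copyright holders beyond the Files: * block) should be checked against the bubblewrap sources in the same pass, not only these two header fields. Minor: Source: https://github.com/projectatomic/bubblewrap/ carries a trailing slash while the Homepage field in debian/control does not; use one form in both places.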
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..76a4dd1
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,5 @@
+[DEFAULT]
+pristine-tar = True
+debian-branch = debian/master
+upstream-branch = upstream/latest
+patch-numbers = False
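Review bot: pristine-tar = True makes gbp buildpackage fail when the pristine-tar branch is missing, so that branch has to be pushed alongside the debian/master and upstream/latest branches named here when the tree is moved to collab-maint; worth saying so in the request. debian-branch = debian/master matches the git diff command quoted in the report.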
diff --git a/debian/tests/basic b/debian/tests/basic
new file mode 100755
index 0000000..41d6597
--- /dev/null
+++ b/debian/tests/basic
@@ -0,0 +1,13 @@
+#!/usr/bin/bats
+# vim:set sw=4 sts=4 et ft=sh:
+
+set -e
+
+. debian/tests/testlib.sh
+
+@test "Basic usage" {
+ ret=0
+ run bwrap --ro-bind / / /usr/bin/id
+ is "$status" 0
+ is "$output" "$(id)"
+}
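Review bot: `ret=0` in the "Basic usage" test is never read; bats' `run` already records the exit code in `$status`, which the next line checks, so drop the assignment. Comparing `$output` with `$(id)` is a sound check here because no user namespace is unshared, so both commands see the same uid/gid mapping and the same /etc/passwd via the read-only bind of /.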
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..d388486
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,14 @@
+Tests:
+ basic
+ dev
+ userns
+Depends:
+ bats,
+ bubblewrap,
+
+Tests:
+ net
+Depends:
+ bats,
+ bubblewrap,
+ iproute2,
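Review bot: all four tests depend on bwrap being able to create mount namespaces (and userns on user namespaces), which not every autopkgtest backend permits; an schroot or lxc testbed may refuse the clone or the mounts. Consider adding a Restrictions: field (isolation-container or isolation-machine, whichever turns out to be needed) so that failures on a restricted testbed are reported as testbed limitations rather than package bugs.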
diff --git a/debian/tests/dev b/debian/tests/dev
new file mode 100755
index 0000000..f14b7e8
--- /dev/null
+++ b/debian/tests/dev
@@ -0,0 +1,36 @@
+#!/usr/bin/bats
+# vim:set sw=4 sts=4 et ft=sh:
+
+set -e
+
+. debian/tests/testlib.sh
+
+@test "Mount new minimal /dev" {
+ run bwrap --ro-bind / / --dev /dev /bin/sh -c 'echo /dev/*'
+
+ like " $output " " /dev/full "
+ like " $output " " /dev/null "
+ like " $output " " /dev/pts "
+ like " $output " " /dev/random "
+ like " $output " " /dev/shm "
+ like " $output " " /dev/stderr "
+ like " $output " " /dev/stdin "
+ like " $output " " /dev/stdout "
+ like " $output " " /dev/tty "
+ like " $output " " /dev/urandom "
+ like " $output " " /dev/zero "
+
+ # an arbitrary selection of devices not expected to be passed through
+ unlike " $output " " /dev/hda "
+ unlike " $output " " /dev/dsp "
+ unlike " $output " " /dev/fuse "
+ unlike " $output " " /dev/kmsg "
+ unlike " $output " " /dev/loop0 "
+ unlike " $output " " /dev/mem "
+ unlike " $output " " /dev/sda "
+ unlike " $output " " /dev/snd "
+ unlike " $output " " /dev/tty1 "
+ unlike " $output " " /dev/vda "
+
+ is "$status" 0
+}
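Review bot: `is "$status" 0` is the last assertion, after ten `like`/`unlike` checks; if bwrap fails to start, the test aborts on the first `like` with a "should match ERE: /dev/full" diagnostic instead of reporting the exit status. Move `is "$status" 0` directly after the `run` line. The padding with spaces in `like " $output " " /dev/full "` is a good way to match whole path names; note that when /dev is empty `echo /dev/*` prints the literal `/dev/*`, which these checks would still catch.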
diff --git a/debian/tests/net b/debian/tests/net
new file mode 100644
index 0000000..9287c16
--- /dev/null
+++ b/debian/tests/net
@@ -0,0 +1,16 @@
+#!/usr/bin/bats
+# vim:set sw=4 sts=4 et ft=sh:
+
+set -e
+
+. debian/tests/testlib.sh
+
+@test "Unshare network namespace" {
+ run bwrap --ro-bind / / --unshare-net /bin/sh -c 'ip link ls'
+
+ like "$output" $'(^|\n)[0-9]+: lo:'
+ unlike "$output" $'(^|\n)[0-9]+: en[^:]*:'
+ unlike "$output" $'(^|\n)[0-9]+: eth[^:]*:'
+ unlike "$output" $'(^|\n)[0-9]+: wl[^:]*:'
+ is "$status" 0
+}
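Review bot: this file is added with mode 100644 while basic, dev and userns are 100755; make it executable like the others so the test runner does not have to special-case it. The negative checks only cover en*, eth* and wl* names, so an interface such as docker0, virbr0 or tun0 leaking into the new namespace would pass; a stronger assertion is that lo is the only interface listed, for example `is "$(printf '%s\n' "$output" | grep -c '^[0-9][0-9]*: ')" 1`.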
diff --git a/debian/tests/testlib.sh b/debian/tests/testlib.sh
new file mode 100644
index 0000000..31946b0
--- /dev/null
+++ b/debian/tests/testlib.sh
@@ -0,0 +1,40 @@
+# vim:set sw=4 sts=4 et ft=sh:
+
+# is GOT EXPECTED
+# Assert that GOT == EXPECTED.
+# (Inspired by Perl's Test::More)
+is () {
+ if [ "x$1" = "x$2" ]; then
+ return 0
+ else
+ printf "# got: %q\n" "$1"
+ printf "# expected: %q\n" "$2"
+ return 1
+ fi
+}
+
+# like GOT EREGEX
+# Assert that GOT matches EREGEX.
+# (Inspired by Perl's Test::More)
+like () {
+ if [[ $1 =~ $2 ]]; then
+ return 0
+ else
+ printf "# got: %q\n" "$1"
+ printf "# should match ERE: %q\n" "$2"
+ return 1
+ fi
+}
+
+# unlike GOT EREGEX
+# Assert that GOT matches EREGEX.
+# (Inspired by Perl's Test::More)
+unlike () {
+ if [[ $1 =~ $2 ]]; then
+ printf "# got: %q\n" "$1"
+ printf "# should not match ERE: %q\n" "$2"
+ return 1
+ else
+ return 0
+ fi
+}
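Review bot: the comment on `unlike` says "Assert that GOT matches EREGEX" but the function asserts the opposite; change it to "Assert that GOT does not match EREGEX". The rest is fine for its purpose: `[[ $1 =~ $2 ]]` with an unquoted `$2` so the argument is treated as an ERE rather than a literal, and `printf %q` so the diagnostics cannot be mangled by unusual output; both are bash-specific, which is acceptable since bats runs these files under bash.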
diff --git a/debian/tests/userns b/debian/tests/userns
new file mode 100755
index 0000000..c8862c6
--- /dev/null
+++ b/debian/tests/userns
@@ -0,0 +1,35 @@
+#!/usr/bin/bats
+# vim:set sw=4 sts=4 et ft=sh:
+
+set -e
+
+. debian/tests/testlib.sh
+
+@test "Unshare user ID" {
+ run bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 /usr/bin/id -u
+ is "$status" 0
+ is "$output" 2
+ run bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 /usr/bin/id -g
+ is "$status" 0
+ is "$output" 3
+ run bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 /bin/sh -c 'ls -l /etc/passwd'
+ is "$status" 0
+ like "$output" " nobody nogroup "
+}
+
+@test "Combine new /dev with new user namespace (#71)" {
+ run bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 --dev /dev /bin/sh -c 'echo /dev/*'
+
+ like " $output " " /dev/full "
+ unlike " $output " " /dev/tty1 "
+
+ is "$status" 0
+
+ run bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 --dev /dev /usr/bin/id -u
+ is "$status" 0
+ is "$output" 2
+
+ run bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 --dev /dev /usr/bin/id -g
+ is "$status" 0
+ is "$output" 3
+}
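Review bot: `like "$output" " nobody nogroup "` depends on the sandbox's /etc/passwd and /etc/group naming the overflow IDs nobody/nogroup, which holds here only because the host's / is bind-mounted read-only; `ls -ln /etc/passwd` with `like "$output" " 65534 65534 "` would check the kernel behaviour being tested (root is unmapped in the new user namespace, so its files show as the overflow uid/gid) without depending on name resolution. In the "(#71)" test, check `is "$status" 0` right after `run` rather than after the output assertions, so a failed bwrap start is reported as such.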
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..62aa320
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,3 @@
+version=2
+opts=filenamemangle=s/.+\/v(\d\S*)\.tar\.gz/bubblewrap-$1\.tar\.gz/ \
+ https://github.com/projectatomic/bubblewrap/tags .*/v(\d\S*)\.tar\.gz
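Review bot: `version=2` selects an old watch-file format; uscan documents version=3 as the current format for a URL-plus-pattern line of this kind (version 4 where the target devscripts supports it), so use that here. The pattern `.*/v(\d\S*)\.tar\.gz` also matches pre-release tags such as v0.1.0-rc1 because `\S*` is unanchored; if upstream ever tags such releases, tighten the version part to `\d[\d.]*` so uscan does not pick them up.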