Hello community,

here is the log from the commit of package bubblewrap for openSUSE:Factory 
checked in at 2018-05-30 11:40:35
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old)
 and      /work/SRC/openSUSE:Factory/.bubblewrap.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "bubblewrap"

Wed May 30 11:40:35 2018 rev:5 rq:612511 version:0.2.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes    2017-10-13 
14:09:17.578155078 +0200
+++ /work/SRC/openSUSE:Factory/.bubblewrap.new/bubblewrap.changes       
2018-05-30 12:11:44.234907268 +0200
@@ -1,0 +2,10 @@
+Tue May  1 21:02:33 UTC 2018 - sebix+novell....@sebix.at
+
+- update to version 0.2.1:
+ * All the demos are included
+ * bugfixes for the demo files
+ * There was an issue with mkdir when running bubblewrap on an NFS
+   filesystem that has been fixed, so flatpak now works on NFS shares.
+ * Some leaks have been fixed, including a file descriptor leak.
+
+-------------------------------------------------------------------

Old:
----
  v0.2.0.tar.gz

New:
----
  v0.2.1.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ bubblewrap.spec ++++++
--- /var/tmp/diff_new_pack.ddPOlh/_old  2018-05-30 12:11:45.794755665 +0200
+++ /var/tmp/diff_new_pack.ddPOlh/_new  2018-05-30 12:11:45.798755276 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package bubblewrap
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,10 +17,10 @@
 
 
 Name:           bubblewrap
-Version:        0.2.0
+Version:        0.2.1
 Release:        0
 Summary:        Core execution tool for unprivileged containers
-License:        LGPL-2.0+
+License:        LGPL-2.0-or-later
 Group:          Productivity/Security
 Url:            https://github.com/projectatomic/bubblewrap
 Source:         
https://github.com/projectatomic/bubblewrap/archive/v%{version}.tar.gz
@@ -46,6 +46,7 @@
 %prep
 %autosetup -n %{name}-%{version}
 sed -i '1d' completions/bash/bwrap
+sed -i '1s/env //' demos/bubblewrap-shell.sh demos/userns-block-fd.py
 
 %build
 env NOCONFIGURE=1 ./autogen.sh
@@ -58,7 +59,7 @@
 
 %files
 %license COPYING
-%doc README.md
+%doc README.md demos
 %dir %{_datadir}/bash-completion
 %dir %{_datadir}/bash-completion/completions
 %{_datadir}/bash-completion/completions/bwrap

++++++ v0.2.0.tar.gz -> v0.2.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.2.0/Makefile.am 
new/bubblewrap-0.2.1/Makefile.am
--- old/bubblewrap-0.2.0/Makefile.am    2017-10-09 16:11:41.000000000 +0200
+++ new/bubblewrap-0.2.1/Makefile.am    2018-04-06 17:06:15.000000000 +0200
@@ -1,6 +1,18 @@
 AM_CFLAGS = $(WARN_CFLAGS)
 CLEANFILES =
-EXTRA_DIST =
+EXTRA_DIST = \
+       .dir-locals.el \
+       .editorconfig \
+       README.md \
+       autogen.sh \
+       demos/bubblewrap-shell.sh \
+       demos/flatpak-run.sh \
+       demos/flatpak.bpf \
+       demos/userns-block-fd.py \
+       packaging/bubblewrap.spec \
+       uncrustify.cfg \
+       uncrustify.sh \
+       $(NULL)
 
 GITIGNOREFILES = build-aux/ gtk-doc.make config.h.in aclocal.m4
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.2.0/README.md 
new/bubblewrap-0.2.1/README.md
--- old/bubblewrap-0.2.0/README.md      2017-10-09 16:11:41.000000000 +0200
+++ new/bubblewrap-0.2.1/README.md      2018-04-06 17:06:15.000000000 +0200
@@ -105,7 +105,7 @@
 IPC namespaces ([CLONE_NEWIPC](http://linux.die.net/man/2/clone)): The sandbox 
will get its own copy of all the
 different forms of IPCs, like SysV shared memory and semaphores.
 
-PID namespaces ([CLONE_NEWPID](http://linux.die.net/man/2/clone)): The sandbox 
will not see any processes outside the sandbox. Additionally, bubblewrap will 
run a trivial pid1 inside your container to handle the requirements of reaping 
children in the sandbox. .This avoids what is known now as the [Docker pid 1 
problem](https://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/).
+PID namespaces ([CLONE_NEWPID](http://linux.die.net/man/2/clone)): The sandbox 
will not see any processes outside the sandbox. Additionally, bubblewrap will 
run a trivial pid1 inside your container to handle the requirements of reaping 
children in the sandbox. This avoids what is known now as the [Docker pid 1 
problem](https://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/).
 
 
 Network namespaces ([CLONE_NEWNET](http://linux.die.net/man/2/clone)): The 
sandbox will not see the network. Instead it will have its own network 
namespace with only a loopback device.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.2.0/bubblewrap.c 
new/bubblewrap-0.2.1/bubblewrap.c
--- old/bubblewrap-0.2.0/bubblewrap.c   2017-10-09 16:11:41.000000000 +0200
+++ new/bubblewrap-0.2.1/bubblewrap.c   2018-04-06 17:06:15.000000000 +0200
@@ -75,6 +75,7 @@
 int opt_info_fd = -1;
 int opt_seccomp_fd = -1;
 const char *opt_sandbox_hostname = NULL;
+char *opt_args_data = NULL;  /* owned */
 
 #define CAP_TO_MASK_0(x) (1L << ((x) & 31))
 #define CAP_TO_MASK_1(x) CAP_TO_MASK_0(x - 32)
@@ -583,9 +584,15 @@
 
       if (keep && do_set_ambient)
         {
+#ifdef PR_CAP_AMBIENT
           int res = prctl (PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0);
           if (res == -1 && !(errno == EINVAL || errno == EPERM))
             die_with_error ("Adding ambient capability %ld", cap);
+#else
+          /* We ignore the EINVAL that results from not having PR_CAP_AMBIENT
+           * in the current kernel at runtime, so also ignore not having it
+           * in the current kernel headers at compile-time */
+#endif
         }
 
       if (!keep && do_cap_bounding)
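Review bot: When the build headers lack `PR_CAP_AMBIENT`, the `if (keep && do_set_ambient)` body compiles to nothing and the build gives no signal. A binary built against old headers will then never raise ambient capabilities, even on a kernel that supports them. This fails toward fewer privileges, so it is a functionality concern rather than a safety one. Fallback definitions near the top of the file would keep the runtime EINVAL/EPERM handling as the single code path: `#ifndef PR_CAP_AMBIENT`, `#define PR_CAP_AMBIENT 47`, `#define PR_CAP_AMBIENT_RAISE 2`, `#endif`. The enclosing loop and function start and end outside this hunk.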
@@ -766,7 +773,7 @@
   else
     dir = xasprintf ("%d", pid);
 
-  dir_fd = openat (proc_fd, dir, O_RDONLY | O_PATH);
+  dir_fd = openat (proc_fd, dir, O_PATH);
   if (dir_fd < 0)
     die_with_error ("open /proc/%s failed", dir);
 
@@ -973,7 +980,7 @@
         case SETUP_BIND_MOUNT:
           if (source_mode == S_IFDIR)
             {
-              if (mkdir (dest, 0755) != 0 && errno != EEXIST)
+              if (ensure_dir (dest, 0755) != 0)
                 die_with_error ("Can't mkdir %s", op->dest);
             }
           else if (ensure_file (dest, 0666) != 0)
@@ -992,7 +999,7 @@
           break;
 
         case SETUP_MOUNT_PROC:
-          if (mkdir (dest, 0755) != 0 && errno != EEXIST)
+          if (ensure_dir (dest, 0755) != 0)
             die_with_error ("Can't mkdir %s", op->dest);
 
           if (unshare_pid)
@@ -1029,7 +1036,7 @@
           break;
 
         case SETUP_MOUNT_DEV:
-          if (mkdir (dest, 0755) != 0 && errno != EEXIST)
+          if (ensure_dir (dest, 0755) != 0)
             die_with_error ("Can't mkdir %s", op->dest);
 
           privileged_op (privileged_op_socket,
@@ -1105,7 +1112,7 @@
           break;
 
         case SETUP_MOUNT_TMPFS:
-          if (mkdir (dest, 0755) != 0 && errno != EEXIST)
+          if (ensure_dir (dest, 0755) != 0)
             die_with_error ("Can't mkdir %s", op->dest);
 
           privileged_op (privileged_op_socket,
@@ -1114,7 +1121,7 @@
           break;
 
         case SETUP_MOUNT_MQUEUE:
-          if (mkdir (dest, 0755) != 0 && errno != EEXIST)
+          if (ensure_dir (dest, 0755) != 0)
             die_with_error ("Can't mkdir %s", op->dest);
 
           privileged_op (privileged_op_socket,
@@ -1123,7 +1130,7 @@
           break;
 
         case SETUP_MAKE_DIR:
-          if (mkdir (dest, 0755) != 0 && errno != EEXIST)
+          if (ensure_dir (dest, 0755) != 0)
             die_with_error ("Can't mkdir %s", op->dest);
 
           break;
@@ -1140,6 +1147,7 @@
               die_with_error ("Can't write data to file %s", op->dest);
 
             close (op->fd);
+            op->fd = -1;
           }
           break;
 
@@ -1157,6 +1165,7 @@
               die_with_error ("Can't write data to file %s", op->dest);
 
             close (op->fd);
+            op->fd = -1;
 
             assert (dest != NULL);
 
@@ -1196,6 +1205,22 @@
                  PRIV_SEP_OP_DONE, 0, NULL, NULL);
 }
 
+/* Do not leak file descriptors already used by setup_newroot () */
+static void
+close_ops_fd (void)
+{
+  SetupOp *op;
+
+  for (op = ops; op != NULL; op = op->next)
+    {
+      if (op->fd != -1)
+        {
+          (void) close (op->fd);
+          op->fd = -1;
+        }
+    }
+}
+
 /* We need to resolve relative symlinks in the sandbox before we
    chroot so that absolute symlinks are handled correctly. We also
    need to do this after we've switched to the real uid so that
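Review bot: `close_ops_fd` treats every `op->fd != -1` as an open descriptor, which holds only if each `SetupOp` is created with `fd` set to -1; that initialisation is not visible in this diff. If an op were ever left zero-filled, this loop would close descriptor 0. I would extend the header comment to state the invariant, e.g. `/* Relies on SetupOp.fd being -1 for every op that does not own a descriptor. */`, and note that `close` errors are ignored on purpose.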
@@ -1321,7 +1346,6 @@
         {
           int the_fd;
           char *endptr;
-          char *data = NULL;
           const char *p, *data_end;
           size_t data_len;
           cleanup_free const char **data_argv = NULL;
@@ -1339,15 +1363,18 @@
           if (argv[1][0] == 0 || endptr[0] != 0 || the_fd < 0)
             die ("Invalid fd: %s", argv[1]);
 
-          data = load_file_data (the_fd, &data_len);
-          if (data == NULL)
+          /* opt_args_data is essentially a recursive argv array, which we must
+           * keep allocated until exit time, since its argv entries get used
+           * by the other cases in parse_args_recurse() when we recurse. */
+          opt_args_data = load_file_data (the_fd, &data_len);
+          if (opt_args_data == NULL)
             die_with_error ("Can't read --args data");
           (void) close (the_fd);
 
-          data_end = data + data_len;
+          data_end = opt_args_data + data_len;
           data_argc = 0;
 
-          p = data;
+          p = opt_args_data;
           while (p != NULL && p < data_end)
             {
               data_argc++;
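Review bot: The assignment `opt_args_data = load_file_data (the_fd, &data_len);` overwrites any buffer stored by an earlier `--args` without freeing or tracking it. The new comment says the buffer must stay allocated until exit and that this path recurses, so with nested or repeated `--args` only the last buffer reaches the `cleanup_free` variable in main(). Earlier buffers are leaked rather than freed, so argv entries stay valid, but the leak this change targets is only partly closed. Either keep a list of loaded buffers, or document the limit in the comment: `/* Only the most recent --args buffer is tracked; earlier ones are intentionally left allocated. */`. The enclosing function begins and ends outside this hunk.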
@@ -1362,7 +1389,7 @@
           data_argv = xcalloc (sizeof (char *) * (data_argc + 1));
 
           i = 0;
-          p = data;
+          p = opt_args_data;
           while (p != NULL && p < data_end)
             {
               /* Note: load_file_data always adds a nul terminator, so this is 
safe
@@ -1927,6 +1954,7 @@
   cleanup_free char *seccomp_data = NULL;
   size_t seccomp_len;
   struct sock_fprog seccomp_prog;
+  cleanup_free char *args_data = NULL;
 
   /* Handle --version early on before we try to acquire/drop
    * any capabilities so it works in a build environment;
@@ -1964,6 +1992,10 @@
 
   parse_args (&argc, (const char ***) &argv);
 
+  /* suck the args into a cleanup_free variable to control their lifecycle */
+  args_data = opt_args_data;
+  opt_args_data = NULL;
+
   if ((requested_caps[0] || requested_caps[1]) && is_privileged)
     die ("--cap-add in setuid mode can be used only by root");
 
@@ -2042,18 +2074,18 @@
 
   /* We need to read stuff from proc during the pivot_root dance, etc.
      Lets keep a fd to it open */
-  proc_fd = open ("/proc", O_RDONLY | O_PATH);
+  proc_fd = open ("/proc", O_PATH);
   if (proc_fd == -1)
     die_with_error ("Can't open /proc");
 
   /* We need *some* mountpoint where we can mount the root tmpfs.
      We first try in /run, and if that fails, try in /tmp. */
   base_path = xasprintf ("/run/user/%d/.bubblewrap", real_uid);
-  if (mkdir (base_path, 0755) && errno != EEXIST)
+  if (ensure_dir (base_path, 0755))
     {
       free (base_path);
       base_path = xasprintf ("/tmp/.bubblewrap-%d", real_uid);
-      if (mkdir (base_path, 0755) && errno != EEXIST)
+      if (ensure_dir (base_path, 0755))
         die_with_error ("Creating root mountpoint failed");
     }
 
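Review bot: A successful `ensure_dir (base_path, 0755)` on the `/tmp/.bubblewrap-%d` fallback does not establish that the directory belongs to `real_uid`. The name is predictable, /tmp is world-writable, and `ensure_dir` (added in utils.c in this diff) uses `stat`, which follows symlinks and accepts any existing directory. The replaced `mkdir (...) && errno != EEXIST` had the same gap, so this is not a regression, but the helper is a natural place to tighten it. Before using the path as the root mountpoint, `lstat` it and require `S_ISDIR (st.st_mode) && st.st_uid == real_uid`, failing with `die ("Root mountpoint %s is not owned by the caller", base_path);` otherwise. The rest of main() is outside the hunk, so a later validation may already exist.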
@@ -2310,6 +2342,8 @@
       setup_newroot (opt_unshare_pid, -1);
     }
 
+  close_ops_fd ();
+
   /* The old root better be rprivate or we will send unmount events to the 
parent namespace */
   if (mount ("oldroot", "oldroot", NULL, MS_REC | MS_PRIVATE, NULL) != 0)
     die_with_error ("Failed to make old root rprivate");
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.2.0/configure.ac 
new/bubblewrap-0.2.1/configure.ac
--- old/bubblewrap-0.2.0/configure.ac   2017-10-09 16:11:41.000000000 +0200
+++ new/bubblewrap-0.2.1/configure.ac   2018-04-06 17:06:15.000000000 +0200
@@ -1,5 +1,5 @@
 AC_PREREQ([2.63])
-AC_INIT([bubblewrap], [0.2.0], [atomic-de...@projectatomic.io])
+AC_INIT([bubblewrap], [0.2.1], [atomic-de...@projectatomic.io])
 AC_CONFIG_HEADER([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_AUX_DIR([build-aux])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.2.0/demos/userns-block-fd.py 
new/bubblewrap-0.2.1/demos/userns-block-fd.py
--- old/bubblewrap-0.2.0/demos/userns-block-fd.py       2017-10-09 
16:11:41.000000000 +0200
+++ new/bubblewrap-0.2.1/demos/userns-block-fd.py       2018-04-06 
17:06:15.000000000 +0200
@@ -1,6 +1,6 @@
-#!/bin/python
+#!/usr/bin/env python
 
-import os, select, subprocess, json
+import os, select, subprocess, sys, json
 
 pipe_info = os.pipe()
 userns_block = os.pipe()
@@ -19,11 +19,15 @@
     subprocess.call(["newuidmap", child_pid, "0", str(os.getuid()), "1"])
     subprocess.call(["newgidmap", child_pid, "0", str(os.getgid()), "1"])
 
-    os.write(userns_block[1], '1')
+    os.write(userns_block[1], b'1')
 else:
     os.close(pipe_info[0])
     os.close(userns_block[1])
 
+    if sys.version_info >= (3, 4):
+        os.set_inheritable(pipe_info[1], True)
+        os.set_inheritable(userns_block[0], True)
+
     args = ["bwrap",
             "bwrap",
             "--unshare-all",
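Review bot: The new `os.set_inheritable` calls carry no comment explaining why they are needed or why they are version-guarded. Python 3.4 made new descriptors non-inheritable by default (PEP 446), and these two pipe ends are presumably passed to bwrap by number in the `args` list that continues outside the hunk, so they must survive the exec. I would add above the `if`: `# Python >= 3.4 creates pipes non-inheritable (PEP 446); bwrap needs these fds after exec`. Separately, the `subprocess.call` results for `newuidmap`/`newgidmap` in the context lines are ignored, so a failed mapping still unblocks the child; `subprocess.check_call` would surface that.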
@@ -33,4 +37,4 @@
             "--bind", "/", "/",
             "cat", "/proc/self/uid_map"]
 
-    os.execl(*args)
+    os.execlp(*args)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.2.0/tests/test-run.sh 
new/bubblewrap-0.2.1/tests/test-run.sh
--- old/bubblewrap-0.2.0/tests/test-run.sh      2017-10-09 16:11:41.000000000 
+0200
+++ new/bubblewrap-0.2.1/tests/test-run.sh      2018-04-06 17:06:15.000000000 
+0200
@@ -53,7 +53,7 @@
     skip Seems like bwrap is not working at all. Maybe setuid is not working
 fi
 
-echo "1..32"
+echo "1..33"
 
 # Test help
 ${BWRAP} --help > help.txt
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.2.0/utils.c new/bubblewrap-0.2.1/utils.c
--- old/bubblewrap-0.2.0/utils.c        2017-10-09 16:11:41.000000000 +0200
+++ new/bubblewrap-0.2.1/utils.c        2018-04-06 17:06:15.000000000 +0200
@@ -434,7 +434,7 @@
 
   /* We check this ahead of time, otherwise
      the create file will fail in the read-only
-     case with EROFD instead of EEXIST */
+     case with EROFS instead of EEXIST */
   if (stat (path, &buf) ==  0 &&
       S_ISREG (buf.st_mode))
     return 0;
@@ -593,6 +593,34 @@
   return buf.st_mode & S_IFMT;
 }
 
+int
+ensure_dir (const char *path,
+            mode_t      mode)
+{
+  struct stat buf;
+
+  /* We check this ahead of time, otherwise
+     the mkdir call can fail in the read-only
+     case with EROFS instead of EEXIST on some
+     filesystems (such as NFS) */
+  if (stat (path, &buf) == 0)
+    {
+      if (!S_ISDIR (buf.st_mode))
+        {
+          errno = ENOTDIR;
+          return -1;
+        }
+
+      return 0;
+    }
+
+  if (mkdir (path, mode) == -1 && errno != EEXIST)
+    return -1;
+
+  return 0;
+}
+
+
 /* Sets errno on error (!= 0) */
 int
 mkdir_with_parents (const char *pathname,
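Review bot: `ensure_dir` can return 0 for a path that is not a directory. If the initial `stat` fails and `mkdir` then reports EEXIST (a dangling symlink at `path`, or an entry created between the two calls), the final `errno != EEXIST` test lets it through unchecked. A `stat` failure other than "does not exist" also falls through to `mkdir`. Every converted call site in bubblewrap.c and `mkdir_with_parents` now reads a 0 return as "a directory exists here", so the EEXIST path should confirm that before returning success, as sketched below.

```c
  /* … unchanged: initial stat check, ENOTDIR for an existing non-directory … */

  if (mkdir (path, mode) == 0)
    return 0;

  if (errno != EEXIST)
    return -1;

  /* mkdir saw an entry the earlier stat did not (created in between, or a
     dangling symlink): accept it only if it resolves to a directory now */
  if (stat (path, &buf) != 0)
    return -1;

  if (!S_ISDIR (buf.st_mode))
    {
      errno = ENOTDIR;
      return -1;
    }

  return 0;
```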
@@ -601,7 +629,6 @@
 {
   cleanup_free char *fn = NULL;
   char *p;
-  struct stat buf;
 
   if (pathname == NULL || *pathname == '\0')
     {
@@ -628,16 +655,8 @@
       if (!create_last && p == NULL)
         break;
 
-      if (stat (fn, &buf) !=  0)
-        {
-          if (mkdir (fn, mode) == -1 && errno != EEXIST)
-            return -1;
-        }
-      else if (!S_ISDIR (buf.st_mode))
-        {
-          errno = ENOTDIR;
-          return -1;
-        }
+      if (ensure_dir (fn, mode) != 0)
+        return -1;
 
       if (p)
         {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.2.0/utils.h new/bubblewrap-0.2.1/utils.h
--- old/bubblewrap-0.2.0/utils.h        2017-10-09 16:11:41.000000000 +0200
+++ new/bubblewrap-0.2.1/utils.h        2018-04-06 17:06:15.000000000 +0200
@@ -101,6 +101,8 @@
                    const char *content);
 int   ensure_file (const char *path,
                    mode_t      mode);
+int   ensure_dir (const char *path,
+                  mode_t      mode);
 int   get_file_mode (const char *pathname);
 int   mkdir_with_parents (const char *pathname,
                           int         mode,

