Hello community,

here is the log from the commit of package bubblewrap for openSUSE:Factory 
checked in at 2018-07-22 23:03:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old)
 and      /work/SRC/openSUSE:Factory/.bubblewrap.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "bubblewrap"

Sun Jul 22 23:03:30 2018 rev:6 rq:624477 version:0.3.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes    2018-05-30 
12:11:44.234907268 +0200
+++ /work/SRC/openSUSE:Factory/.bubblewrap.new/bubblewrap.changes       
2018-07-22 23:03:32.780945917 +0200
@@ -1,0 +2,6 @@
+Sat Jul 14 20:06:50 UTC 2018 - [email protected]
+
+- update to version 0.3.0:
+ * no upstream changelog available
+
+-------------------------------------------------------------------

Old:
----
  v0.2.1.tar.gz

New:
----
  v0.3.0.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ bubblewrap.spec ++++++
--- /var/tmp/diff_new_pack.uoNXtd/_old  2018-07-22 23:03:33.544945634 +0200
+++ /var/tmp/diff_new_pack.uoNXtd/_new  2018-07-22 23:03:33.548945633 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           bubblewrap
-Version:        0.2.1
+Version:        0.3.0
 Release:        0
 Summary:        Core execution tool for unprivileged containers
 License:        LGPL-2.0-or-later

++++++ v0.2.1.tar.gz -> v0.3.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.2.1/.papr.yml 
new/bubblewrap-0.3.0/.papr.yml
--- old/bubblewrap-0.2.1/.papr.yml      2018-04-06 17:06:15.000000000 +0200
+++ new/bubblewrap-0.3.0/.papr.yml      2018-07-11 17:32:00.000000000 +0200
@@ -19,10 +19,10 @@
 inherit: true
 
 host:
-    distro: fedora/26/atomic
+    distro: fedora/27/atomic
 
-context: f26-sanitizer
+context: f27-sanitizer
 required: true
 
 tests:
-  - env CFLAGS='-g -Og -fsanitize=undefined -fsanitize=address -O2 
-Wp,-D_FORTIFY_SOURCE=2' ./ci/papr.sh registry.fedoraproject.org/fedora:26
+  - env CFLAGS='-g -Og -fsanitize=undefined -fsanitize=address -O2 
-Wp,-D_FORTIFY_SOURCE=2' ./ci/papr.sh registry.fedoraproject.org/fedora:27
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.2.1/bubblewrap.c 
new/bubblewrap-0.3.0/bubblewrap.c
--- old/bubblewrap-0.2.1/bubblewrap.c   2018-04-06 17:06:15.000000000 +0200
+++ new/bubblewrap-0.3.0/bubblewrap.c   2018-07-11 17:32:00.000000000 +0200
@@ -182,7 +182,7 @@
 static void
 usage (int ecode, FILE *out)
 {
-  fprintf (out, "usage: %s [OPTIONS...] COMMAND [ARGS...]\n\n", argv0);
+  fprintf (out, "usage: %s [OPTIONS...] [--] COMMAND [ARGS...]\n\n", argv0);
 
   fprintf (out,
            "    --help                       Print this help\n"
@@ -316,7 +316,7 @@
  * the exit status via a eventfd. We also track the exit of the sandbox
  * pid 1 via a signalfd for SIGCHLD, and exit with an error in this case.
  * This is to catch e.g. problems during setup. */
-static void
+static int
 monitor_child (int event_fd, pid_t child_pid)
 {
   int res;
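Review bot: The block comment above `monitor_child` still describes it as exiting with the child's status, but the signature now returns `int` and the later hunks in this file turn each `exit (...)` into a `return`, with `main` returning the result; the comment should say so, e.g. `* Returns the exit status the caller (main) should return instead of exiting itself. */`. The function body continues outside the hunk.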
@@ -368,7 +368,7 @@
           if (s == -1 && errno != EINTR && errno != EAGAIN)
             die_with_error ("read eventfd");
           else if (s == 8)
-            exit ((int) val - 1);
+            return ((int) val - 1);
         }
 
       /* We need to read the signal_fd, or it will keep polling as read,
@@ -385,9 +385,13 @@
           /* We may be getting sigchild from other children too. For instance 
if
              someone created a child process, and then exec:ed bubblewrap. 
Ignore them */
           if (died_pid == child_pid)
-            exit (propagate_exit_status (died_status));
+            return propagate_exit_status (died_status);
         }
     }
+
+  die ("Should not be reached");
+
+  return 0;
 }
 
 /* This is pid 1 in the app sandbox. It is needed because we're using
@@ -1025,9 +1029,15 @@
           for (i = 0; i < N_ELEMENTS (cover_proc_dirs); i++)
             {
               cleanup_free char *subdir = strconcat3 (dest, "/", 
cover_proc_dirs[i]);
-              /* Some of these may not exist */
-              if (get_file_mode (subdir) == -1)
-                continue;
+              if (access (subdir, W_OK) < 0)
+                {
+                  /* The file is already read-only or doesn't exist.  */
+                  if (errno == EACCES || errno == ENOENT)
+                    continue;
+
+                  die_with_error ("Can't access %s", subdir);
+                }
+
               privileged_op (privileged_op_socket,
                              PRIV_SEP_OP_BIND_MOUNT, BIND_READONLY,
                              subdir, subdir);
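Review bot: The new `access (subdir, W_OK)` check treats only EACCES and ENOENT as the "already read-only or missing" case, but for a path on a read-only (bind) mount the kernel reports EROFS for W_OK, so a /proc that is already covered — exactly the situation the added comment describes — would reach `die_with_error`. The condition should be `if (errno == EACCES || errno == ENOENT || errno == EROFS)`. Note also that access(2) evaluates permissions against the real rather than the effective uid/gid, so when bwrap is setuid EACCES may be reported for directories the effective identity could still write; whether skipping the read-only cover in that case is intended is not visible here. The enclosing loop's function starts and ends outside the hunk.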
@@ -1885,6 +1895,12 @@
           argv += 1;
           argc -= 1;
         }
+      else if (strcmp (arg, "--") == 0)
+        {
+          argv += 1;
+          argc -= 1;
+          break;
+        }
       else if (*arg == '-')
         {
           die ("Unknown option %s", arg);
@@ -2197,8 +2213,7 @@
       /* Ignore res, if e.g. the child died and closed child_wait_fd we don't 
want to error out here */
       close (child_wait_fd);
 
-      monitor_child (event_fd, pid);
-      exit (0); /* Should not be reached, but better safe... */
+      return monitor_child (event_fd, pid);
     }
 
   /* Child, in sandbox, privileged in the parent or in the user namespace (if 
--unshare-user).
@@ -2283,6 +2298,9 @@
   if (mkdir ("newroot", 0755))
     die_with_error ("Creating newroot failed");
 
+  if (mount ("newroot", "newroot", NULL, MS_MGC_VAL | MS_BIND | MS_REC, NULL) 
< 0)
+    die_with_error ("setting up newroot bind");
+
   if (mkdir ("oldroot", 0755))
     die_with_error ("Creating oldroot failed");
 
@@ -2351,6 +2369,37 @@
   if (umount2 ("oldroot", MNT_DETACH))
     die_with_error ("unmount old root");
 
+  /* This is our second pivot. It's like we're a Silicon Valley startup flush
+   * with cash but short on ideas!
+   *
+   * We're aiming to make /newroot the real root, and get rid of /oldroot. To 
do
+   * that we need a temporary place to store it before we can unmount it.
+   */
+  { cleanup_fd int oldrootfd = open ("/", O_DIRECTORY | O_RDONLY);
+    if (oldrootfd < 0)
+      die_with_error ("can't open /");
+    if (chdir ("/newroot") != 0)
+      die_with_error ("chdir /newroot");
+    /* While the documentation claims that put_old must be underneath
+     * new_root, it is perfectly fine to use the same directory as the
+     * kernel checks only if old_root is accessible from new_root.
+     *
+     * Both runc and LXC are using this "alternative" method for
+     * setting up the root of the container:
+     *
+     * 
https://github.com/opencontainers/runc/blob/master/libcontainer/rootfs_linux.go#L671
+     * https://github.com/lxc/lxc/blob/master/src/lxc/conf.c#L1121
+     */
+    if (pivot_root (".", ".") != 0)
+      die_with_error ("pivot_root(/newroot)");
+    if (fchdir (oldrootfd) < 0)
+      die_with_error ("fchdir to oldroot");
+    if (umount2 (".", MNT_DETACH) < 0)
+      die_with_error ("umount old root");
+    if (chdir ("/") != 0)
+      die_with_error ("chdir /");
+  }
+
   if (opt_unshare_user &&
       (ns_uid != opt_sandbox_uid || ns_gid != opt_sandbox_gid) &&
       opt_userns_block_fd == -1)
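Review bot: Before `umount2 (".", MNT_DETACH)` on the old root, runc — which the comment cites as the model — first marks that mount `MS_SLAVE | MS_REC` so the lazy unmount cannot propagate back to the host; this hunk performs no such step. If the whole tree was already made slave or private earlier in this function (outside the hunk) that is harmless, but it deserves a comment either way, e.g. `/* Propagation on the old root is already slave, so the detach stays local. */`. The messages "unmount old root" (first pivot, at the top of the hunk) and "umount old root" (second pivot) are near-identical; `die_with_error ("umount old root (second pivot)")` would make failures distinguishable. The recursive self-bind of newroot added in the earlier hunk of this file presumably exists so that newroot is a mount point, as pivot_root(2) requires; a one-line comment there saying so would help the next reader.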
@@ -2367,14 +2416,6 @@
                          -1, FALSE, FALSE);
     }
 
-  /* Now make /newroot the real root */
-  if (chdir ("/newroot") != 0)
-    die_with_error ("chdir newroot");
-  if (chroot ("/newroot") != 0)
-    die_with_error ("chroot /newroot");
-  if (chdir ("/") != 0)
-    die_with_error ("chdir /");
-
   /* All privileged ops are done now, so drop caps we don't need */
   drop_privs (!is_privileged);
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.2.1/ci/papr.sh 
new/bubblewrap-0.3.0/ci/papr.sh
--- old/bubblewrap-0.2.1/ci/papr.sh     2018-04-06 17:06:15.000000000 +0200
+++ new/bubblewrap-0.3.0/ci/papr.sh     2018-07-11 17:32:00.000000000 +0200
@@ -29,7 +29,7 @@
         fi
     done
     rsync -rlv ${tmpd}/usr/ /host/usr/
-    if ${BWRAP_SUID}; then
+    if test -n "${BWRAP_SUID:-}"; then
         chmod u+s /host/usr/bin/bwrap
     fi
     rm ${tmpd} -rf
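Review bot: `test -n "${BWRAP_SUID:-}"` changes what the guard means: previously `BWRAP_SUID` was executed as a command, so `true`/`false` selected the branch, whereas now any non-empty value — including the string `false` — sets the setuid bit on /host/usr/bin/bwrap. A caller still passing `BWRAP_SUID=false` would silently get a setuid-root binary. Consider `if test "${BWRAP_SUID:-}" = true; then`, or document that the variable must be unset or empty to opt out.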
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.2.1/configure.ac 
new/bubblewrap-0.3.0/configure.ac
--- old/bubblewrap-0.2.1/configure.ac   2018-04-06 17:06:15.000000000 +0200
+++ new/bubblewrap-0.3.0/configure.ac   2018-07-11 17:32:00.000000000 +0200
@@ -1,5 +1,5 @@
 AC_PREREQ([2.63])
-AC_INIT([bubblewrap], [0.2.1], [[email protected]])
+AC_INIT([bubblewrap], [0.3.0], [[email protected]])
 AC_CONFIG_HEADER([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_AUX_DIR([build-aux])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.2.1/tests/test-run.sh 
new/bubblewrap-0.3.0/tests/test-run.sh
--- old/bubblewrap-0.2.1/tests/test-run.sh      2018-04-06 17:06:15.000000000 
+0200
+++ new/bubblewrap-0.3.0/tests/test-run.sh      2018-07-11 17:32:00.000000000 
+0200
@@ -24,6 +24,9 @@
 cd ${tempdir}
 
 : "${BWRAP:=bwrap}"
+if test -u "$(type -p ${BWRAP})"; then
+    bwrap_is_suid=true
+fi
 
 FUSE_DIR=
 for mp in $(cat /proc/self/mounts | grep " fuse[. ]" | grep user_id=$(id -u) | 
awk '{print $2}'); do
@@ -46,6 +49,17 @@
     UNREADABLE=
 fi
 
+# https://github.com/projectatomic/bubblewrap/issues/217
+BWRAP_RO_HOST_ARGS="--ro-bind /usr /usr
+          --ro-bind /etc /etc
+          --dir /var/tmp
+          --symlink usr/lib /lib
+          --symlink usr/lib64 /lib64
+          --symlink usr/bin /bin
+          --symlink usr/sbin /sbin
+          --proc /proc
+          --dev /dev"
+
 # Default arg, bind whole host fs to /, tmpfs on /tmp
 RUN="${BWRAP} --bind / / --tmpfs /tmp"
 
@@ -53,7 +67,7 @@
     skip Seems like bwrap is not working at all. Maybe setuid is not working
 fi
 
-echo "1..33"
+echo "1..38"
 
 # Test help
 ${BWRAP} --help > help.txt
@@ -78,7 +92,7 @@
     echo -n "expect EPERM: " >&2
 
     # Test caps when bwrap is not setuid
-    if ! test -u ${BWRAP}; then
+    if test -n "${bwrap_is_suid:-}"; then
         CAP="--cap-add ALL"
     else
         CAP=""
@@ -113,6 +127,21 @@
 assert_file_has_content as_pid_1.txt "1"
 echo "ok - can run as pid 1"
 
+# These tests require --unshare-user
+if test -n "${bwrap_is_suid:-}"; then
+    echo "ok - # SKIP no --cap-add support"
+    echo "ok - # SKIP no --cap-add support"
+else
+    BWRAP_RECURSE="$BWRAP --unshare-all --uid 0 --gid 0 --cap-add ALL --bind / 
/ --bind /proc /proc"
+    $BWRAP_RECURSE -- $BWRAP --unshare-all --bind / / --bind /proc /proc echo 
hello > recursive_proc.txt
+    assert_file_has_content recursive_proc.txt "hello"
+    echo "ok - can mount /proc recursively"
+
+    $BWRAP_RECURSE -- $BWRAP --unshare-all  ${BWRAP_RO_HOST_ARGS} findmnt > 
recursive-newroot.txt
+    assert_file_has_content recursive-newroot.txt "/usr"
+    echo "ok - can pivot to new rootfs recursively"
+fi
+
 # Test error prefixing
 if $RUN --unshare-pid  --bind /source-enoent /dest true 2>err.txt; then
     assert_not_reached "bound nonexistent source"
@@ -199,4 +228,19 @@
 $RUN --args 3 test -d /tmp/hello/world 3<test.args
 echo "ok - we can parse arguments from a fd"
 
+mkdir bin
+echo "#!/bin/sh" > bin/--inadvisable-executable-name--
+echo "echo hello" >> bin/--inadvisable-executable-name--
+chmod +x bin/--inadvisable-executable-name--
+PATH="${srcd}:$PATH" $RUN -- sh -c "echo hello" > stdout
+assert_file_has_content stdout hello
+echo "ok - we can run with --"
+PATH="$(pwd)/bin:$PATH" $RUN -- --inadvisable-executable-name-- > stdout
+assert_file_has_content stdout hello
+echo "ok - we can run an inadvisable executable name with --"
+if $RUN -- --dev-bind /dev /dev sh -c 'echo should not have run'; then
+    assert_not_reached "'--dev-bind' should have been interpreted as a (silly) 
executable name"
+fi
+echo "ok - options like --dev-bind are defanged by --"
+
 echo "ok - End of test"
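Review bot: `PATH="${srcd}:$PATH"` on the first `--` test looks like a leftover: that test runs `sh -c "echo hello"`, which needs no PATH prefix, and `srcd` is not defined anywhere in the hunk — if the script runs with `set -u` and `srcd` is unset, it aborts before reaching the assertion. The second test correctly prefixes `$(pwd)/bin`, which is the directory the script just created; the first line should simply be `$RUN -- sh -c "echo hello" > stdout`. A short comment above the `mkdir bin` block saying that the executable name is chosen to look like an option so that `--` is exercised would also help.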

