commit bubblewrap for openSUSE:Factory
Hello community, here is the log from the commit of package bubblewrap for openSUSE:Factory checked in at 2020-04-05 20:51:39 Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old) and /work/SRC/openSUSE:Factory/.bubblewrap.new.3248 (New) Package is "bubblewrap" Sun Apr 5 20:51:39 2020 rev:11 rq:790515 version:0.4.1 Changes: --- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes2019-12-28 13:40:18.562926637 +0100 +++ /work/SRC/openSUSE:Factory/.bubblewrap.new.3248/bubblewrap.changes 2020-04-05 20:51:49.737084100 +0200 @@ -1,0 +2,12 @@ +Wed Apr 1 10:03:39 UTC 2020 - Sebastian Wagner + +- Update to version 0.4.1: + * retcode: fix return code with syncfd and no event_fd + * Ensure we're always clearing the cap bounding set + * tests: Update output patterns for libcap >= 2.29 + * Don't rely on geteuid() to know when to switch back from setuid root + * Don't support --userns2 in setuid mode + * fixes CVE-2020-5291 + * fixes bsc#1168291 + +--- Old: bubblewrap-0.4.0.tar.xz New: bubblewrap-0.4.1.tar.xz Other differences: -- ++ bubblewrap.spec ++ --- /var/tmp/diff_new_pack.li2KxO/_old 2020-04-05 20:51:50.253084594 +0200 +++ /var/tmp/diff_new_pack.li2KxO/_new 2020-04-05 20:51:50.257084598 +0200 @@ -1,7 +1,7 @@ # # spec file for package bubblewrap # -# Copyright (c) 2019 SUSE LLC +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: bubblewrap -Version:0.4.0 +Version:0.4.1 Release:0 Summary:Core execution tool for unprivileged containers License:LGPL-2.0-or-later ++ bubblewrap-0.4.0.tar.xz -> bubblewrap-0.4.1.tar.xz ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.4.0/bubblewrap.c new/bubblewrap-0.4.1/bubblewrap.c --- old/bubblewrap-0.4.0/bubblewrap.c 2019-11-27 13:34:31.0 +0100 +++ new/bubblewrap-0.4.1/bubblewrap.c 2020-03-30 15:09:24.0 +0200 
@@ -532,17 +532,20 @@ int status; child = wait (&status); - if (child == initial_pid && event_fd != -1) + if (child == initial_pid) { - uint64_t val; - int res UNUSED; - initial_exit_status = propagate_exit_status (status); - val = initial_exit_status + 1; - res = write (event_fd, &val, 8); - /* Ignore res, if e.g. the parent died and closed event_fd - we don't want to error out here */ + if(event_fd != -1) +{ + uint64_t val; + int res UNUSED; + + val = initial_exit_status + 1; + res = write (event_fd, &val, 8); + /* Ignore res, if e.g. the parent died and closed event_fd + we don't want to error out here */ +} } if (child == -1 && errno != EINTR) @@ -834,11 +837,13 @@ /* Call setuid() and use capset() to adjust capabilities */ static void -drop_privs (bool keep_requested_caps) +drop_privs (bool keep_requested_caps, +bool already_changed_uid) { assert (!keep_requested_caps || !is_privileged); /* Drop root uid */ - if (geteuid () == 0 && setuid (opt_sandbox_uid) < 0) + if (is_privileged && !already_changed_uid && + setuid (opt_sandbox_uid) < 0) die_with_error ("unable to drop root uid"); drop_all_caps (keep_requested_caps); @@ -2296,6 +2301,9 @@ if (opt_userns_fd != -1 && is_privileged) die ("--userns doesn't work in setuid mode"); + if (opt_userns2_fd != -1 && is_privileged) +die ("--userns2 doesn't work in setuid mode"); + /* We have to do this if we weren't installed setuid (and we're not * root), so let's just DWIM */ if (!is_privileged && getuid () != 0 && opt_userns_fd == -1) @@ -2499,7 +2507,7 @@ die_with_error ("Setting userns2 failed"); /* We don't need any privileges in the launcher, drop them immediately. */ - drop_privs (FALSE); + drop_privs (FALSE, FALSE); /* Optionally bind our lifecycle to that of the parent */ handle_die_with_parent (); @@ -2674,7 +2682,7 @@ if (child == 0) { /* Unprivileged setup process */ - drop_privs (FALSE); + drop_privs (FALSE, TRUE); close (privsep_sockets[0]); setup_newroot (opt_unshare_pid, privsep_sockets[1]); exit (0); 
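Review bot: The nested guard added in the @@ -532 hunk is written `if(event_fd != -1)` without the space the surrounding code uses (`if (child == initial_pid)`, `if (child == -1 && errno != EINTR)`); it should read `if (event_fd != -1)`. While the eventfd write is being moved, the literal `8` in `res = write (event_fd, &val, 8);` would be clearer as `sizeof val`, which ties the length to the `uint64_t` it sends. The enclosing function starts and ends outside the hunk.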
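Review bot: The new `already_changed_uid` parameter in the @@ -834 hunk is undocumented, and the surviving `/* Drop root uid */` comment no longer describes the condition: the setuid() call is now gated on `is_privileged && !already_changed_uid` rather than on `geteuid () == 0`, so a process running as real uid 0 without the setuid bit (if `is_privileged` means setuid-root, which the hunk does not show) keeps uid 0 here. Because the function now trusts the caller's flag instead of inspecting its own credentials, the two call sites — the launcher in the @@ -2499 hunk passing `FALSE` and the setup child in the @@ -2674 hunk passing `TRUE` — deserve a sentence each saying why that value is right. I would replace the comment with `/* Drop the setuid-root uid unless the caller already did so (already_changed_uid); decided by the caller rather than by geteuid (), which is not a reliable signal once we may have joined another user namespace. */`. The "not reliable" clause is my reading of the CVE-2020-5291 entry in the changelog above and should be confirmed against the upstream commit.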
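Review bot: The new `--userns2` rejection in the @@ -2296 hunk carries no comment, and neither does the `--userns` check it mirrors, so a reader cannot tell whether these are limitations or security boundaries; given that the changelog above ties this release to CVE-2020-5291, a comment such as `/* In setuid mode we must never join a caller-controlled user namespace; refuse --userns and --userns2 outright. */` above the pair would record the intent. Whether this check runs before any use of `opt_userns2_fd` is not visible here (the setns call only appears as the `Setting userns2 failed` context in the @@ -2499 hunk), so that ordering should be confirmed.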
@@ -2763,13 +2771,16 @@ if (unshare (CLONE_NEWUSER)) die_with_error ("unshare user ns"); + /* We're in a new user namespace,
commit bubblewrap for openSUSE:Factory
Hello community, here is the log from the commit of package bubblewrap for openSUSE:Factory checked in at 2019-12-28 13:40:14 Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old) and /work/SRC/openSUSE:Factory/.bubblewrap.new.6675 (New) Package is "bubblewrap" Sat Dec 28 13:40:14 2019 rev:10 rq:759115 version:0.4.0 Changes: --- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes2019-07-08 15:04:48.662878022 +0200 +++ /work/SRC/openSUSE:Factory/.bubblewrap.new.6675/bubblewrap.changes 2019-12-28 13:40:18.562926637 +0100 @@ -1,0 +2,12 @@ +Fri Dec 20 22:59:52 UTC 2019 - Bjørn Lie + +- Update to version 0.4.0: + + The biggest feature in this release is the support for joining +existing user and pid namespaces. This doesn't work in the +setuid mode (at the moment). + + Other changes: +- Stores namespace info in status json. +- In setuid mode pid 1 is now marked dumpable. +- Now builds with musl libc. + +--- Old: bubblewrap-0.3.3.tar.xz New: bubblewrap-0.4.0.tar.xz Other differences: -- ++ bubblewrap.spec ++ --- /var/tmp/diff_new_pack.Zz5AcS/_old 2019-12-28 13:40:19.898927311 +0100 +++ /var/tmp/diff_new_pack.Zz5AcS/_new 2019-12-28 13:40:19.934927329 +0100 @@ -1,7 +1,7 @@ # # spec file for package bubblewrap # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,13 +17,13 @@ Name: bubblewrap -Version:0.3.3 +Version:0.4.0 Release:0 Summary:Core execution tool for unprivileged containers License:LGPL-2.0-or-later Group: Productivity/Security -Url:https://github.com/projectatomic/bubblewrap -Source0: https://github.com/projectatomic/bubblewrap/releases/download/v%{version}/%{name}-%{version}.tar.xz +URL:https://github.com/projectatomic/bubblewrap +Source0:%{url}/releases/download/v%{version}/%{name}-%{version}.tar.xz BuildRequires: autoconf BuildRequires: automake BuildRequires: docbook-xsl-stylesheets @@ -41,7 +41,7 @@ user namespaces. %prep -%autosetup -n %{name}-%{version} +%autosetup -p1 -n %{name}-%{version} sed -i '1d' completions/bash/bwrap %if 0%{?suse_version} < 1500 sed -i '1s,/usr/bin/env bash,/bin/bash,' demos/bubblewrap-shell.sh ++ bubblewrap-0.3.3.tar.xz -> bubblewrap-0.4.0.tar.xz ++ 15274 lines of diff (skipped) retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/bubblewrap-0.3.3/bubblewrap.c new/bubblewrap-0.4.0/bubblewrap.c --- old/bubblewrap-0.3.3/bubblewrap.c 2019-05-01 10:44:10.0 +0200 +++ new/bubblewrap-0.4.0/bubblewrap.c 2019-11-27 13:34:31.0 +0100 @@ -42,6 +42,15 @@ #define CLONE_NEWCGROUP 0x0200 /* New cgroup namespace */ #endif +#ifndef TEMP_FAILURE_RETRY +#define TEMP_FAILURE_RETRY(expression) \ + (__extension__ \ +({ long int __result; \ + do __result = (long int) (expression); \ + while (__result == -1L && errno == EINTR); \ + __result; })) +#endif + /* Globals to avoid having to use getuid(), since the uid/gid changes during runtime */ static uid_t real_uid; static gid_t real_gid; 
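Review bot: The fallback `TEMP_FAILURE_RETRY` in the @@ -42 hunk uses the identifier `__result`, which is reserved for the implementation (any name containing `__`); the glibc definition it mirrors may use it, but application code should spell it `result_`. The block also has no comment saying why it exists — the changelog above says the release now builds with musl — so I would head it with `/* Fallback for libcs that lack glibc's TEMP_FAILURE_RETRY (e.g. musl); the definition mirrors glibc's. */`. The macro reads `errno`, so `<errno.h>` has to be included before this point; that is outside the hunk and should be confirmed.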
@@ -77,10 +86,34 @@ int opt_seccomp_fd = -1; const char *opt_sandbox_hostname = NULL; char *opt_args_data = NULL; /* owned */ +int opt_userns_fd = -1; +int opt_userns2_fd = -1; +int opt_pidns_fd = -1; #define CAP_TO_MASK_0(x) (1L << ((x) & 31)) #define CAP_TO_MASK_1(x) CAP_TO_MASK_0(x - 32) +typedef struct _NsInfo NsInfo; + +struct _NsInfo { + const char *name; + bool *do_unshare; + ino_t id; +}; + +static NsInfo ns_infos[] = { + {"cgroup", &opt_unshare_cgroup, 0}, + {"ipc",&opt_unshare_ipc,0}, + {"mnt",NULL,0}, + {"net",&opt_unshare_net,0}, + {"pid",&opt_unshare_pid,0}, + /* user namespace info omitted because it + * is not (yet) valid when we obtain the + * namespace info (get un-shared later) */ + {"uts",&opt_unshare_uts,0}, + {NULL, NULL,0} +}; + typedef enum { SETUP_BIND_MOUNT,
commit bubblewrap for openSUSE:Factory
Hello community, here is the log from the commit of package bubblewrap for openSUSE:Factory checked in at 2019-07-08 15:04:47 Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old) and /work/SRC/openSUSE:Factory/.bubblewrap.new.4615 (New) Package is "bubblewrap" Mon Jul 8 15:04:47 2019 rev:9 rq:713457 version:0.3.3 Changes: --- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes2019-06-04 12:09:11.779883557 +0200 +++ /work/SRC/openSUSE:Factory/.bubblewrap.new.4615/bubblewrap.changes 2019-07-08 15:04:48.662878022 +0200 @@ -1,0 +2,5 @@ +Fri Jun 7 14:38:21 UTC 2019 - Antonio Larrosa + +- Use /bin/bash instead of /usr/bin/bash in SLE12 + +--- Other differences: -- ++ bubblewrap.spec ++ --- /var/tmp/diff_new_pack.3p0W9M/_old 2019-07-08 15:04:49.474879249 +0200 +++ /var/tmp/diff_new_pack.3p0W9M/_new 2019-07-08 15:04:49.474879249 +0200 @@ -43,7 +43,12 @@ %prep %autosetup -n %{name}-%{version} sed -i '1d' completions/bash/bwrap +%if 0%{?suse_version} < 1500 +sed -i '1s,/usr/bin/env bash,/bin/bash,' demos/bubblewrap-shell.sh +sed -i '1s/env //' demos/userns-block-fd.py +%else sed -i '1s/env //' demos/bubblewrap-shell.sh demos/userns-block-fd.py +%endif %build env NOCONFIGURE=1 ./autogen.sh
commit bubblewrap for openSUSE:Factory
Hello community, here is the log from the commit of package bubblewrap for openSUSE:Factory checked in at 2019-06-04 12:09:07 Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old) and /work/SRC/openSUSE:Factory/.bubblewrap.new.5148 (New) Package is "bubblewrap" Tue Jun 4 12:09:07 2019 rev:8 rq:706819 version:0.3.3 Changes: --- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes2018-10-25 08:10:52.376245754 +0200 +++ /work/SRC/openSUSE:Factory/.bubblewrap.new.5148/bubblewrap.changes 2019-06-04 12:09:11.779883557 +0200 @@ -1,0 +2,20 @@ +Sat Jun 1 15:08:49 UTC 2019 - Sebastian Wagner + +- Update to version 0.3.3: + - This release is the same as 0.3.2 but the version number in configure.ac + was accidentally still set to 0.3.1 +- Update to version 0.3.2: + - fixes boo#1136958 / CVE-2019-12439 + This release fixes a mostly theoretical security issue in unusual/broken + setups where `$XDG_RUNTIME_DIR` is unset. + There are some other smaller fixes, as well as an addition to the JSON + API that allows reading the inner process exit code, separately from + the `bwrap` exit code. + - Print "Out of memory" on stderr, not stdout + - bwrap: add option json-status-fd to show child exit code + - bwrap: Report COMMAND exit code in json-status-fd + - man page: Describe --chdir, not nonexistent --cwd + - Don't create our own temporary mount point for pivot_root + - Make lockdata long enough on 32-bit with 64-bit file pointers. + +--- Old: v0.3.1.tar.gz New: bubblewrap-0.3.3.tar.xz Other differences: -- ++ bubblewrap.spec ++ --- /var/tmp/diff_new_pack.nAie10/_old 2019-06-04 12:09:12.803883221 +0200 +++ /var/tmp/diff_new_pack.nAie10/_new 2019-06-04 12:09:12.803883221 +0200 
@@ -1,7 +1,7 @@ # # spec file for package bubblewrap # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,16 +17,13 @@ Name: bubblewrap -Version:0.3.1 +Version:0.3.3 Release:0 Summary:Core execution tool for unprivileged containers License:LGPL-2.0-or-later Group: Productivity/Security Url:https://github.com/projectatomic/bubblewrap -Source: https://github.com/projectatomic/bubblewrap/archive/v%{version}.tar.gz -# Does not have README.md and autogen.sh included -> unusable -# Source0: https://github.com/projectatomic/bubblewrap/releases/download/v%%{version}/%%{name}-%%{version}.tar.xz -# We always run autogen.sh +Source0: https://github.com/projectatomic/bubblewrap/releases/download/v%{version}/%{name}-%{version}.tar.xz BuildRequires: autoconf BuildRequires: automake BuildRequires: docbook-xsl-stylesheets
commit bubblewrap for openSUSE:Factory
Hello community, here is the log from the commit of package bubblewrap for openSUSE:Factory checked in at 2018-10-25 08:10:49 Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old) and /work/SRC/openSUSE:Factory/.bubblewrap.new (New) Package is "bubblewrap" Thu Oct 25 08:10:49 2018 rev:7 rq:641812 version:0.3.1 Changes: --- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes2018-07-22 23:03:32.780945917 +0200 +++ /work/SRC/openSUSE:Factory/.bubblewrap.new/bubblewrap.changes 2018-10-25 08:10:52.376245754 +0200 @@ -1,0 +2,12 @@ +Thu Oct 11 16:41:12 UTC 2018 - Antonio Larrosa - 0.3.1 + +- update to version 0.3.1: + * New feature in this release is --bind-try (as well as --dev-bind-try +and --ro-bind-try) which works like the regular versions if the source +exists, but does nothing if it doesn't exist. + + * The mount type for the root tmpfs was also changed to "tmpfs" instead +of being empty, as the later could cause problems with some programs +when parsing the mountinfo files in /proc. + +--- 
@@ -5 +17,16 @@ - * no upstream changelog available + * The biggest feature from this release is that bwrap +now supports being invoked recursively (from other container +runtimes such as Docker/podman/runc as well as bwrap itself) +when user namespaces are enabled, and the outer container manager +allows it (Docker's default seccomp policy doesn't). + + * This is useful for testing scenarios; for example a project +uses Kubernetes for its CI, but inside build the project wants to run +each unit test in their own pid namespace, without going out +and creating a new pod for every single unit test. + + * Similarly, rpm-ostree compose tree uses bwrap internally for scripts, +and we want to support running rpm-ostree inside a container as well. + + * Another feature is bwrap now supports -- to terminate argument +parsing. To detect availablity of this, you could parse bwrap --version. Old: v0.3.0.tar.gz New: v0.3.1.tar.gz Other differences: -- ++ bubblewrap.spec ++ --- /var/tmp/diff_new_pack.Ovcqfs/_old 2018-10-25 08:10:52.872245429 +0200 +++ /var/tmp/diff_new_pack.Ovcqfs/_new 2018-10-25 08:10:52.876245426 +0200 @@ -12,12 +12,12 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # Name: bubblewrap -Version:0.3.0 +Version:0.3.1 Release:0 Summary:Core execution tool for unprivileged containers License:LGPL-2.0-or-later ++ v0.3.0.tar.gz -> v0.3.1.tar.gz ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.3.0/bubblewrap.c new/bubblewrap-0.3.1/bubblewrap.c --- old/bubblewrap-0.3.0/bubblewrap.c 2018-07-11 17:32:00.0 +0200 +++ new/bubblewrap-0.3.1/bubblewrap.c 2018-08-09 15:34:51.0 +0200 @@ -99,6 +99,7 @@ typedef enum { NO_CREATE_DEST = (1 << 0), + ALLOW_NOTEXIST = (2 << 0), } SetupOpFlag; typedef struct _SetupOp SetupOp; 
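Review bot: `ALLOW_NOTEXIST = (2 << 0)` in the @@ -99 hunk evaluates to the intended value 2 but breaks the `(1 << n)` flag convention set by `NO_CREATE_DEST = (1 << 0)` on the previous line and reads like a copy-paste slip; write it `ALLOW_NOTEXIST = (1 << 1),` so the next flag is obviously `(1 << 2)`. A short comment on the flag, `/* skip the op instead of failing when SRC does not exist */`, would also help, since its meaning is only visible in the later @@ -966 hunk.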
@@ -207,8 +208,11 @@ "--lock-file DEST Take a lock on DEST while sandbox is running\n" "--sync-fd FD Keep this fd open while sandbox is running\n" "--bind SRC DEST Bind mount the host path SRC on DEST\n" + "--bind-try SRC DEST Equal to --bind but ignores non-existant SRC\n" "--dev-bind SRC DEST Bind mount the host path SRC on DEST, allowing device access\n" + "--dev-bind-try SRC DEST Equal to --dev-bind but ignores non-existant SRC\n" "--ro-bind SRC DEST Bind mount the host path SRC readonly on DEST\n" + "--ro-bind-try SRC DEST Equal to --ro-bind but ignores non-existant SRC\n" "--remount-ro DESTRemount DEST as readonly; does not recursively remount\n" "--exec-label LABEL Exec label for the sandbox\n" "--file-label LABEL File label for temporary sandbox content\n" @@ -966,7 +970,11 @@ source = get_oldroot_path (op->source); source_mode = get_file_mode (source); if (source_mode < 0) -die_with_error ("Can't get type of source %s", op->source); +{ + if (op->flags & ALLOW_NOTEXIST && errno == ENOENT) +continue; /* Ignore and move on */ + die_with_error("Can't get
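Review bot: The three help strings added in the @@ -207 hunk misspell "non-existent" as `non-existant`; since this is user-visible `--help` output, each should read like `"--bind-try SRC DEST Equal to --bind but ignores non-existent SRC\n"`, and likewise for `--dev-bind-try` and `--ro-bind-try`. The enclosing usage() string continues outside the hunk.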
commit bubblewrap for openSUSE:Factory
Hello community, here is the log from the commit of package bubblewrap for openSUSE:Factory checked in at 2018-07-22 23:03:30 Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old) and /work/SRC/openSUSE:Factory/.bubblewrap.new (New) Package is "bubblewrap" Sun Jul 22 23:03:30 2018 rev:6 rq:624477 version:0.3.0 Changes: --- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes2018-05-30 12:11:44.234907268 +0200 +++ /work/SRC/openSUSE:Factory/.bubblewrap.new/bubblewrap.changes 2018-07-22 23:03:32.780945917 +0200 @@ -1,0 +2,6 @@ +Sat Jul 14 20:06:50 UTC 2018 - sebix+novell@sebix.at + +- update to version 0.3.0: + * no upstream changelog available + +--- Old: v0.2.1.tar.gz New: v0.3.0.tar.gz Other differences: -- ++ bubblewrap.spec ++ --- /var/tmp/diff_new_pack.uoNXtd/_old 2018-07-22 23:03:33.544945634 +0200 +++ /var/tmp/diff_new_pack.uoNXtd/_new 2018-07-22 23:03:33.548945633 +0200 @@ -17,7 +17,7 @@ Name: bubblewrap -Version:0.2.1 +Version:0.3.0 Release:0 Summary:Core execution tool for unprivileged containers License:LGPL-2.0-or-later ++ v0.2.1.tar.gz -> v0.3.0.tar.gz ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.2.1/.papr.yml new/bubblewrap-0.3.0/.papr.yml --- old/bubblewrap-0.2.1/.papr.yml 2018-04-06 17:06:15.0 +0200 +++ new/bubblewrap-0.3.0/.papr.yml 2018-07-11 17:32:00.0 +0200 
@@ -19,10 +19,10 @@ inherit: true host: -distro: fedora/26/atomic +distro: fedora/27/atomic -context: f26-sanitizer +context: f27-sanitizer required: true tests: - - env CFLAGS='-g -Og -fsanitize=undefined -fsanitize=address -O2 -Wp,-D_FORTIFY_SOURCE=2' ./ci/papr.sh registry.fedoraproject.org/fedora:26 + - env CFLAGS='-g -Og -fsanitize=undefined -fsanitize=address -O2 -Wp,-D_FORTIFY_SOURCE=2' ./ci/papr.sh registry.fedoraproject.org/fedora:27 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.2.1/bubblewrap.c new/bubblewrap-0.3.0/bubblewrap.c --- old/bubblewrap-0.2.1/bubblewrap.c 2018-04-06 17:06:15.0 +0200 +++ new/bubblewrap-0.3.0/bubblewrap.c 2018-07-11 17:32:00.0 +0200 @@ -182,7 +182,7 @@ static void usage (int ecode, FILE *out) { - fprintf (out, "usage: %s [OPTIONS...] COMMAND [ARGS...]\n\n", argv0); + fprintf (out, "usage: %s [OPTIONS...] [--] COMMAND [ARGS...]\n\n", argv0); fprintf (out, "--help Print this help\n" @@ -316,7 +316,7 @@ * the exit status via a eventfd. We also track the exit of the sandbox * pid 1 via a signalfd for SIGCHLD, and exit with an error in this case. * This is to catch e.g. problems during setup. */ -static void +static int monitor_child (int event_fd, pid_t child_pid) { int res; @@ -368,7 +368,7 @@ if (s == -1 && errno != EINTR && errno != EAGAIN) die_with_error ("read eventfd"); else if (s == 8) -exit ((int) val - 1); +return ((int) val - 1); } /* We need to read the signal_fd, or it will keep polling as read, @@ -385,9 +385,13 @@ /* We may be getting sigchild from other children too. For instance if someone created a child process, and then exec:ed bubblewrap. Ignore them */ if (died_pid == child_pid) -exit (propagate_exit_status (died_status)); +return propagate_exit_status (died_status); } } + + die ("Should not be reached"); + + return 0; } /* This is pid 1 in the app sandbox. It is needed because we're using 
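Review bot: The comment above `monitor_child` that survives as context in the @@ -316 hunk still says the function will "exit with an error", but after this change the function returns the status (`return ((int) val - 1);` in the @@ -368 hunk, `return propagate_exit_status (died_status);` in the @@ -385 hunk) and leaves exiting to its caller; the comment should gain a closing line such as ` * Returns the exit status the caller should exit with. */`. In the @@ -385 hunk the `return 0;` after `die ("Should not be reached");` is unreachable if `die` is declared noreturn and otherwise exists only to satisfy the compiler; either way a `/* not reached */` comment on it would save the next reader a lookup. The body of monitor_child between these hunks, and the caller that now consumes the return value, are outside what is shown.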
@@ -1025,9 +1029,15 @@ for (i = 0; i < N_ELEMENTS (cover_proc_dirs); i++) { cleanup_free char *subdir = strconcat3 (dest, "/", cover_proc_dirs[i]); - /* Some of these may not exist */ - if (get_file_mode (subdir) == -1) -continue; + if (access (subdir, W_OK) < 0) +{ + /* The file is already read-only or doesn't exist. */ + if (errno == EACCES || errno == ENOENT) +continue; + + die_with_error ("Can't access %s", subdir); +} + privileged_op (privileged_op_socket, PRIV_SEP_OP_BIND_MOUNT, BIND_READONLY, subdir, subdir); @@ -1885,6 +1895,12 @@ argv += 1; argc -= 1; } + else if (strcmp (arg, "--") == 0) +{ + argv += 1; + argc -= 1; + b
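Review bot: The new `access (subdir, W_OK)` test in the @@ -1025 hunk treats only `EACCES` and `ENOENT` as "already read-only or doesn't exist", but access(2) reports a write check on a read-only filesystem as `EROFS`, so a /proc subdirectory that is already mounted read-only (for example under a nested invocation) makes the loop die with `Can't access` instead of being skipped; the condition should be `if (errno == EACCES || errno == ENOENT || errno == EROFS)`. Note also that access() checks against the real uid, so if this loop runs on the unprivileged side (the `privileged_op (privileged_op_socket, ...)` call suggests so, but the hunk does not show it) `EACCES` means the sandboxed user could not write there anyway, which is what makes skipping safe; that reasoning belongs in the comment. The enclosing loop body continues outside the hunk.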
commit bubblewrap for openSUSE:Factory
Hello community, here is the log from the commit of package bubblewrap for openSUSE:Factory checked in at 2018-05-30 11:40:35 Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old) and /work/SRC/openSUSE:Factory/.bubblewrap.new (New) Package is "bubblewrap" Wed May 30 11:40:35 2018 rev:5 rq:612511 version:0.2.1 Changes: --- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes2017-10-13 14:09:17.578155078 +0200 +++ /work/SRC/openSUSE:Factory/.bubblewrap.new/bubblewrap.changes 2018-05-30 12:11:44.234907268 +0200 @@ -1,0 +2,10 @@ +Tue May 1 21:02:33 UTC 2018 - sebix+novell@sebix.at + +- update to version 0.2.1: + * All the demos are included + * bugfixes for the demo files + * There was an issue with mkdir when running bubblewrap on an NFS + filesystem that has been fixed, so flatpak now works on NFS shares. + * Some leaks have been fixed, including a file descriptor leak. + +--- Old: v0.2.0.tar.gz New: v0.2.1.tar.gz Other differences: -- ++ bubblewrap.spec ++ --- /var/tmp/diff_new_pack.ddPOlh/_old 2018-05-30 12:11:45.794755665 +0200 +++ /var/tmp/diff_new_pack.ddPOlh/_new 2018-05-30 12:11:45.798755276 +0200 @@ -1,7 +1,7 @@ # # spec file for package bubblewrap # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,10 +17,10 @@ Name: bubblewrap -Version:0.2.0 +Version:0.2.1 Release:0 Summary:Core execution tool for unprivileged containers -License:LGPL-2.0+ +License:LGPL-2.0-or-later Group: Productivity/Security Url:https://github.com/projectatomic/bubblewrap Source: https://github.com/projectatomic/bubblewrap/archive/v%{version}.tar.gz @@ -46,6 +46,7 @@ %prep %autosetup -n %{name}-%{version} sed -i '1d' completions/bash/bwrap +sed -i '1s/env //' demos/bubblewrap-shell.sh demos/userns-block-fd.py %build env NOCONFIGURE=1 ./autogen.sh 
@@ -58,7 +59,7 @@ %files %license COPYING -%doc README.md +%doc README.md demos %dir %{_datadir}/bash-completion %dir %{_datadir}/bash-completion/completions %{_datadir}/bash-completion/completions/bwrap ++ v0.2.0.tar.gz -> v0.2.1.tar.gz ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.2.0/Makefile.am new/bubblewrap-0.2.1/Makefile.am --- old/bubblewrap-0.2.0/Makefile.am2017-10-09 16:11:41.0 +0200 +++ new/bubblewrap-0.2.1/Makefile.am2018-04-06 17:06:15.0 +0200 @@ -1,6 +1,18 @@ AM_CFLAGS = $(WARN_CFLAGS) CLEANFILES = -EXTRA_DIST = +EXTRA_DIST = \ + .dir-locals.el \ + .editorconfig \ + README.md \ + autogen.sh \ + demos/bubblewrap-shell.sh \ + demos/flatpak-run.sh \ + demos/flatpak.bpf \ + demos/userns-block-fd.py \ + packaging/bubblewrap.spec \ + uncrustify.cfg \ + uncrustify.sh \ + $(NULL) GITIGNOREFILES = build-aux/ gtk-doc.make config.h.in aclocal.m4 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.2.0/README.md new/bubblewrap-0.2.1/README.md --- old/bubblewrap-0.2.0/README.md 2017-10-09 16:11:41.0 +0200 +++ new/bubblewrap-0.2.1/README.md 2018-04-06 17:06:15.0 +0200 
@@ -105,7 +105,7 @@ IPC namespaces ([CLONE_NEWIPC](http://linux.die.net/man/2/clone)): The sandbox will get its own copy of all the different forms of IPCs, like SysV shared memory and semaphores. -PID namespaces ([CLONE_NEWPID](http://linux.die.net/man/2/clone)): The sandbox will not see any processes outside the sandbox. Additionally, bubblewrap will run a trivial pid1 inside your container to handle the requirements of reaping children in the sandbox. .This avoids what is known now as the [Docker pid 1 problem](https://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/). +PID namespaces ([CLONE_NEWPID](http://linux.die.net/man/2/clone)): The sandbox will not see any processes outside the sandbox. Additionally, bubblewrap will run a trivial pid1 inside your container to handle the requirements of reaping children in the sandbox. This avoids what is known now as the [Docker pid 1 problem](https://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/). Network namespaces ([CLONE_NEWNET](http://linux.die.net/man/2/clone)): The sandbox will not see the network. Instead it will have its own network namespace with o
commit bubblewrap for openSUSE:Factory
Hello community, here is the log from the commit of package bubblewrap for openSUSE:Factory checked in at 2017-10-13 14:09:16 Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old) and /work/SRC/openSUSE:Factory/.bubblewrap.new (New) Package is "bubblewrap" Fri Oct 13 14:09:16 2017 rev:4 rq:532853 version:0.2.0 Changes: --- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes2017-09-21 12:32:47.996533808 +0200 +++ /work/SRC/openSUSE:Factory/.bubblewrap.new/bubblewrap.changes 2017-10-13 14:09:17.578155078 +0200 @@ -1,0 +2,17 @@ +Mon Oct 9 17:53:37 UTC 2017 - sebix+novell@sebix.at + +- update to version 0.2.0 + - bwrap now automatically detects the new + user namespace restrictions in Red Hat Enterprise Linux 7.4: + bubblewrap: check for max_user_namespaces == 0. + - The most notable features are new arguments --as-pid1, and + --cap-add/--cap-drop. These were added for running systemd (or in general a + "full" init system) inside bubblewrap. But the capability options are also + useful for unprivileged callers to potentially retain capbilities inside the + sandbox (for example CAP_NET_ADMIN), when user namespaces are enabled. + Conversely, privileged callers (uid 0) can conversely drop capabilities (without + user namespaces). Contributed by Giuseppe Scrivano. + - With --dev, add /dev/fd and /dev/core symlinks + which should improve compatibility with older software. + +--- Old: v0.1.8.tar.gz New: v0.2.0.tar.gz Other differences: -- ++ bubblewrap.spec ++ --- /var/tmp/diff_new_pack.oNiZK5/_old 2017-10-13 14:09:18.454116559 +0200 +++ /var/tmp/diff_new_pack.oNiZK5/_new 2017-10-13 14:09:18.458116383 +0200 
@@ -17,7 +17,7 @@ Name: bubblewrap -Version:0.1.8 +Version:0.2.0 Release:0 Summary:Core execution tool for unprivileged containers License:LGPL-2.0+ ++ v0.1.8.tar.gz -> v0.2.0.tar.gz ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.1.8/.papr.yml new/bubblewrap-0.2.0/.papr.yml --- old/bubblewrap-0.1.8/.papr.yml 1970-01-01 01:00:00.0 +0100 +++ new/bubblewrap-0.2.0/.papr.yml 2017-10-09 16:11:41.0 +0200 @@ -0,0 +1,28 @@ +context: centos7 +required: true + +branches: +- master +- auto +- try + +host: +distro: centos/7/atomic + +tests: + - env BWRAP_SUID=true ./ci/papr.sh centos:7 + +timeout: 30m + +--- + +inherit: true + +host: +distro: fedora/26/atomic + +context: f26-sanitizer +required: true + +tests: + - env CFLAGS='-g -Og -fsanitize=undefined -fsanitize=address -O2 -Wp,-D_FORTIFY_SOURCE=2' ./ci/papr.sh registry.fedoraproject.org/fedora:26 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.1.8/.redhat-ci.yml new/bubblewrap-0.2.0/.redhat-ci.yml --- old/bubblewrap-0.1.8/.redhat-ci.yml 2017-03-28 16:26:53.0 +0200 +++ new/bubblewrap-0.2.0/.redhat-ci.yml 1970-01-01 01:00:00.0 +0100 @@ -1,25 +0,0 @@ -context: centos7 -required: true - -branches: -- master -- auto -- try - -host: -distro: centos/7/atomic - -tests: - - env BWRAP_SUID=true ./ci/redhat-ci.sh centos:7 - -timeout: 30m - - -inherit: true - -context: f25-asan-ubsan -required: true - -tests: - - env CFLAGS='-g -Og -fsanitize=undefined -fsanitize=address' ./ci/redhat-ci.sh fedora:25 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.1.8/Makefile.am new/bubblewrap-0.2.0/Makefile.am --- old/bubblewrap-0.1.8/Makefile.am2017-03-28 16:26:53.0 +0200 +++ new/bubblewrap-0.2.0/Makefile.am2017-10-09 16:11:41.0 +0200 
@@ -29,10 +29,13 @@ include Makefile-docs.am +LOG_DRIVER = env AM_TAP_AWK='$(AWK)' $(SHELL) $(top_srcdir)/build-aux/tap-driver.sh +LOG_COMPILER = TESTS = tests/test-run.sh TESTS_ENVIRONMENT = BWRAP=$(abs_top_builddir)/test-bwrap EXTRA_DIST += $(TESTS) +EXTRA_DIST += tests/libtest-core.sh if ENABLE_BASH_COMPLETION bashcompletiondir = $(BASH_COMPLETION_DIR) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.1.8/README.md new/bubblewrap-0.2.0/README.md --- old/bubblewrap-0.1.8/README.md 2017-03-28 16:26:53.0 +0200 +++ new/bubblewrap-0.2.0/README.md 2017-10-09 16:11:41.0 +0200 @@ -55,6 +55,7 @@ - [Flatpak](http://www.flatpak.org) - [rpm-ostree unprivileged](https://github.com/projectatomic/rpm-ostree/pull/209) + - [bwrap-oci](https://github.com/projectatomic/bwrap-oci) We would also like to see this be available in Kubernetes/Ope
commit bubblewrap for openSUSE:Factory
Hello community, here is the log from the commit of package bubblewrap for openSUSE:Factory checked in at 2017-09-21 12:32:46 Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old) and /work/SRC/openSUSE:Factory/.bubblewrap.new (New) Package is "bubblewrap" Thu Sep 21 12:32:46 2017 rev:3 rq:527016 version:0.1.8 Changes: --- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes2017-07-17 09:11:33.312582144 +0200 +++ /work/SRC/openSUSE:Factory/.bubblewrap.new/bubblewrap.changes 2017-09-21 12:32:47.996533808 +0200 @@ -1,0 +2,5 @@ +Mon Sep 18 12:39:54 UTC 2017 - sebix+novell@sebix.at + +- add group + +--- Other differences: -- ++ bubblewrap.spec ++ --- /var/tmp/diff_new_pack.YNTvJy/_old 2017-09-21 12:32:49.024389162 +0200 +++ /var/tmp/diff_new_pack.YNTvJy/_new 2017-09-21 12:32:49.028388599 +0200 @@ -18,9 +18,10 @@ Name: bubblewrap Version:0.1.8 -Release:1%{?dist} +Release:0 Summary:Core execution tool for unprivileged containers License:LGPL-2.0+ +Group: Productivity/Security Url:https://github.com/projectatomic/bubblewrap Source: https://github.com/projectatomic/bubblewrap/archive/v%{version}.tar.gz # Does not have README.md and autogen.sh included -> unusable @@ -56,7 +57,6 @@ find %{buildroot} -type f -name "*.la" -delete -print %files -%defattr(-,root,root) %license COPYING %doc README.md %dir %{_datadir}/bash-completion
commit bubblewrap for openSUSE:Factory
Hello community, here is the log from the commit of package bubblewrap for openSUSE:Factory checked in at 2017-07-17 09:11:32 Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old) and /work/SRC/openSUSE:Factory/.bubblewrap.new (New) Package is "bubblewrap" Mon Jul 17 09:11:32 2017 rev:2 rq:510257 version:0.1.8 Changes: --- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes2017-07-05 23:57:11.882716063 +0200 +++ /work/SRC/openSUSE:Factory/.bubblewrap.new/bubblewrap.changes 2017-07-17 09:11:33.312582144 +0200 @@ -1,0 +2,5 @@ +Fri Jul 7 09:40:27 UTC 2017 - sebix+novell@sebix.at + +- fix build macro with rpm < 4.12 (non-Factory currently) + +--- Other differences: -- ++ bubblewrap.spec ++ --- /var/tmp/diff_new_pack.jcfKd7/_old 2017-07-17 09:11:33.908498208 +0200 +++ /var/tmp/diff_new_pack.jcfKd7/_new 2017-07-17 09:11:33.912497644 +0200 @@ -49,7 +49,7 @@ %build env NOCONFIGURE=1 ./autogen.sh %configure --disable-silent-rules --with-priv-mode=none -%make_build +make %{?_smp_mflags} %install %make_install DESTDIR=%{buildroot} INSTALL="install -p -c"