- upgrade to upstream version 0.1.7

OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/bubblewrap?expand=0&rev=2
2017-03-02 09:22:03 +00:00 · 2017-03-02 09:22:03 +00:00 · 3681d5a162
commit 3681d5a162
parent 44070bf510
5 changed files with 150 additions and 53 deletions
--- a/bubblewrap.changes
+++ b/bubblewrap.changes
@ -0,0 +1,105 @@
+-------------------------------------------------------------------
+Thu Mar  2 09:08:58 UTC 2017 - sebix+novell.com@sebix.at
+
+- upgrade to upstream version 0.1.7
+- note that this package was *never* affected by CVE-2017-5226
+  as it was introduced in version 0.1.6
+- upstream changelog of version 0.1.7:
+    This release backs out the change in 0.1.6 which unconditionally
+    called setsid() in order to fix a security issue with TIOCSTI, aka
+    CVE-2017-522. That change caused some behavioural issues that are
+    hard to work with in some cases. For instance, it makes shell job
+    control not work for the bwrap command.
+    Instead there is now a new option --new-session which works like
+    0.1.6. It is recommended that you use this if possible, but if not we
+    recommended that you neutralize this some other way, for instance
+    using SECCOMP, which is what flatpak does:
+    https://github.com/flatpak/flatpak/commit/902fb713990a8f968ea4350c7c2a27ff46f1a6c4
+    In order to make it easy to create maximally safe sandboxes we have
+    also added a new commandline switch called --unshare-all. It unshares
+    all possible namespaces and is currently equivalent with:
+    --unshare-user-try --unshare-ipc --unshare-pid --unshare-net
+    --unshare-uts --unshare-cgroup-try
+    However, the intent is that as new namespaces are added to the kernel they will
+    be added to this list. Additionally, if --share-net is specified the network
+    namespace is not unshared.
+    This release also has some bugfixes:
+        bwrap reaps (unexpected) children that are inherited from the
+        parent, something which can happen if bwrap is part of a shell
+        pipeline.
+        bwrap clears the capability bounding set. The permitted
+        capabilities was already empty, and use of PR_NO_NEW_PRIVS should
+        make it impossible to increase the capabilities, but more
+        layers of protection is better.
+        The seccomp filter is now installed at the very end of bwrap, which
+        means the requirement of the filter is minimal. Any bwrap seccomp
+        filter must at least allow: execve, waitpid and write
+    Alexander Larsson (7):
+          Handle inherited children dying
+          Clear capability bounding set
+          Make the call to setsid() optional, with --new-session
+          demos/bubblewrap-shell.sh: Unshare all namespaces
+          Call setsid() and setexeccon() befor forking the init monitor
+          Install seccomp filter at the very end
+          Bump version to 0.1.7
+    Colin Walters (6):
+          Release 0.1.6
+          man: Correct namespace user -> mount
+          demo/shell: Add /var/tmp compat symlink, tweak PS1, add more docs
+          Release 0.1.6
+          ci: Combine ASAN and UBSAN
+          Add --unshare-all and --share-net
+- upstream changelog for 0.1.6:
+    This fixes a security issue with TIOCSTI, aka CVE-2017-522. Note bubblewrap is
+    far from the only program that has this issue, and I think the best fix is
+    probably in the kernel to support disabling this ioctl.
+
+    Programs can also work around this by calling setsid() on their own in an exec
+    handler before doing an exevp("bwrap").
+- upstream changelog for 0.1.5:
+    This is a bugfix release, here are the major changes:
+        Running bubblewrap as root now works again
+        Various fixes for the testsuite
+        Use same default compiler warnings as ostree
+        Handle errors resolving symlinks during bind mounts
+    Alexander Larsson (2):
+          bind-mount: Check for errors in realpath()
+          Bump version to 0.1.5
+    Colin Walters (6):
+          Don't call capset() unless we need to
+          Only --unshare-user automatically if we're not root
+          ci: Modernize a bit, add f25-ubsan
+          README.md: Update with better one liner and more information
+          utils: Add __attribute__((printf)) to die()
+          build: Sync default warning -> error set from ostree
+    Simon McVittie (4):
+          test-run: be a bash script
+          test-run: don't assume we are uid 1000
+          Adapt tests so they can be run against installed binaries
+          Fix incorrect nesting of backticks when finding a FUSE mount
+
+-------------------------------------------------------------------
+Fri Dec 16 10:14:32 UTC 2016 - sebix+novell.com@sebix.at
+
+- upgrade to upstream version 0.1.4
+- Build also for Leap 42.2
+
+-------------------------------------------------------------------
+Fri Oct 14 2016 Colin Walters <walters@verbum.org> - 0.1.3-2
+
+- New upstream version
+
+-------------------------------------------------------------------
+Mon Sep 12 2016 Kalev Lember <klember@redhat.com> - 0.1.2-1
+
+- Update to 0.1.2
+
+-------------------------------------------------------------------
+Tue Jul 12 2016 Igor Gnatenko <ignatenko@redhat.com> - 0.1.1-2
+
+- Trivial fixes in packaging
+
+-------------------------------------------------------------------
+Fri Jul 08 2016 Colin Walters <walters@verbum.org> - 0.1.1
+
+- Initial package
--- a/bubblewrap.spec
+++ b/bubblewrap.spec
@ -1,22 +1,44 @@
-Summary: Core execution tool for unprivileged containers
-Name: bubblewrap
-Version: 0.1.4
-Release: 1%{?dist}
-Source0: https://github.com/projectatomic/bubblewrap/archive/v%version.tar.gz
-License: LGPL-2.0+
-URL: https://github.com/projectatomic/bubblewrap
+#
+# spec file for package bubblewrap
+#
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.

-BuildRequires: gcc
-BuildRequires: git
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+#
+
+
+Name:           bubblewrap
+Version:        0.1.7
+Release:        1%{?dist}
+Summary:        Core execution tool for unprivileged containers
+License:        LGPL-2.0+
+Url:            https://github.com/projectatomic/bubblewrap
+Source:         https://github.com/projectatomic/bubblewrap/archive/v%{version}.tar.gz
+# Does not have README.md and autogen.sh included -> unusable
+# Source0:        https://github.com/projectatomic/bubblewrap/releases/download/v%%{version}/%%{name}-%%{version}.tar.xz
 # We always run autogen.sh
-BuildRequires: autoconf automake libtool
-BuildRequires: libcap-devel
-BuildRequires: pkgconfig(libselinux)
-BuildRequires: libxslt
-BuildRequires: docbook-xsl-stylesheets
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  docbook-xsl-stylesheets
+BuildRequires:  gcc
+BuildRequires:  git
+BuildRequires:  libcap-devel
+BuildRequires:  libtool
+BuildRequires:  libxslt
+BuildRequires:  pkgconfig
+BuildRequires:  pkgconfig(libselinux)

 %description
-Bubblewrap (/usr/bin/bwrap) is a core execution engine for unprivileged
+Bubblewrap (%{_bindir}/bwrap) is a core execution engine for unprivileged
 containers that works as a setuid binary on kernels without
 user namespaces.

@ -27,25 +49,20 @@ sed -i '1d' completions/bash/bwrap
 %build
 env NOCONFIGURE=1 ./autogen.sh
 %configure --disable-silent-rules --with-priv-mode=none
-%if 0%{?suse_version} > 1320
 %make_build
-%else
-make %{?_smp_mflags}
-%endif

 %install
-%make_install DESTDIR=%buildroot INSTALL="install -p -c"
-find %buildroot -name '*.la' -delete
+%make_install DESTDIR=%{buildroot} INSTALL="install -p -c"
+find %{buildroot} -type f -name "*.la" -delete -print

 %files
+%defattr(-,root,root)
 %license COPYING
 %doc README.md
 %dir %{_datadir}/bash-completion
 %dir %{_datadir}/bash-completion/completions
 %{_datadir}/bash-completion/completions/bwrap
-%if (0%{?rhel} != 0 && 0%{?rhel} <= 7)
-%attr(4755,root,root) %{_bindir}/bwrap
-%else
 %{_bindir}/bwrap
-%endif
 %{_mandir}/man1/*
+
+%changelog
--- a/bubblewrap.spec.changes
+++ b/bubblewrap.spec.changes
@ -1,25 +0,0 @@
-------------------------------------------------------------------
-Fri Dec 16 10:14:32 UTC 2016 - sebix+novell.com@sebix.at
-
- upgrade to upstream version 0.1.4
- Build also for Leap 42.2
-
-------------------------------------------------------------------
-Fri Oct 14 2016 Colin Walters <walters@verbum.org> - 0.1.3-2
-
- New upstream version
-
-------------------------------------------------------------------
-Mon Sep 12 2016 Kalev Lember <klember@redhat.com> - 0.1.2-1
-
- Update to 0.1.2
-
-------------------------------------------------------------------
-Tue Jul 12 2016 Igor Gnatenko <ignatenko@redhat.com> - 0.1.1-2
-
- Trivial fixes in packaging
-
-------------------------------------------------------------------
-Fri Jul 08 2016 Colin Walters <walters@verbum.org> - 0.1.1
-
- Initial package
--- a/v0.1.4.tar.gz
+++ b/v0.1.4.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a98cf6aaafa5141a85c3fbd7f55608fb7d3ff4d10e166b27cbf371a100f9be02
-size 91854
--- a/v0.1.7.tar.gz
+++ b/v0.1.7.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:92b08803abcdafbf9e26b1bb3e7efb7cec177d27dcd58016b8629504fedcff16
+size 96634