- upgrade to upstream version 0.1.7

OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/bubblewrap?expand=0&rev=2
2017-03-02 09:22:03 +00:00 · 2017-03-02 09:22:03 +00:00 · 3681d5a162
commit 3681d5a162
parent 44070bf510
5 changed files with 150 additions and 53 deletions
--- a/bubblewrap.changes
+++ b/bubblewrap.changes
@ -0,0 +1,105 @@
 -------------------------------------------------------------------
 Thu Mar  2 09:08:58 UTC 2017 - sebix+novell.com@sebix.at
 - upgrade to upstream version 0.1.7
 - note that this package was *never* affected by CVE-2017-5226
  as it was introduced in version 0.1.6
 - upstream changelog of version 0.1.7:
    This release backs out the change in 0.1.6 which unconditionally
    called setsid() in order to fix a security issue with TIOCSTI, aka
    CVE-2017-522. That change caused some behavioural issues that are
    hard to work with in some cases. For instance, it makes shell job
    control not work for the bwrap command.
    Instead there is now a new option --new-session which works like
    0.1.6. It is recommended that you use this if possible, but if not we
    recommended that you neutralize this some other way, for instance
    using SECCOMP, which is what flatpak does:
    https://github.com/flatpak/flatpak/commit/902fb713990a8f968ea4350c7c2a27ff46f1a6c4
    In order to make it easy to create maximally safe sandboxes we have
    also added a new commandline switch called --unshare-all. It unshares
    all possible namespaces and is currently equivalent with:
    --unshare-user-try --unshare-ipc --unshare-pid --unshare-net
    --unshare-uts --unshare-cgroup-try
    However, the intent is that as new namespaces are added to the kernel they will
    be added to this list. Additionally, if --share-net is specified the network
    namespace is not unshared.
    This release also has some bugfixes:
        bwrap reaps (unexpected) children that are inherited from the
        parent, something which can happen if bwrap is part of a shell
        pipeline.
        bwrap clears the capability bounding set. The permitted
        capabilities was already empty, and use of PR_NO_NEW_PRIVS should
        make it impossible to increase the capabilities, but more
        layers of protection is better.
        The seccomp filter is now installed at the very end of bwrap, which
        means the requirement of the filter is minimal. Any bwrap seccomp
        filter must at least allow: execve, waitpid and write
    Alexander Larsson (7):
          Handle inherited children dying
          Clear capability bounding set
          Make the call to setsid() optional, with --new-session
          demos/bubblewrap-shell.sh: Unshare all namespaces
          Call setsid() and setexeccon() befor forking the init monitor
          Install seccomp filter at the very end
          Bump version to 0.1.7
    Colin Walters (6):
          Release 0.1.6
          man: Correct namespace user -> mount
          demo/shell: Add /var/tmp compat symlink, tweak PS1, add more docs
          Release 0.1.6
          ci: Combine ASAN and UBSAN
          Add --unshare-all and --share-net
 - upstream changelog for 0.1.6:
    This fixes a security issue with TIOCSTI, aka CVE-2017-522. Note bubblewrap is
    far from the only program that has this issue, and I think the best fix is
    probably in the kernel to support disabling this ioctl.
    Programs can also work around this by calling setsid() on their own in an exec
    handler before doing an exevp("bwrap").
 - upstream changelog for 0.1.5:
    This is a bugfix release, here are the major changes:
        Running bubblewrap as root now works again
        Various fixes for the testsuite
        Use same default compiler warnings as ostree
        Handle errors resolving symlinks during bind mounts
    Alexander Larsson (2):
          bind-mount: Check for errors in realpath()
          Bump version to 0.1.5
    Colin Walters (6):
          Don't call capset() unless we need to
          Only --unshare-user automatically if we're not root
          ci: Modernize a bit, add f25-ubsan
          README.md: Update with better one liner and more information
          utils: Add __attribute__((printf)) to die()
          build: Sync default warning -> error set from ostree
    Simon McVittie (4):
          test-run: be a bash script
          test-run: don't assume we are uid 1000
          Adapt tests so they can be run against installed binaries
          Fix incorrect nesting of backticks when finding a FUSE mount
 -------------------------------------------------------------------
 Fri Dec 16 10:14:32 UTC 2016 - sebix+novell.com@sebix.at
 - upgrade to upstream version 0.1.4
 - Build also for Leap 42.2
 -------------------------------------------------------------------
 Fri Oct 14 2016 Colin Walters <walters@verbum.org> - 0.1.3-2
 - New upstream version
 -------------------------------------------------------------------
 Mon Sep 12 2016 Kalev Lember <klember@redhat.com> - 0.1.2-1
 - Update to 0.1.2
 -------------------------------------------------------------------
 Tue Jul 12 2016 Igor Gnatenko <ignatenko@redhat.com> - 0.1.1-2
 - Trivial fixes in packaging
 -------------------------------------------------------------------
 Fri Jul 08 2016 Colin Walters <walters@verbum.org> - 0.1.1
 - Initial package
--- a/bubblewrap.spec
+++ b/bubblewrap.spec
@ -1,22 +1,44 @@
-Summary: Core execution tool for unprivileged containers
+#
-Name: bubblewrap
+# spec file for package bubblewrap
-Version: 0.1.4
+#
-Release: 1%{?dist}
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
-Source0: https://github.com/projectatomic/bubblewrap/archive/v%version.tar.gz
+#
-License: LGPL-2.0+
+# All modifications and additions to the file contributed by third parties
-URL: https://github.com/projectatomic/bubblewrap
+# remain the property of their copyright owners, unless otherwise agreed
 # upon. The license for this file, and modifications and additions to the
 # file, is the same license as for the pristine package itself (unless the
 # license for the pristine package is not an Open Source License, in which
 # case the license is the MIT License). An "Open Source License" is a
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
-BuildRequires: gcc
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
-BuildRequires: git
+#
 Name:           bubblewrap
 Version:        0.1.7
 Release:        1%{?dist}
 Summary:        Core execution tool for unprivileged containers
 License:        LGPL-2.0+
 Url:            https://github.com/projectatomic/bubblewrap
 Source:         https://github.com/projectatomic/bubblewrap/archive/v%{version}.tar.gz
 # Does not have README.md and autogen.sh included -> unusable
 # Source0:        https://github.com/projectatomic/bubblewrap/releases/download/v%%{version}/%%{name}-%%{version}.tar.xz
 # We always run autogen.sh
-BuildRequires: autoconf automake libtool
+BuildRequires:  autoconf
-BuildRequires: libcap-devel
+BuildRequires:  automake
-BuildRequires: pkgconfig(libselinux)
+BuildRequires:  docbook-xsl-stylesheets
-BuildRequires: libxslt
+BuildRequires:  gcc
-BuildRequires: docbook-xsl-stylesheets
+BuildRequires:  git
 BuildRequires:  libcap-devel
 BuildRequires:  libtool
 BuildRequires:  libxslt
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(libselinux)
 %description
-Bubblewrap (/usr/bin/bwrap) is a core execution engine for unprivileged
+Bubblewrap (%{_bindir}/bwrap) is a core execution engine for unprivileged
 containers that works as a setuid binary on kernels without
 user namespaces.
@ -27,25 +49,20 @@ sed -i '1d' completions/bash/bwrap
 %build
 env NOCONFIGURE=1 ./autogen.sh
 %configure --disable-silent-rules --with-priv-mode=none
 %if 0%{?suse_version} > 1320
 %make_build
 %else
 make %{?_smp_mflags}
 %endif
 %install
-%make_install DESTDIR=%buildroot INSTALL="install -p -c"
+%make_install DESTDIR=%{buildroot} INSTALL="install -p -c"
-find %buildroot -name '*.la' -delete
+find %{buildroot} -type f -name "*.la" -delete -print
 %files
 %defattr(-,root,root)
 %license COPYING
 %doc README.md
 %dir %{_datadir}/bash-completion
 %dir %{_datadir}/bash-completion/completions
 %{_datadir}/bash-completion/completions/bwrap
 %if (0%{?rhel} != 0 && 0%{?rhel} <= 7)
 %attr(4755,root,root) %{_bindir}/bwrap
 %else
 %{_bindir}/bwrap
 %endif
 %{_mandir}/man1/*
 %changelog
--- a/bubblewrap.spec.changes
+++ b/bubblewrap.spec.changes
@ -1,25 +0,0 @@
 -------------------------------------------------------------------
 Fri Dec 16 10:14:32 UTC 2016 - sebix+novell.com@sebix.at
 - upgrade to upstream version 0.1.4
 - Build also for Leap 42.2
 -------------------------------------------------------------------
 Fri Oct 14 2016 Colin Walters <walters@verbum.org> - 0.1.3-2
 - New upstream version
 -------------------------------------------------------------------
 Mon Sep 12 2016 Kalev Lember <klember@redhat.com> - 0.1.2-1
 - Update to 0.1.2
 -------------------------------------------------------------------
 Tue Jul 12 2016 Igor Gnatenko <ignatenko@redhat.com> - 0.1.1-2
 - Trivial fixes in packaging
 -------------------------------------------------------------------
 Fri Jul 08 2016 Colin Walters <walters@verbum.org> - 0.1.1
 - Initial package
--- a/v0.1.4.tar.gz
+++ b/v0.1.4.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:a98cf6aaafa5141a85c3fbd7f55608fb7d3ff4d10e166b27cbf371a100f9be02
 size 91854
--- a/v0.1.7.tar.gz
+++ b/v0.1.7.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:92b08803abcdafbf9e26b1bb3e7efb7cec177d27dcd58016b8629504fedcff16
 size 96634