* retcode: fix return code with syncfd and no event_fd
* Ensure we're always clearing the cap bounding set
* tests: Update output patterns for libcap >= 2.29
* Don't rely on geteuid() to know when to switch back from setuid root
* Don't support --userns2 in setuid mode
* fixes CVE-2020-5291
* fixes bsc#1168291
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/bubblewrap?expand=0&rev=24
- This release is the same as 0.3.2 but the version number in configure.ac
was accidentally still set to 0.3.1
- Update to version 0.3.2:
- fixes boo#1136958 / CVE-2019-12439
This release fixes a mostly theoretical security issue in unusual/broken
setups where `$XDG_RUNTIME_DIR` is unset.
There are some other smaller fixes, as well as an addition to the JSON
API that allows reading the inner process exit code, separately from
the `bwrap` exit code.
- Print "Out of memory" on stderr, not stdout
- bwrap: add option json-status-fd to show child exit code
- bwrap: Report COMMAND exit code in json-status-fd
- man page: Describe --chdir, not nonexistent --cwd
- Don't create our own temporary mount point for pivot_root
- Make lockdata long enough on 32-bit with 64-bit file pointers.
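As an added example (not bubblewrap's own code) of the JSON API described above: a small wrapper that hands `bwrap` a pipe for `--json-status-fd`, then reads the inner process's exit code from that stream separately from `bwrap`'s own exit status, so a sandbox-setup failure is never confused with a failing COMMAND. It assumes the stream is one JSON object per line with the keys `"child-pid"` and `"exit-code"`, which is the format bubblewrap emits.

```python
import json
import os
import subprocess


def parse_status_stream(data: bytes) -> dict:
    """Fold bwrap's newline-delimited JSON status objects into one dict.

    A missing "exit-code" key means bwrap never reaped COMMAND, e.g. it
    died while setting up namespaces or mounts; the caller then knows the
    returned exit status is bwrap's, not the sandboxed program's.
    """
    status = {}
    for line in data.splitlines():
        line = line.strip()
        if line:
            status.update(json.loads(line))
    return status


def classify(status: dict) -> str:
    """Tell a sandbox failure apart from a failure of the sandboxed command."""
    if "exit-code" not in status:
        return "sandbox-failed"
    if status["exit-code"] != 0:
        return "command-failed"
    return "ok"


def run_sandboxed(bwrap_args: list, command: list) -> tuple:
    """Run COMMAND under bwrap with a dedicated pipe for --json-status-fd.

    Returns (bwrap's own exit code, parsed status dict). Uses "--" so that
    COMMAND's arguments are never parsed as bwrap options.
    """
    rfd, wfd = os.pipe()
    argv = ["bwrap", *bwrap_args, "--json-status-fd", str(wfd), "--", *command]
    proc = subprocess.Popen(argv, pass_fds=(wfd,))
    os.close(wfd)  # only bwrap keeps the write end, so read() hits EOF when it exits
    with os.fdopen(rfd, "rb") as reader:
        data = reader.read()
    return proc.wait(), parse_status_stream(data)


if __name__ == "__main__":
    # Constructed sample stream, as bwrap would write it for a COMMAND exiting 3.
    sample = b'{ "child-pid": 4242 }\n{ "exit-code": 3 }\n'
    parsed = parse_status_stream(sample)
    print(parsed, classify(parsed))
```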
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/bubblewrap?expand=0&rev=17
- update to version 0.3.1:
* New feature in this release is --bind-try (as well as --dev-bind-try
and --ro-bind-try) which works like the regular versions if the source
exists, but does nothing if it doesn't exist.
* The mount type for the root tmpfs was also changed to "tmpfs" instead
of being empty, as the latter could cause problems for some programs
when parsing the mountinfo files in /proc.
* The biggest feature from this release is that bwrap
now supports being invoked recursively (from other container
runtimes such as Docker/podman/runc as well as bwrap itself)
when user namespaces are enabled, and the outer container manager
allows it (Docker's default seccomp policy doesn't).
* This is useful for testing scenarios; for example, a project
uses Kubernetes for its CI, but inside the build the project wants to run
each unit test in its own pid namespace, without going out
and creating a new pod for every single unit test.
* Similarly, rpm-ostree compose tree uses bwrap internally for scripts,
and we want to support running rpm-ostree inside a container as well.
* Another feature is that bwrap now supports -- to terminate argument
parsing. To detect availability of this, you could parse bwrap --version.
OBS-URL: https://build.opensuse.org/request/show/641328
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/bubblewrap?expand=0&rev=15