From 3681d5a162c4a6286225afc933e698094b663a5eecea1be74e97b49cb26c74ad Mon Sep 17 00:00:00 2001 From: Sebastian Wagner Date: Thu, 2 Mar 2017 09:22:03 +0000 Subject: [PATCH] - upgrade to upstream version 0.1.7 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/bubblewrap?expand=0&rev=2 --- bubblewrap.changes | 105 ++++++++++++++++++++++++++++++++++++++++ bubblewrap.spec | 67 +++++++++++++++---------- bubblewrap.spec.changes | 25 ---------- v0.1.4.tar.gz | 3 -- v0.1.7.tar.gz | 3 ++ 5 files changed, 150 insertions(+), 53 deletions(-) create mode 100644 bubblewrap.changes delete mode 100644 bubblewrap.spec.changes delete mode 100644 v0.1.4.tar.gz create mode 100644 v0.1.7.tar.gz diff --git a/bubblewrap.changes b/bubblewrap.changes new file mode 100644 index 0000000..041467d --- /dev/null +++ b/bubblewrap.changes @@ -0,0 +1,105 @@ +------------------------------------------------------------------- +Thu Mar 2 09:08:58 UTC 2017 - sebix+novell.com@sebix.at + +- upgrade to upstream version 0.1.7 +- note that this package was *never* affected by CVE-2017-5226 + as it was introduced in version 0.1.6 +- upstream changelog of version 0.1.7: + This release backs out the change in 0.1.6 which unconditionally + called setsid() in order to fix a security issue with TIOCSTI, aka + CVE-2017-522. That change caused some behavioural issues that are + hard to work with in some cases. For instance, it makes shell job + control not work for the bwrap command. + Instead there is now a new option --new-session which works like + 0.1.6. It is recommended that you use this if possible, but if not we + recommended that you neutralize this some other way, for instance + using SECCOMP, which is what flatpak does: + https://github.com/flatpak/flatpak/commit/902fb713990a8f968ea4350c7c2a27ff46f1a6c4 + In order to make it easy to create maximally safe sandboxes we have + also added a new commandline switch called --unshare-all. It unshares + all possible namespaces and is currently equivalent with: + --unshare-user-try --unshare-ipc --unshare-pid --unshare-net + --unshare-uts --unshare-cgroup-try + However, the intent is that as new namespaces are added to the kernel they will + be added to this list. Additionally, if --share-net is specified the network + namespace is not unshared. + This release also has some bugfixes: + bwrap reaps (unexpected) children that are inherited from the + parent, something which can happen if bwrap is part of a shell + pipeline. + bwrap clears the capability bounding set. The permitted + capabilities was already empty, and use of PR_NO_NEW_PRIVS should + make it impossible to increase the capabilities, but more + layers of protection is better. + The seccomp filter is now installed at the very end of bwrap, which + means the requirement of the filter is minimal. Any bwrap seccomp + filter must at least allow: execve, waitpid and write + Alexander Larsson (7): + Handle inherited children dying + Clear capability bounding set + Make the call to setsid() optional, with --new-session + demos/bubblewrap-shell.sh: Unshare all namespaces + Call setsid() and setexeccon() befor forking the init monitor + Install seccomp filter at the very end + Bump version to 0.1.7 + Colin Walters (6): + Release 0.1.6 + man: Correct namespace user -> mount + demo/shell: Add /var/tmp compat symlink, tweak PS1, add more docs + Release 0.1.6 + ci: Combine ASAN and UBSAN + Add --unshare-all and --share-net +- upstream changelog for 0.1.6: + This fixes a security issue with TIOCSTI, aka CVE-2017-522. Note bubblewrap is + far from the only program that has this issue, and I think the best fix is + probably in the kernel to support disabling this ioctl. + + Programs can also work around this by calling setsid() on their own in an exec + handler before doing an exevp("bwrap"). +- upstream changelog for 0.1.5: + This is a bugfix release, here are the major changes: + Running bubblewrap as root now works again + Various fixes for the testsuite + Use same default compiler warnings as ostree + Handle errors resolving symlinks during bind mounts + Alexander Larsson (2): + bind-mount: Check for errors in realpath() + Bump version to 0.1.5 + Colin Walters (6): + Don't call capset() unless we need to + Only --unshare-user automatically if we're not root + ci: Modernize a bit, add f25-ubsan + README.md: Update with better one liner and more information + utils: Add __attribute__((printf)) to die() + build: Sync default warning -> error set from ostree + Simon McVittie (4): + test-run: be a bash script + test-run: don't assume we are uid 1000 + Adapt tests so they can be run against installed binaries + Fix incorrect nesting of backticks when finding a FUSE mount + +------------------------------------------------------------------- +Fri Dec 16 10:14:32 UTC 2016 - sebix+novell.com@sebix.at + +- upgrade to upstream version 0.1.4 +- Build also for Leap 42.2 + +------------------------------------------------------------------- +Fri Oct 14 2016 Colin Walters - 0.1.3-2 + +- New upstream version + +------------------------------------------------------------------- +Mon Sep 12 2016 Kalev Lember - 0.1.2-1 + +- Update to 0.1.2 + +------------------------------------------------------------------- +Tue Jul 12 2016 Igor Gnatenko - 0.1.1-2 + +- Trivial fixes in packaging + +------------------------------------------------------------------- +Fri Jul 08 2016 Colin Walters - 0.1.1 + +- Initial package diff --git a/bubblewrap.spec b/bubblewrap.spec index 0e01735..5188b64 100644 --- a/bubblewrap.spec +++ b/bubblewrap.spec @@ -1,22 +1,44 @@ -Summary: Core execution tool for unprivileged containers -Name: bubblewrap -Version: 0.1.4 -Release: 1%{?dist} -Source0: https://github.com/projectatomic/bubblewrap/archive/v%version.tar.gz -License: LGPL-2.0+ -URL: https://github.com/projectatomic/bubblewrap +# +# spec file for package bubblewrap +# +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. -BuildRequires: gcc -BuildRequires: git +# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# + + +Name: bubblewrap +Version: 0.1.7 +Release: 1%{?dist} +Summary: Core execution tool for unprivileged containers +License: LGPL-2.0+ +Url: https://github.com/projectatomic/bubblewrap +Source: https://github.com/projectatomic/bubblewrap/archive/v%{version}.tar.gz +# Does not have README.md and autogen.sh included -> unusable +# Source0: https://github.com/projectatomic/bubblewrap/releases/download/v%%{version}/%%{name}-%%{version}.tar.xz # We always run autogen.sh -BuildRequires: autoconf automake libtool -BuildRequires: libcap-devel -BuildRequires: pkgconfig(libselinux) -BuildRequires: libxslt -BuildRequires: docbook-xsl-stylesheets +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: docbook-xsl-stylesheets +BuildRequires: gcc +BuildRequires: git +BuildRequires: libcap-devel +BuildRequires: libtool +BuildRequires: libxslt +BuildRequires: pkgconfig +BuildRequires: pkgconfig(libselinux) %description -Bubblewrap (/usr/bin/bwrap) is a core execution engine for unprivileged +Bubblewrap (%{_bindir}/bwrap) is a core execution engine for unprivileged containers that works as a setuid binary on kernels without user namespaces. @@ -27,25 +49,20 @@ sed -i '1d' completions/bash/bwrap %build env NOCONFIGURE=1 ./autogen.sh %configure --disable-silent-rules --with-priv-mode=none -%if 0%{?suse_version} > 1320 %make_build -%else -make %{?_smp_mflags} -%endif %install -%make_install DESTDIR=%buildroot INSTALL="install -p -c" -find %buildroot -name '*.la' -delete +%make_install DESTDIR=%{buildroot} INSTALL="install -p -c" +find %{buildroot} -type f -name "*.la" -delete -print %files +%defattr(-,root,root) %license COPYING %doc README.md %dir %{_datadir}/bash-completion %dir %{_datadir}/bash-completion/completions %{_datadir}/bash-completion/completions/bwrap -%if (0%{?rhel} != 0 && 0%{?rhel} <= 7) -%attr(4755,root,root) %{_bindir}/bwrap -%else %{_bindir}/bwrap -%endif %{_mandir}/man1/* + +%changelog diff --git a/bubblewrap.spec.changes b/bubblewrap.spec.changes deleted file mode 100644 index bfdd2a2..0000000 --- a/bubblewrap.spec.changes +++ /dev/null @@ -1,25 +0,0 @@ -------------------------------------------------------------------- -Fri Dec 16 10:14:32 UTC 2016 - sebix+novell.com@sebix.at - -- upgrade to upstream version 0.1.4 -- Build also for Leap 42.2 - -------------------------------------------------------------------- -Fri Oct 14 2016 Colin Walters - 0.1.3-2 - -- New upstream version - -------------------------------------------------------------------- -Mon Sep 12 2016 Kalev Lember - 0.1.2-1 - -- Update to 0.1.2 - -------------------------------------------------------------------- -Tue Jul 12 2016 Igor Gnatenko - 0.1.1-2 - -- Trivial fixes in packaging - -------------------------------------------------------------------- -Fri Jul 08 2016 Colin Walters - 0.1.1 - -- Initial package diff --git a/v0.1.4.tar.gz b/v0.1.4.tar.gz deleted file mode 100644 index 925108f..0000000 --- a/v0.1.4.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:a98cf6aaafa5141a85c3fbd7f55608fb7d3ff4d10e166b27cbf371a100f9be02 -size 91854 diff --git a/v0.1.7.tar.gz b/v0.1.7.tar.gz new file mode 100644 index 0000000..ca99de7 --- /dev/null +++ b/v0.1.7.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:92b08803abcdafbf9e26b1bb3e7efb7cec177d27dcd58016b8629504fedcff16 +size 96634