* New features: Add the --[ro-]bind-fd option, which can be used
to mount a filesystem represented by a file descriptor without
being exposed to time-of-check/time-of-use (TOCTOU) attacks. This
is needed when resolving CVE-2024-42472 in Flatpak.
* Other changes: Fix some confusing syntax in SetupOpFlag (no
functional change).
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/bubblewrap?expand=0&rev=37
- update to v0.7.0:
* --size option controls the size of a subsequent --tmpfs (#509)
* Better error messages if a mount operation fails (#472)
* Better error message if creating the new user namespace fails with
ENOSPC (#487)
* When building as a Meson subproject, a RUNPATH can be set on the
executable to make it easier to bundle its libcap dependency
* Fix test failures when running as uid 0 but with limited capabilities
(#510)
* Use POSIX command -v in preference to non-standard which (#527)
* Fix a copy/paste error in --help (#531)
OBS-URL: https://build.opensuse.org/request/show/1041249
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/bubblewrap?expand=0&rev=31
- Add a release checklist
- completions: Make zsh completion non-executable
The Autotools build system installed it with 0644 permissions because
it's listed as DATA, but the Meson build system installs executable
files as executable by default.
zsh completions don't need to be executable to work, and this one doesn't
have the `#!` marker that should start an executable script.
- update to 0.6.0:
- meson: Improve compatibility with Meson 0.49
That version doesn't allow more than two arguments for define_variable.
- Disable test-specifying-pidns.sh under 'meson dist' while I investigate
This test is hanging when run under 'meson dist' for some reason, but
not when run under 'meson test', and not locally, only in the Github
Workflow-based CI. Disable it for now.
- meson: Actually build and run the tests
- tests: Fix compiler warnings for unused arguments
- meson: Run test scripts from $srcdir
- meson: Make G_TEST_SRCDIR, G_TEST_BUILDDIR match Autotools
- meson: Run the Python test script with Python, not bash
The python build option can be used to swap to a different interpreter,
for environments like the Steam Runtime where the python3 executable in
the PATH is extremely old but there is a better interpreter available.
This is treated as non-optional, because Meson is written in Python,
so the situation where there is no Python interpreter at build-time
shouldn't arise.
- meson: Build the try-syscall helper
- meson: Build tests with equivalent of -I$(top_srcdir) -I$(top_builddir)
- meson.build: Remove unnecessary check for sh
- Add a Meson build system
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/bubblewrap?expand=0&rev=27
* retcode: fix return code with syncfd and no event_fd
* Ensure we're always clearing the cap bounding set
* tests: Update output patterns for libcap >= 2.29
* Don't rely on geteuid() to know when to switch back from setuid root
* Don't support --userns2 in setuid mode
* fixes CVE-2020-5291
* fixes bsc#1168291
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/bubblewrap?expand=0&rev=24
- Update to version 0.3.3:
- This release is the same as 0.3.2 but the version number in configure.ac
was accidentally still set to 0.3.1
- Update to version 0.3.2:
- fixes boo#1136958 / CVE-2019-12439
This release fixes a mostly theoretical security issue in unusual/broken
setups where `$XDG_RUNTIME_DIR` is unset.
There are some other smaller fixes, as well as an addition to the JSON
API that allows reading the inner process exit code, separately from
the `bwrap` exit code.
- Print "Out of memory" on stderr, not stdout
- bwrap: add option json-status-fd to show child exit code
- bwrap: Report COMMAND exit code in json-status-fd
- man page: Describe --chdir, not nonexistent --cwd
- Don't create our own temporary mount point for pivot_root
- Make lockdata long enough on 32-bit with 64-bit file pointers.
OBS-URL: https://build.opensuse.org/request/show/706819
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bubblewrap?expand=0&rev=8
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/bubblewrap?expand=0&rev=17
- update to version 0.3.1:
* New feature in this release is --bind-try (as well as --dev-bind-try
and --ro-bind-try) which works like the regular versions if the source
exists, but does nothing if it doesn't exist.
* The mount type for the root tmpfs was also changed to "tmpfs" instead
of being empty, as the latter could cause problems for some programs
when parsing the mountinfo files in /proc.
* The biggest feature from this release is that bwrap
now supports being invoked recursively (from other container
runtimes such as Docker/podman/runc as well as bwrap itself)
when user namespaces are enabled, and the outer container manager
allows it (Docker's default seccomp policy doesn't).
* This is useful for testing scenarios; for example, a project
uses Kubernetes for its CI, but inside the build it wants to run
each unit test in its own pid namespace, without going out
and creating a new pod for every single unit test.
* Similarly, rpm-ostree compose tree uses bwrap internally for scripts,
and we want to support running rpm-ostree inside a container as well.
* Another feature is bwrap now supports -- to terminate argument
parsing. To detect availability of this, you could parse bwrap --version.
OBS-URL: https://build.opensuse.org/request/show/641328
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/bubblewrap?expand=0&rev=15
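Three of the features described in this changelog fit together in one driver: mounting the source by file descriptor (--ro-bind-fd, from the first entry) so that nothing can swap the path between check and mount, reading the inner COMMAND's exit code separately from the bwrap exit code (--json-status-fd, 0.3.2), and terminating option parsing with -- (0.3.1). The following is an added example, not bubblewrap's own code nor the openSUSE package's. It assumes a bwrap new enough to have --ro-bind-fd, a /usr-merged host so that a read-only bind of /usr plus three symlinks gives a usable root, the record keys "child-pid" and "exit-code" that bwrap writes to the status fd, and a constructed policy that the source directory must be owned by the calling user; the status-stream sample used to test the parser is constructed.

```python
"""Run a command under bwrap with a fd-mounted read-only source directory
and recover the inner exit code from the --json-status-fd stream."""
import json
import os
import shutil
import stat
import subprocess
from typing import Optional

# O_PATH is Linux-only; fall back to 0 so the module imports elsewhere.
O_PATH = getattr(os, "O_PATH", 0)


def open_checked_dir(path: str) -> int:
    """Open PATH as an O_PATH fd and verify, on the fd itself, that it is a
    directory owned by the calling user (constructed policy for this example).
    bwrap then mounts the fd, not the path, so renaming or replacing PATH
    after this check cannot redirect the mount. Raises OSError on failure."""
    fd = os.open(path, O_PATH | os.O_NOFOLLOW | os.O_CLOEXEC | os.O_DIRECTORY)
    st = os.fstat(fd)
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.getuid():
        os.close(fd)
        raise PermissionError(f"{path}: not a directory owned by uid {os.getuid()}")
    return fd


def build_bwrap_argv(src_fd: int, dest: str, status_fd: int, command: list) -> list:
    """Assemble the bwrap command line. The source is given as a fd number via
    --ro-bind-fd; -- stops option parsing so COMMAND may start with a dash."""
    return [
        "bwrap",
        "--ro-bind", "/usr", "/usr",          # assumes a /usr-merged host
        "--symlink", "usr/bin", "/bin",
        "--symlink", "usr/lib", "/lib",
        "--symlink", "usr/lib64", "/lib64",
        "--proc", "/proc",
        "--dev", "/dev",
        "--unshare-all",
        "--die-with-parent",
        "--ro-bind-fd", str(src_fd), dest,    # mount by fd, not by path
        "--json-status-fd", str(status_fd),   # child pid and inner exit code
        "--",
        *command,
    ]


def parse_status_stream(data: bytes) -> dict:
    """Parse the newline-separated JSON records bwrap writes to the status fd:
    {"child-pid": N} once the sandbox child exists, and {"exit-code": N} when
    COMMAND exits. Missing records are reported as None."""
    result = {"child_pid": None, "exit_code": None}
    for raw in data.splitlines():
        line = raw.strip()
        if not line:
            continue
        rec = json.loads(line)
        if "child-pid" in rec:
            result["child_pid"] = int(rec["child-pid"])
        if "exit-code" in rec:
            result["exit_code"] = int(rec["exit-code"])
    return result


def run_sandboxed(src_dir: str, command: list, dest: str = "/data") -> Optional[dict]:
    """Run COMMAND with SRC_DIR mounted read-only at DEST. Returns the parsed
    status plus bwrap's own exit code, or None when bwrap is not installed."""
    if shutil.which("bwrap") is None:
        return None
    src_fd = open_checked_dir(src_dir)
    status_r, status_w = os.pipe()
    try:
        argv = build_bwrap_argv(src_fd, dest, status_w, command)
        # pass_fds keeps exactly these fds open in bwrap despite close_fds.
        proc = subprocess.Popen(argv, pass_fds=(src_fd, status_w))
    finally:
        os.close(status_w)   # only bwrap holds the write end now -> EOF on exit
    try:
        chunks = []
        while chunk := os.read(status_r, 4096):
            chunks.append(chunk)
        bwrap_rc = proc.wait()
    finally:
        os.close(status_r)
        os.close(src_fd)
    info = parse_status_stream(b"".join(chunks))
    info["bwrap_rc"] = bwrap_rc   # distinct from the inner exit_code
    return info


if __name__ == "__main__":
    print(run_sandboxed(os.getcwd(), ["ls", "-la", "/data"]))
```

The inner exit code and the bwrap exit code are kept apart on purpose: a non-zero `bwrap_rc` with `exit_code` still `None` means the sandbox itself failed to set up (for example a rejected mount), which is a different failure class from the command inside it exiting non-zero.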