This version adds a new --[ro-]bind-fd option, which other programs can
use to avoid TOCTOU attacks. Release notes:
https://github.com/containers/bubblewrap/releases/tag/v0.10.0
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This version adds a new --argv0 flag, has better error reporting, and
fixes an important file descriptor double-close when using --args,
--seccomp, and --seccomp-fd. Release notes:
https://github.com/containers/bubblewrap/releases/tag/v0.9.0
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This version allows disabling usage of nested user namespaces and
improves error messages. Release notes:
https://github.com/containers/bubblewrap/releases/tag/v0.8.0
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This version contains a few minor fixes, provides better error messages,
and includes a new option to set the size of created tmpfs volumes.
Release notes:
https://github.com/containers/bubblewrap/releases/tag/v0.7.0
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This version now allows disabling building tests, which allows dropping
the patch "0001-meson-add-tests-option.patch", and contains a few minor
fixes. Release notes can be found at:
https://github.com/containers/bubblewrap/releases/tag/v0.6.2
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Version 0.6.0 introduced a Meson build system, and upstream seems to
have the intention to abandon the previous autotools based one. Switch
to Meson for future proofing.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
This version includes a new feature which allows specifying multiple
seccomp filters. There is now a Meson-based build system as well, but
for the moment the build recipe keeps using the autotools based one.
Release notes can be found at:
https://github.com/containers/bubblewrap/releases/tag/v0.6.0
https://github.com/containers/bubblewrap/releases/tag/v0.6.1
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Not much new, but has a few interesting bug fixes. Release notes:
https://github.com/containers/bubblewrap/releases/tag/v0.5.0
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fix CVE-2020-5291: Bubblewrap (bwrap) before version 0.4.1, if installed
in setuid mode and the kernel supports unprivileged user namespaces,
then the `bwrap --userns2` option can be used to make the setuid process
keep running as root while being traceable. This can in turn be used to
gain root permissions. Note that this only affects the combination of
bubblewrap in setuid mode (which is typically used when unprivileged
user namespaces are not supported) and the support of unprivileged user
namespaces.
Also update indentation of hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bubblewrap is a sandboxing tool based on kernel namespaces, typically
used as lower-level infrastructure by other end-user tools e.g. Flatpak.
https://github.com/containers/bubblewrap
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
[Peter: needs mmu and !musl toolchain]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>