Releases: containers/bubblewrap
0.10.0
New features:
- Add the --[ro-]bind-fd option, which can be used to mount a filesystem represented by a file descriptor without time-of-check/time-of-use attacks. This is needed when resolving CVE-2024-42472 (GHSA-7hgv-f2j8-xw87) in Flatpak.
Other changes:
- Fix some confusing syntax in SetupOpFlag (no functional change). (#636)
0.6.3
This release is intended to be used as part of Flatpak 1.14.x. If possible, please upgrade to 0.10.0 or later instead.
- Backport the --[ro-]bind-fd option from 0.10.0. This can be used to mount a filesystem represented by a file descriptor without time-of-check/time-of-use attacks, and is needed when resolving CVE-2024-42472 (GHSA-7hgv-f2j8-xw87) in Flatpak.
d8cab8943a36cd1bc1b8c63596c6ef6b29b12883d90ed9b14a969795ac60ddef bubblewrap-0.6.3.tar.xz
0.9.0
Build system
- Building this version of bubblewrap with Meson is recommended. The source release bubblewrap-0.9.0.tar.xz no longer contains Autotools-generated files, although this version can still be built using Autotools after running ./autogen.sh. Future versions are likely to remove the Autotools build system altogether.
New features
- Add --argv0 (#91)
Other enhancements
- --symlink is now idempotent, meaning it succeeds if the symlink already exists and already has the desired target (#549, flatpak/flatpak#2387, flatpak/flatpak#3477, flatpak/flatpak#5255)
- Clarify security considerations in documentation (#555, #560, #621)
- Clarify documentation for --cap-add (#562)
- Report a better error message if mount(2) fails with ENOSPC (#615, ValveSoftware/steam-runtime#637)
- Make it easier to add new unit tests (#420)
- Drop support for ancient Python versions in demo code
Bug fixes
- Fix a double-close on error reading from --args, --seccomp or --add-seccomp-fd argument (#558)
- Improve memory allocation behaviour (#556, #624)
- Silence various compiler warnings (#559)
- Silence an Automake warning (#622)
- Fix a test failure when running as uid 0 in a container (#488)
- Fix a test failure when /mnt is a symlink (#599)
- Fix a test failure on NixOS (#603)
c6347eaced49ac0141996f46bba3b089e5e6ea4408bc1c43bab9f2d05dd094e1 *bubblewrap-0.9.0.tar.xz
0.8.0
New features:
- Add --disable-userns option to prevent the sandbox from creating its own nested user namespace (#488)
- Add --assert-userns-disabled option to check that an existing userns was created with --disable-userns (#488)
- Give a clearer error message if the kernel doesn't have CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER (#550)
Bug fixes:
- Fix test failure with recent versions of capsh (#544)
- Fix test failure since 0.7.0 when not using post-2013 GNU coreutils (#539)
- Fix test failure since 0.7.0 if bubblewrap is setuid (#539)
Known issues:
- Tests fail if run as root (#554)
$ sha256sum -b bubblewrap-0.8.0.tar.xz
957ad1149db9033db88e988b12bcebe349a445e1efc8a9b59ad2939a113d333a *bubblewrap-0.8.0.tar.xz
v0.7.0
New features:
- --size option controls the size of a subsequent --tmpfs (#509)
- Better error messages if a mount operation fails (#472)
- Better error message if creating the new user namespace fails with ENOSPC (#487)
- When building as a Meson subproject, a RUNPATH can be set on the executable to make it easier to bundle its libcap dependency
Bug fixes:
- When building with Autotools, ensure initial setup for pkg-config is not disabled by --with-bash-completion-dir=PATH (#316, #342, #441)
- Fix test failures when running as uid 0 but with limited capabilities (#510)
- Use POSIX command -v in preference to non-standard which (#527)
- Fix a copy/paste error in --help (#531)
$ sha256sum -b bubblewrap-0.7.0.tar.xz
764ab7100bd037ea53d440d362e099d7a425966bc62d1f00ab26b8fbb882a9dc *bubblewrap-0.7.0.tar.xz
0.6.2
New features in Meson build:
- Auto-detect whether the man page can be generated
- -Dbwrapdir=... changes the installation directory (useful when being used as a subproject)
- -Dtests=false disables unit tests
Bug fixes:
- Add --add-seccomp-fd to shell completions
- Document --add-seccomp-fd, --json-status-fd and --share-net in the man page
- Add attributes to silence various compiler warnings
- Allow compilation of tests with musl on mips architectures
- Allow compilation with older glibc
- Disable sanitizers for a test helper whose seccomp profile breaks the instrumentation
- Disable AddressSanitizer leak detection where it interferes with unit testing
$ sha256sum -b bubblewrap-0.6.2.tar.xz
8a0ec802d1b3e956c5bb0a40a81c9ce0b055a31bf30a8efa547433603b8af20b *bubblewrap-0.6.2.tar.xz
0.6.1
0.6.0
New features:
- New --add-seccomp option can be used to add more than one seccomp program (#453)
- Add a warning when repeating options where only the last one will be used, in particular --seccomp (#454)
- Add a Meson build system. (#432)
  - This can be used as a subproject by larger Meson projects. When used as a subproject, the -Dprogram_prefix option is required: see tests/use-as-subproject/ for an example.
  - There is no equivalent of the --with-priv-mode=setuid option in this build system. Distributions that still require a setuid bubblewrap executable will need to chown and chmod the executable appropriately as a separate step in their packaging.
  - The Autotools build system is still supported in this release, but might be removed in a future release if the Meson build system is sufficiently successful.
Bug fixes:
- Invoke bash via PATH for better compatibility with non-FHS operating systems
- Exit early when argc == 0, to harden against the equivalent of CVE-2021-4034 (this is not a security issue in our case)
Other changes:
- The default branch is now named main
- Partial REUSE support (add SPDX-License-Identifier to many source files)
- Remove old CI integration
$ sha256sum -b bubblewrap-0.6.0.tar.xz
11393cf2058f22e6a6c6e9cca3c85ff4c4239806cb28fee657c62a544df35693 *bubblewrap-0.6.0.tar.xz
Release 0.5.0
New features:
- --chmod changes permissions
- --clearenv unsets every environment variable (except PWD)
- --perms sets permissions for one subsequent --bind-data, --dir, --file, --ro-bind-data or --tmpfs
Other enhancements:
- Better diagnostics when a --bind or other bind-mount fails
- zsh tab-completion
- Better test coverage
Bug fixes:
- Use Python 3 for tests and examples
- Mount points for non-directories are created with permissions -r--r--r-- instead of -rw-rw-rw-
- Don't remount items in /proc read-only if already EROFS, required to run under Docker
- Allow mounting a non-directory over an existing non-directory, e.g. --bind "$XDG_RUNTIME_DIR/my-log-socket" /dev/log
- Silence kernel messages for our bind-mounts
- Make sure pkg-config is checked for, regardless of build options
- Improve ability to bind-mount directories on case-insensitive filesystems
- Fix -Wshadow warnings
- Fix deprecation warnings with newer SELinux
$ sha256sum -b bubblewrap-0.5.0.tar.xz
16fdaf33799d63104e347e0133f909196fe90d0c50515d010bcb422eb5a00818 *bubblewrap-0.5.0.tar.xz
Release 0.4.1
This release fixes a privilege escalation bug pointed out by Stephen Röttger, where in some setups
bubblewrap can be used to gain root permissions. Only version 0.4.0 is vulnerable, and only
if installed setuid while at the same time the kernel supports unprivileged user namespaces.
More details in the advisory here:
Additionally there are some minor changes:
- Always clear the capability bounding set (cosmetic issue)
- Make the tests work with libcap >= 2.29
- Properly report child exit status in some cases
Alexander Larsson (9):
Ensure we're always clearing the cap bounding set
Don't rely on geteuid() to know when to switch back from setuid root
Don't support --userns2 in setuid mode
drop_privs: More explicit argument name
Christian Kastner (1):
tests: Update output patterns for libcap >= 2.29
Jean-Baptiste BESNARD (1):
retcode: fix return code with syncfd and no event_fd
TomSweeneyRedHat (1):
Add Code of Conduct