Releases: containers/bubblewrap
Release 0.4.0
alexlarsson
Alexander Larsson
The biggest feature in this release is the support for joining
existing user and pid namespaces. This doesn't work in the setuid
mode (at the moment).
Other changes:
- Stores namespace info in status json
- In setuid mode pid 1 is now marked dumpable
- Now builds with musl libc
Alexander Larsson (17):
Tests: Fix test count
setuid mode: Properly drop privs in monitor and pid1
Mark init process as dumpable so we can see stuff in its /proc
Add support for --userns and --userns2
tests: test --userns
utils: Add some utility function to pass pids over a socket
utils: Add fork_intermediate_child() helper
Add support for --pidns
Add tests for --pidns
tests: Better error message if assert_files_equal fails
Fix typo in comment
Drop cap bounding set also in --userns case
Allow --uid and --gid with --userns
tests: Fix --userns tests
--userns --uid: Only swtich user if needed
Merge pull request #338 from containers/reuse-namespaces
Bump 0.4.0
Christian Kellner (3):
bwrap: set opt_unshare_cgroup when _try succeeds
bwrap: include the pid namespace id in status/json
tests: check namespace info in json
Colin Walters (1):
Post-release version bump
Jonathan Lebon (1):
ci: Bump to fedora/29/atomic
shawrkbait (1):
Add work-around for TEMP_FAILURE_RETRY to support musl
Git-EVTag-v0-SHA512: d3f07f58b50c579b27470722edfc87b741465ca37ff4d40c9f715d610a69a80a6e6035a0dee678158c1dd77edb0b06bed3ffd6393a784d4ed975c092eb151952
0.3.3
[This release is the same as 0.3.2 but the version number in configure.ac
was accidentally still set to 0.3.1)
This release fixes a mostly theoretical security issue in unusual/broken
setups where $XDG_RUNTIME_DIR is unset.
There are some other smaller fixes, as well as an addition to the JSON
API that allows reading the inner process exit code, separately from
the bwrap exit code.
Thanks to all contributors!
Iain Lane (1):
tests: Handle systems without merged-/usr
Jakub Wilk (2):
Fix typos
Print "Out of memory" on stderr, not stdout
Richard Maw (3):
Revert "README.md: Delete cat logo picture (not DFSG compliant)"
bwrap: add option json-status-fd to show child exit code
bwrap: Report COMMAND exit code in json-status-fd
Simon McVittie (3):
man page: Describe --chdir, not nonexistent --cwd
Don't create our own temporary mount point for pivot_root
tests: Ensure that tmpfs with oldroot/newroot doesn't appear in container
Timothy E Baldwin (1):
Make lockdata long enough on 32-bit with 64-bit file pointers.
Git-EVTag-v0-SHA512: 1320cc04e853be996e6fa53fb3e472f732ac02855ab05984fa3350aed1d8760fc3b9eac0e6af06843a1f6265afe424e042c937d64606ef2eb29ec53a3539c217
Release 0.3.1
alexlarsson
Alexander Larsson
New feature in this release is --bind-try (as well as --dev-bind-try
and --ro-bind-try) which works like the regular versions if the source
exists, but does nothing if it doesn't exist.
The mount type for the root tmpfs was also changed to "tmpfs" instead
of being empty, as the later could cause problems with some programs
when parsing the mountinfo files in /proc.
Alexander Larsson (1 PR, 1 commit)
Post-release version bump to 0.3.1 (#285)
Colin Walters (1 PR, 1 commit)
Use "tmpfs" instead of empty string for mount (#278)
Patrick Griffis (1 PR, 1 commit)
Add --bind-try options (#283)
chocolateboy (1 PR, 1 commit)
Fix doc typo (#280)
0.3.0
The biggest feature from this release is that bwrap
now supports being invoked recursively (from other container
runtimes such as Docker/podman/runc as well as bwrap itself)
when user namespaces are enabled, and the outer container manager
allows it (Docker's default seccomp policy doesn't).
This is useful for testing scenarios; for example a project
uses Kubernetes for its CI, but inside build the project wants to run
each unit test in their own pid namespace, without going out
and creating a new pod for every single unit test.
Similarly, rpm-ostree compose tree uses bwrap internally for scripts,
and we want to support running rpm-ostree inside a container as well.
Another feature is bwrap now supports -- to terminate argument
parsing. To detect availablity of this, you could parse bwrap --version.
Thanks to all contributors!
Colin Walters (3 PRs, 3 commits)
ci: Update to FAH27 (#262)
Release 0.3.0 (#277)
PR: #256
Use pivot_root() instead of chroot() for final root
(and 2 commits from other authors)
Giuseppe Scrivano (1 PR, 2 commits)
PR: #256
bwrap, pivot_root: do not require write access to the rootfs
bwrap: do not always make /proc/{sys,sysrq-trigger,irq} ro
(and 1 commits from other authors)
Olivier Blin (1 PR, 1 commit)
Fix leak detected by LSan/ASan (#271)
Simon McVittie (1 PR, 1 commit)
Add "--" pseudo-argument to end option parsing (#261)
Git-EVTag-v0-SHA512: 2acf37a4a482f4fcde5ff3ec7c0e04e7b7971d1da8c542b5b1a3284deb983ad8c879975e9e360f8da428d5f4ce0b451acdcba9d45c4c9488f6660f177eb5dd04
Release 0.2.1
alexlarsson
Alexander Larsson
This is a minor release with some fixes and cleanups.
We now distribute all the demos in the tarball and there was some
fixes to make them work on more distributions and with different
versions of python.
There was an issue with mkdir when running bubblewrap on an NFS
filesystem that has been fixed, so flatpak now works on NFS shares.
Some leaks have been fixed, including a file descriptor leak.
bubblewrap now builds on systems without PR_CAP_AMBIENT.
Alexander Larsson (2):
Don't rely on mkdir returning EEXISTS (fixing NFS)
Release 0.2.1
Marcos Paulo de Souza (2):
Remove O_RDONLY flag when O_PATH is used
README.md: Remove double dots
Mickaël Salaün (1):
bubblewrap: Do not leak FDs dedicated to setup_newroot
Philip Withnall (2):
tests: Correct number of tests in test-run.sh
bwrap: Second attempt at fixing an argv handling leak
Simon McVittie (5):
build: Include various interesting files in tarballs
Skip prctl(PR_CAP_AMBIENT) if PR_CAP_AMBIENT isn't defined
userns-block-fd: Search $PATH for python
userns-block-fd: Search the PATH for bwrap
userns-block-fd: Add support for Python 3
Release 0.2.0
Some new features in this release, and a variety of contributors, which is
always great to see!
On the bugfix side: bwrap now automatically detects the new
user namespace restrictions in Red Hat Enterprise Linux 7.4:
bubblewrap: check for max_user_namespaces == 0.
PR: #215
The most notable features are new arguments --as-pid1, and
--cap-add/--cap-drop. These were added for running systemd (or in general a
"full" init system) inside bubblewrap. But the capability options are also
useful for unprivileged callers to potentially retain capbilities inside the
sandbox (for example CAP_NET_ADMIN), when user namespaces are enabled.
Conversely, privileged callers (uid 0) can conversely drop capabilities (without
user namespaces). Contributed by Giuseppe Scrivano.
PR: #101
Another smaller feature is: With --dev, add /dev/fd and /dev/core symlinks
which should improve compatibility with older software.
PR: #207
Philip Withnall ran bwrap through Coverity; no critical issues
were found, but changes were made to pacify the analysis and we'll
be sure to keep the analyzer happy in the future.
Thanks in particular to Simon McVittie who contributed a lot of improvements
to the test suite, code review, as well as identified an issue with the
licensing of the logo.
Thanks to all contributors!
Alexander Larsson (1):
Merge pull request #196 from giuseppe/no-reaper
Colin Walters (9):
demos/shell: Use --die-with-parent
main: Squash a -Wunused-result error, enable FORTIFY_SOURCE in CI
tests: Import libtest-core.sh from ostree
README.md: Delete cat logo picture (not DFSG compliant)
Retain all caps when invoked by uid 0, work around systemd seccomp filter
main: Fix typo, tweak command line argument descriptions
With --dev, add /dev/fd and /dev/core symlinks
Avoid leaking --args-fd to child process
Release 0.2.0
Giuseppe Scrivano (8):
bubblewrap: add --as-pid-1
bubblewrap: add --cap-add and --cap-drop
bubblewrap: add option --userns-block-fd
demos: add demo userns-block-fd.py
bubblewrap.c: fix typo
bubblewrap: do not always leave caps in the unprivileged case
tests: add tests for --cap-add
README.md: add bwrap-oci to the list of users
Jonathan Lebon (1):
ci: rename files to new name and bump to f26
Marcos Paulo de Souza (3):
bubblewrap: Remove not needed MS_MGC_VAL mount flag
bubblewrap.c: Fix typo secomp -> seccomp in drop_all_caps
acquire_privs: Cosmetic change to reduce indentation
Philip Withnall (4):
bubblewrap: Improve const-correctness of argv handling
bubblewrap: Fix a minor memory leak in --args handling
bubblewrap: Close FDs on exiting PID 1
bubblewrap: Add various assertions on SetupOp handling
Simon McVittie (10):
Distribute test helper library
tests: Don't write to predictable filenames in /tmp
tests: Improve diagnostics if non-root caps test fails
tests: Send diagnostics to stderr
tests: Interpret stdout as TAP syntax
tests: Produce finer-grained TAP output
tests: Ensure non-root users have access to libcap tools
Partially revert "bubblewrap: Fix a minor memory leak in --args handling"
tests: Add basic test coverage for --args
tests: Fix a race condition between attempts to lock a file
Tristan Cacqueray (1):
bubblewrap: check for max_user_namespaces == 0
Vasya Novikov (4):
add --unshare-all completion
bash completion: remove duplicates
bash completion: fix code style
bash completion: add --new-session
Vladimir Panteleev (1):
Prefix error messages with program name
Git-EVTag-v0-SHA512: 6eafa80a60be2cd66396ab7d4a36e7c6c24ed0b0d8dc207ecee6252e7d45f04fd04e1997c60218f0bb8b90e60ee80ed46cc7d8b521b08cb1ba4450440ee646cf
0.1.8
This release has a new notable feature in --die-with-parent,
which is based on the Linux prctl(PR_SET_PDEATHSIG) API.
I suspect most users of bwrap probably want to use this - if
for example if you run bwrap ... make check, this will help
ensure that no processes leak from the test suite.
Besides that, there's mostly a collection of smaller bugfixes.
Thanks to all contributors!
Aidan Hobson Sayers (2):
Remove privileged_op flags that are never used
Correctly validate remount-ro argument
Aleksa Sarai (1):
README: update references to runC
Colin Walters (8):
build: Remove unbalanced ) in help message
tests: Use --unshare-user-try
ci: Revamp to actually run the tests
Be more informative if loopback setup fails
tests: Fold test-basic.sh into test-run.sh
ci: Disable ASAN leak checking
main: Parse --version early before acquiring capabilities
Release 0.1.8
Giuseppe Scrivano (1):
test-run.sh: fix the path for the usage string
Marek Jarycki (1):
Add --die-with-parent
Mario Sanchez Prada (1):
Ignore EPERM when dropping caps from bounding set
Tristan Cacqueray (1):
Ignore missing sysrq-trigger file
valoq (2):
Add --require-userns build option for setuid mode
Added --unshare-all to manpage
Git-EVTag-v0-SHA512: f5e3aa406f46241b83a0174a390048820d2040e35fba0b5a9d68bb634e3b6799205b9f854b99fa0cca05148752c8f4d255747023eaf4d5cd903f0da5d4905334
-----BEGIN PGP SIGNATURE-----
iQEwBAABCgAaBQJY2ntnExx3YWx0ZXJzQHZlcmJ1bS5vcmcACgkQ3EX9WSHBPws6
aAf/f18Y6e/OsIrEAKTI3ZDzI1AvgM6kZdi7xQDpuPURxmpeP6515n7LxXbsOBhX
fye4WuvNaM1YDiZVO69JR9OaYTlutqvBmJrHmw2b3WwO4jUf8IyS8VgGe+gfZL1X
/hGoh8aoAUxhIYDtOqC6Bj+fnziFdWgH3q8CsApXz32rNpANNurMQv2C/pLP+ROg
7sHwxFvcbGpjBviHjw0kmnCWKub4GGNnAPvQg/TMo4xx94mkbnUMxq27tw+k03VS
uV1O3wq8OE4bGIWXCdREdvpWaCiN8Bw1vFaLmrSLBmIXNry35k3l+bm6oAd1DRLP
lylBIhhdyV0yWIdn42besDwHsg==
=AOKE
-----END PGP SIGNATURE-----
Release 0.1.7 (CVE-2017-5226)
alexlarsson
Alexander Larsson
This release backs out the change in 0.1.6 which unconditionally
called setsid() in order to fix a security issue with TIOCSTI, aka
CVE-2017-522. That change caused some behavioural issues that are
hard to work with in some cases. For instance, it makes shell job
control not work for the bwrap command.
Instead there is now a new option --new-session which works like
0.1.6. It is recommended that you use this if possible, but if not we
recommended that you neutralize this some other way, for instance
using SECCOMP, which is what flatpak does:
In order to make it easy to create maximally safe sandboxes we have
also added a new commandline switch called --unshare-all. It unshares
all possible namespaces and is currently equivalent with:
--unshare-user-try --unshare-ipc --unshare-pid --unshare-net
--unshare-uts --unshare-cgroup-try
However, the intent is that as new namespaces are added to the kernel they will
be added to this list. Additionally, if --share-net is specified the network
namespace is not unshared.
This release also has some bugfixes:
- bwrap reaps (unexpected) children that are inherited from the
parent, something which can happen if bwrap is part of a shell
pipeline. - bwrap clears the capability bounding set. The permitted
capabilities was already empty, and use of PR_NO_NEW_PRIVS should
make it impossible to increase the capabilities, but more
layers of protection is better. - The seccomp filter is now installed at the very end of bwrap, which
means the requirement of the filter is minimal. Any bwrap seccomp
filter must at least allow: execve, waitpid and write
Alexander Larsson (7):
Handle inherited children dying
Clear capability bounding set
Make the call to setsid() optional, with --new-session
demos/bubblewrap-shell.sh: Unshare all namespaces
Call setsid() and setexeccon() befor forking the init monitor
Install seccomp filter at the very end
Bump version to 0.1.7
Colin Walters (6):
Release 0.1.6
man: Correct namespace user -> mount
demo/shell: Add /var/tmp compat symlink, tweak PS1, add more docs
Release 0.1.6
ci: Combine ASAN and UBSAN
Add --unshare-all and --share-net
$ sha256sum bubblewrap-0.1.7.tar.xz
e98c1c1c0d353765e62e17b17913d21cce585eda8093cbdf17977377eee5e3de bubblewrap-0.1.7.tar.xz
0.1.6
This fixes a security issue with TIOCSTI, aka CVE-2017-522. Note bubblewrap is
far from the only program that has this issue, and I think the best fix is
probably in the kernel to support disabling this ioctl.
Programs can also work around this by calling setsid() on their own in an exec
handler before doing an exevp("bwrap").
Git-EVTag-v0-SHA512: aea2bc21fa6194f7d5c4eaf7294dd35e4434616678d2f79c1e9044aca063bf77db199b1030628ced2eb7d3a33d6a6419047e32ea7891be396d9ddb50a7b1f745
-----BEGIN PGP SIGNATURE-----
iQEwBAABCgAaBQJYdPxgExx3YWx0ZXJzQHZlcmJ1bS5vcmcACgkQ3EX9WSHBPwtv
NAgAr5CNW9ZZmYvNWGBm5W0uJuwb1rmBB5Pb2izEfBEi90MdrFg7ZQF+JJLB+EEQ
9XsKZLVd/d6drJkycf3fDq35tVzm6cEMq+pidnujGzS+skQqzmEpqISt8G2GQap0
MnnlJlLpwYwUMJvSqa4Xx/WDM/3Cf1FTI7jPwl1uBccU/4x2w0Apa0PG/pvsJ+3N
BxahkioeeMTrgd1a7BZbwUSMYnx0+4kB92v5JOnYh8wF/fCVgwlb5p0GN5Qz2jNj
YCxyeGZfGk/071/FiHDKW64cmSwEV9gPRWMeRT39n5MfRcKcP2tIEHEVxT61ErLR
OndJWLN2+hFmCxjdrOLSw9fmdw==
=OpAb
-----END PGP SIGNATURE-----
Release 0.1.5
alexlarsson
Alexander Larsson
This is a bugfix release, here are the major changes:
- Running bubblewrap as root now works again
- Various fixes for the testsuite
- Use same default compiler warnings as ostree
- Handle errors resolving symlinks during bind mounts
Alexander Larsson (2):
bind-mount: Check for errors in realpath()
Bump version to 0.1.5
Colin Walters (6):
Don't call capset() unless we need to
Only --unshare-user automatically if we're not root
ci: Modernize a bit, add f25-ubsan
README.md: Update with better one liner and more information
utils: Add __attribute__((printf)) to die()
build: Sync default warning -> error set from ostree
Simon McVittie (4):
test-run: be a bash script
test-run: don't assume we are uid 1000
Adapt tests so they can be run against installed binaries
Fix incorrect nesting of backticks when finding a FUSE mount
Git-EVTag-v0-SHA512: ea9673ef5b2df92a216da69ef5589dfd465175bc56feedafd126d0ab2e40f3183974de2c67c92f96470c749f91d4f9f55483cea54030cf35890ed4de18ca952f
$ sha256sum bubblewrap-0.1.5.tar.xz
a623489a31c0bc6e32ebfef8e55cde16cc0b5d042e5e645e215fda0fb7ec4aad bubblewrap-0.1.5.tar.xz