SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for bubblewrap-0.3.1-15.1.x86_64.rpm :
Thu Oct 11 14:00:00 2018 alarrosaAATTsuse.com
- update to version 0.3.1:

* New feature in this release is --bind-try (as well as --dev-bind-try
and --ro-bind-try) which works like the regular versions if the source
exists, but does nothing if it doesn\'t exist.

* The mount type for the root tmpfs was also changed to \"tmpfs\" instead
of being empty, as the later could cause problems with some programs
when parsing the mountinfo files in /proc.

Sat Jul 14 14:00:00 2018 sebix+novell.comAATTsebix.at
- update to version 0.3.0:

* The biggest feature from this release is that bwrap
now supports being invoked recursively (from other container
runtimes such as Docker/podman/runc as well as bwrap itself)
when user namespaces are enabled, and the outer container manager
allows it (Docker\'s default seccomp policy doesn\'t).

* This is useful for testing scenarios; for example a project
uses Kubernetes for its CI, but inside build the project wants to run
each unit test in their own pid namespace, without going out
and creating a new pod for every single unit test.

* Similarly, rpm-ostree compose tree uses bwrap internally for scripts,
and we want to support running rpm-ostree inside a container as well.

* Another feature is bwrap now supports -- to terminate argument
parsing. To detect availablity of this, you could parse bwrap --version.

Tue May 1 14:00:00 2018 sebix+novell.comAATTsebix.at
- update to version 0.2.1:

* All the demos are included

* bugfixes for the demo files

* There was an issue with mkdir when running bubblewrap on an NFS
filesystem that has been fixed, so flatpak now works on NFS shares.

* Some leaks have been fixed, including a file descriptor leak.

Mon Oct 9 14:00:00 2017 sebix+novell.comAATTsebix.at
- update to version 0.2.0
- bwrap now automatically detects the new
user namespace restrictions in Red Hat Enterprise Linux 7.4:
bubblewrap: check for max_user_namespaces == 0.
- The most notable features are new arguments --as-pid1, and
- -cap-add/--cap-drop. These were added for running systemd (or in general a
\"full\" init system) inside bubblewrap. But the capability options are also
useful for unprivileged callers to potentially retain capbilities inside the
sandbox (for example CAP_NET_ADMIN), when user namespaces are enabled.
Conversely, privileged callers (uid 0) can conversely drop capabilities (without
user namespaces). Contributed by Giuseppe Scrivano.
- With --dev, add /dev/fd and /dev/core symlinks
which should improve compatibility with older software.

Mon Sep 18 14:00:00 2017 sebix+novell.comAATTsebix.at
- add group

Fri Jul 7 14:00:00 2017 sebix+novell.comAATTsebix.at
- fix build macro with rpm < 4.12 (non-Factory currently)

Thu May 25 14:00:00 2017 sebix+novell.comAATTsebix.at
- update to version 0.1.8
- New --die-with-parent which is based on the Linux prctl(PR_SET_PDEATHSIG) API.
- smaller bugfixes

Thu Mar 2 13:00:00 2017 sebix+novell.comAATTsebix.at
- upgrade to upstream version 0.1.7
- note that this package was
*never
* affected by CVE-2017-5226
as it was introduced in version 0.1.6
- upstream changelog of version 0.1.7:
This release backs out the change in 0.1.6 which unconditionally
called setsid() in order to fix a security issue with TIOCSTI, aka
CVE-2017-522. That change caused some behavioural issues that are
hard to work with in some cases. For instance, it makes shell job
control not work for the bwrap command.
Instead there is now a new option --new-session which works like
0.1.6. It is recommended that you use this if possible, but if not we
recommended that you neutralize this some other way, for instance
using SECCOMP, which is what flatpak does:
https://github.com/flatpak/flatpak/commit/902fb713990a8f968ea4350c7c2a27ff46f1a6c4
In order to make it easy to create maximally safe sandboxes we have
also added a new commandline switch called --unshare-all. It unshares
all possible namespaces and is currently equivalent with:
- -unshare-user-try --unshare-ipc --unshare-pid --unshare-net
- -unshare-uts --unshare-cgroup-try
However, the intent is that as new namespaces are added to the kernel they will
be added to this list. Additionally, if --share-net is specified the network
namespace is not unshared.
This release also has some bugfixes:
bwrap reaps (unexpected) children that are inherited from the
parent, something which can happen if bwrap is part of a shell
pipeline.
bwrap clears the capability bounding set. The permitted
capabilities was already empty, and use of PR_NO_NEW_PRIVS should
make it impossible to increase the capabilities, but more
layers of protection is better.
The seccomp filter is now installed at the very end of bwrap, which
means the requirement of the filter is minimal. Any bwrap seccomp
filter must at least allow: execve, waitpid and write
Alexander Larsson (7):
Handle inherited children dying
Clear capability bounding set
Make the call to setsid() optional, with --new-session
demos/bubblewrap-shell.sh: Unshare all namespaces
Call setsid() and setexeccon() befor forking the init monitor
Install seccomp filter at the very end
Bump version to 0.1.7
Colin Walters (6):
Release 0.1.6
man: Correct namespace user -> mount
demo/shell: Add /var/tmp compat symlink, tweak PS1, add more docs
Release 0.1.6
ci: Combine ASAN and UBSAN
Add --unshare-all and --share-net
- upstream changelog for 0.1.6:
This fixes a security issue with TIOCSTI, aka CVE-2017-522. Note bubblewrap is
far from the only program that has this issue, and I think the best fix is
probably in the kernel to support disabling this ioctl.
Programs can also work around this by calling setsid() on their own in an exec
handler before doing an exevp(\"bwrap\").
- upstream changelog for 0.1.5:
This is a bugfix release, here are the major changes:
Running bubblewrap as root now works again
Various fixes for the testsuite
Use same default compiler warnings as ostree
Handle errors resolving symlinks during bind mounts
Alexander Larsson (2):
bind-mount: Check for errors in realpath()
Bump version to 0.1.5
Colin Walters (6):
Don\'t call capset() unless we need to
Only --unshare-user automatically if we\'re not root
ci: Modernize a bit, add f25-ubsan
README.md: Update with better one liner and more information
utils: Add __attribute__((printf)) to die()
build: Sync default warning -> error set from ostree
Simon McVittie (4):
test-run: be a bash script
test-run: don\'t assume we are uid 1000
Adapt tests so they can be run against installed binaries
Fix incorrect nesting of backticks when finding a FUSE mount

Fri Dec 16 13:00:00 2016 sebix+novell.comAATTsebix.at
- upgrade to upstream version 0.1.4
- Build also for Leap 42.2

Fri Oct 14 14:00:00 2016 waltersAATTverbum.org
- New upstream version

Mon Sep 12 14:00:00 2016 klemberAATTredhat.com
- Update to 0.1.2

Tue Jul 12 14:00:00 2016 ignatenkoAATTredhat.com
- Trivial fixes in packaging

Fri Jul 8 14:00:00 2016 waltersAATTverbum.org
- Initial package


  
ICM