From e6bcf35c7eb11926da4e121932927bd74ef669f9 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Wed, 20 Nov 2024 13:36:53 +0000
Subject: [PATCH] import RHEL 10 Beta bubblewrap-0.9.0-1.el10

---
 .bubblewrap.metadata | 1 -
 .gitignore | 2 +-
 ...ro-bind-fd-to-let-you-bind-a-O_PATH-.patch | 128 ----------
 SPECS/bubblewrap.spec | 112 ---------
 bubblewrap.spec | 220 ++++++++++++++++++
 sources | 1 +
 6 files changed, 222 insertions(+), 242 deletions(-)
 delete mode 100644 .bubblewrap.metadata
 delete mode 100644 SOURCES/0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch
 delete mode 100644 SPECS/bubblewrap.spec
 create mode 100644 bubblewrap.spec
 create mode 100644 sources

diff --git a/.bubblewrap.metadata b/.bubblewrap.metadata
deleted file mode 100644
index 4687b14..0000000
--- a/.bubblewrap.metadata
+++ /dev/null
@@ -1 +0,0 @@
-f62f7900c32a5fec4e53a929eae5a9fd16bb3536 SOURCES/bubblewrap-0.4.0.tar.xz
diff --git a/.gitignore b/.gitignore
index 3954450..a3ef3d2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/bubblewrap-0.4.0.tar.xz
+bubblewrap-0.9.0.tar.xz
diff --git a/SOURCES/0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch b/SOURCES/0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch
deleted file mode 100644
index 979ff51..0000000
--- a/SOURCES/0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch
+++ /dev/null
@@ -1,128 +0,0 @@
-From 52d5f7c3ba5c8e10b3a992304fd28cd4d18caeeb Mon Sep 17 00:00:00 2001
-From: Alexander Larsson
-Date: Tue, 18 Jun 2024 10:20:36 +0200
-Subject: [PATCH] Add --bind-fd and --ro-bind-fd to let you bind a O_PATH fd.
-
-This is useful for example if you for some reason don't have the real
-path. It is also a way to make bind-mounts race-free (i.e. to have the
-mount actually be the thing you wanted to be mounted, avoiding issues
-where some other process replaces the target in parallel with the bwrap
-launch.
-
-Unfortunately due to some technical details we can't actually directly
-mount the dirfd, as they come from different user namespace which is not
-permitted, but at least we can delay resolving the fd to a path as much as
-possible, and then validate after mount that we actually mounted the right
-thing.
-
-Signed-off-by: Alexander Larsson
-(cherry picked from commit a253257cd298892da43e15201d83f9a02c9b58b5)
-[kalev: Backport to 0.4.x]
-Signed-off-by: Kalev Lember
----
- bubblewrap.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++
- tests/test-run.sh | 7 ++++++-
- 2 files changed, 56 insertions(+), 1 deletion(-)
-
-diff --git a/bubblewrap.c b/bubblewrap.c
-index b3d52bc..38b3646 100644
---- a/bubblewrap.c
-+++ b/bubblewrap.c
-@@ -250,6 +250,8 @@ usage (int ecode, FILE *out)
- " --dev-bind-try SRC DEST Equal to --dev-bind but ignores non-existent SRC\n"
- " --ro-bind SRC DEST Bind mount the host path SRC readonly on DEST\n"
- " --ro-bind-try SRC DEST Equal to --ro-bind but ignores non-existent SRC\n"
-+ " --bind-fd FD DEST Bind open directory or path fd on DEST\n"
-+ " --ro-bind-fd FD DEST Bind open directory or path fd read-only on DEST\n"
- " --remount-ro DEST Remount DEST as readonly; does not recursively remount\n"
- " --exec-label LABEL Exec label for the sandbox\n"
- " --file-label LABEL File label for temporary sandbox content\n"
-@@ -1111,6 +1113,30 @@ setup_newroot (bool unshare_pid,
- (op->type == SETUP_RO_BIND_MOUNT ? BIND_READONLY : 0) |
- (op->type == SETUP_DEV_BIND_MOUNT ? BIND_DEVICES : 0),
- source, dest);
-+
-+ if (op->fd >= 0)
-+ {
-+ struct stat fd_st, mount_st;
-+
-+ /* When using bind-fd, there is a race condition between resolving the fd as a magic symlink
-+ * and mounting it, where someone could replace what is at the symlink target. Ideally
-+ * we would not even resolve the symlink and directly bind-mount from the fd, but unfortunately
-+ * we can't do that, because its not permitted to bind mount a fd from another user namespace.
-+ * So, we resolve, mount and then compare fstat+stat to detect the race. */
-+
-+ if (fstat(op->fd, &fd_st) != 0)
-+ die_with_error("Can't stat fd %d", op->fd);
-+ if (lstat(dest, &mount_st) != 0)
-+ die_with_error("Can't stat mount at %s", dest);
-+
-+ if (fd_st.st_ino != mount_st.st_ino ||
-+ fd_st.st_dev != mount_st.st_dev)
-+ die_with_error("Race condition binding dirfd");
-+
-+ close(op->fd);
-+ op->fd = -1;
-+ }
-+
- break;
-
- case SETUP_REMOUNT_RO_NO_RECURSIVE:
-@@ -1648,6 +1674,30 @@ parse_args_recurse (int *argcp,
- if (strcmp(arg, "--dev-bind-try") == 0)
- op->flags = ALLOW_NOTEXIST;
-
-+ argv += 2;
-+ argc -= 2;
-+ }
-+ else if (strcmp (arg, "--bind-fd") == 0 ||
-+ strcmp (arg, "--ro-bind-fd") == 0)
-+ {
-+ int src_fd;
-+ char *endptr;
-+
-+ if (argc < 3)
-+ die ("--bind-fd takes two arguments");
-+
-+ src_fd = strtol (argv[1], &endptr, 10);
-+ if (argv[1][0] == 0 || endptr[0] != 0 || src_fd < 0)
-+ die ("Invalid fd: %s", argv[1]);
-+
-+ if (strcmp(arg, "--ro-bind-fd") == 0)
-+ op = setup_op_new (SETUP_RO_BIND_MOUNT);
-+ else
-+ op = setup_op_new (SETUP_BIND_MOUNT);
-+ op->source = xasprintf ("/proc/self/fd/%d", src_fd);
-+ op->fd = src_fd;
-+ op->dest = argv[2];
-+
- argv += 2;
- argc -= 2;
- }
-diff --git a/tests/test-run.sh b/tests/test-run.sh
-index 702c480..ce1eaf6 100755
---- a/tests/test-run.sh
-+++ b/tests/test-run.sh
-@@ -80,7 +80,7 @@ if ! $RUN true; then
- skip Seems like bwrap is not working at all. Maybe setuid is not working
- fi
-
--echo "1..49"
-+echo "1..50"
-
- # Test help
- ${BWRAP} --help > help.txt
-@@ -382,5 +382,10 @@ else
- echo "ok - Test --pidns"
- fi
-
-+echo "foobar" > file-data
-+$RUN --proc /proc --dev /dev --bind / / --bind-fd 100 /tmp cat /tmp/file-data 100< . > stdout
-+assert_file_has_content stdout foobar
-+
-+echo "ok - bind-fd"
-
- echo "ok - End of test"
---
-2.46.0
-
diff --git a/SPECS/bubblewrap.spec b/SPECS/bubblewrap.spec
deleted file mode 100644
index b3c81c2..0000000
--- a/SPECS/bubblewrap.spec
+++ /dev/null
@@ -1,112 +0,0 @@
-Name: bubblewrap
-Version: 0.4.0
-Release: 2%{?dist}
-Summary: Core execution tool for unprivileged containers
-
-License: LGPLv2+
-#VCS: git:https://github.com/projectatomic/bubblewrap
-URL: https://github.com/projectatomic/bubblewrap
-Source0: https://github.com/projectatomic/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz
-Patch0: 0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch
-
-BuildRequires: autoconf automake libtool
-BuildRequires: gcc
-BuildRequires: libcap-devel
-BuildRequires: pkgconfig(libselinux)
-BuildRequires: libxslt
-BuildRequires: docbook-style-xsl
-
-%description
-Bubblewrap (/usr/bin/bwrap) is a core execution engine for unprivileged
-containers that works as a setuid binary on kernels without
-user namespaces.
-
-%prep
-%autosetup -p1
-
-%build
-if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; fi
-%configure --disable-silent-rules --with-priv-mode=none
-%make_build
-
-%install
-%make_install INSTALL="install -p -c"
-find %{buildroot} -name '*.la' -delete -print
-
-%files
-%license COPYING
-%dir %{_datadir}/bash-completion
-%dir %{_datadir}/bash-completion/completions
-%{_datadir}/bash-completion/completions/bwrap
-%if (0%{?rhel} != 0 && 0%{?rhel} <= 7)
-%attr(0755,root,root) %caps(cap_sys_admin,cap_net_admin,cap_sys_chroot,cap_setuid,cap_setgid=ep) %{_bindir}/bwrap
-%else
-%{_bindir}/bwrap
-%endif
-%{_mandir}/man1/*
-
-%changelog
-* Fri Aug 30 2024 Kalev Lember - 0.4.0-2
-- Backport upstream fix to help address CVE-2024-42472 in flatpak
-
-* Thu Jan 09 2020 David King - 0.4.0-1
-- Rebase to 0.4.0 (#1788067)
-
-* Wed Jul 11 2018 Colin Walters - 0.3.0-1
-- https://github.com/projectatomic/bubblewrap/releases/tag/v0.3.0
-
-* Wed May 16 2018 Kalev Lember - 0.2.1-1
-- Update to 0.2.1
-
-* Wed Feb 07 2018 Fedora Release Engineering - 0.2.0-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Mon Oct 09 2017 Colin Walters - 0.2.0-2
-- New upstream version
-- https://github.com/projectatomic/bubblewrap/releases/tag/v0.2.0
-
-* Wed Aug 02 2017 Fedora Release Engineering - 0.1.8-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
-
-* Wed Jul 26 2017 Fedora Release Engineering - 0.1.8-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
-* Tue Mar 28 2017 Colin Walters - 0.1.8-1
-- New upstream version
- https://github.com/projectatomic/bubblewrap/releases/tag/v0.1.8
-
-* Fri Feb 10 2017 Fedora Release Engineering - 0.1.7-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
-
-* Wed Jan 18 2017 Colin Walters - 0.1.7-1
-- New upstream version;
- https://github.com/projectatomic/bubblewrap/releases/tag/v0.1.7
-- Resolves: #1411814
-
-* Tue Jan 10 2017 Colin Walters - 0.1.6-1
-- New upstream version with security fix
-- Resolves: #1411814
-
-* Mon Dec 19 2016 Kalev Lember - 0.1.5-1
-- Update to 0.1.5
-
-* Tue Dec 06 2016 walters@redhat.com - 0.1.4-4
-- Backport fix for regression in previous commit for rpm-ostree
-
-* Thu Dec 01 2016 walters@redhat.com - 0.1.4-3
-- Backport patch to fix running via nspawn, which should fix rpm-ostree-in-bodhi
-
-* Tue Nov 29 2016 Kalev Lember - 0.1.4-1
-- Update to 0.1.4
-
-* Fri Oct 14 2016 Colin Walters - 0.1.3-2
-- New upstream version
-
-* Mon Sep 12 2016 Kalev Lember - 0.1.2-1
-- Update to 0.1.2
-
-* Tue Jul 12 2016 Igor Gnatenko - 0.1.1-2
-- Trivial fixes in packaging
-
-* Fri Jul 08 2016 Colin Walters - 0.1.1
-- Initial package
diff --git a/bubblewrap.spec b/bubblewrap.spec
new file mode 100644
index 0000000..123e0d9
--- /dev/null
+++ b/bubblewrap.spec
@@ -0,0 +1,220 @@
+## START: Set by rpmautospec
+## (rpmautospec version 0.6.1)
+## RPMAUTOSPEC: autorelease, autochangelog
+%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
+ release_number = 1;
+ base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
+ print(release_number + base_release_number - 1);
+}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
+## END: Set by rpmautospec
+
+Name: bubblewrap
+Version: 0.9.0
+Release: %autorelease
+Summary: Core execution tool for unprivileged containers
+
+License: LGPL-2.0-or-later
+URL: https://github.com/containers/bubblewrap/
+Source0: https://github.com/containers/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz
+
+BuildRequires: pkgconfig(bash-completion) >= 2.0
+BuildRequires: gcc
+BuildRequires: docbook-style-xsl
+BuildRequires: meson
+BuildRequires: pkgconfig(libcap)
+BuildRequires: pkgconfig(libselinux)
+BuildRequires: /usr/bin/xsltproc
+
+%description
+Bubblewrap (/usr/bin/bwrap) is a core execution engine for unprivileged
+containers that works as a setuid binary on kernels without
+user namespaces.
+
+%prep
+%autosetup
+
+%build
+%meson -Dman=enabled -Dselinux=enabled
+%meson_build
+
+%install
+%meson_install
+
+%files
+%license COPYING
+%doc README.md
+%dir %{_datadir}/bash-completion
+%dir %{_datadir}/bash-completion/completions
+%{_datadir}/bash-completion/completions/bwrap
+%dir %{_datadir}/zsh
+%dir %{_datadir}/zsh/site-functions
+%{_datadir}/zsh/site-functions/_bwrap
+%if (0%{?rhel} != 0 && 0%{?rhel} <= 7)
+%attr(0755,root,root) %caps(cap_sys_admin,cap_net_admin,cap_sys_chroot,cap_setuid,cap_setgid=ep) %{_bindir}/bwrap
+%else
+%{_bindir}/bwrap
+%endif
+%{_mandir}/man1/bwrap.1*
+
+%changelog
+## START: Generated by rpmautospec
+* Tue May 21 2024 Joseph Marrero - 0.9.0-1
+- Rebase to 0.9.0
+
+* Tue Jan 23 2024 Fedora Release Engineering - 0.8.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jan 19 2024 Fedora Release Engineering - 0.8.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Thu Nov 16 2023 Debarshi Ray - 0.8.0-1
+- Update to 0.8.0 (#2173820)
+
+* Thu Nov 16 2023 Debarshi Ray - 0.7.0-4
+- Use Bash's bash-completion.pc to provide the location for completions
+
+* Thu Nov 16 2023 Debarshi Ray - 0.7.0-3
+- Explicitly enable SELinux to avoid accidents and misunderstanding
+
+* Wed Jul 19 2023 Fedora Release Engineering - 0.7.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Tue Feb 07 2023 David King - 0.7.0-1
+- Update to 0.7.0 (#2058474)
+
+* Wed Jan 18 2023 Fedora Release Engineering - 0.5.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Wed Jul 20 2022 Fedora Release Engineering - 0.5.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Wed Jan 19 2022 Fedora Release Engineering - 0.5.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Wed Aug 25 2021 Kalev Lember - 0.5.0-3
+- Simplify make install invocation
+
+* Wed Aug 25 2021 Kalev Lember - 0.5.0-2
+- Drop https://github.com/containers/bubblewrap/pull/426 patch as it breaks
+ tests
+
+* Wed Aug 25 2021 Kalev Lember - 0.5.0-1
+- Update to 0.5.0
+
+* Wed Aug 25 2021 Kalev Lember - 0.4.1-8
+- Drop unused VCS tag
+
+* Wed Jul 21 2021 Fedora Release Engineering - 0.4.1-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Wed Jul 21 2021 Fedora Release Engineering - 0.4.1-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Thu May 27 2021 Colin Walters - 0.4.1-5
+- Backport https://github.com/containers/bubblewrap/pull/426
+
+* Tue Jan 26 2021 Fedora Release Engineering - 0.4.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Thu Dec 17 2020 Tom Stellard - 0.4.1-3
+- Add BuildRequires: make
+
+* Mon Jul 27 2020 Fedora Release Engineering - 0.4.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Mar 30 2020 David King - 0.4.1-1
+- Update to 0.4.1
+
+* Tue Jan 28 2020 Fedora Release Engineering - 0.4.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Nov 27 2019 Kalev Lember - 0.4.0-1
+- Update to 0.4.0
+
+* Wed Jul 24 2019 Fedora Release Engineering - 0.3.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed May 01 2019 Colin Walters - 0.3.3-1
+- New upstream release
+
+* Thu Jan 31 2019 Fedora Release Engineering - 0.3.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Oct 01 2018 Kalev Lember - 0.3.1-1
+- Update to 0.3.1
+
+* Thu Jul 12 2018 Fedora Release Engineering - 0.3.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed Jul 11 2018 Colin Walters - 0.3.0-1
+- v0.3.0
+
+* Wed May 16 2018 Kalev Lember - 0.2.1-1
+- Update to 0.2.1
+
+* Wed Feb 07 2018 Fedora Release Engineering - 0.2.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Oct 09 2017 Colin Walters - 0.2.0-1
+- New upstream version
+
+* Wed Aug 02 2017 Fedora Release Engineering - 0.1.8-4
+- Rebuilt for
+ https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering - 0.1.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Tue May 23 2017 David King - 0.1.8-2
+- Update sources
+
+* Tue Mar 28 2017 Colin Walters - 0.1.8-1
+- New upstream version
+
+* Fri Feb 10 2017 Fedora Release Engineering - 0.1.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Jan 18 2017 Colin Walters - 0.1.7-1
+- New upstream version;
+ https://github.com/projectatomic/bubblewrap/releases/tag/v0.1.7 Resolves:
+ #1411814
+
+* Tue Jan 10 2017 Colin Walters - 0.1.6-1
+- New upstream version
+
+* Mon Dec 19 2016 Kalev Lember - 0.1.5-1
+- Update to 0.1.5
+
+* Tue Dec 06 2016 Colin Walters - 0.1.4-4
+- Backport regression fix
+
+* Thu Dec 01 2016 Colin Walters - 0.1.4-3
+- Backport patch to fix runs via bodhi
+
+* Thu Dec 01 2016 Colin Walters - 0.1.4-2
+- Re-introduce support for builds from git
+
+* Tue Nov 29 2016 Kalev Lember - 0.1.4-1
+- Update to 0.1.4 and switch to upstream distributed release tarballs.
+
+* Fri Oct 14 2016 Colin Walters - 0.1.3-2
+- Fix sources
+
+* Fri Oct 14 2016 Colin Walters - 0.1.3-1
+- New upstream release
+
+* Sat Sep 24 2016 Colin Walters - 0.1.2-2
+- spec: Grant cap_setuid/setgid on EL7
+
+* Mon Sep 12 2016 Kalev Lember - 0.1.2-1
+- Update to 0.1.2
+
+* Tue Jul 12 2016 Colin Walters - 0.1.1-3
+- Fix man page glob from previous commit
+
+* Tue Jul 12 2016 Igor Gnatenko - 0.1.1-2
+- Trivial fixes in packaging
+
+* Mon Jul 11 2016 Colin Walters - 0.1.1-1
+- Initial import
+## END: Generated by rpmautospec
diff --git a/sources b/sources
new file mode 100644
index 0000000..41c8404
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (bubblewrap-0.9.0.tar.xz) = 3a3af355e4fdb19a91c40020d68fd83f7c74ebef92d989c932933293758bc0175fa41220c47fe829b84ba29457a12f0e225c19afe674ecbf983b0826dbc1c878
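Review bot: The new spec carries no `Patch0:` line and runs plain `%autosetup`, so the `--bind-fd`/`--ro-bind-fd` backport that the deleted SPECS/bubblewrap.spec changelog ties to CVE-2024-42472 in flatpak no longer ships in the package. The deleted patch header dates the upstream change to 18 Jun 2024 (cherry-picked from a253257cd298892da43e15201d83f9a02c9b58b5), while the new changelog's 0.9.0 rebase entry is dated 21 May 2024, so the 0.9.0 tarball presumably predates it; confirm against the tarball (for instance that `bwrap --help` in the built package lists `--bind-fd`) before relying on the rebase alone. If 0.9.0 lacks it, carry the patch in the new flat layout with `Patch0: 0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch` and `%autosetup -p1`, and in either case say in the `0.9.0-1` changelog entry why the backport was dropped.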