From f09033f1707f643901d1b2f613f27007a549fd5b Mon Sep 17 00:00:00 2001
From: Kalev Lember
Date: Mon, 19 Dec 2016 11:02:20 +0100
Subject: [PATCH] Update to 0.1.5
---
 .gitignore | 1 +
 ...-Don-t-call-capset-unless-we-need-to.patch | 55 -------------------
 ...user-automatically-if-we-re-not-root.patch | 45 ---------------
 bubblewrap.spec | 9 +--
 sources | 2 +-
 5 files changed, 7 insertions(+), 105 deletions(-)
 delete mode 100644 0001-Don-t-call-capset-unless-we-need-to.patch
 delete mode 100644 0001-Only-unshare-user-automatically-if-we-re-not-root.patch
diff --git a/.gitignore b/.gitignore
index 030dea4..bf8d13b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@
 /bubblewrap-0.1.3.tar.xz
 /bubblewrap-0.1.3.tar.gz
 /bubblewrap-0.1.4.tar.xz
+/bubblewrap-0.1.5.tar.xz
diff --git a/0001-Don-t-call-capset-unless-we-need-to.patch b/0001-Don-t-call-capset-unless-we-need-to.patch
deleted file mode 100644
index bf50398..0000000
--- a/0001-Don-t-call-capset-unless-we-need-to.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 0b66e9fc314b4ce0ccf6192fb2f4c72fc1f1c843 Mon Sep 17 00:00:00 2001
-From: Colin Walters
-Date: Thu, 1 Dec 2016 12:45:29 -0500
-Subject: [PATCH] Don't call capset() unless we need to
-
-Fedora runs rpm-ostree (which uses bwrap) in systemd-nspawn (in mock via
-`--new-chroot`). nspawn by default installs a seccomp policy that
-denies `capset()`.
-
-This started failing with bubblewrap-0.1.4:
-https://pagure.io/releng/issue/6550
-
-The process currently runs as *real* uid 0, outside of a user namespace.
-(It's honestly a bit nonsensical for nspawn to give a process `CAP_SYS_ADMIN`
- outside of a userns, but use seccomp to deny `capset()`, but let's leave
- that aside for now.)
-
-Due to the way this code was structured, we set `is_privileged = TRUE`
-simply because we have uid 0, even in the Fedora case where we *aren't*
-privileged.
-
-Fix this so we only set is_privileged if `uid != euid`, hence we
-won't try to gain/drop any capabilities, which fixes compatibility
-with what nspawn is doing.
-
-In theory of course we *could* drop privileges in a userns scenario,
-but we'd only be dropping privs in our userns...eh.
----
- bubblewrap.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/bubblewrap.c b/bubblewrap.c
-index 9e470d3..10e520b 100644
---- a/bubblewrap.c
-+++ b/bubblewrap.c
-@@ -459,12 +459,13 @@ acquire_privs (void)
- uid_t euid, new_fsuid;
- 
- euid = geteuid ();
-- if (euid == 0)
-- is_privileged = TRUE;
- 
-+ /* Are we setuid ? */
- if (real_uid != euid)
- {
-- if (euid != 0)
-+ if (euid == 0)
-+ is_privileged = TRUE;
-+ else
- die ("Unexpected setuid user %d, should be 0", euid);
- 
- /* We want to keep running as euid=0 until at the clone()
---
-2.9.3
-
diff --git a/0001-Only-unshare-user-automatically-if-we-re-not-root.patch b/0001-Only-unshare-user-automatically-if-we-re-not-root.patch
deleted file mode 100644
index 60f7f1d..0000000
--- a/0001-Only-unshare-user-automatically-if-we-re-not-root.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 2a408e8cc696651b74038de2ff2f3fe136dfe46d Mon Sep 17 00:00:00 2001
-From: Colin Walters
-Date: Mon, 5 Dec 2016 15:38:22 -0500
-Subject: [PATCH] Only --unshare-user automatically if we're not root
-
-https://github.com/projectatomic/bubblewrap/pull/122 introduced a
-regression for the case of rpm-ostree running bubblewrap on CentOS 7.
-
-Previously the `is_privileged` variable captured whether or not
-our uid was 0, now it captures whether we're setuid.
-
-This bit of code enabled `--unshare-user` automatically if we're not
-privileged, but we suddenly started doing that for running as real uid
-0 (CAP_SYS_ADMIN), which we don't want, since on CentOS/RHEL 7 today
-userns isn't even available to root without a module parameter and
-reboot.
-
-So, let's just do this only if not setuid *and* we're not uid 0
-(really we should check "have CAP_SYS_ADMIN" but eh).
-
-Closes: #123
-Approved by: alexlarsson
----
- bubblewrap.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/bubblewrap.c b/bubblewrap.c
-index 10e520b..6e04459 100644
---- a/bubblewrap.c
-+++ b/bubblewrap.c
-@@ -1631,8 +1631,9 @@ main (int argc,
- 
- parse_args (&argc, &argv);
- 
-- /* We have to do this if we weren't installed setuid, so let's just DWIM */
-- if (!is_privileged)
-+ /* We have to do this if we weren't installed setuid (and we're not
-+ * root), so let's just DWIM */
-+ if (!is_privileged && getuid () != 0)
- opt_unshare_user = TRUE;
- 
- if (opt_unshare_user_try &&
---
-2.9.3
-
diff --git a/bubblewrap.spec b/bubblewrap.spec
index 5026a7a..c5dd913 100644
--- a/bubblewrap.spec
+++ b/bubblewrap.spec
@@ -1,14 +1,12 @@
 Name: bubblewrap
-Version: 0.1.4
-Release: 5%{?dist}
+Version: 0.1.5
+Release: 1%{?dist}
 Summary: Core execution tool for unprivileged containers
 License: LGPLv2+
 #VCS: git:https://github.com/projectatomic/bubblewrap
 URL: https://github.com/projectatomic/bubblewrap
 Source0: https://github.com/projectatomic/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz
-Patch0: 0001-Don-t-call-capset-unless-we-need-to.patch
-Patch1: 0001-Only-unshare-user-automatically-if-we-re-not-root.patch
 BuildRequires: autoconf automake libtool
 BuildRequires: gcc
@@ -47,6 +45,9 @@ find %{buildroot} -name '*.la' -delete -print
 %{_mandir}/man1/*
 %changelog
+* Mon Dec 19 2016 Kalev Lember - 0.1.5-1
+- Update to 0.1.5
+
 * Tue Dec 06 2016 walters@redhat.com - 0.1.4-4
 - Backport fix for regression in previous commit for rpm-ostree
diff --git a/sources b/sources
index 1fb484e..6a07a05 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-6b5766be4532204760c1c762ef120d1d bubblewrap-0.1.4.tar.xz
+SHA512 (bubblewrap-0.1.5.tar.xz) = 21323a9b9f15c90f9d44d011f378335a934a4e5fef7d7d6b3edc7fbb8742e6dca6154ab88bf34eec91932ae46de995cf5bd70aab1625c6f0b95b0b244f8d8b37
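Review bot: The `%changelog` entry added in the second bubblewrap.spec hunk records only `- Update to 0.1.5`, although the first hunk also removes `Patch0` and `Patch1`, the two backports that changed when `is_privileged` is set in `acquire_privs` and when `--unshare-user` is enabled automatically in `main`. Nothing visible in the commit shows that the 0.1.5 tarball contains both fixes; presumably it does, since both are upstream commits from early December 2016, but for a tool that can be installed setuid this is worth confirming against the release before the patches are dropped. Once confirmed, I would extend the entry with a second line, `- Drop backported patches, included in 0.1.5`, so the removal is recorded where packagers look for it.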