Update to 0.1.5

2016-12-19 11:02:20 +01:00 · 2016-12-19 11:02:20 +01:00 · f09033f170
commit f09033f170
parent 0ba92b6b26
5 changed files with 7 additions and 105 deletions
--- a/.gitignore
+++ b/.gitignore
@ -4,3 +4,4 @@
 /bubblewrap-0.1.3.tar.xz
 /bubblewrap-0.1.3.tar.gz
 /bubblewrap-0.1.4.tar.xz
 /bubblewrap-0.1.5.tar.xz
--- a/0001-Don-t-call-capset-unless-we-need-to.patch
+++ b/0001-Don-t-call-capset-unless-we-need-to.patch
@ -1,55 +0,0 @@
 From 0b66e9fc314b4ce0ccf6192fb2f4c72fc1f1c843 Mon Sep 17 00:00:00 2001
 From: Colin Walters <walters@verbum.org>
 Date: Thu, 1 Dec 2016 12:45:29 -0500
 Subject: [PATCH] Don't call capset() unless we need to
 Fedora runs rpm-ostree (which uses bwrap) in systemd-nspawn (in mock via
 `--new-chroot`).  nspawn by default installs a seccomp policy that
 denies `capset()`.
 This started failing with bubblewrap-0.1.4:
 https://pagure.io/releng/issue/6550
 The process currently runs as *real* uid 0, outside of a user namespace.
 (It's honestly a bit nonsensical for nspawn to give a process `CAP_SYS_ADMIN`
 outside of a userns, but use seccomp to deny `capset()`, but let's leave
 that aside for now.)
 Due to the way this code was structured, we set `is_privileged = TRUE`
 simply because we have uid 0, even in the Fedora case where we *aren't*
 privileged.
 Fix this so we only set is_privileged if `uid != euid`, hence we
 won't try to gain/drop any capabilities, which fixes compatibility
 with what nspawn is doing.
 In theory of course we *could* drop privileges in a userns scenario,
 but we'd only be dropping privs in our userns...eh.
 ---
 bubblewrap.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
 diff --git a/bubblewrap.c b/bubblewrap.c
 index 9e470d3..10e520b 100644
 --- a/bubblewrap.c
 +++ b/bubblewrap.c
@@ -459,12 +459,13 @@ acquire_privs (void)
   uid_t euid, new_fsuid;
   euid = geteuid ();
 -  if (euid == 0)
 -    is_privileged = TRUE;
 +  /* Are we setuid ? */
   if (real_uid != euid)
     {
 -      if (euid != 0)
 +      if (euid == 0)
 +        is_privileged = TRUE;
 +      else
         die ("Unexpected setuid user %d, should be 0", euid);
       /* We want to keep running as euid=0 until at the clone()
 -- 
 2.9.3
--- a/0001-Only-unshare-user-automatically-if-we-re-not-root.patch
+++ b/0001-Only-unshare-user-automatically-if-we-re-not-root.patch
@ -1,45 +0,0 @@
 From 2a408e8cc696651b74038de2ff2f3fe136dfe46d Mon Sep 17 00:00:00 2001
 From: Colin Walters <walters@verbum.org>
 Date: Mon, 5 Dec 2016 15:38:22 -0500
 Subject: [PATCH] Only --unshare-user automatically if we're not root
 https://github.com/projectatomic/bubblewrap/pull/122 introduced a
 regression for the case of rpm-ostree running bubblewrap on CentOS 7.
 Previously the `is_privileged` variable captured whether or not
 our uid was 0, now it captures whether we're setuid.
 This bit of code enabled `--unshare-user` automatically if we're not
 privileged, but we suddenly started doing that for running as real uid
 0 (CAP_SYS_ADMIN), which we don't want, since on CentOS/RHEL 7 today
 userns isn't even available to root without a module parameter and
 reboot.
 So, let's just do this only if not setuid *and* we're not uid 0
 (really we should check "have CAP_SYS_ADMIN" but eh).
 Closes: #123
 Approved by: alexlarsson
 ---
 bubblewrap.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/bubblewrap.c b/bubblewrap.c
 index 10e520b..6e04459 100644
 --- a/bubblewrap.c
 +++ b/bubblewrap.c
@@ -1631,8 +1631,9 @@ main (int    argc,
   parse_args (&argc, &argv);
 -  /* We have to do this if we weren't installed setuid, so let's just DWIM */
 -  if (!is_privileged)
 +  /* We have to do this if we weren't installed setuid (and we're not
 +   * root), so let's just DWIM */
 +  if (!is_privileged && getuid () != 0)
     opt_unshare_user = TRUE;
   if (opt_unshare_user_try &&
 -- 
 2.9.3
--- a/bubblewrap.spec
+++ b/bubblewrap.spec
@ -1,14 +1,12 @@
 Name: bubblewrap
-Version: 0.1.4
+Version: 0.1.5
-Release: 5%{?dist}
+Release: 1%{?dist}
 Summary: Core execution tool for unprivileged containers
 License: LGPLv2+
 #VCS: git:https://github.com/projectatomic/bubblewrap
 URL: https://github.com/projectatomic/bubblewrap
 Source0: https://github.com/projectatomic/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz
 Patch0: 0001-Don-t-call-capset-unless-we-need-to.patch
 Patch1: 0001-Only-unshare-user-automatically-if-we-re-not-root.patch
 BuildRequires: autoconf automake libtool
 BuildRequires: gcc
@ -47,6 +45,9 @@ find %{buildroot} -name '*.la' -delete -print
 %{_mandir}/man1/*
 %changelog
 * Mon Dec 19 2016 Kalev Lember <klember@redhat.com> - 0.1.5-1
 - Update to 0.1.5
 * Tue Dec 06 2016 walters@redhat.com - 0.1.4-4
 - Backport fix for regression in previous commit for rpm-ostree
--- a/2
+++ b/2
@ -1 +1 @@
-6b5766be4532204760c1c762ef120d1d  bubblewrap-0.1.4.tar.xz
+SHA512 (bubblewrap-0.1.5.tar.xz) = 21323a9b9f15c90f9d44d011f378335a934a4e5fef7d7d6b3edc7fbb8742e6dca6154ab88bf34eec91932ae46de995cf5bd70aab1625c6f0b95b0b244f8d8b37
`@ -1 +1 @@`
	`6b5766be4532204760c1c762ef120d1d bubblewrap-0.1.4.tar.xz`	`SHA512 (bubblewrap-0.1.5.tar.xz) = 21323a9b9f15c90f9d44d011f378335a934a4e5fef7d7d6b3edc7fbb8742e6dca6154ab88bf34eec91932ae46de995cf5bd70aab1625c6f0b95b0b244f8d8b37`