import RHEL 10 Beta bubblewrap-0.9.0-1.el10

.bubblewrap.metadata

@@ -1 +0,0 @@
-f62f7900c32a5fec4e53a929eae5a9fd16bb3536 SOURCES/bubblewrap-0.4.0.tar.xz

.gitignore

@@ -1 +1 @@
-SOURCES/bubblewrap-0.4.0.tar.xz
+bubblewrap-0.9.0.tar.xz

SOURCES/0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch

@@ -1,128 +0,0 @@
-From 52d5f7c3ba5c8e10b3a992304fd28cd4d18caeeb Mon Sep 17 00:00:00 2001
-From: Alexander Larsson <alexl@redhat.com>
-Date: Tue, 18 Jun 2024 10:20:36 +0200
-Subject: [PATCH] Add --bind-fd and --ro-bind-fd to let you bind a O_PATH fd.
-
-This is useful for example if you for some reason don't have the real
-path. It is also a way to make bind-mounts race-free (i.e. to have the
-mount actually be the thing you wanted to be mounted, avoiding issues
-where some other process replaces the target in parallel with the bwrap
-launch.
-
-Unfortunately due to some technical details we can't actually directly
-mount the dirfd, as they come from different user namespace which is not
-permitted, but at least we can delay resolving the fd to a path as much as
-possible, and then validate after mount that we actually mounted the right
-thing.
-
-Signed-off-by: Alexander Larsson <alexl@redhat.com>
-(cherry picked from commit a253257cd298892da43e15201d83f9a02c9b58b5)
-[kalev: Backport to 0.4.x]
-Signed-off-by: Kalev Lember <klember@redhat.com>
----
- bubblewrap.c      | 50 +++++++++++++++++++++++++++++++++++++++++++++++
- tests/test-run.sh |  7 ++++++-
- 2 files changed, 56 insertions(+), 1 deletion(-)
-
-diff --git a/bubblewrap.c b/bubblewrap.c
-index b3d52bc..38b3646 100644
---- a/bubblewrap.c
-+++ b/bubblewrap.c
-@@ -250,6 +250,8 @@ usage (int ecode, FILE *out)
-            "    --dev-bind-try SRC DEST      Equal to --dev-bind but ignores non-existent SRC\n"
-            "    --ro-bind SRC DEST           Bind mount the host path SRC readonly on DEST\n"
-            "    --ro-bind-try SRC DEST       Equal to --ro-bind but ignores non-existent SRC\n"
-+           "    --bind-fd FD DEST            Bind open directory or path fd on DEST\n"
-+           "    --ro-bind-fd FD DEST         Bind open directory or path fd read-only on DEST\n"
-            "    --remount-ro DEST            Remount DEST as readonly; does not recursively remount\n"
-            "    --exec-label LABEL           Exec label for the sandbox\n"
-            "    --file-label LABEL           File label for temporary sandbox content\n"
-@@ -1111,6 +1113,30 @@ setup_newroot (bool unshare_pid,
-                          (op->type == SETUP_RO_BIND_MOUNT ? BIND_READONLY : 0) |
-                          (op->type == SETUP_DEV_BIND_MOUNT ? BIND_DEVICES : 0),
-                          source, dest);
-+
-+          if (op->fd >= 0)
-+            {
-+              struct stat fd_st, mount_st;
-+
-+              /* When using bind-fd, there is a race condition between resolving the fd as a magic symlink
-+               * and mounting it, where someone could replace what is at the symlink target. Ideally
-+               * we would not even resolve the symlink and directly bind-mount from the fd, but unfortunately
-+               * we can't do that, because its not permitted to bind mount a fd from another user namespace.
-+               * So, we resolve, mount and then compare fstat+stat to detect the race. */
-+
-+              if (fstat(op->fd, &fd_st) != 0)
-+                die_with_error("Can't stat fd %d", op->fd);
-+              if (lstat(dest, &mount_st) != 0)
-+                die_with_error("Can't stat mount at %s", dest);
-+
-+              if (fd_st.st_ino != mount_st.st_ino ||
-+                  fd_st.st_dev != mount_st.st_dev)
-+                die_with_error("Race condition binding dirfd");
-+
-+              close(op->fd);
-+              op->fd = -1;
-+            }
-+
-           break;
- 
-         case SETUP_REMOUNT_RO_NO_RECURSIVE:
-@@ -1648,6 +1674,30 @@ parse_args_recurse (int          *argcp,
-           if (strcmp(arg, "--dev-bind-try") == 0)
-             op->flags = ALLOW_NOTEXIST;
- 
-+          argv += 2;
-+          argc -= 2;
-+        }
-+      else if (strcmp (arg, "--bind-fd") == 0 ||
-+               strcmp (arg, "--ro-bind-fd") == 0)
-+        {
-+          int src_fd;
-+          char *endptr;
-+
-+          if (argc < 3)
-+            die ("--bind-fd takes two arguments");
-+
-+          src_fd = strtol (argv[1], &endptr, 10);
-+          if (argv[1][0] == 0 || endptr[0] != 0 || src_fd < 0)
-+            die ("Invalid fd: %s", argv[1]);
-+
-+          if (strcmp(arg, "--ro-bind-fd") == 0)
-+            op = setup_op_new (SETUP_RO_BIND_MOUNT);
-+          else
-+            op = setup_op_new (SETUP_BIND_MOUNT);
-+          op->source = xasprintf ("/proc/self/fd/%d", src_fd);
-+          op->fd = src_fd;
-+          op->dest = argv[2];
-+
-           argv += 2;
-           argc -= 2;
-         }
-diff --git a/tests/test-run.sh b/tests/test-run.sh
-index 702c480..ce1eaf6 100755
---- a/tests/test-run.sh
-+++ b/tests/test-run.sh
-@@ -80,7 +80,7 @@ if ! $RUN true; then
-     skip Seems like bwrap is not working at all. Maybe setuid is not working
- fi
- 
--echo "1..49"
-+echo "1..50"
- 
- # Test help
- ${BWRAP} --help > help.txt
-@@ -382,5 +382,10 @@ else
-     echo "ok - Test --pidns"
- fi
- 
-+echo "foobar" > file-data
-+$RUN --proc /proc --dev /dev --bind / / --bind-fd 100 /tmp cat /tmp/file-data 100< . > stdout
-+assert_file_has_content stdout foobar
-+
-+echo "ok - bind-fd"
- 
- echo "ok - End of test"
--- 
-2.46.0
-

SPECS/bubblewrap.spec

@@ -1,112 +0,0 @@
-Name: bubblewrap
-Version: 0.4.0
-Release: 2%{?dist}
-Summary: Core execution tool for unprivileged containers
-
-License: LGPLv2+
-#VCS: git:https://github.com/projectatomic/bubblewrap
-URL: https://github.com/projectatomic/bubblewrap
-Source0: https://github.com/projectatomic/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz
-Patch0: 0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch
-
-BuildRequires: autoconf automake libtool
-BuildRequires: gcc
-BuildRequires: libcap-devel
-BuildRequires: pkgconfig(libselinux)
-BuildRequires: libxslt
-BuildRequires: docbook-style-xsl
-
-%description
-Bubblewrap (/usr/bin/bwrap) is a core execution engine for unprivileged
-containers that works as a setuid binary on kernels without
-user namespaces.
-
-%prep
-%autosetup -p1
-
-%build
-if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; fi
-%configure --disable-silent-rules --with-priv-mode=none
-%make_build
-
-%install
-%make_install INSTALL="install -p -c"
-find %{buildroot} -name '*.la' -delete -print
-
-%files
-%license COPYING
-%dir %{_datadir}/bash-completion
-%dir %{_datadir}/bash-completion/completions
-%{_datadir}/bash-completion/completions/bwrap
-%if (0%{?rhel} != 0 && 0%{?rhel} <= 7)
-%attr(0755,root,root) %caps(cap_sys_admin,cap_net_admin,cap_sys_chroot,cap_setuid,cap_setgid=ep) %{_bindir}/bwrap
-%else
-%{_bindir}/bwrap
-%endif
-%{_mandir}/man1/*
-
-%changelog
-* Fri Aug 30 2024 Kalev Lember <klember@redhat.com> - 0.4.0-2
-- Backport upstream fix to help address CVE-2024-42472 in flatpak
-
-* Thu Jan 09 2020 David King <dking@redhat.com> - 0.4.0-1
-- Rebase to 0.4.0 (#1788067)
-
-* Wed Jul 11 2018 Colin Walters <walters@verbum.org> - 0.3.0-1
-- https://github.com/projectatomic/bubblewrap/releases/tag/v0.3.0
-
-* Wed May 16 2018 Kalev Lember <klember@redhat.com> - 0.2.1-1
-- Update to 0.2.1
-
-* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.0-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Mon Oct 09 2017 Colin Walters <walters@verbum.org> - 0.2.0-2
-- New upstream version
-- https://github.com/projectatomic/bubblewrap/releases/tag/v0.2.0
-
-* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.8-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
-
-* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.8-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
-* Tue Mar 28 2017 Colin Walters <walters@verbum.org> - 0.1.8-1
-- New upstream version
-  https://github.com/projectatomic/bubblewrap/releases/tag/v0.1.8
-
-* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.7-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
-
-* Wed Jan 18 2017 Colin Walters <walters@verbum.org> - 0.1.7-1
-- New upstream version;
-  https://github.com/projectatomic/bubblewrap/releases/tag/v0.1.7
-- Resolves: #1411814
-
-* Tue Jan 10 2017 Colin Walters <walters@verbum.org> - 0.1.6-1
-- New upstream version with security fix
-- Resolves: #1411814
-
-* Mon Dec 19 2016 Kalev Lember <klember@redhat.com> - 0.1.5-1
-- Update to 0.1.5
-
-* Tue Dec 06 2016 walters@redhat.com - 0.1.4-4
-- Backport fix for regression in previous commit for rpm-ostree
-
-* Thu Dec 01 2016 walters@redhat.com - 0.1.4-3
-- Backport patch to fix running via nspawn, which should fix rpm-ostree-in-bodhi
-
-* Tue Nov 29 2016 Kalev Lember <klember@redhat.com> - 0.1.4-1
-- Update to 0.1.4
-
-* Fri Oct 14 2016 Colin Walters <walters@verbum.org> - 0.1.3-2
-- New upstream version
-
-* Mon Sep 12 2016 Kalev Lember <klember@redhat.com> - 0.1.2-1
-- Update to 0.1.2
-
-* Tue Jul 12 2016 Igor Gnatenko <ignatenko@redhat.com> - 0.1.1-2
-- Trivial fixes in packaging
-
-* Fri Jul 08 2016 Colin Walters <walters@verbum.org> - 0.1.1
-- Initial package

bubblewrap.spec

@@ -0,0 +1,220 @@
+## START: Set by rpmautospec
+## (rpmautospec version 0.6.1)
+## RPMAUTOSPEC: autorelease, autochangelog
+%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
+    release_number = 1;
+    base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
+    print(release_number + base_release_number - 1);
+}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
+## END: Set by rpmautospec
+
+Name:    bubblewrap
+Version: 0.9.0
+Release: %autorelease
+Summary: Core execution tool for unprivileged containers
+
+License: LGPL-2.0-or-later
+URL:     https://github.com/containers/bubblewrap/
+Source0: https://github.com/containers/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz
+
+BuildRequires: pkgconfig(bash-completion) >= 2.0
+BuildRequires: gcc
+BuildRequires: docbook-style-xsl
+BuildRequires: meson
+BuildRequires: pkgconfig(libcap)
+BuildRequires: pkgconfig(libselinux)
+BuildRequires: /usr/bin/xsltproc
+
+%description
+Bubblewrap (/usr/bin/bwrap) is a core execution engine for unprivileged
+containers that works as a setuid binary on kernels without
+user namespaces.
+
+%prep
+%autosetup
+
+%build
+%meson -Dman=enabled -Dselinux=enabled
+%meson_build
+
+%install
+%meson_install
+
+%files
+%license COPYING
+%doc README.md
+%dir %{_datadir}/bash-completion
+%dir %{_datadir}/bash-completion/completions
+%{_datadir}/bash-completion/completions/bwrap
+%dir %{_datadir}/zsh
+%dir %{_datadir}/zsh/site-functions
+%{_datadir}/zsh/site-functions/_bwrap
+%if (0%{?rhel} != 0 && 0%{?rhel} <= 7)
+%attr(0755,root,root) %caps(cap_sys_admin,cap_net_admin,cap_sys_chroot,cap_setuid,cap_setgid=ep) %{_bindir}/bwrap
+%else
+%{_bindir}/bwrap
+%endif
+%{_mandir}/man1/bwrap.1*
+
+%changelog
+## START: Generated by rpmautospec
+* Tue May 21 2024 Joseph Marrero <jmarrero@redhat.com> - 0.9.0-1
+- Rebase to 0.9.0
+
+* Tue Jan 23 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Thu Nov 16 2023 Debarshi Ray <debarshir@gnome.org> - 0.8.0-1
+- Update to 0.8.0 (#2173820)
+
+* Thu Nov 16 2023 Debarshi Ray <debarshir@gnome.org> - 0.7.0-4
+- Use Bash's bash-completion.pc to provide the location for completions
+
+* Thu Nov 16 2023 Debarshi Ray <debarshir@gnome.org> - 0.7.0-3
+- Explicitly enable SELinux to avoid accidents and misunderstanding
+
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Tue Feb 07 2023 David King <amigadave@amigadave.com> - 0.7.0-1
+- Update to 0.7.0 (#2058474)
+
+* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Wed Aug 25 2021 Kalev Lember <klember@redhat.com> - 0.5.0-3
+- Simplify make install invocation
+
+* Wed Aug 25 2021 Kalev Lember <klember@redhat.com> - 0.5.0-2
+- Drop https://github.com/containers/bubblewrap/pull/426 patch as it breaks
+  tests
+
+* Wed Aug 25 2021 Kalev Lember <klember@redhat.com> - 0.5.0-1
+- Update to 0.5.0
+
+* Wed Aug 25 2021 Kalev Lember <klember@redhat.com> - 0.4.1-8
+- Drop unused VCS tag
+
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.1-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.1-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Thu May 27 2021 Colin Walters <walters@verbum.org> - 0.4.1-5
+- Backport https://github.com/containers/bubblewrap/pull/426
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Thu Dec 17 2020 Tom Stellard <tstellar@redhat.com> - 0.4.1-3
+- Add BuildRequires: make
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Mar 30 2020 David King <amigadave@amigadave.com> - 0.4.1-1
+- Update to 0.4.1
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Nov 27 2019 Kalev Lember <klember@redhat.com> - 0.4.0-1
+- Update to 0.4.0
+
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed May 01 2019 Colin Walters <walters@verbum.org> - 0.3.3-1
+- New upstream release
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Oct 01 2018 Kalev Lember <klember@redhat.com> - 0.3.1-1
+- Update to 0.3.1
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed Jul 11 2018 Colin Walters <walters@verbum.org> - 0.3.0-1
+- v0.3.0
+
+* Wed May 16 2018 Kalev Lember <klember@redhat.com> - 0.2.1-1
+- Update to 0.2.1
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Oct 09 2017 Colin Walters <walters@verbum.org> - 0.2.0-1
+- New upstream version
+
+* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.8-4
+- Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Tue May 23 2017 David King <amigadave@amigadave.com> - 0.1.8-2
+- Update sources
+
+* Tue Mar 28 2017 Colin Walters <walters@verbum.org> - 0.1.8-1
+- New upstream version
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Jan 18 2017 Colin Walters <walters@verbum.org> - 0.1.7-1
+- New upstream version;
+  https://github.com/projectatomic/bubblewrap/releases/tag/v0.1.7 Resolves:
+  #1411814
+
+* Tue Jan 10 2017 Colin Walters <walters@verbum.org> - 0.1.6-1
+- New upstream version
+
+* Mon Dec 19 2016 Kalev Lember <klember@redhat.com> - 0.1.5-1
+- Update to 0.1.5
+
+* Tue Dec 06 2016 Colin Walters <walters@verbum.org> - 0.1.4-4
+- Backport regression fix
+
+* Thu Dec 01 2016 Colin Walters <walters@verbum.org> - 0.1.4-3
+- Backport patch to fix runs via bodhi
+
+* Thu Dec 01 2016 Colin Walters <walters@verbum.org> - 0.1.4-2
+- Re-introduce support for builds from git
+
+* Tue Nov 29 2016 Kalev Lember <klember@redhat.com> - 0.1.4-1
+- Update to 0.1.4 and switch to upstream distributed release tarballs.
+
+* Fri Oct 14 2016 Colin Walters <walters@verbum.org> - 0.1.3-2
+- Fix sources
+
+* Fri Oct 14 2016 Colin Walters <walters@verbum.org> - 0.1.3-1
+- New upstream release
+
+* Sat Sep 24 2016 Colin Walters <walters@verbum.org> - 0.1.2-2
+- spec: Grant cap_setuid/setgid on EL7
+
+* Mon Sep 12 2016 Kalev Lember <klember@redhat.com> - 0.1.2-1
+- Update to 0.1.2
+
+* Tue Jul 12 2016 Colin Walters <walters@verbum.org> - 0.1.1-3
+- Fix man page glob from previous commit
+
+* Tue Jul 12 2016 Igor Gnatenko <ignatenko@redhat.com> - 0.1.1-2
+- Trivial fixes in packaging
+
+* Mon Jul 11 2016 Colin Walters <walters@verbum.org> - 0.1.1-1
+- Initial import
+## END: Generated by rpmautospec

sources

@@ -0,0 +1 @@
+SHA512 (bubblewrap-0.9.0.tar.xz) = 3a3af355e4fdb19a91c40020d68fd83f7c74ebef92d989c932933293758bc0175fa41220c47fe829b84ba29457a12f0e225c19afe674ecbf983b0826dbc1c878