Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

bubblewrap-0.11.0-1.1 RPM for s390x

From OpenSuSE Ports Tumbleweed for s390x

Name: bubblewrap Distribution: openSUSE:Factory:zSystems
Version: 0.11.0 Vendor: openSUSE
Release: 1.1 Build date: Fri Nov 1 19:56:54 2024
Group: Productivity/Security Build host: reproducible
Size: 125644 Source RPM: bubblewrap-0.11.0-1.1.src.rpm
Packager: https://bugs.opensuse.org
Url: https://github.com/containers/bubblewrap
Summary: Core execution tool for unprivileged containers
Bubblewrap (/usr/bin/bwrap) is a core execution engine for unprivileged
containers that works as a setuid binary on kernels without
user namespaces.

Provides

Requires

License

LGPL-2.0-or-later

Changelog

* Fri Nov 01 2024 Andreas Stieger <andreas.stieger@gmx.de>
  - update to 0.11.0:
    * New --overlay, --tmp-overlay, --ro-overlay and --overlay-src
      options allow creation of overlay mounts. This feature is not
      available when bubblewrap is installed setuid.
    * New --level-prefix option produces output that can be parsed
      by tools like logger --prio-prefix and
      systemd-cat --level-prefix=1
    * bug fixes and developer visible changes
  - add upstream signing key and validate source signature
* Wed Aug 14 2024 Bjørn Lie <bjorn.lie@gmail.com>
  - Update to version v0.10.0:
    * New features: Add the --[ro-]bind-fd option, which can be used
      to mount a filesystem represented by a file descriptor without
      time-of-check/time-of-use attacks. This is needed when
      resolving security issue in Flatpak.
      (CVE-2024-42472, bsc#1229157)
    * Other changes: Fix some confusing syntax in SetupOpFlag (no
      functional change).
* Tue Apr 02 2024 Wolfgang Frisch <wolfgang.frisch@suse.com>
  - update to v0.9.0:
    * Build system changed to Meson from Autotools
    * Add --argv0
      https://github.com/containers/bubblewrap/issues/91
    * --symlink is now idempotent, meaning it succeeds if the symlink already
      exists and already has the desired target
    * Clarify security considerations in documentation
    * Clarify documentation for --cap-add
    * Report a better error message if mount(2) fails with ENOSPC
    * Fix a double-close on error reading from --args, --seccomp or
    - -add-seccomp-fd argument
    * Improve memory allocation behaviour
* Mon Mar 27 2023 Andreas Stieger <andreas.stieger@gmx.de>
  - update to v0.8.0:
    * Add --disable-userns option to prevent the sandbox from
      creating its own nested user namespace
    * Add --assert-userns-disabled option to check that an existing
      userns was created with --disable-userns
    * Give a clearer error message if the kernel doesn't have
      CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER
* Wed Dec 07 2022 Dirk Müller <dmueller@suse.com>
  - update to v0.7.0:
    * --size option controls the size of a subsequent --tmpfs (#509)
    * Better error messages if a mount operation fails (#472)
    * Better error message if creating the new user namespace fails with
      ENOSPC (#487)
    * When building as a Meson subproject, a RUNPATH can be set on the
      executable to make it easier to bundle its libcap dependency
    * Fix test failures when running as uid 0 but with limited capabilities
      (#510)
    * Use POSIX command -v in preference to non-standard which (#527)
    * Fix a copy/paste error in --help (#531)
* Wed May 18 2022 Dominique Leuenberger <dimstar@opensuse.org>
  - Update to version 0.6.2:
    + New features in Meson build:
    - Auto-detect whether the man page can be generated.
    - -Dbwrapdir=... changes the installation directory (useful
      when being used as a subproject).
    - -Dtests=false disables unit tests.
    + Bug fixes:
    - Add --add-seccomp-fd to shell completions
    - Document --add-seccomp-fd, --json-status-fd and --share-net
      in the man page
    - Add attributes to silence various compiler warnings
    - Allow compilation of tests with musl on mips architectures
    - Allow compilation with older glibc
    - Disable sanitizers for a test helper whose seccomp profile
      breaks the instrumentation
    - Disable AddressSanitizer leak detection where it interferes
      with unit testing
* Fri Mar 04 2022 Sebastian Wagner <sebix+novell.com@sebix.at>
  - Update to 0.6.1:
    - Add a release checklist
    - completions: Make zsh completion non-executable
    The Autotools build system installed it with 0644 permissions because
    it's listed as DATA, but the Meson build system installs executable
    files as executable by default.
    zsh completions don't need to be executable to work, and this one doesn't
    have the `#!` marker that should start an executable script.
  - update to 0.6.0:
    - meson: Improve compatibility with Meson 0.49
    That version doesn't allow more than two arguments for define_variable.
    - Disable test-specifying-pidns.sh under 'meson dist' while I investigate
    This test is hanging when run under 'meson dist' for some reason, but
    not when run under 'meson test', and not locally, only in the Github
    Workflow-based CI. Disable it for now.
    - meson: Actually build and run the tests
    - tests: Fix compiler warnings for unused arguments
    - meson: Run test scripts from $srcdir
    - meson: Make G_TEST_SRCDIR, G_TEST_BUILDDIR match Autotools
    - meson: Run the Python test script with Python, not bash
    The python build option can be used to swap to a different interpreter,
    for environments like the Steam Runtime where the python3 executable in
    the PATH is extremely old but there is a better interpreter available.
    This is treated as non-optional, because Meson is written in Python,
    so the situation where there is no Python interpreter at build-time
    shouldn't arise.
    - meson: Build the try-syscall helper
    - meson: Build tests with equivalent of -I$(top_srcdir) -I$(top_builddir)
    - meson.build: Remove unnecessary check for sh
    - Add a Meson build system
    This allows bwrap to be built as a subproject in larger Meson projects.
    When built as a subproject, we install into the --libexecdir and
    require a program prefix to be specified: for example, Flatpak would use
    program_prefix=flatpak- to get /usr/libexec/flatpak-bwrap. Verified to
    be backwards-compatible as far as Meson 0.49.0 (Debian 9 backports).
    Loosely based on previous work by Jussi Pakkanen (see #133).
    Differences between the Autotools and Meson builds:
    The Meson build requires a version of libcap that has pkg-config
    metadata (introduced in libcap 2.23, in 2013).
    The Meson build has no equivalent of --with-priv-mode=setuid. On
    distributions like Debian <= 10 and RHEL <= 7 that require a setuid bwrap
    executable, the sysadmin or distribution packaging will need to set the
    correct permissions on the bwrap executable; Debian already did this via
    packaging rather than the upstream build system.
    The Meson build supports being used as a subproject, and there is CI
    for this. It automatically disables shell completions and man pages,
    moves the bubblewrap executable to ${libexecdir}, and renames the
    bubblewrap executable according to a program_prefix option that the
    caller must specify (for example, Flatpak would use
    - Dprogram_prefix=flatpak- to get /usr/libexec/flatpak-bwrap). See the
    tests/use-as-subproject/ directory for an example.
    - Use HEAD to refer to other projects' default branches in documentation
    This makes the URL independent of the name they have chosen for their
    default branches.
    - workflows: Update for rename of default branch to main
    - tests: Exercise seccomp filters
    - Allow loading more than one seccomp program
    This will allow Flatpak to combine an allow-list (default-deny) of
    known system calls with a deny-list (default-allow) of system calls
    that are undesired.
    Resolves: https://github.com/containers/bubblewrap/issues/453
    - Generalize linked lists of LockFile and SetupOp
    I'm about to add a third linked list, for seccomp programs, which would
    seem like too much duplication.
    - Handle argc == 0 better
    Unfortunately it's possible for argc to be 0, so error out pretty early
    on in that case. I don't think this is a security issue in this case.
    - Fix typo
    - Remove trailing whitespace
    - Fix spelling
    - bash: Fix shellcheck warnings
    - bash: Invoke bash using /usr/bin/env
    - bubblewrap: Avoid a -Wjump-misses-init false-positive
    When building with -Wjump-misses-init as part of a larger project, gcc
    reports that we jump past initialization of cover_proc_dirs. This is
    technically true, but we only use this variable in the case where it's
    initialized, so that's harmless.
    However, we can avoid this altogether by making the array static and
    constant, which allows it to be moved from initialized data to read-only
    data.
    - bind-mount: Be more const-correct
    When compiled with -Wwrite-strings as part of a larger project, gcc and
    clang both warn that we're assigning a string constant to a mutable
    struct member. There's actually no reason why it should be mutable, so
    make it const.
    - die_with_error: Save errno sooner
    We need to save errno immediately, otherwise it could be overwritten
    by a failing library call somewhere in the implementation of fprintf.
    - main: Warn when non-repeatable options are repeated
    A user might reasonably expect that `bwrap --seccomp 3 --seccomp 4 ...`
    would load seccomp programs from both fds 3 and 4, but in fact it only
    loads the program from fd 4.
    Helps: https://github.com/containers/bubblewrap/issues/453
    Resolves: https://github.com/containers/bubblewrap/issues/454
    - utils: Add warn()
    - Add SPDX-License-Identifier for files that already specify license
    This is a step towards REUSE compliance. Third-party files that we do
    not otherwise edit (git.mk, m4/attributes.m4) are excluded here.
    - tests: Use preferred spelling for SPDX license identifiers
    - Remove obsolete .travis.yml
    We no longer use Travis-CI.
    - Remove obsolete papr CI
    We no longer use this.
* Mon Sep 20 2021 Bjørn Lie <bjorn.lie@gmail.com>
  - Update to version 0.5.0:
    + New features:
    - --chmod changes permissions
    - --clearenv unsets every environment variable (except PWD)
    - --perms sets permissions for one subsequent --bind-data,
    - -dir, --file, --ro-bind-data or --tmpfs
    + Other enhancements:
    - Better diagnostics when a --bind or other bind-mount fails
    - zsh tab-completion
    - Better test coverage
    + Bug fixes:
    - Use Python 3 for tests and examples
    - Mount points for non-directories are created with permissions
    - r--r--r-- instead of -rw-rw-rw-
    - Don't remount items in /proc read-only if already EROFS,
      required to run under Docker
    - Allow mounting an non-directory over an existing
      non-directory, e.g. --bind "$XDG_RUNTIME_DIR/my-log-socket"
      /dev/log
    - Silence kernel messages for our bind-mounts
    - Make sure pkg-config is checked for, regardless of build
      options
    - Improve ability to bind-mount directories on case-insensitive
      filesystems
    - Fix -Wshadow warnings
    - Fix deprecation warnings with newer SELinux
  - Add new subpackage bubblewrap-zsh-completion
* Wed Apr 01 2020 Sebastian Wagner <sebix+novell.com@sebix.at>
  - Update to version 0.4.1:
    * retcode: fix return code with syncfd and no event_fd
    * Ensure we're always clearing the cap bounding set
    * tests: Update output patterns for libcap >= 2.29
    * Don't rely on geteuid() to know when to switch back from setuid root
    * Don't support --userns2 in setuid mode
    * fixes CVE-2020-5291
    * fixes bsc#1168291
* Fri Dec 20 2019 Bjørn Lie <bjorn.lie@gmail.com>
  - Update to version 0.4.0:
    + The biggest feature in this release is the support for joining
      existing user and pid namespaces. This doesn't work in the
      setuid mode (at the moment).
    + Other changes:
    - Stores namespace info in status json.
    - In setuid mode pid 1 is now marked dumpable.
    - Now builds with musl libc.

Files

/usr/bin/bwrap
/usr/share/bash-completion
/usr/share/bash-completion/completions
/usr/share/bash-completion/completions/bwrap
/usr/share/doc/packages/bubblewrap
/usr/share/doc/packages/bubblewrap/README.md
/usr/share/doc/packages/bubblewrap/demos
/usr/share/doc/packages/bubblewrap/demos/bubblewrap-shell.sh
/usr/share/doc/packages/bubblewrap/demos/flatpak-run.sh
/usr/share/doc/packages/bubblewrap/demos/flatpak.bpf
/usr/share/doc/packages/bubblewrap/demos/userns-block-fd.py
/usr/share/licenses/bubblewrap
/usr/share/licenses/bubblewrap/COPYING
/usr/share/man/man1/bwrap.1.gz


Generated by rpm2html 1.8.1

Fabrice Bellet, Thu Nov 7 00:51:36 2024