Skip to content

@cgwalters cgwalters released this May 1, 2019 · 1 commit to master since this release

[This release is the same as 0.3.2 but the version number in configure.ac
was accidentally still set to 0.3.1)

This release fixes a mostly theoretical security issue in unusual/broken
setups where $XDG_RUNTIME_DIR is unset.

There are some other smaller fixes, as well as an addition to the JSON
API that allows reading the inner process exit code, separately from
the bwrap exit code.

Thanks to all contributors!

Iain Lane (1):
      tests: Handle systems without merged-/usr

Jakub Wilk (2):
      Fix typos
      Print "Out of memory" on stderr, not stdout

Richard Maw (3):
      Revert "README.md: Delete cat logo picture (not DFSG compliant)"
      bwrap: add option json-status-fd to show child exit code
      bwrap: Report COMMAND exit code in json-status-fd

Simon McVittie (3):
      man page: Describe --chdir, not nonexistent --cwd
      Don't create our own temporary mount point for pivot_root
      tests: Ensure that tmpfs with oldroot/newroot doesn't appear in container

Timothy E Baldwin (1):
      Make lockdata long enough on 32-bit with 64-bit file pointers.

Git-EVTag-v0-SHA512: 1320cc04e853be996e6fa53fb3e472f732ac02855ab05984fa3350aed1d8760fc3b9eac0e6af06843a1f6265afe424e042c937d64606ef2eb29ec53a3539c217

Assets 3
May 1, 2019
Release 0.3.2
This release fixes a mostly theoretical security issue in unusual/broken
setups where `$XDG_RUNTIME_DIR` is unset.

There are some other smaller fixes, as well as an addition to the JSON
API that allows reading the inner process exit code, separately from
the `bwrap` exit code.

Thanks to all contributors!

```
Iain Lane (1):
      tests: Handle systems without merged-/usr

Jakub Wilk (2):
      Fix typos
      Print "Out of memory" on stderr, not stdout

Richard Maw (3):
      Revert "README.md: Delete cat logo picture (not DFSG compliant)"
      bwrap: add option json-status-fd to show child exit code
      bwrap: Report COMMAND exit code in json-status-fd

Simon McVittie (3):
      man page: Describe --chdir, not nonexistent --cwd
      Don't create our own temporary mount point for pivot_root
      tests: Ensure that tmpfs with oldroot/newroot doesn't appear in container

Timothy E Baldwin (1):
      Make lockdata long enough on 32-bit with 64-bit file pointers.
```

Git-EVTag-v0-SHA512: 56fe39e400413c02d06f9ceae54718c252dcd0e79de77bf22095fc0f037aa8e4dd11a1cab0760d26e068b9d2dae041564a2c8331d56a408e6c772234cac98f3b

@alexlarsson alexlarsson released this Sep 26, 2018 · 12 commits to master since this release

New feature in this release is --bind-try (as well as --dev-bind-try
and --ro-bind-try) which works like the regular versions if the source
exists, but does nothing if it doesn't exist.

The mount type for the root tmpfs was also changed to "tmpfs" instead
of being empty, as the later could cause problems with some programs
when parsing the mountinfo files in /proc.

Alexander Larsson (1 PR, 1 commit)
  Post-release version bump to 0.3.1 (#285)

Colin Walters (1 PR, 1 commit)
  Use "tmpfs" instead of empty string for mount (#278)

Patrick Griffis (1 PR, 1 commit)
  Add --bind-try options (#283)

chocolateboy (1 PR, 1 commit)
  Fix doc typo (#280)
Assets 3

@cgwalters cgwalters released this Jul 11, 2018 · 16 commits to master since this release

The biggest feature from this release is that bwrap
now supports being invoked recursively (from other container
runtimes such as Docker/podman/runc as well as bwrap itself)
when user namespaces are enabled, and the outer container manager
allows it (Docker's default seccomp policy doesn't).

This is useful for testing scenarios; for example a project
uses Kubernetes for its CI, but inside build the project wants to run
each unit test in their own pid namespace, without going out
and creating a new pod for every single unit test.

Similarly, rpm-ostree compose tree uses bwrap internally for scripts,
and we want to support running rpm-ostree inside a container as well.

Another feature is bwrap now supports -- to terminate argument
parsing. To detect availablity of this, you could parse bwrap --version.

Thanks to all contributors!

Colin Walters (3 PRs, 3 commits)
  ci: Update to FAH27 (#262)
  Release 0.3.0 (#277)
  PR: #256
    Use pivot_root() instead of chroot() for final root
    (and 2 commits from other authors)

Giuseppe Scrivano (1 PR, 2 commits)
  PR: #256
    bwrap, pivot_root: do not require write access to the rootfs
    bwrap: do not always make /proc/{sys,sysrq-trigger,irq} ro
    (and 1 commits from other authors)

Olivier Blin (1 PR, 1 commit)
  Fix leak detected by LSan/ASan (#271)

Simon McVittie (1 PR, 1 commit)
  Add "--" pseudo-argument to end option parsing (#261)


Git-EVTag-v0-SHA512: 2acf37a4a482f4fcde5ff3ec7c0e04e7b7971d1da8c542b5b1a3284deb983ad8c879975e9e360f8da428d5f4ce0b451acdcba9d45c4c9488f6660f177eb5dd04
Assets 3

@alexlarsson alexlarsson released this Apr 6, 2018 · 23 commits to master since this release

This is a minor release with some fixes and cleanups.

We now distribute all the demos in the tarball and there was some
fixes to make them work on more distributions and with different
versions of python.

There was an issue with mkdir when running bubblewrap on an NFS
filesystem that has been fixed, so flatpak now works on NFS shares.

Some leaks have been fixed, including a file descriptor leak.

bubblewrap now builds on systems without PR_CAP_AMBIENT.

Alexander Larsson (2):
      Don't rely on mkdir returning EEXISTS (fixing NFS)
      Release 0.2.1

Marcos Paulo de Souza (2):
      Remove O_RDONLY flag when O_PATH is used
      README.md: Remove double dots

Mickaël Salaün (1):
      bubblewrap: Do not leak FDs dedicated to setup_newroot

Philip Withnall (2):
      tests: Correct number of tests in test-run.sh
      bwrap: Second attempt at fixing an argv handling leak

Simon McVittie (5):
      build: Include various interesting files in tarballs
      Skip prctl(PR_CAP_AMBIENT) if PR_CAP_AMBIENT isn't defined
      userns-block-fd: Search $PATH for python
      userns-block-fd: Search the PATH for bwrap
      userns-block-fd: Add support for Python 3
Assets 3

@cgwalters cgwalters released this Oct 9, 2017 · 35 commits to master since this release

Some new features in this release, and a variety of contributors, which is
always great to see!

On the bugfix side: bwrap now automatically detects the new
user namespace restrictions in Red Hat Enterprise Linux 7.4:
bubblewrap: check for max_user_namespaces == 0.
PR: #215

The most notable features are new arguments --as-pid1, and
--cap-add/--cap-drop. These were added for running systemd (or in general a
"full" init system) inside bubblewrap. But the capability options are also
useful for unprivileged callers to potentially retain capbilities inside the
sandbox (for example CAP_NET_ADMIN), when user namespaces are enabled.
Conversely, privileged callers (uid 0) can conversely drop capabilities (without
user namespaces). Contributed by Giuseppe Scrivano.
PR: #101

Another smaller feature is: With --dev, add /dev/fd and /dev/core symlinks
which should improve compatibility with older software.
PR: #207

Philip Withnall ran bwrap through Coverity; no critical issues
were found, but changes were made to pacify the analysis and we'll
be sure to keep the analyzer happy in the future.

Thanks in particular to Simon McVittie who contributed a lot of improvements
to the test suite, code review, as well as identified an issue with the
licensing of the logo.

Thanks to all contributors!

Alexander Larsson (1):
      Merge pull request #196 from giuseppe/no-reaper

Colin Walters (9):
      demos/shell: Use --die-with-parent
      main: Squash a -Wunused-result error, enable FORTIFY_SOURCE in CI
      tests: Import libtest-core.sh from ostree
      README.md: Delete cat logo picture (not DFSG compliant)
      Retain all caps when invoked by uid 0, work around systemd seccomp filter
      main: Fix typo, tweak command line argument descriptions
      With --dev, add /dev/fd and /dev/core symlinks
      Avoid leaking --args-fd to child process
      Release 0.2.0

Giuseppe Scrivano (8):
      bubblewrap: add --as-pid-1
      bubblewrap: add --cap-add and --cap-drop
      bubblewrap: add option --userns-block-fd
      demos: add demo userns-block-fd.py
      bubblewrap.c: fix typo
      bubblewrap: do not always leave caps in the unprivileged case
      tests: add tests for --cap-add
      README.md: add bwrap-oci to the list of users

Jonathan Lebon (1):
      ci: rename files to new name and bump to f26

Marcos Paulo de Souza (3):
      bubblewrap: Remove not needed MS_MGC_VAL mount flag
      bubblewrap.c: Fix typo secomp -> seccomp in drop_all_caps
      acquire_privs: Cosmetic change to reduce indentation

Philip Withnall (4):
      bubblewrap: Improve const-correctness of argv handling
      bubblewrap: Fix a minor memory leak in --args handling
      bubblewrap: Close FDs on exiting PID 1
      bubblewrap: Add various assertions on SetupOp handling

Simon McVittie (10):
      Distribute test helper library
      tests: Don't write to predictable filenames in /tmp
      tests: Improve diagnostics if non-root caps test fails
      tests: Send diagnostics to stderr
      tests: Interpret stdout as TAP syntax
      tests: Produce finer-grained TAP output
      tests: Ensure non-root users have access to libcap tools
      Partially revert "bubblewrap: Fix a minor memory leak in --args handling"
      tests: Add basic test coverage for --args
      tests: Fix a race condition between attempts to lock a file

Tristan Cacqueray (1):
      bubblewrap: check for max_user_namespaces == 0

Vasya Novikov (4):
      add --unshare-all completion
      bash completion: remove duplicates
      bash completion: fix code style
      bash completion: add --new-session

Vladimir Panteleev (1):
      Prefix error messages with program name

Git-EVTag-v0-SHA512: 6eafa80a60be2cd66396ab7d4a36e7c6c24ed0b0d8dc207ecee6252e7d45f04fd04e1997c60218f0bb8b90e60ee80ed46cc7d8b521b08cb1ba4450440ee646cf
Assets 3

@cgwalters cgwalters released this Mar 28, 2017 · 77 commits to master since this release

This release has a new notable feature in --die-with-parent,
which is based on the Linux prctl(PR_SET_PDEATHSIG) API.
I suspect most users of bwrap probably want to use this - if
for example if you run bwrap ... make check, this will help
ensure that no processes leak from the test suite.

Besides that, there's mostly a collection of smaller bugfixes.

Thanks to all contributors!

Aidan Hobson Sayers (2):
      Remove privileged_op flags that are never used
      Correctly validate remount-ro argument

Aleksa Sarai (1):
      README: update references to runC

Colin Walters (8):
      build: Remove unbalanced ) in help message
      tests: Use --unshare-user-try
      ci: Revamp to actually run the tests
      Be more informative if loopback setup fails
      tests: Fold test-basic.sh into test-run.sh
      ci: Disable ASAN leak checking
      main: Parse --version early before acquiring capabilities
      Release 0.1.8

Giuseppe Scrivano (1):
      test-run.sh: fix the path for the usage string

Marek Jarycki (1):
      Add --die-with-parent

Mario Sanchez Prada (1):
      Ignore EPERM when dropping caps from bounding set

Tristan Cacqueray (1):
      Ignore missing sysrq-trigger file

valoq (2):
      Add --require-userns build option for setuid mode
      Added --unshare-all to manpage


Git-EVTag-v0-SHA512: f5e3aa406f46241b83a0174a390048820d2040e35fba0b5a9d68bb634e3b6799205b9f854b99fa0cca05148752c8f4d255747023eaf4d5cd903f0da5d4905334
-----BEGIN PGP SIGNATURE-----

iQEwBAABCgAaBQJY2ntnExx3YWx0ZXJzQHZlcmJ1bS5vcmcACgkQ3EX9WSHBPws6
aAf/f18Y6e/OsIrEAKTI3ZDzI1AvgM6kZdi7xQDpuPURxmpeP6515n7LxXbsOBhX
fye4WuvNaM1YDiZVO69JR9OaYTlutqvBmJrHmw2b3WwO4jUf8IyS8VgGe+gfZL1X
/hGoh8aoAUxhIYDtOqC6Bj+fnziFdWgH3q8CsApXz32rNpANNurMQv2C/pLP+ROg
7sHwxFvcbGpjBviHjw0kmnCWKub4GGNnAPvQg/TMo4xx94mkbnUMxq27tw+k03VS
uV1O3wq8OE4bGIWXCdREdvpWaCiN8Bw1vFaLmrSLBmIXNry35k3l+bm6oAd1DRLP
lylBIhhdyV0yWIdn42besDwHsg==
=AOKE
-----END PGP SIGNATURE-----
Assets 3

@alexlarsson alexlarsson released this Jan 18, 2017 · 94 commits to master since this release

This release backs out the change in 0.1.6 which unconditionally
called setsid() in order to fix a security issue with TIOCSTI, aka
CVE-2017-522. That change caused some behavioural issues that are
hard to work with in some cases. For instance, it makes shell job
control not work for the bwrap command.

Instead there is now a new option --new-session which works like
0.1.6. It is recommended that you use this if possible, but if not we
recommended that you neutralize this some other way, for instance
using SECCOMP, which is what flatpak does:

flatpak/flatpak@902fb71

In order to make it easy to create maximally safe sandboxes we have
also added a new commandline switch called --unshare-all. It unshares
all possible namespaces and is currently equivalent with:

--unshare-user-try --unshare-ipc --unshare-pid --unshare-net
--unshare-uts --unshare-cgroup-try

However, the intent is that as new namespaces are added to the kernel they will
be added to this list. Additionally, if --share-net is specified the network
namespace is not unshared.

This release also has some bugfixes:

  • bwrap reaps (unexpected) children that are inherited from the
    parent, something which can happen if bwrap is part of a shell
    pipeline.
  • bwrap clears the capability bounding set. The permitted
    capabilities was already empty, and use of PR_NO_NEW_PRIVS should
    make it impossible to increase the capabilities, but more
    layers of protection is better.
  • The seccomp filter is now installed at the very end of bwrap, which
    means the requirement of the filter is minimal. Any bwrap seccomp
    filter must at least allow: execve, waitpid and write
Alexander Larsson (7):
      Handle inherited children dying
      Clear capability bounding set
      Make the call to setsid() optional, with --new-session
      demos/bubblewrap-shell.sh: Unshare all namespaces
      Call setsid() and setexeccon() befor forking the init monitor
      Install seccomp filter at the very end
      Bump version to 0.1.7

Colin Walters (6):
      Release 0.1.6
      man: Correct namespace user -> mount
      demo/shell: Add /var/tmp compat symlink, tweak PS1, add more docs
      Release 0.1.6
      ci: Combine ASAN and UBSAN
      Add --unshare-all and --share-net
$ sha256sum bubblewrap-0.1.7.tar.xz 
e98c1c1c0d353765e62e17b17913d21cce585eda8093cbdf17977377eee5e3de  bubblewrap-0.1.7.tar.xz
Assets 3

@cgwalters cgwalters released this Jan 10, 2017 · 106 commits to master since this release

This fixes a security issue with TIOCSTI, aka CVE-2017-522. Note bubblewrap is
far from the only program that has this issue, and I think the best fix is
probably in the kernel to support disabling this ioctl.

Programs can also work around this by calling setsid() on their own in an exec
handler before doing an exevp("bwrap").

Git-EVTag-v0-SHA512: aea2bc21fa6194f7d5c4eaf7294dd35e4434616678d2f79c1e9044aca063bf77db199b1030628ced2eb7d3a33d6a6419047e32ea7891be396d9ddb50a7b1f745
-----BEGIN PGP SIGNATURE-----

iQEwBAABCgAaBQJYdPxgExx3YWx0ZXJzQHZlcmJ1bS5vcmcACgkQ3EX9WSHBPwtv
NAgAr5CNW9ZZmYvNWGBm5W0uJuwb1rmBB5Pb2izEfBEi90MdrFg7ZQF+JJLB+EEQ
9XsKZLVd/d6drJkycf3fDq35tVzm6cEMq+pidnujGzS+skQqzmEpqISt8G2GQap0
MnnlJlLpwYwUMJvSqa4Xx/WDM/3Cf1FTI7jPwl1uBccU/4x2w0Apa0PG/pvsJ+3N
BxahkioeeMTrgd1a7BZbwUSMYnx0+4kB92v5JOnYh8wF/fCVgwlb5p0GN5Qz2jNj
YCxyeGZfGk/071/FiHDKW64cmSwEV9gPRWMeRT39n5MfRcKcP2tIEHEVxT61ErLR
OndJWLN2+hFmCxjdrOLSw9fmdw==
=OpAb
-----END PGP SIGNATURE-----
Assets 3

@alexlarsson alexlarsson released this Dec 19, 2016 · 107 commits to master since this release

This is a bugfix release, here are the major changes:

  • Running bubblewrap as root now works again
  • Various fixes for the testsuite
  • Use same default compiler warnings as ostree
  • Handle errors resolving symlinks during bind mounts
Alexander Larsson (2):
      bind-mount: Check for errors in realpath()
      Bump version to 0.1.5

Colin Walters (6):
      Don't call capset() unless we need to
      Only --unshare-user automatically if we're not root
      ci: Modernize a bit, add f25-ubsan
      README.md: Update with better one liner and more information
      utils: Add __attribute__((printf)) to die()
      build: Sync default warning -> error set from ostree

Simon McVittie (4):
      test-run: be a bash script
      test-run: don't assume we are uid 1000
      Adapt tests so they can be run against installed binaries
      Fix incorrect nesting of backticks when finding a FUSE mount

Git-EVTag-v0-SHA512: ea9673ef5b2df92a216da69ef5589dfd465175bc56feedafd126d0ab2e40f3183974de2c67c92f96470c749f91d4f9f55483cea54030cf35890ed4de18ca952f

$ sha256sum bubblewrap-0.1.5.tar.xz 
a623489a31c0bc6e32ebfef8e55cde16cc0b5d042e5e645e215fda0fb7ec4aad  bubblewrap-0.1.5.tar.xz
Assets 3
You can’t perform that action at this time.