Releases: containers/bubblewrap
Release 0.1.5
This is a bugfix release; here are the major changes:
- Running bubblewrap as root now works again
- Various fixes for the testsuite
- Use same default compiler warnings as ostree
- Handle errors resolving symlinks during bind mounts
Alexander Larsson (2):
      bind-mount: Check for errors in realpath()
      Bump version to 0.1.5
Colin Walters (6):
      Don't call capset() unless we need to
      Only --unshare-user automatically if we're not root
      ci: Modernize a bit, add f25-ubsan
      README.md: Update with better one liner and more information
      utils: Add __attribute__((printf)) to die()
      build: Sync default warning -> error set from ostree
Simon McVittie (4):
      test-run: be a bash script
      test-run: don't assume we are uid 1000
      Adapt tests so they can be run against installed binaries
      Fix incorrect nesting of backticks when finding a FUSE mount
Git-EVTag-v0-SHA512: ea9673ef5b2df92a216da69ef5589dfd465175bc56feedafd126d0ab2e40f3183974de2c67c92f96470c749f91d4f9f55483cea54030cf35890ed4de18ca952f
$ sha256sum bubblewrap-0.1.5.tar.xz
a623489a31c0bc6e32ebfef8e55cde16cc0b5d042e5e645e215fda0fb7ec4aad bubblewrap-0.1.5.tar.xz
Release 0.1.4
This release contains a workaround for the kernel allowing the user
to ptrace any process in the child user namespace. Prior to this
workaround the user could attach to the setup code in bubblewrap
and take control while the child still had full privileges in
the user namespace (it could never get more privileges in the
parent namespace though). With the workaround, we're now true
to the README in that bubblewrap only allows a subset of the
user namespace features.
In order to fix the above we had to drop the support for a set-caps
binary. We now only support setuid 0 (or unprivileged if the kernel
has such user namespace support).
Additionally, this release fixes the handling of recursive bind mount
flags, where previously we sometimes failed to handle some uncommon
setups. If you were unable to start bwrap before due to mount errors,
this should now be fixed.
Alexander Larsson (11):
      Don't print double errors in case privileged helper dies
      Priv-sep: Don't trust client args for REMOUNT_RO_NO_RECURSIVE
      Add test with basic running operations
      Completely drop setcaps codepaths in favour of setuid
      Work around user-namespaces allowing ptrace
      utils: Add path_equal()
      bind-mounts: Fix handling of covered mountpoints
      tests/test-run.sh: Add some more tests that now work
      bind-mount: Fix issue when destination of mount is in a symlink
      Fix make dist
      Release 0.1.4
Colin Walters (2):
      .redhat-ci.yml: New file
      build: Dist bwrap.xml in tarball
Giuseppe Scrivano (3):
      bwrap: setuid to the sandbox uid
      bwrap: fix typos
      bubblewrap: do not leave zombie process
Git-EVTag-v0-SHA512: 55e170e25eee5f3c8eb947c1532bd7d9dffe74277b9964a28b0bc184800da3d904282668ced54a2bff53c3d9811b40435d8b1db30b5eab610fa85a0954ed20bf
Release 0.1.3 (fixes CVE-2016-8659)
This release fixes CVE-2016-8659 (#107),
which is a local privilege escalation that applies when
bubblewrap is installed with suid or file capabilities. This
vulnerability does not apply for systems/distributions which
unconditionally enable CLONE_NEWUSER access for unprivileged
users, as e.g. Fedora 24 and newer (as of this writing) do.
However, this will apply to systems such as CentOS/RHEL 7, Debian
stable, Arch, etc. that use bubblewrap as a gating mechanism for
container/app tooling like Flatpak.
The bubblewrap authors wish to thank Sebastian Krahmer, who
has found and responsibly reported many security issues over
time, including this one.
At this time, the bubblewrap authors still believe the codebase is a
sensible option for systems/distributions which don't want to enable
full CLONE_NEWUSER. However, the upstream kernel has improved, and
continues to do so. It's likely at some point in the future that
bubblewrap will evolve more flexibility around gating access to
CLONE_NEWUSER, such as only allowing it for logged in human users,
not background daemons.
Alexander Larsson (3):
      Move commandline args to top of the file
      Don't allow setting hostname if not unsharing UTS namespace
      Only set DUMPABLE when we need it (i.e. in user namespace child)
Bill Nottingham (1):
      Fix capability list in spec file.
Colin Walters (1):
      Release 0.1.3
Kenton Varda (1):
      Make notes on sandstorm.io somewhat more accurate
Git-EVTag-v0-SHA512: 47f77d675735c9ad7f134ac996843b8a6889be9a6a925d586ecc6a4138d2d8d35d1270da04198f09c69434be42a85319b4b763e45ac97e0fce9a961535567c99
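The 0.1.3 notes above say CVE-2016-8659 applies only when bubblewrap is installed with suid or file capabilities. The following audit helper is an added example, not part of the bubblewrap project: it classifies how a given bwrap binary is installed and applies that rule. The script name, the binary path and the version string passed in are assumptions supplied by the person running it.

```python
import os
import stat
import sys

FIXED_IN = (0, 1, 3)  # first release with the CVE-2016-8659 fix, per these notes


def install_mode(st_mode, has_file_caps):
    """Classify how a bwrap binary obtains its privileges."""
    if st_mode & stat.S_ISUID:
        return "setuid"
    if has_file_caps:
        return "file-caps"
    return "unprivileged"


def has_file_capabilities(path):
    """True if the file carries a security.capability xattr (Linux only)."""
    try:
        return len(os.getxattr(path, "security.capability")) > 0
    except (OSError, AttributeError):
        # OSError: attribute absent or unsupported; AttributeError: non-Linux.
        return False


def parse_version(text):
    """'0.1.2' -> (0, 1, 2). The caller supplies the version string."""
    return tuple(int(part) for part in text.strip().split("."))


def affected_by_cve_2016_8659(path, version):
    """Return (affected, mode): privileged install AND version older than 0.1.3."""
    mode = install_mode(os.stat(path).st_mode, has_file_capabilities(path))
    affected = mode != "unprivileged" and parse_version(version) < FIXED_IN
    return affected, mode


if __name__ == "__main__":
    # Usage (hypothetical script name; path and version come from your system):
    #   python3 bwrap_audit.py /usr/bin/bwrap 0.1.2
    binary, version = sys.argv[1], sys.argv[2]
    affected, mode = affected_by_cve_2016_8659(binary, version)
    print(f"{binary}: install mode={mode}, version={version}, affected={affected}")
    sys.exit(1 if affected else 0)
```

An install reported as "file-caps" on 0.1.4 or later is also worth flagging, since the 0.1.4 notes state that set-caps installs are no longer supported.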