From b69184e8883c15aa228494071596e830cd55b2b4 Mon Sep 17 00:00:00 2001
From: Tim Biermann
Date: Thu, 28 Mar 2024 20:57:37 +0100
Subject: [PATCH] bubblewrap: 0.8.0 -> 0.9.0

---
 bubblewrap/.footprint |   4 -
 bubblewrap/.signature |   9 +-
 bubblewrap/Pkgfile    |  32 +--
 bubblewrap/bwrap.1    | 600 ------------------------------------------
 4 files changed, 17 insertions(+), 628 deletions(-)
 delete mode 100644 bubblewrap/bwrap.1

diff --git a/bubblewrap/.footprint b/bubblewrap/.footprint
index 8bb1f1b56..c6c1e9c10 100644
--- a/bubblewrap/.footprint
+++ b/bubblewrap/.footprint
@@ -1,7 +1,3 @@
 drwxr-xr-x root/root usr/
 drwxr-xr-x root/root usr/bin/
 -rwsr-xr-x root/root usr/bin/bwrap
-drwxr-xr-x root/root usr/share/
-drwxr-xr-x root/root usr/share/man/
-drwxr-xr-x root/root usr/share/man/man1/
--rw-r--r-- root/root usr/share/man/man1/bwrap.1.gz
diff --git a/bubblewrap/.signature b/bubblewrap/.signature
index 9e4c2a0e2..1782f6067 100644
--- a/bubblewrap/.signature
+++ b/bubblewrap/.signature
@@ -1,6 +1,5 @@
 untrusted comment: verify with /etc/ports/opt.pub
-RWSE3ohX2g5d/TYTkYdsVZaijfHVMavGZnR9FMTLthWd16zneQJrL/Avw/ZigEtpp2NhnWIdkkZ6dZ37ff7e0C3gFSbOQI8/3Q8=
-SHA256 (Pkgfile) = ca3025e1f3ccd05d8998b0f43f011d6def4b5bc71fab486dbcbafb12832013b4
-SHA256 (.footprint) = e840364f489a4c6fab62400653cbbb4e93a1f83a8350aa8b12bffcc54c047102
-SHA256 (bubblewrap-0.8.0.tar.xz) = 957ad1149db9033db88e988b12bcebe349a445e1efc8a9b59ad2939a113d333a
-SHA256 (bwrap.1) = a9724fcf70fee82f975934d8f1201f6eab24fce5193613b0f196fbf92f25b8a1
+RWSE3ohX2g5d/aV2QJ3wOHFuXesfwlYbzTRgFG177/DIxMqG9YvVGVwwifnu8eX05vx/fYffxsJAMPp1azkgYn0S0jmW99NTtwE=
+SHA256 (Pkgfile) = fa10ee28766580712525c312bbca82ce66ef67ca7c10b8fb37052878456341b9
+SHA256 (.footprint) = 78e7fd8409cfd39ad2b3a99026693f824dae8fc640bec4f4e2419fd01bf4f2a9
+SHA256 (bubblewrap-0.9.0.tar.xz) = c6347eaced49ac0141996f46bba3b089e5e6ea4408bc1c43bab9f2d05dd094e1
diff --git a/bubblewrap/Pkgfile b/bubblewrap/Pkgfile
index 3166b1070..7d9ebc46c 100644
--- a/bubblewrap/Pkgfile
+++ b/bubblewrap/Pkgfile
@@ -2,31 +2,25 @@
 # URL: https://github.com/projectatomic/bubblewrap/
 # Maintainer: Tim Biermann, tbier at posteo dot de
 # Depends on: libcap
-# Optional: docbook-xsl
+# Optional: bash-completion docbook-xsl zsh
 
 name=bubblewrap
-version=0.8.0
+version=0.9.0
 release=1
-source=(https://github.com/projectatomic/bubblewrap/releases/download/v$version/$name-$version.tar.xz
-	bwrap.1)
+source=(https://github.com/projectatomic/bubblewrap/releases/download/v$version/$name-$version.tar.xz)
 
 build() {
-	cd $name-$version
+	prt-get isinst bash-completion || PKGMK_BUBBLEWRAP+=' -D bash_completion=disabled'
+	prt-get isinst zsh || PKGMK_BUBBLEWRAP+=' -D zsh_completion=disabled'
 
-	if [ ! -e '/usr/share/xml/docbook/xsl-stylesheets' ]; then
-		# build will fail if libxslt is installed witout docbook-xsl
-		PKGMK_BUBBLEWRAP+=' --disable-man'
-
-		install -Dm644 $SRC/bwrap.1 $PKG/usr/share/man/man1/bwrap.1
-	fi
-
-	./configure ${PKGMK_BUBBLEWRAP} \
+	meson setup $name-$version build $PKGMK_BUBBLEWRAP \
 		--prefix=/usr \
-		--with-priv-mode=setuid
+		--buildtype=plain \
+		--wrap-mode nodownload \
+		-D b_lto=true \
+		-D b_pie=true
+	meson compile -C build
+	DESTDIR=$PKG meson install -C build
 
-	make
-	make DESTDIR=$PKG install
-
-	prt-get isinst bash-completion || rm -r $PKG/usr/share/bash-completion
-	prt-get isinst zsh || rm -r $PKG/usr/share/zsh
+	chmod u+s $PKG/usr/bin/bwrap
 }
diff --git a/bubblewrap/bwrap.1 b/bubblewrap/bwrap.1
deleted file mode 100644
index d88e4afd3..000000000
--- a/bubblewrap/bwrap.1
+++ /dev/null
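Review bot: The setuid bit on the privileged helper is now applied by hand with `chmod u+s $PKG/usr/bin/bwrap` at the end of build(), replacing the build system's own `--with-priv-mode=setuid`, and `u+s` only adds one bit to whatever mode meson happened to install, so the final mode of a root-setuid binary is never stated in the port. Make it explicit with `chmod 4755 $PKG/usr/bin/bwrap`, which is the `-rwsr-xr-x` the .footprint records, or, if the 0.9.0 meson build exposes the autotools privilege-mode option under a name like `-D install_priv_mode=setuid` (verify against meson_options.txt in the tarball), pass that instead so the bit is set and documented by the build system. Either way a one-line comment above it would record why a setuid binary is shipped at all, e.g. `# install setuid root (was --with-priv-mode=setuid): without it bwrap needs unprivileged user namespaces`, which is the condition the removed man page states. The hunk also drops the `--disable-man` fallback while keeping docbook-xsl optional, so on a host that has docbook-xsl installed the man page will presumably be generated again and the new three-line .footprint will no longer match.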
@@ -1,600 +0,0 @@ -'\" t -.\" Title: bwrap -.\" Author: Alexander Larsson -.\" Generator: DocBook XSL Stylesheets vsnapshot -.\" Date: 04/25/2020 -.\" Manual: User Commands -.\" Source: Project Atomic -.\" Language: English -.\" -.TH "BWRAP" "1" "" "Project Atomic" "User Commands" -.\" ----------------------------------------------------------------- -.\" * Define some portability stuff -.\" ----------------------------------------------------------------- -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" http://bugs.debian.org/507673 -.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" ----------------------------------------------------------------- -.\" * set default formatting -.\" ----------------------------------------------------------------- -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.\" ----------------------------------------------------------------- -.\" * MAIN CONTENT STARTS HERE * -.\" ----------------------------------------------------------------- - - - - - -.SH "NAME" -bwrap \- container setup utility - -.SH "SYNOPSIS" -.HP \w'\fBbwrap\fR\ 'u - -\fBbwrap\fR - [\fIOPTION\fR...] - [\fICOMMAND\fR] - - - -.SH "DESCRIPTION" -.PP -\fBbwrap\fR -is a privileged helper for container setup\&. You are unlikely to use it directly from the commandline, although that is possible\&. -.PP -It works by creating a new, completely empty, filesystem namespace where the root is on a tmpfs that is invisible from the host, and which will be automatically cleaned up when the last process exits\&. You can then use commandline options to construct the root filesystem and process environment for the command to run in the namespace\&. -.PP -By default, -\fBbwrap\fR -creates a new mount namespace for the sandbox\&. 
Optionally it also sets up new user, ipc, pid, network and uts namespaces (but note the user namespace is required if bwrap is not installed setuid root)\&. The application in the sandbox can be made to run with a different UID and GID\&. -.PP -If needed (e\&.g\&. when using a PID namespace) -\fBbwrap\fR -is running a minimal pid 1 process in the sandbox that is responsible for reaping zombies\&. It also detects when the initial application process (pid 2) dies and reports its exit status back to the original spawner\&. The pid 1 process exits to clean up the sandbox when there are no other processes in the sandbox left\&. - - -.SH "OPTIONS" - - .PP -When options are used multiple times, the last option wins, unless otherwise specified\&. - - .PP -General options: - - - - .PP -\fB\-\-help\fR -.RS 4 - - - Print help and exit - - .RE - .PP -\fB\-\-version\fR -.RS 4 - - - Print version - - .RE - .PP -\fB\-\-args \fR\fBFD\fR -.RS 4 - - - Parse nul\-separated arguments from the given file descriptor\&. This option can be used multiple times to parse options from multiple sources\&. - - .RE - - .PP -Options related to kernel namespaces: - - - - .PP -\fB\-\-unshare\-user\fR -.RS 4 - - - Create a new user namespace - - .RE - .PP -\fB\-\-unshare\-user\-try\fR -.RS 4 - - - Create a new user namespace if possible else skip it - - .RE - .PP -\fB\-\-unshare\-ipc\fR -.RS 4 - - - Create a new ipc namespace - - .RE - .PP -\fB\-\-unshare\-pid\fR -.RS 4 - - - Create a new pid namespace - - .RE - .PP -\fB\-\-unshare\-net\fR -.RS 4 - - - Create a new network namespace - - .RE - .PP -\fB\-\-unshare\-uts\fR -.RS 4 - - - Create a new uts namespace - - .RE - .PP -\fB\-\-unshare\-cgroup\fR -.RS 4 - - - Create a new cgroup namespace - - .RE - .PP -\fB\-\-unshare\-cgroup\-try\fR -.RS 4 - - - Create a new cgroup namespace if possible else skip it - - .RE - .PP -\fB\-\-unshare\-all\fR -.RS 4 - - - Unshare all possible namespaces\&. 
Currently equivalent with: -\fB\-\-unshare\-user\-try\fR -\fB\-\-unshare\-ipc\fR -\fB\-\-unshare\-pid\fR -\fB\-\-unshare\-net\fR -\fB\-\-unshare\-uts\fR -\fB\-\-unshare\-cgroup\-try\fR - - .RE - .PP -\fB\-\-userns \fR\fBFD\fR -.RS 4 - - - Use an existing user namespace instead of creating a new one\&. The namespace must fulfil the permission requirements for setns(), which generally means that it must be a decendant of the currently active user namespace, owned by the same user\&. -.sp - - This is incompatible with \-\-unshare\-user, and doesn\*(Aqt work in the setuid version of bubblewrap\&. - - .RE - .PP -\fB\-\-userns2 \fR\fBFD\fR -.RS 4 - - - After setting up the new namespace, switch into the specified namespace\&. For this to work the specified namespace must be a decendant of the user namespace used for the setup, so this is only useful in combination with \-\-userns\&. -.sp - - This is useful because sometimes bubblewrap itself creates nested user namespaces (to work around some kernel issues) and \-\-userns2 can be used to enter these\&. - - .RE - .PP -\fB\-\-pidns \fR\fBFD\fR -.RS 4 - - - Use an existing pid namespace instead of creating one\&. This is often used with \-\-userns, because the pid namespace must be owned by the same user namespace that bwrap uses\&. -.sp - - Note that this can be combined with \-\-unshare\-pid, and in that case it means that the sandbox will be in its own pid namespace, which is a child of the passed in one\&. 
- - .RE - .PP -\fB\-\-uid \fR\fBUID\fR -.RS 4 - - - Use a custom user id in the sandbox (requires -\fB\-\-unshare\-user\fR) - - .RE - .PP -\fB\-\-gid \fR\fBGID\fR -.RS 4 - - - Use a custom group id in the sandbox (requires -\fB\-\-unshare\-user\fR) - - .RE - .PP -\fB\-\-hostname \fR\fBHOSTNAME\fR -.RS 4 - - - Use a custom hostname in the sandbox (requires -\fB\-\-unshare\-uts\fR) - - .RE - - .PP -Options about environment setup: - - - - .PP -\fB\-\-chdir \fR\fBDIR\fR -.RS 4 - - - Change directory to -DIR - - .RE - .PP -\fB\-\-setenv \fR\fBVAR\fR\fB \fR\fBVALUE\fR -.RS 4 - - - Set an environment variable - - .RE - .PP -\fB\-\-unsetenv \fR\fBVAR\fR -.RS 4 - - - Unset an environment variable - - .RE - - .PP -Options for monitoring the sandbox from the outside: - - - - .PP -\fB\-\-lock\-file \fR\fBDEST\fR -.RS 4 - - - Take a lock on -DEST -while the sandbox is running\&. This option can be used multiple times to take locks on multiple files\&. - - .RE - .PP -\fB\-\-sync\-fd \fR\fBFD\fR -.RS 4 - - - Keep this file descriptor open while the sandbox is running - - .RE - - .PP -Filesystem related options\&. These are all operations that modify the filesystem directly, or mounts stuff in the filesystem\&. These are applied in the order they are given as arguments\&. Any missing parent directories that are required to create a specified destination are automatically created as needed\&. 
- - - - .PP -\fB\-\-bind \fR\fBSRC\fR\fB \fR\fBDEST\fR -.RS 4 - - - Bind mount the host path -SRC -on -DEST - - .RE - .PP -\fB\-\-bind\-try \fR\fBSRC\fR\fB \fR\fBDEST\fR -.RS 4 - - - Equal to -\fB\-\-bind\fR -but ignores non\-existent -SRC - - .RE - .PP -\fB\-\-dev\-bind \fR\fBSRC\fR\fB \fR\fBDEST\fR -.RS 4 - - - Bind mount the host path -SRC -on -DEST, allowing device access - - .RE - .PP -\fB\-\-dev\-bind\-try \fR\fBSRC\fR\fB \fR\fBDEST\fR -.RS 4 - - - Equal to -\fB\-\-dev\-bind\fR -but ignores non\-existent -SRC - - .RE - .PP -\fB\-\-ro\-bind \fR\fBSRC\fR\fB \fR\fBDEST\fR -.RS 4 - - - Bind mount the host path -SRC -readonly on -DEST - - .RE - .PP -\fB\-\-ro\-bind\-try \fR\fBSRC\fR\fB \fR\fBDEST\fR -.RS 4 - - - Equal to -\fB\-\-ro\-bind\fR -but ignores non\-existent -SRC - - .RE - .PP -\fB\-\-remount\-ro \fR\fBDEST\fR -.RS 4 - - - Remount the path -DEST -as readonly\&. It works only on the specified mount point, without changing any other mount point under the specified path - - .RE - .PP -\fB\-\-proc \fR\fBDEST\fR -.RS 4 - - - Mount procfs on -DEST - - .RE - .PP -\fB\-\-dev \fR\fBDEST\fR -.RS 4 - - - Mount new devtmpfs on -DEST - - .RE - .PP -\fB\-\-tmpfs \fR\fBDEST\fR -.RS 4 - - - Mount new tmpfs on -DEST - - .RE - .PP -\fB\-\-mqueue \fR\fBDEST\fR -.RS 4 - - - Mount new mqueue on -DEST - - .RE - .PP -\fB\-\-dir \fR\fBDEST\fR -.RS 4 - - - Create a directory at -DEST - - .RE - .PP -\fB\-\-file \fR\fBFD\fR\fB \fR\fBDEST\fR -.RS 4 - - - Copy from the file descriptor -FD -to -DEST - - .RE - .PP -\fB\-\-bind\-data \fR\fBFD\fR\fB \fR\fBDEST\fR -.RS 4 - - - Copy from the file descriptor -FD -to a file which is bind\-mounted on -DEST - - .RE - .PP -\fB\-\-ro\-bind\-data \fR\fBFD\fR\fB \fR\fBDEST\fR -.RS 4 - - - Copy from the file descriptor -FD -to a file which is bind\-mounted readonly on -DEST - - .RE - .PP -\fB\-\-symlink \fR\fBSRC\fR\fB \fR\fBDEST\fR -.RS 4 - - - Create a symlink at -DEST -with target -SRC - - .RE - - .PP -Lockdown options: - - - - .PP 
-\fB\-\-seccomp \fR\fBFD\fR -.RS 4 - - - Load and use seccomp rules from -FD\&. The rules need to be in the form of a compiled eBPF program, as generated by seccomp_export_bpf\&. - - .RE - .PP -\fB\-\-exec\-label \fR\fBLABEL\fR -.RS 4 - - - Exec Label from the sandbox\&. On an SELinux system you can specify the SELinux context for the sandbox process(s)\&. - - .RE - .PP -\fB\-\-file\-label \fR\fBLABEL\fR -.RS 4 - - - File label for temporary sandbox content\&. On an SELinux system you can specify the SELinux context for the sandbox content\&. - - .RE - .PP -\fB\-\-block\-fd \fR\fBFD\fR -.RS 4 - - - Block the sandbox on reading from FD until some data is available\&. - - .RE - .PP -\fB\-\-userns\-block\-fd \fR\fBFD\fR -.RS 4 - - - Do not initialize the user namespace but wait on FD until it is ready\&. This allow external processes (like newuidmap/newgidmap) to setup the user namespace before it is used by the sandbox process\&. - - .RE - .PP -\fB\-\-info\-fd \fR\fBFD\fR -.RS 4 - - - Write information in JSON format about the sandbox to FD\&. - - .RE - .PP -\fB\-\-new\-session\fR -.RS 4 - - - Create a new terminal session for the sandbox (calls setsid())\&. This disconnects the sandbox from the controlling terminal which means the sandbox can\*(Aqt for instance inject input into the terminal\&. -.sp -Note: In a general sandbox, if you don\*(Aqt use \-\-new\-session, it is recommended to use seccomp to disallow the TIOCSTI ioctl, otherwise the application can feed keyboard input to the terminal\&. - - .RE - .PP -\fB\-\-die\-with\-parent\fR -.RS 4 - - - Ensures child process (COMMAND) dies when bwrap\*(Aqs parent dies\&. Kills (SIGKILL) all bwrap sandbox processes in sequence from parent to child including COMMAND process when bwrap or bwrap\*(Aqs parent dies\&. See prctl, PR_SET_PDEATHSIG\&. - - .RE - .PP -\fB\-\-as\-pid\-1\fR -.RS 4 - - - Do not create a process with PID=1 in the sandbox to reap child processes\&. 
- - .RE - .PP -\fB\-\-cap\-add \fR\fBCAP\fR -.RS 4 - - - Add the specified capability when running as privileged user\&. It accepts the special value ALL to add all the permitted caps\&. - - .RE - .PP -\fB\-\-cap\-drop \fR\fBCAP\fR -.RS 4 - - - Drop the specified capability when running as privileged user\&. It accepts the special value ALL to drop all the caps\&. By default no caps are left in the sandboxed process\&. The -\fB\-\-cap\-add\fR -and -\fB\-\-cap\-drop\fR -options are processed in the order they are specified on the command line\&. Please be careful to the order they are specified\&. - - .RE - - -.SH "ENVIRONMENT" - - - - - - .PP -\fBHOME\fR -.RS 4 - - - Used as the cwd in the sandbox if -\fB\-\-chdir\fR -has not been explicitly specified and the current cwd is not present inside the sandbox\&. The -\fB\-\-setenv\fR -option can be used to override the value that is used here\&. - - .RE - - -.SH "EXIT STATUS" - - - - .PP -The -\fBbwrap\fR -command returns the exit status of the initial application process (pid 2 in the sandbox)\&. - - -