daftaupe/opt
1
0
Fork 0
forked from ports/opt
Code Pull Requests Activity

bubblewrap: 0.8.0 -> 0.9.0

Browse Source
This commit is contained in:
Tim Biermann 2024-03-28 20:57:37 +01:00
parent 026423c7b9
commit b69184e888
Signed by untrusted user: tb
GPG Key ID: 42F8B4E30B673606
4 changed files with 17 additions and 628 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
bubblewrap/.footprint
View File

@ -1,7 +1,3 @@
drwxr-xr-x root/root usr/ drwxr-xr-x root/root usr/
drwxr-xr-x root/root usr/bin/ drwxr-xr-x root/root usr/bin/
-rwsr-xr-x root/root usr/bin/bwrap -rwsr-xr-x root/root usr/bin/bwrap
drwxr-xr-x root/root usr/share/
drwxr-xr-x root/root usr/share/man/
drwxr-xr-x root/root usr/share/man/man1/
-rw-r--r-- root/root usr/share/man/man1/bwrap.1.gz

9
bubblewrap/.signature
View File

@ -1,6 +1,5 @@
untrusted comment: verify with /etc/ports/opt.pub untrusted comment: verify with /etc/ports/opt.pub
RWSE3ohX2g5d/TYTkYdsVZaijfHVMavGZnR9FMTLthWd16zneQJrL/Avw/ZigEtpp2NhnWIdkkZ6dZ37ff7e0C3gFSbOQI8/3Q8= RWSE3ohX2g5d/aV2QJ3wOHFuXesfwlYbzTRgFG177/DIxMqG9YvVGVwwifnu8eX05vx/fYffxsJAMPp1azkgYn0S0jmW99NTtwE=
SHA256 (Pkgfile) = ca3025e1f3ccd05d8998b0f43f011d6def4b5bc71fab486dbcbafb12832013b4 SHA256 (Pkgfile) = fa10ee28766580712525c312bbca82ce66ef67ca7c10b8fb37052878456341b9
SHA256 (.footprint) = e840364f489a4c6fab62400653cbbb4e93a1f83a8350aa8b12bffcc54c047102 SHA256 (.footprint) = 78e7fd8409cfd39ad2b3a99026693f824dae8fc640bec4f4e2419fd01bf4f2a9
SHA256 (bubblewrap-0.8.0.tar.xz) = 957ad1149db9033db88e988b12bcebe349a445e1efc8a9b59ad2939a113d333a SHA256 (bubblewrap-0.9.0.tar.xz) = c6347eaced49ac0141996f46bba3b089e5e6ea4408bc1c43bab9f2d05dd094e1
SHA256 (bwrap.1) = a9724fcf70fee82f975934d8f1201f6eab24fce5193613b0f196fbf92f25b8a1

32
bubblewrap/Pkgfile
View File

@ -2,31 +2,25 @@
# URL: https://github.com/projectatomic/bubblewrap/ # URL: https://github.com/projectatomic/bubblewrap/
# Maintainer: Tim Biermann, tbier at posteo dot de # Maintainer: Tim Biermann, tbier at posteo dot de
# Depends on: libcap # Depends on: libcap
# Optional: docbook-xsl # Optional: bash-completion docbook-xsl zsh
name=bubblewrap name=bubblewrap
version=0.8.0 version=0.9.0
release=1 release=1
source=(https://github.com/projectatomic/bubblewrap/releases/download/v$version/$name-$version.tar.xz source=(https://github.com/projectatomic/bubblewrap/releases/download/v$version/$name-$version.tar.xz)
bwrap.1)
build() { build() {
cd $name-$version prt-get isinst bash-completion || PKGMK_BUBBLEWRAP+=' -D bash_completion=disabled'
prt-get isinst zsh || PKGMK_BUBBLEWRAP+=' -D zsh_completion=disabled'
if [ ! -e '/usr/share/xml/docbook/xsl-stylesheets' ]; then meson setup $name-$version build $PKGMK_BUBBLEWRAP \
# build will fail if libxslt is installed witout docbook-xsl
PKGMK_BUBBLEWRAP+=' --disable-man'
install -Dm644 $SRC/bwrap.1 $PKG/usr/share/man/man1/bwrap.1
fi
./configure ${PKGMK_BUBBLEWRAP} \
--prefix=/usr \ --prefix=/usr \
--with-priv-mode=setuid --buildtype=plain \
--wrap-mode nodownload \
-D b_lto=true \
-D b_pie=true
meson compile -C build
DESTDIR=$PKG meson install -C build
make chmod u+s $PKG/usr/bin/bwrap
make DESTDIR=$PKG install
prt-get isinst bash-completion || rm -r $PKG/usr/share/bash-completion
prt-get isinst zsh || rm -r $PKG/usr/share/zsh
} }

600
bubblewrap/bwrap.1
View File

@ -1,600 +0,0 @@
'\" t
.\" Title: bwrap
.\" Author: Alexander Larsson
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
.\" Date: 04/25/2020
.\" Manual: User Commands
.\" Source: Project Atomic
.\" Language: English
.\"
.TH "BWRAP" "1" "" "Project Atomic" "User Commands"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
bwrap \- container setup utility
.SH "SYNOPSIS"
.HP \w'\fBbwrap\fR\ 'u
\fBbwrap\fR
[\fIOPTION\fR...]
[\fICOMMAND\fR]
.SH "DESCRIPTION"
.PP
\fBbwrap\fR
is a privileged helper for container setup\&. You are unlikely to use it directly from the commandline, although that is possible\&.
.PP
It works by creating a new, completely empty, filesystem namespace where the root is on a tmpfs that is invisible from the host, and which will be automatically cleaned up when the last process exits\&. You can then use commandline options to construct the root filesystem and process environment for the command to run in the namespace\&.
.PP
By default,
\fBbwrap\fR
creates a new mount namespace for the sandbox\&. Optionally it also sets up new user, ipc, pid, network and uts namespaces (but note the user namespace is required if bwrap is not installed setuid root)\&. The application in the sandbox can be made to run with a different UID and GID\&.
.PP
If needed (e\&.g\&. when using a PID namespace)
\fBbwrap\fR
is running a minimal pid 1 process in the sandbox that is responsible for reaping zombies\&. It also detects when the initial application process (pid 2) dies and reports its exit status back to the original spawner\&. The pid 1 process exits to clean up the sandbox when there are no other processes in the sandbox left\&.
.SH "OPTIONS"
.PP
When options are used multiple times, the last option wins, unless otherwise specified\&.
.PP
General options:
.PP
\fB\-\-help\fR
.RS 4
Print help and exit
.RE
.PP
\fB\-\-version\fR
.RS 4
Print version
.RE
.PP
\fB\-\-args \fR\fBFD\fR
.RS 4
Parse nul\-separated arguments from the given file descriptor\&. This option can be used multiple times to parse options from multiple sources\&.
.RE
.PP
Options related to kernel namespaces:
.PP
\fB\-\-unshare\-user\fR
.RS 4
Create a new user namespace
.RE
.PP
\fB\-\-unshare\-user\-try\fR
.RS 4
Create a new user namespace if possible else skip it
.RE
.PP
\fB\-\-unshare\-ipc\fR
.RS 4
Create a new ipc namespace
.RE
.PP
\fB\-\-unshare\-pid\fR
.RS 4
Create a new pid namespace
.RE
.PP
\fB\-\-unshare\-net\fR
.RS 4
Create a new network namespace
.RE
.PP
\fB\-\-unshare\-uts\fR
.RS 4
Create a new uts namespace
.RE
.PP
\fB\-\-unshare\-cgroup\fR
.RS 4
Create a new cgroup namespace
.RE
.PP
\fB\-\-unshare\-cgroup\-try\fR
.RS 4
Create a new cgroup namespace if possible else skip it
.RE
.PP
\fB\-\-unshare\-all\fR
.RS 4
Unshare all possible namespaces\&. Currently equivalent with:
\fB\-\-unshare\-user\-try\fR
\fB\-\-unshare\-ipc\fR
\fB\-\-unshare\-pid\fR
\fB\-\-unshare\-net\fR
\fB\-\-unshare\-uts\fR
\fB\-\-unshare\-cgroup\-try\fR
.RE
.PP
\fB\-\-userns \fR\fBFD\fR
.RS 4
Use an existing user namespace instead of creating a new one\&. The namespace must fulfil the permission requirements for setns(), which generally means that it must be a decendant of the currently active user namespace, owned by the same user\&.
.sp
This is incompatible with \-\-unshare\-user, and doesn\*(Aqt work in the setuid version of bubblewrap\&.
.RE
.PP
\fB\-\-userns2 \fR\fBFD\fR
.RS 4
After setting up the new namespace, switch into the specified namespace\&. For this to work the specified namespace must be a decendant of the user namespace used for the setup, so this is only useful in combination with \-\-userns\&.
.sp
This is useful because sometimes bubblewrap itself creates nested user namespaces (to work around some kernel issues) and \-\-userns2 can be used to enter these\&.
.RE
.PP
\fB\-\-pidns \fR\fBFD\fR
.RS 4
Use an existing pid namespace instead of creating one\&. This is often used with \-\-userns, because the pid namespace must be owned by the same user namespace that bwrap uses\&.
.sp
Note that this can be combined with \-\-unshare\-pid, and in that case it means that the sandbox will be in its own pid namespace, which is a child of the passed in one\&.
.RE
.PP
\fB\-\-uid \fR\fBUID\fR
.RS 4
Use a custom user id in the sandbox (requires
\fB\-\-unshare\-user\fR)
.RE
.PP
\fB\-\-gid \fR\fBGID\fR
.RS 4
Use a custom group id in the sandbox (requires
\fB\-\-unshare\-user\fR)
.RE
.PP
\fB\-\-hostname \fR\fBHOSTNAME\fR
.RS 4
Use a custom hostname in the sandbox (requires
\fB\-\-unshare\-uts\fR)
.RE
.PP
Options about environment setup:
.PP
\fB\-\-chdir \fR\fBDIR\fR
.RS 4
Change directory to
DIR
.RE
.PP
\fB\-\-setenv \fR\fBVAR\fR\fB \fR\fBVALUE\fR
.RS 4
Set an environment variable
.RE
.PP
\fB\-\-unsetenv \fR\fBVAR\fR
.RS 4
Unset an environment variable
.RE
.PP
Options for monitoring the sandbox from the outside:
.PP
\fB\-\-lock\-file \fR\fBDEST\fR
.RS 4
Take a lock on
DEST
while the sandbox is running\&. This option can be used multiple times to take locks on multiple files\&.
.RE
.PP
\fB\-\-sync\-fd \fR\fBFD\fR
.RS 4
Keep this file descriptor open while the sandbox is running
.RE
.PP
Filesystem related options\&. These are all operations that modify the filesystem directly, or mounts stuff in the filesystem\&. These are applied in the order they are given as arguments\&. Any missing parent directories that are required to create a specified destination are automatically created as needed\&.
.PP
\fB\-\-bind \fR\fBSRC\fR\fB \fR\fBDEST\fR
.RS 4
Bind mount the host path
SRC
on
DEST
.RE
.PP
\fB\-\-bind\-try \fR\fBSRC\fR\fB \fR\fBDEST\fR
.RS 4
Equal to
\fB\-\-bind\fR
but ignores non\-existent
SRC
.RE
.PP
\fB\-\-dev\-bind \fR\fBSRC\fR\fB \fR\fBDEST\fR
.RS 4
Bind mount the host path
SRC
on
DEST, allowing device access
.RE
.PP
\fB\-\-dev\-bind\-try \fR\fBSRC\fR\fB \fR\fBDEST\fR
.RS 4
Equal to
\fB\-\-dev\-bind\fR
but ignores non\-existent
SRC
.RE
.PP
\fB\-\-ro\-bind \fR\fBSRC\fR\fB \fR\fBDEST\fR
.RS 4
Bind mount the host path
SRC
readonly on
DEST
.RE
.PP
\fB\-\-ro\-bind\-try \fR\fBSRC\fR\fB \fR\fBDEST\fR
.RS 4
Equal to
\fB\-\-ro\-bind\fR
but ignores non\-existent
SRC
.RE
.PP
\fB\-\-remount\-ro \fR\fBDEST\fR
.RS 4
Remount the path
DEST
as readonly\&. It works only on the specified mount point, without changing any other mount point under the specified path
.RE
.PP
\fB\-\-proc \fR\fBDEST\fR
.RS 4
Mount procfs on
DEST
.RE
.PP
\fB\-\-dev \fR\fBDEST\fR
.RS 4
Mount new devtmpfs on
DEST
.RE
.PP
\fB\-\-tmpfs \fR\fBDEST\fR
.RS 4
Mount new tmpfs on
DEST
.RE
.PP
\fB\-\-mqueue \fR\fBDEST\fR
.RS 4
Mount new mqueue on
DEST
.RE
.PP
\fB\-\-dir \fR\fBDEST\fR
.RS 4
Create a directory at
DEST
.RE
.PP
\fB\-\-file \fR\fBFD\fR\fB \fR\fBDEST\fR
.RS 4
Copy from the file descriptor
FD
to
DEST
.RE
.PP
\fB\-\-bind\-data \fR\fBFD\fR\fB \fR\fBDEST\fR
.RS 4
Copy from the file descriptor
FD
to a file which is bind\-mounted on
DEST
.RE
.PP
\fB\-\-ro\-bind\-data \fR\fBFD\fR\fB \fR\fBDEST\fR
.RS 4
Copy from the file descriptor
FD
to a file which is bind\-mounted readonly on
DEST
.RE
.PP
\fB\-\-symlink \fR\fBSRC\fR\fB \fR\fBDEST\fR
.RS 4
Create a symlink at
DEST
with target
SRC
.RE
.PP
Lockdown options:
.PP
\fB\-\-seccomp \fR\fBFD\fR
.RS 4
Load and use seccomp rules from
FD\&. The rules need to be in the form of a compiled eBPF program, as generated by seccomp_export_bpf\&.
.RE
.PP
\fB\-\-exec\-label \fR\fBLABEL\fR
.RS 4
Exec Label from the sandbox\&. On an SELinux system you can specify the SELinux context for the sandbox process(s)\&.
.RE
.PP
\fB\-\-file\-label \fR\fBLABEL\fR
.RS 4
File label for temporary sandbox content\&. On an SELinux system you can specify the SELinux context for the sandbox content\&.
.RE
.PP
\fB\-\-block\-fd \fR\fBFD\fR
.RS 4
Block the sandbox on reading from FD until some data is available\&.
.RE
.PP
\fB\-\-userns\-block\-fd \fR\fBFD\fR
.RS 4
Do not initialize the user namespace but wait on FD until it is ready\&. This allow external processes (like newuidmap/newgidmap) to setup the user namespace before it is used by the sandbox process\&.
.RE
.PP
\fB\-\-info\-fd \fR\fBFD\fR
.RS 4
Write information in JSON format about the sandbox to FD\&.
.RE
.PP
\fB\-\-new\-session\fR
.RS 4
Create a new terminal session for the sandbox (calls setsid())\&. This disconnects the sandbox from the controlling terminal which means the sandbox can\*(Aqt for instance inject input into the terminal\&.
.sp
Note: In a general sandbox, if you don\*(Aqt use \-\-new\-session, it is recommended to use seccomp to disallow the TIOCSTI ioctl, otherwise the application can feed keyboard input to the terminal\&.
.RE
.PP
\fB\-\-die\-with\-parent\fR
.RS 4
Ensures child process (COMMAND) dies when bwrap\*(Aqs parent dies\&. Kills (SIGKILL) all bwrap sandbox processes in sequence from parent to child including COMMAND process when bwrap or bwrap\*(Aqs parent dies\&. See prctl, PR_SET_PDEATHSIG\&.
.RE
.PP
\fB\-\-as\-pid\-1\fR
.RS 4
Do not create a process with PID=1 in the sandbox to reap child processes\&.
.RE
.PP
\fB\-\-cap\-add \fR\fBCAP\fR
.RS 4
Add the specified capability when running as privileged user\&. It accepts the special value ALL to add all the permitted caps\&.
.RE
.PP
\fB\-\-cap\-drop \fR\fBCAP\fR
.RS 4
Drop the specified capability when running as privileged user\&. It accepts the special value ALL to drop all the caps\&. By default no caps are left in the sandboxed process\&. The
\fB\-\-cap\-add\fR
and
\fB\-\-cap\-drop\fR
options are processed in the order they are specified on the command line\&. Please be careful to the order they are specified\&.
.RE
.SH "ENVIRONMENT"
.PP
\fBHOME\fR
.RS 4
Used as the cwd in the sandbox if
\fB\-\-chdir\fR
has not been explicitly specified and the current cwd is not present inside the sandbox\&. The
\fB\-\-setenv\fR
option can be used to override the value that is used here\&.
.RE
.SH "EXIT STATUS"
.PP
The
\fBbwrap\fR
command returns the exit status of the initial application process (pid 2 in the sandbox)\&.