Low-level unprivileged sandboxing tool used by Flatpak and similar projects

bubblewrap 0.9.0

bubblewrap-0.9.0.tar.xz no longer contains Autotools-generated files, although this version can still be built using Autotools after running ./autogen.sh. Future versions are likely to remove the Autotools build system altogether.

* --argv0 (#91)
* --symlink is now idempotent, meaning it succeeds if the symlink already exists and already has the desired target (#549, flatpak/flatpak#2387, flatpak/flatpak#3477, flatpak/flatpak#5255)
* --cap-add (#562)
* mount(2) fails with ENOSPC (#615, ValveSoftware/steam-runtime#637)
* --args, --seccomp or --add-seccomp-fd argument (#558)
* /mnt is a symlink (#599)

$ sha256sum -b bubblewrap-0.9.0.tar.xz
c6347eaced49ac0141996f46bba3b089e5e6ea4408bc1c43bab9f2d05dd094e1 *bubblewrap-0.9.0.tar.xz
bubblewrap 0.8.0

New features:
* --disable-userns option to prevent the sandbox from creating its own nested user namespace (#488)
* --assert-userns-disabled option to check that an existing userns was created with --disable-userns (#488)
* CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER (#550)
Bug fixes:
* capsh (#544)
Known issues:

$ sha256sum -b bubblewrap-0.8.0.tar.xz
957ad1149db9033db88e988b12bcebe349a445e1efc8a9b59ad2939a113d333a *bubblewrap-0.8.0.tar.xz
bubblewrap 0.7.0

New features:
* --size option controls the size of a subsequent --tmpfs (#509)
* ENOSPC (#487)
* RUNPATH can be set on the executable to make it easier to bundle its libcap dependency
Bug fixes:
* pkg-config is not disabled by --with-bash-completion-dir=PATH (#316, #342, #441)
* command -v in preference to non-standard which (#527)
* --help (#531)

$ sha256sum -b bubblewrap-0.7.0.tar.xz
764ab7100bd037ea53d440d362e099d7a425966bc62d1f00ab26b8fbb882a9dc *bubblewrap-0.7.0.tar.xz
bubblewrap 0.6.2

New features in Meson build:
* -Dbwrapdir=... changes the installation directory (useful when being used as a subproject)
* -Dtests=false disables unit tests
Bug fixes:
* Add --add-seccomp-fd to shell completions
* Document --add-seccomp-fd, --json-status-fd and --share-net in the man page

$ sha256sum -b bubblewrap-0.6.2.tar.xz
8a0ec802d1b3e956c5bb0a40a81c9ce0b055a31bf30a8efa547433603b8af20b *bubblewrap-0.6.2.tar.xz
bubblewrap 0.6.1

* bwrap --version when built with Meson (#477)

$ sha256sum -b bubblewrap-0.6.1.tar.xz
9609c7dc162bc68abc29abfab566934fdca37520a15ed01b675adcf3a4303282 *bubblewrap-0.6.1.tar.xz
bubblewrap 0.6.0

New features:
* --add-seccomp-fd option can be used to add more than one seccomp program (#453)
* --seccomp (#454)
* -Dprogram_prefix option is required: see tests/use-as-subproject/ for an example.
* --with-priv-mode=setuid option in this build system. Distributions that still require a setuid bubblewrap executable will need to chown and chmod the executable appropriately as a separate step in their packaging.
Bug fixes:
* PATH for better compatibility with non-FHS operating systems
* argc == 0, to harden against the equivalent of CVE-2021-4034 (this is not a security issue in our case)
Other changes:
* main

$ sha256sum -b bubblewrap-0.6.0.tar.xz
11393cf2058f22e6a6c6e9cca3c85ff4c4239806cb28fee657c62a544df35693 *bubblewrap-0.6.0.tar.xz
bubblewrap 0.5.0

New features:
* --chmod changes permissions
* --clearenv unsets every environment variable (except PWD)
* --perms sets permissions for one subsequent --bind-data, --dir, --file, --ro-bind-data or --tmpfs
Other enhancements:
* --bind or other bind-mount fails
* zsh tab-completion
Bug fixes:
* -r--r--r-- instead of -rw-rw-rw-
* /proc read-only if already EROFS, required to run under Docker
* --bind "$XDG_RUNTIME_DIR/my-log-socket" /dev/log
* pkg-config is checked for, regardless of build options
* -Wshadow warnings

$ sha256sum -b bubblewrap-0.5.0.tar.xz
16fdaf33799d63104e347e0133f909196fe90d0c50515d010bcb422eb5a00818 *bubblewrap-0.5.0.tar.xz
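The options introduced across these releases (--disable-userns from 0.8.0, --size for a following --tmpfs from 0.7.0, and --perms and --clearenv from this 0.5.0 release) combine into one locked-down invocation. The script below is an added example written for this page; it is not code from bubblewrap or its release notes. It assumes a merged-/usr host with bwrap 0.8.0 or newer on PATH and util-linux's unshare at /usr/bin/unshare; the 16 MiB tmpfs limit, the /work directory and the bound paths are arbitrary choices. The check_modifiers helper encodes the rule stated in the notes that --size and --perms apply only to the option that immediately follows them, and probe_nested_userns verifies from inside the sandbox that --disable-userns really stops a further unshare(CLONE_NEWUSER). --assert-userns-disabled, the counterpart for a sandbox that joins an existing user namespace with --userns and wants proof the restriction is already in place, is not exercised here.

```shell
#!/bin/sh
# Added example, not part of bubblewrap. Assumes merged /usr, bwrap >= 0.8.0
# on PATH and /usr/bin/unshare from util-linux. Paths and sizes are arbitrary.
set -eu

# Argument vector for a locked-down sandbox, one argument per line.
# --size applies only to the --tmpfs right after it and --perms only to the
# --dir right after it, so each pair is kept on one line.
# --clearenv runs before --setenv so PATH survives the wipe.
sandbox_args() {
  printf '%s\n' \
    --unshare-all --die-with-parent --new-session \
    --disable-userns \
    --ro-bind /usr /usr \
    --symlink usr/bin /bin --symlink usr/lib /lib --symlink usr/lib64 /lib64 \
    --proc /proc --dev /dev \
    --size 16777216 --tmpfs /tmp \
    --perms 0700 --dir /work \
    --clearenv --setenv PATH /usr/bin \
    --chdir /work
}

# Lint an argument list (one per line on stdin): every --size must be
# followed by BYTES and then --tmpfs; every --perms by OCTAL and then one of
# the five options the 0.5.0 notes list. Prints the first problem, exits 1.
check_modifiers() {
  awk '
    function nxt(n,  i) { for (i = 0; i < n; i++) if ((getline) <= 0) return ""; return $0 }
    $0 == "--size"  { if (nxt(2) != "--tmpfs") { print "--size must be followed by BYTES --tmpfs"; bad = 1 } next }
    $0 == "--perms" { if (nxt(2) !~ /^--(bind-data|dir|file|ro-bind-data|tmpfs)$/) { print "--perms must be followed by OCTAL and --bind-data, --dir, --file, --ro-bind-data or --tmpfs"; bad = 1 } next }
    END { exit bad }
  '
}

# Live probe: try "unshare -U true" inside the sandbox. With --disable-userns
# it must fail. Prints "blocked" (exit 0) or "allowed" (exit 1); exit 2 means
# the probe could not run here, which must not be mistaken for "blocked".
probe_nested_userns() {
  command -v bwrap >/dev/null 2>&1 && [ -x /usr/bin/unshare ] || return 2
  # Control run: if the sandbox itself cannot start on this host (for example
  # user namespaces are disabled), report "untested" rather than "blocked".
  # Word-splitting of $(sandbox_args) is safe: no argument contains whitespace.
  bwrap $(sandbox_args) /usr/bin/true 2>/dev/null || return 2
  if bwrap $(sandbox_args) /usr/bin/unshare -U /usr/bin/true 2>/dev/null; then
    echo allowed
    return 1
  fi
  echo blocked
}

sandbox_args | check_modifiers
probe_nested_userns || echo "probe status $? (2 = bwrap or unshare not usable here)"
```

The lint is deliberately independent of bwrap so a wrapper can fail early with a readable message; bwrap itself only reports a misplaced modifier once it parses the command line. The control run in probe_nested_userns matters on CI hosts and inside containers, where the outer bwrap may be the thing that fails, and a naive probe would then report the nested namespace as blocked.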
bubblewrap 0.4.1

This release fixes a privilege escalation bug pointed out by Stephen Röttger, where in some setups bubblewrap can be used to gain root permissions. Only version 0.4.0 is vulnerable, and only if installed setuid while at the same time the kernel supports unprivileged user namespaces. More details in the advisory here:
https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj
Additionally there are some minor changes:
Alexander Larsson (9):
Ensure we're always clearing the cap bounding set
Don't rely on geteuid() to know when to switch back from setuid root
Don't support --userns2 in setuid mode
drop_privs: More explicit argument name
Christian Kastner (1): tests: Update output patterns for libcap >= 2.29
Jean-Baptiste BESNARD (1): retcode: fix return code with syncfd and no event_fd
TomSweeneyRedHat (1): Add Code of Conduct
bubblewrap 0.4.0

The biggest feature in this release is the support for joining existing user and pid namespaces. This doesn't work in the setuid mode (at the moment).
Other changes:
Alexander Larsson (17):
Tests: Fix test count
setuid mode: Properly drop privs in monitor and pid1
Mark init process as dumpable so we can see stuff in its /proc
Add support for --userns and --userns2
tests: test --userns
utils: Add some utility function to pass pids over a socket
utils: Add fork_intermediate_child() helper
Add support for --pidns
Add tests for --pidns
tests: Better error message if assert_files_equal fails
Fix typo in comment
Drop cap bounding set also in --userns case
Allow --uid and --gid with --userns
tests: Fix --userns tests
--userns --uid: Only switch user if needed
Merge pull request #338 from containers/reuse-namespaces
Bump 0.4.0
Christian Kellner (3):
bwrap: set opt_unshare_cgroup when _try succeeds
bwrap: include the pid namespace id in status/json
tests: check namespace info in json
Colin Walters (1):
Post-release version bump
Jonathan Lebon (1):
ci: Bump to fedora/29/atomic
shawrkbait (1):
Add work-around for TEMP_FAILURE_RETRY to support musl
Git-EVTag-v0-SHA512: d3f07f58b50c579b27470722edfc87b741465ca37ff4d40c9f715d610a69a80a6e6035a0dee678158c1dd77edb0b06bed3ffd6393a784d4ed975c092eb151952
bubblewrap 0.3.3

(This release is the same as 0.3.2, but the version number in configure.ac was accidentally still set to 0.3.1.)
bubblewrap 0.3.2

This release fixes a mostly theoretical security issue in unusual/broken setups where $XDG_RUNTIME_DIR is unset.

There are some other smaller fixes, as well as an addition to the JSON API that allows reading the inner process exit code, separately from the bwrap exit code.
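The --json-status-fd stream added here is the reliable way to tell a failure of the sandboxed COMMAND from a failure of bwrap itself: bwrap's own exit status covers both, while the "exit-code" document is written only after COMMAND has actually run. The script below is an added example written for this page, not code from bubblewrap. It assumes a merged-/usr host and bwrap 0.3.2 or newer on PATH; the sample status lines are constructed to match the one-object-per-line format bwrap(1) documents for this fd, with the keys child-pid and exit-code.

```shell
#!/bin/sh
# Added example, not part of bubblewrap. Assumes merged /usr and bwrap >= 0.3.2
# on PATH. The sample below is constructed, not captured from a real run.
set -eu

# Print the integer value of KEY from a stream of one-JSON-object-per-line
# documents on stdin. Prints the last value seen (bwrap writes "exit-code"
# once, at the end) and nothing at all if the key never appears.
json_status_value() {
  key=$1
  sed -n "s/.*\"$key\"[[:space:]]*:[[:space:]]*\(-\{0,1\}[0-9][0-9]*\).*/\1/p" | tail -n 1
}

# Constructed sample of what bwrap emits for a COMMAND that exited with 3.
sample_status='{ "child-pid": 4242 }
{ "exit-code": 3 }'

sample_exit_code() { printf '%s\n' "$sample_status" | json_status_value exit-code; }
sample_child_pid() { printf '%s\n' "$sample_status" | json_status_value child-pid; }

# Live run: execute "$@" in a minimal sandbox with the status stream on fd 3,
# captured to a temp file. Prints "bwrap=<status> command=<exit-code|none>".
# "none" means bwrap never reached exec (setup failure), which a caller that
# only looked at bwrap's exit status could not distinguish from COMMAND failing.
run_with_status() {
  command -v bwrap >/dev/null 2>&1 || { echo "bwrap not installed"; return 2; }
  tmp=$(mktemp)
  set +e
  bwrap --unshare-all --die-with-parent \
        --ro-bind /usr /usr --symlink usr/bin /bin \
        --symlink usr/lib /lib --symlink usr/lib64 /lib64 \
        --proc /proc --dev /dev \
        --json-status-fd 3 "$@" 3>"$tmp"
  bwrap_status=$?
  set -e
  inner=$(json_status_value exit-code <"$tmp")
  rm -f "$tmp"
  echo "bwrap=$bwrap_status command=${inner:-none}"
}

echo "sample: child-pid=$(sample_child_pid) exit-code=$(sample_exit_code)"
run_with_status /bin/sh -c 'exit 3' || true
```

On a working host the live run prints bwrap=3 command=3, since bwrap propagates COMMAND's status; breaking the sandbox setup (for example binding a path that does not exist) yields a non-zero bwrap status with command=none, which is the case the separate channel exists for.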
Thanks to all contributors!
Iain Lane (1):
tests: Handle systems without merged-/usr
Jakub Wilk (2):
Fix typos
Print "Out of memory" on stderr, not stdout
Richard Maw (3):
Revert "README.md: Delete cat logo picture (not DFSG compliant)"
bwrap: add option json-status-fd to show child exit code
bwrap: Report COMMAND exit code in json-status-fd
Simon McVittie (3):
man page: Describe --chdir, not nonexistent --cwd
Don't create our own temporary mount point for pivot_root
tests: Ensure that tmpfs with oldroot/newroot doesn't appear in container
Timothy E Baldwin (1):
Make lockdata long enough on 32-bit with 64-bit file pointers.
Git-EVTag-v0-SHA512: 1320cc04e853be996e6fa53fb3e472f732ac02855ab05984fa3350aed1d8760fc3b9eac0e6af06843a1f6265afe424e042c937d64606ef2eb29ec53a3539c217