authorA. Wilcox <awilcox@wilcox-tech.com>2019-06-13 19:01:49 +0000
committerA. Wilcox <awilcox@wilcox-tech.com>2019-06-13 19:01:49 +0000
commit17c03ea9c1f43a09bca16fefc01e912cdae6b4e0 (patch)
tree889f6b44491cf6e85fb3b79a9f3edf4744f75fe9
parent168b4574bffac2fa0066269f193237dd01e81199 (diff)
parent694a93b7121e5c595def22cd8b1cbf6e61c7f37b (diff)
Merge branch 'bwrap-secfix' into 'master'
system/bubblewrap: secbump to 0.3.3, add testing notes https://github.com/projectatomic/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7b02958ed50e Note: there is no version 0.3.2. See merge request !236
-rw-r--r--system/bubblewrap/APKBUILD36
-rw-r--r--system/bubblewrap/tests.patch23
2 files changed, 50 insertions, 9 deletions
diff --git a/system/bubblewrap/APKBUILD b/system/bubblewrap/APKBUILD
index 0147c92c6..1589504a6 100644
--- a/system/bubblewrap/APKBUILD
+++ b/system/bubblewrap/APKBUILD
@@ -1,26 +1,32 @@
# Contributor: Timo Teräs <timo.teras@iki.fi>
-# Maintainer:
+# Maintainer: Max Rees <maxcrees@me.com>
pkgname=bubblewrap
-pkgver=0.3.1
+pkgver=0.3.3
pkgrel=0
pkgdesc="Unprivileged sandboxing tool"
url="https://github.com/projectatomic/bubblewrap"
arch="all"
-options="!check suid" # ?
+options="!check suid" # requires suid to already be set in order to check
license="LGPL-2.0+"
makedepends="autoconf automake libcap-dev docbook-xsl"
+checkdepends="sudo"
subpackages="$pkgname-doc $pkgname-bash-completion:bashcomp:noarch"
source="bubblewrap-$pkgver.tar.gz::https://github.com/projectatomic/bubblewrap/archive/v$pkgver.tar.gz
- realpath-workaround.patch musl-fixes.patch"
+ realpath-workaround.patch
+ musl-fixes.patch
+ tests.patch"
+
+# secfixes:
+# 0.3.3-r0:
+# - CVE-2019-12439
prepare() {
cd "$builddir"
- NOCONFIGURE=1 ./autogen.sh
+ srcdir= NOCONFIGURE=1 ./autogen.sh
default_prepare
}
build() {
- cd "$builddir"
./configure \
--build=$CBUILD \
--host=$CHOST \
@@ -32,8 +38,19 @@ build() {
make
}
+check() {
+ # Uses sudo to chown root and setuid $builddir/test-bwrap
+ #
+ # As of 0.3.3-r0, all tests pass on ppc64 except those relating
+ # to bind mounts over symlinks. Those tests fail because musl's
+ # realpath depends on the availability of /proc, which is not
+ # available in the middle of the setup procedure since pivot_root
+ # has been performed at least once. They have been patched to be
+ # skipped.
+ make check
+}
+
package() {
- cd "$builddir"
make install DESTDIR="$pkgdir"
}
@@ -46,6 +63,7 @@ bashcomp() {
mv "$pkgdir"/usr/share/bash-completion/ "$subpkgdir"/usr/share/
}
-sha512sums="fbc44976f53fdf8913b94c57d1f26a3b87c773e86a289e58fd3d7b1c4ea7f33c862f1a38a4f791315358990928768a68334f0a171302c18a16c7e2e9f1a146dd bubblewrap-0.3.1.tar.gz
+sha512sums="b1c38fad90ddaa23a5f2dd49f9ec3f9d9af7426af321ae9f7c43dd64f11a448b3502942a42112a1c6ebf8a4dea2e1196b17c31cca9c2f119dc2e0c1674c345ae bubblewrap-0.3.3.tar.gz
400a0446670ebf80f16739f1a7a2878aadc3099424f957ba09ec3df780506c23a11368f0578c9e352d7ca6473fa713df826fad7a20c50338aa5f9fa9ac6b84a4 realpath-workaround.patch
-f59cda3b09dd99db9ca6d97099a15bb2523e054063d677502317ae3165ba2e32105a0ae8f877afc3827bd28d093c9d9d413270f4c87d9fe5f26f3eee670d916e musl-fixes.patch"
+f59cda3b09dd99db9ca6d97099a15bb2523e054063d677502317ae3165ba2e32105a0ae8f877afc3827bd28d093c9d9d413270f4c87d9fe5f26f3eee670d916e musl-fixes.patch
+d572a6296729ab192dd4f04707e0271df600d565897ce089b7f00b9ae6c62e71a087e864b4c4972e0a64aeb222a337ff4ed95560620c200cc44534db1ca79efd tests.patch"
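Review bot: The new `check()` in the second hunk and the added `checkdepends="sudo"` are never exercised by a normal build, because `options="!check suid"` in the first hunk still carries `!check`; the inline comment on that line gives the reason, but nothing in `check()` says how a maintainer is expected to run it or what it leaves behind. From its own header comment, `make check` chowns and setuids `$builddir/test-bwrap` via sudo, so a run presumably needs non-interactive sudo in the build environment and leaves a root-owned setuid binary in the build tree that an unprivileged cleanup cannot remove. I would add below the existing comment `# Only runs when !check is dropped from options; needs non-interactive sudo` and `# and leaves $builddir/test-bwrap setuid root until it is removed as root`. The `srcdir=` clearing added to `prepare()` also deserves a one-line why, e.g. `# autogen.sh presumably uses $srcdir as the source tree; abuild exports it as the unpacked-sources dir`.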
diff --git a/system/bubblewrap/tests.patch b/system/bubblewrap/tests.patch
new file mode 100644
index 000000000..651d6269a
--- /dev/null
+++ b/system/bubblewrap/tests.patch
@@ -0,0 +1,23 @@
+--- bubblewrap-0.3.3/tests/test-run.sh 2019-05-01 04:51:47.000000000 -0400
++++ bubblewrap-0.3.3/tests/test-run.sh 2019-06-03 14:43:33.881226220 -0400
+@@ -127,8 +127,9 @@
+ fi
+
+ # bind dest in symlink (https://github.com/projectatomic/bubblewrap/pull/119)
+- $RUN $ALT --dir /tmp/dir --symlink dir /tmp/link --bind /etc /tmp/link true
+- echo "ok - can bind a destination over a symlink"
++ #$RUN $ALT --dir /tmp/dir --symlink dir /tmp/link --bind /etc /tmp/link true
++ #echo "ok - can bind a destination over a symlink"
++ echo "ok # SKIP musl realpath depends on /proc"
+ done
+
+ # Test devices
+@@ -215,7 +216,7 @@
+ # Test --die-with-parent
+
+ cat >lockf-n.py <<EOF
+-#!/usr/bin/env python
++#!/usr/bin/env python3
+ import struct,fcntl,sys
+ path = sys.argv[1]
+ if sys.argv[2] == 'wait':
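Review bot: The `#!/usr/bin/env python3` shebang in the second hunk makes the `--die-with-parent` test depend on python3 at check time, yet the APKBUILD in this same commit lists only `checkdepends="sudo"`, so `make check` would presumably fail on that test unless python3 is already present in the build environment; `checkdepends="sudo python3"` would close that gap. In the first hunk the bind-over-symlink test is replaced by an unconditional `echo "ok # SKIP …"`, so the behaviour from PR #119 is no longer exercised on any architecture, not only where the musl realpath limitation has actually been observed. If the /proc precondition cannot be detected from the harness, the skip line should at least say the skip is unconditional and why, e.g. `echo "ok # SKIP bind over symlink: musl realpath needs /proc, unavailable mid-setup (unconditional skip)"`. Both hunks sit inside a loop body and a `cat` here-doc respectively, which begin and end outside the patch.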