Diffstat (limited to 'system/bubblewrap')
-rw-r--r--system/bubblewrap/APKBUILD37
-rw-r--r--system/bubblewrap/musl-fixes.patch17
-rw-r--r--system/bubblewrap/realpath-workaround.patch19
-rw-r--r--system/bubblewrap/tests.patch23
4 files changed, 17 insertions, 79 deletions
diff --git a/system/bubblewrap/APKBUILD b/system/bubblewrap/APKBUILD
index 8823c4db2..445c74852 100644
--- a/system/bubblewrap/APKBUILD
+++ b/system/bubblewrap/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Timo Teräs <timo.teras@iki.fi>
# Maintainer: Max Rees <maxcrees@me.com>
pkgname=bubblewrap
-pkgver=0.3.3
+pkgver=0.6.1
pkgrel=0
pkgdesc="Unprivileged sandboxing tool"
url="https://github.com/projectatomic/bubblewrap"
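Review bot: The `url` context line still points at github.com/projectatomic/bubblewrap while the new `source` line later in this file fetches the tarball from github.com/containers/bubblewrap, so the homepage and the download location now disagree. If the containers organisation is the project's current home, as the new source URL suggests, the homepage should follow it: `url="https://github.com/containers/bubblewrap"`. Keeping the two consistent also makes it obvious at a glance which upstream the secfixes entries refer to.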
@@ -9,22 +9,20 @@ arch="all"
options="!check suid" # requires suid to already be set in order to check
license="LGPL-2.0+"
makedepends="autoconf automake libcap-dev docbook-xsl"
-checkdepends="sudo"
+checkdepends="python3 sudo"
subpackages="$pkgname-nosuid $pkgname-doc
$pkgname-bash-completion:bashcomp:noarch"
-source="bubblewrap-$pkgver.tar.gz::https://github.com/projectatomic/bubblewrap/archive/v$pkgver.tar.gz
- realpath-workaround.patch
- musl-fixes.patch
- tests.patch"
+source="bubblewrap-$pkgver.tar.gz::https://github.com/containers/bubblewrap/archive/v$pkgver.tar.gz"
# secfixes:
# 0.3.3-r0:
-# - CVE-2019-12439
+# - CVE-2019-12439
+# 0.4.1-r0:
+# - GHSA-j2qp-rvxj-43vj
prepare() {
- cd "$builddir"
- srcdir= NOCONFIGURE=1 ./autogen.sh
default_prepare
+ NOCONFIGURE=1 ./autogen.sh
}
build() {
@@ -40,14 +38,16 @@ build() {
}
check() {
- # Uses sudo to chown root and setuid $builddir/test-bwrap
+ # 1. chown root and chmod u+s $builddir/test-bwrap
+ # 2. Run abuild check (suid test)
+ # 3. Unset permissions on test-bwrap
+ # 4. Run abuild check again (nosuid test)
#
- # As of 0.3.3-r0, all tests pass on ppc64 except those relating
- # to bind mounts over symlinks. Those tests fail because musl's
- # realpath depends on the availability of /proc, which is not
- # available in the middle of the setup procedure since pivot_root
- # has been performed at least once. They have been patched to be
- # skipped.
+ # As of 0.4.1, all tests pass except those relating to bind mounts
+ # over symlinks. Those tests fail because musl's realpath depends on
+ # the availability of /proc, which is not available in the middle of
+ # the setup procedure since pivot_root has been performed at least
+ # once. They have been patched to be skipped.
make check
}
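Review bot: The rewritten check() comment still ends with "They have been patched to be skipped", but this commit removes tests.patch (and the realpath-workaround.patch and musl-fixes.patch it was paired with) and the `source` line no longer lists any patch, so nothing in this APKBUILD skips those tests any more. Either the musl realpath issue no longer affects 0.6.1 and the whole paragraph should be dropped, or the symlink bind-mount tests still fail and the comment should say that plainly instead of referring to a patch that is gone; with `options="!check suid"` in place the comment is effectively the only record of the test status, so it is worth keeping accurate. The comment also says "As of 0.4.1" while `pkgver` is now 0.6.1; stating the version actually verified, e.g. `# As of 0.6.1 ...` with a final sentence such as `# These tests are no longer patched out here; status to be re-checked.`, would leave the next bumper with something they can trust.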
@@ -73,7 +73,4 @@ bashcomp() {
mv "$pkgdir"/usr/share/bash-completion/ "$subpkgdir"/usr/share/
}
-sha512sums="b1c38fad90ddaa23a5f2dd49f9ec3f9d9af7426af321ae9f7c43dd64f11a448b3502942a42112a1c6ebf8a4dea2e1196b17c31cca9c2f119dc2e0c1674c345ae bubblewrap-0.3.3.tar.gz
-400a0446670ebf80f16739f1a7a2878aadc3099424f957ba09ec3df780506c23a11368f0578c9e352d7ca6473fa713df826fad7a20c50338aa5f9fa9ac6b84a4 realpath-workaround.patch
-f59cda3b09dd99db9ca6d97099a15bb2523e054063d677502317ae3165ba2e32105a0ae8f877afc3827bd28d093c9d9d413270f4c87d9fe5f26f3eee670d916e musl-fixes.patch
-d572a6296729ab192dd4f04707e0271df600d565897ce089b7f00b9ae6c62e71a087e864b4c4972e0a64aeb222a337ff4ed95560620c200cc44534db1ca79efd tests.patch"
+sha512sums="30743cadc4f536430e253e1e21af5e0e56ae5dc4a11258faa42321b04b7490b54f904e72fc0147b23b0a0524870f41b5805c1482d20a11e0c4549bf8ae1d651f bubblewrap-0.6.1.tar.gz"
diff --git a/system/bubblewrap/musl-fixes.patch b/system/bubblewrap/musl-fixes.patch
deleted file mode 100644
index ecf626331..000000000
--- a/system/bubblewrap/musl-fixes.patch
+++ /dev/null
@@ -1,17 +0,0 @@
---- a/config.h.in
-+++ b/config.h.in
-@@ -102,3 +102,14 @@
-
- /* Define to 1 if you need to in order for `stat' and other things to work. */
- #undef _POSIX_SOURCE
-+
-+/* taken from glibc unistd.h and fixes musl */
-+#ifndef TEMP_FAILURE_RETRY
-+#define TEMP_FAILURE_RETRY(expression) \
-+ (__extension__ \
-+ ({ long int __result; \
-+ do __result = (long int) (expression); \
-+ while (__result == -1L && errno == EINTR); \
-+ __result; }))
-+#endif
-+
diff --git a/system/bubblewrap/realpath-workaround.patch b/system/bubblewrap/realpath-workaround.patch
deleted file mode 100644
index 6f1e3b54b..000000000
--- a/system/bubblewrap/realpath-workaround.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Musl realpath() implementation currently depends on /proc which is
-not available when setting up pivot root. For the time being just
-fallback to given path if realpath() fails. If there was symlinks
-that would have required normalizing the following parse_mountinfo()
-will fail.
-
-diff --git a/bind-mount.c b/bind-mount.c
-index 7d3543f..c33b701 100644
---- a/bind-mount.c
-+++ b/bind-mount.c
-@@ -397,7 +397,7 @@ bind_mount (int proc_fd,
- path, so to find it in the mount table we need to do that too. */
- resolved_dest = realpath (dest, NULL);
- if (resolved_dest == NULL)
-- return 2;
-+ resolved_dest = strdup (dest);
-
- mount_tab = parse_mountinfo (proc_fd, resolved_dest);
- if (mount_tab[0].mountpoint == NULL)
diff --git a/system/bubblewrap/tests.patch b/system/bubblewrap/tests.patch
deleted file mode 100644
index 651d6269a..000000000
--- a/system/bubblewrap/tests.patch
+++ /dev/null
@@ -1,23 +0,0 @@
---- bubblewrap-0.3.3/tests/test-run.sh 2019-05-01 04:51:47.000000000 -0400
-+++ bubblewrap-0.3.3/tests/test-run.sh 2019-06-03 14:43:33.881226220 -0400
-@@ -127,8 +127,9 @@
- fi
-
- # bind dest in symlink (https://github.com/projectatomic/bubblewrap/pull/119)
-- $RUN $ALT --dir /tmp/dir --symlink dir /tmp/link --bind /etc /tmp/link true
-- echo "ok - can bind a destination over a symlink"
-+ #$RUN $ALT --dir /tmp/dir --symlink dir /tmp/link --bind /etc /tmp/link true
-+ #echo "ok - can bind a destination over a symlink"
-+ echo "ok # SKIP musl realpath depends on /proc"
- done
-
- # Test devices
-@@ -215,7 +216,7 @@
- # Test --die-with-parent
-
- cat >lockf-n.py <<EOF
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- import struct,fcntl,sys
- path = sys.argv[1]
- if sys.argv[2] == 'wait':