4 files changed, 17 insertions, 79 deletions
diff --git a/system/bubblewrap/APKBUILD b/system/bubblewrap/APKBUILD
index 8823c4db2..445c74852 100644
--- a/system/bubblewrap/APKBUILD
+++ b/system/bubblewrap/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Timo Teräs <timo.teras@iki.fi>
 # Maintainer: Max Rees <maxcrees@me.com>
 pkgname=bubblewrap
-pkgver=0.3.3
+pkgver=0.6.1
 pkgrel=0
 pkgdesc="Unprivileged sandboxing tool"
 url="https://github.com/projectatomic/bubblewrap"
@@ -9,22 +9,20 @@ arch="all"
 options="!check suid"  # requires suid to already be set in order to check
 license="LGPL-2.0+"
 makedepends="autoconf automake libcap-dev docbook-xsl"
-checkdepends="sudo"
+checkdepends="python3 sudo"
 subpackages="$pkgname-nosuid $pkgname-doc
 	$pkgname-bash-completion:bashcomp:noarch"
-source="bubblewrap-$pkgver.tar.gz::https://github.com/projectatomic/bubblewrap/archive/v$pkgver.tar.gz
-	realpath-workaround.patch
-	musl-fixes.patch
-	tests.patch"
+source="bubblewrap-$pkgver.tar.gz::https://github.com/containers/bubblewrap/archive/v$pkgver.tar.gz"
 
 # secfixes:
 #   0.3.3-r0:
-#   - CVE-2019-12439
+#     - CVE-2019-12439
+#   0.4.1-r0:
+#     - GHSA-j2qp-rvxj-43vj
 
 prepare() {
-	cd "$builddir"
-	srcdir= NOCONFIGURE=1 ./autogen.sh
 	default_prepare
+	NOCONFIGURE=1 ./autogen.sh
 }
 
 build() {
@@ -40,14 +38,16 @@ build() {
 }
 
 check() {
-	# Uses sudo to chown root and setuid $builddir/test-bwrap
+	# 1. chown root and chmod u+s $builddir/test-bwrap
+	# 2. Run abuild check (suid test)
+	# 3. Unset permissions on test-bwrap
+	# 4. Run abuild check again (nosuid test)
 	#
-	# As of 0.3.3-r0, all tests pass on ppc64 except those relating
-	# to bind mounts over symlinks. Those tests fail because musl's
-	# realpath depends on the availability of /proc, which is not
-	# available in the middle of the setup procedure since pivot_root
-	# has been performed at least once. They have been patched to be
-	# skipped.
+	# As of 0.4.1, all tests pass except those relating to bind mounts
+	# over symlinks. Those tests fail because musl's realpath depends on
+	# the availability of /proc, which is not available in the middle of
+	# the setup procedure since pivot_root has been performed at least
+	# once. They have been patched to be skipped.
 	make check
 }
 
@@ -73,7 +73,4 @@ bashcomp() {
 	mv "$pkgdir"/usr/share/bash-completion/ "$subpkgdir"/usr/share/
 }
 
-sha512sums="b1c38fad90ddaa23a5f2dd49f9ec3f9d9af7426af321ae9f7c43dd64f11a448b3502942a42112a1c6ebf8a4dea2e1196b17c31cca9c2f119dc2e0c1674c345ae  bubblewrap-0.3.3.tar.gz
-400a0446670ebf80f16739f1a7a2878aadc3099424f957ba09ec3df780506c23a11368f0578c9e352d7ca6473fa713df826fad7a20c50338aa5f9fa9ac6b84a4  realpath-workaround.patch
-f59cda3b09dd99db9ca6d97099a15bb2523e054063d677502317ae3165ba2e32105a0ae8f877afc3827bd28d093c9d9d413270f4c87d9fe5f26f3eee670d916e  musl-fixes.patch
-d572a6296729ab192dd4f04707e0271df600d565897ce089b7f00b9ae6c62e71a087e864b4c4972e0a64aeb222a337ff4ed95560620c200cc44534db1ca79efd  tests.patch"
+sha512sums="30743cadc4f536430e253e1e21af5e0e56ae5dc4a11258faa42321b04b7490b54f904e72fc0147b23b0a0524870f41b5805c1482d20a11e0c4549bf8ae1d651f  bubblewrap-0.6.1.tar.gz"
diff --git a/system/bubblewrap/musl-fixes.patch b/system/bubblewrap/musl-fixes.patch
deleted file mode 100644
index ecf626331..000000000
--- a/system/bubblewrap/musl-fixes.patch
+++ /dev/null
@@ -1,17 +0,0 @@
---- a/config.h.in
-+++ b/config.h.in
-@@ -102,3 +102,14 @@
- 
- /* Define to 1 if you need to in order for `stat' and other things to work. */
- #undef _POSIX_SOURCE
-+
-+/* taken from glibc unistd.h and fixes musl */
-+#ifndef TEMP_FAILURE_RETRY
-+#define TEMP_FAILURE_RETRY(expression) \
-+  (__extension__                                                              \
-+    ({ long int __result;                                                     \
-+       do __result = (long int) (expression);                                 \
-+       while (__result == -1L && errno == EINTR);                             \
-+       __result; }))
-+#endif
-+
diff --git a/system/bubblewrap/realpath-workaround.patch b/system/bubblewrap/realpath-workaround.patch
deleted file mode 100644
index 6f1e3b54b..000000000
--- a/system/bubblewrap/realpath-workaround.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Musl realpath() implementation currently depends on /proc which is
-not available when setting up pivot root. For the time being just
-fallback to given path if realpath() fails. If there was symlinks
-that would have required normalizing the following parse_mountinfo()
-will fail.
-
-diff --git a/bind-mount.c b/bind-mount.c
-index 7d3543f..c33b701 100644
---- a/bind-mount.c
-+++ b/bind-mount.c
-@@ -397,7 +397,7 @@ bind_mount (int           proc_fd,
-      path, so to find it in the mount table we need to do that too. */
-   resolved_dest = realpath (dest, NULL);
-   if (resolved_dest == NULL)
--    return 2;
-+    resolved_dest = strdup (dest);
- 
-   mount_tab = parse_mountinfo (proc_fd, resolved_dest);
-   if (mount_tab[0].mountpoint == NULL)
diff --git a/system/bubblewrap/tests.patch b/system/bubblewrap/tests.patch
deleted file mode 100644
index 651d6269a..000000000
--- a/system/bubblewrap/tests.patch
+++ /dev/null
@@ -1,23 +0,0 @@
---- bubblewrap-0.3.3/tests/test-run.sh	2019-05-01 04:51:47.000000000 -0400
-+++ bubblewrap-0.3.3/tests/test-run.sh	2019-06-03 14:43:33.881226220 -0400
-@@ -127,8 +127,9 @@
-     fi
- 
-     # bind dest in symlink (https://github.com/projectatomic/bubblewrap/pull/119)
--    $RUN $ALT --dir /tmp/dir --symlink dir /tmp/link --bind /etc /tmp/link true
--    echo "ok - can bind a destination over a symlink"
-+    #$RUN $ALT --dir /tmp/dir --symlink dir /tmp/link --bind /etc /tmp/link true
-+    #echo "ok - can bind a destination over a symlink"
-+    echo "ok # SKIP musl realpath depends on /proc"
- done
- 
- # Test devices
-@@ -215,7 +216,7 @@
- # Test --die-with-parent
- 
- cat >lockf-n.py <<EOF
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- import struct,fcntl,sys
- path = sys.argv[1]
- if sys.argv[2] == 'wait':