From 694a93b7121e5c595def22cd8b1cbf6e61c7f37b Mon Sep 17 00:00:00 2001
From: Max Rees
Date: Mon, 3 Jun 2019 14:53:52 -0400
Subject: system/bubblewrap: secbump to 0.3.3, add testing notes

https://github.com/projectatomic/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7b02958ed50e
Note: there is no version 0.3.2.
---
 system/bubblewrap/APKBUILD | 36 +++++++++++++++++++++++++++---------
 system/bubblewrap/tests.patch | 23 +++++++++++++++++++++++
 2 files changed, 50 insertions(+), 9 deletions(-)
 create mode 100644 system/bubblewrap/tests.patch
(limited to 'system/bubblewrap')
diff --git a/system/bubblewrap/APKBUILD b/system/bubblewrap/APKBUILD
index 0147c92c6..1589504a6 100644
--- a/system/bubblewrap/APKBUILD
+++ b/system/bubblewrap/APKBUILD
@@ -1,26 +1,32 @@
 # Contributor: Timo Teräs
-# Maintainer:
+# Maintainer: Max Rees
 pkgname=bubblewrap
-pkgver=0.3.1
+pkgver=0.3.3
 pkgrel=0
 pkgdesc="Unprivileged sandboxing tool"
 url="https://github.com/projectatomic/bubblewrap"
 arch="all"
-options="!check suid" # ?
+options="!check suid" # requires suid to already be set in order to check
 license="LGPL-2.0+"
 makedepends="autoconf automake libcap-dev docbook-xsl"
+checkdepends="sudo"
 subpackages="$pkgname-doc $pkgname-bash-completion:bashcomp:noarch"
 source="bubblewrap-$pkgver.tar.gz::https://github.com/projectatomic/bubblewrap/archive/v$pkgver.tar.gz
-	realpath-workaround.patch musl-fixes.patch"
+	realpath-workaround.patch
+	musl-fixes.patch
+	tests.patch"
+
+# secfixes:
+# 0.3.3-r0:
+# - CVE-2019-12439
 
 prepare() {
 	cd "$builddir"
-	NOCONFIGURE=1 ./autogen.sh
+	srcdir= NOCONFIGURE=1 ./autogen.sh
 	default_prepare
 }
 
 build() {
-	cd "$builddir"
 	./configure \
 		--build=$CBUILD \
 		--host=$CHOST \
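Review bot: `srcdir= NOCONFIGURE=1 ./autogen.sh` in prepare() blanks srcdir for the autogen run without saying why, and an assignment like that is exactly what a later maintainer will strip as noise. A one-line comment above it should record the reason, presumably that abuild's exported srcdir is picked up by autogen.sh/autoconf and taken for the source tree: `# blank abuild's srcdir so autogen.sh does not mistake it for the source tree`. The same hunk drops `cd "$builddir"` from build() while prepare() keeps it; that is harmless but worth making consistent in one direction.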
@@ -32,8 +38,19 @@ build() {
 	make
 }
 
+check() {
+	# Uses sudo to chown root and setuid $builddir/test-bwrap
+	#
+	# As of 0.3.3-r0, all tests pass on ppc64 except those relating
+	# to bind mounts over symlinks. Those tests fail because musl's
+	# realpath depends on the availability of /proc, which is not
+	# available in the middle of the setup procedure since pivot_root
+	# has been performed at least once. They have been patched to be
+	# skipped.
+	make check
+}
+
 package() {
-	cd "$builddir"
 	make install DESTDIR="$pkgdir"
 }
 
@@ -46,6 +63,7 @@ bashcomp() {
 	mv "$pkgdir"/usr/share/bash-completion/ "$subpkgdir"/usr/share/
 }
 
-sha512sums="fbc44976f53fdf8913b94c57d1f26a3b87c773e86a289e58fd3d7b1c4ea7f33c862f1a38a4f791315358990928768a68334f0a171302c18a16c7e2e9f1a146dd bubblewrap-0.3.1.tar.gz
+sha512sums="b1c38fad90ddaa23a5f2dd49f9ec3f9d9af7426af321ae9f7c43dd64f11a448b3502942a42112a1c6ebf8a4dea2e1196b17c31cca9c2f119dc2e0c1674c345ae bubblewrap-0.3.3.tar.gz
 400a0446670ebf80f16739f1a7a2878aadc3099424f957ba09ec3df780506c23a11368f0578c9e352d7ca6473fa713df826fad7a20c50338aa5f9fa9ac6b84a4 realpath-workaround.patch
-f59cda3b09dd99db9ca6d97099a15bb2523e054063d677502317ae3165ba2e32105a0ae8f877afc3827bd28d093c9d9d413270f4c87d9fe5f26f3eee670d916e musl-fixes.patch"
+f59cda3b09dd99db9ca6d97099a15bb2523e054063d677502317ae3165ba2e32105a0ae8f877afc3827bd28d093c9d9d413270f4c87d9fe5f26f3eee670d916e musl-fixes.patch
+d572a6296729ab192dd4f04707e0271df600d565897ce089b7f00b9ae6c62e71a087e864b4c4972e0a64aeb222a337ff4ed95560620c200cc44534db1ca79efd tests.patch"
diff --git a/system/bubblewrap/tests.patch b/system/bubblewrap/tests.patch
new file mode 100644
index 000000000..651d6269a
--- /dev/null
+++ b/system/bubblewrap/tests.patch
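Review bot: The new check() documents that sudo is used to chown root and setuid `$builddir/test-bwrap`, but `options` still carries `!check`, so abuild never calls this function and never installs the new checkdepends; the function is really a manual procedure and its comment should say so, e.g. `# Not run by abuild while options has !check; run by hand on a builder that allows sudo`. If the upstream harness does not drop the bit itself, a setuid-root binary is left in the build tree after the tests, so the function should end with `chmod u-s "$builddir"/test-bwrap` (whether `make check` already clears it is not visible from this hunk). The sha512sums hunk below is a plain checksum update and needs nothing further.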
@@ -0,0 +1,23 @@
+--- bubblewrap-0.3.3/tests/test-run.sh 2019-05-01 04:51:47.000000000 -0400
++++ bubblewrap-0.3.3/tests/test-run.sh 2019-06-03 14:43:33.881226220 -0400
+@@ -127,8 +127,9 @@
+ fi
+ 
+ # bind dest in symlink (https://github.com/projectatomic/bubblewrap/pull/119)
+- $RUN $ALT --dir /tmp/dir --symlink dir /tmp/link --bind /etc /tmp/link true
+- echo "ok - can bind a destination over a symlink"
++ #$RUN $ALT --dir /tmp/dir --symlink dir /tmp/link --bind /etc /tmp/link true
++ #echo "ok - can bind a destination over a symlink"
++ echo "ok # SKIP musl realpath depends on /proc"
+ done
+ 
+ # Test devices
+@@ -215,7 +216,7 @@
+ # Test --die-with-parent
+ 
+ cat >lockf-n.py <