diff --git a/debian/50-bubblewrap.conf b/debian/50-bubblewrap.conf new file mode 100644 index 0000000..d3a8dd0 --- /dev/null +++ b/debian/50-bubblewrap.conf @@ -0,0 +1,10 @@ +# Enable unprivileged creation of new user namespaces in older Debian +# kernels. +# +# If this is not desired, copy this file to +# /etc/sysctl.d/50-bubblewrap.conf and change the value of this parameter +# to 0, then use dpkg-statoverride to make /usr/bin/bwrap setuid root. +# +# For more details see https://deb.li/bubblewrap or +# /usr/share/doc/bubblewrap/README.Debian +kernel.unprivileged_userns_clone=1 diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 0000000..709ddac --- /dev/null +++ b/debian/README.Debian @@ -0,0 +1,172 @@ +bubblewrap kernel requirements +============================== + +bubblewrap can be used by various parts of the system to run +partially-trusted programs in a sandboxed environment where their impact +on system security is reduced. For example: + +- Flatpak uses bubblewrap to run partially-trusted, user-installable + apps in a sandboxed environment. + +- libgnome-desktop uses bubblewrap to run thumbnailers in a sandboxed + environment, so that if there are security flaws in an image decoder + used by a thumbnailer, the process of generating thumbnails for a + maliciously crafted image cannot be used to attack the rest of the + system. + +bubblewrap can also be used to run trusted programs in a different +environment, for example with different shared libraries available: + +- Flatpak uses bubblewrap to run apps with a predictable library stack + that does not match the rest of the system, even if those apps are + trusted and so do not need to be sandboxed for security. + +- Steam uses bubblewrap to run some games with a predictable library + stack that does not match the rest of the system. + +The necessary capabilities to do this can be obtained in one of two +ways: + +- On kernels where unprivileged users can create new user namespaces, + bubblewrap's bwrap executable can be an ordinary unprivileged program. + +- On kernels where this is not possible, bubblewrap will not work unless + the /usr/bin/bwrap executable is setuid root. Some bubblewrap and Flatpak + features will not work in this configuration for security reasons. + +Newer Debian kernels (Linux 5.10 and newer; Debian 11 and newer) +---------------------------------------------------------------- + +Debian kernels since 5.10 allow unprivileged users to create new user +namespaces. The bwrap executable can be made non-setuid on these kernels. + +By default, the bubblewrap package in Debian no longer installs a setuid +root /usr/bin/bwrap executable. + +Ubuntu kernels (Ubuntu 18.04 and newer) +--------------------------------------- + +Ubuntu kernels also allow unprivileged users to create new user +namespaces. The bwrap executable can be made non-setuid on these kernels, +and the Ubuntu bubblewrap package does not install a setuid executable. + +Older Debian kernels (Linux 5.9 and older; Debian 10 and older) +--------------------------------------------------------------- + +Debian kernels older than 5.10 have support for user namespaces, but +that feature is disabled by default to reduce the kernel's attack +surface. + +The bubblewrap package contains configuration in +/usr/lib/sysctl.d/50-bubblewrap.conf to enable user namespaces +(see "Enabling kernel.unprivileged_userns_clone", below). + +If this is not desired, system administrators can copy that file +to /etc/sysctl.d/50-bubblewrap.conf and modify it to disable unprivileged +creation of user namespaces, then make bubblewrap setuid root so that it +still works as intended (see "Making bubblewrap setuid root", below). + +Custom and third-party kernels +------------------------------ + +If you compile your own kernel, you will need at least +CONFIG_NAMESPACES=y and preferably CONFIG_USER_NS=y. + +If you do not have CONFIG_UTS_NS=y, CONFIG_IPC_NS=y, CONFIG_USER_NS=y, +CONFIG_PID_NS=y and CONFIG_NET_NS=y, then the corresponding bubblewrap +features will not work. + +Configuring kernel.unprivileged_userns_clone +-------------------------------------------- + +This Debian-specific sysctl parameter controls whether unprivileged +users are allowed to create new user namespaces. + +If it is set to 0, some attacks against the kernel are made more difficult, +which can increase security. However, some user-space software will not +be able to create a sandboxed environment or will have to rely on a +setuid version of bubblewrap to create a sandboxed environment, which +reduces security. The value of this sysctl parameter is a trade-off +between different security risks. + +If this parameter is set to 0, bubblewrap and Flatpak will not work unless +bwrap is made setuid root (see "Making bubblewrap setuid root" below). + +The default is 1 for Debian kernels that are version 5.10 or newer, +1 for Ubuntu kernels, or 0 for older Debian kernels. The bubblewrap +package contains configuration in /usr/lib/sysctl.d/50-bubblewrap.conf +to set this parameter to 1 during system startup. + +If this is not desired, system administrators can copy +/usr/lib/sysctl.d/50-bubblewrap.conf to /etc/sysctl.d/50-bubblewrap.conf +and modify it to disable unprivileged creation of user namespaces, then +make bubblewrap setuid root so that it still works as intended (see +"Making bubblewrap setuid root", below). + +You can view the current setting with: + + cat /proc/sys/kernel/unprivileged_userns_clone + +and temporarily set it to 1 (until the next reboot) with: + + sudo sysctl -w kernel.unprivileged_userns_clone=1 + +Configuring the maximum number of namespaces per user +----------------------------------------------------- + +The number of user namespaces per user is limited. The default limit +depends on the amount of RAM available. + +Setting this limit to 0 is the recommended way to disable user namespace +creation if this is required as a security hardening measure. bubblewrap +will not work with this limit set to 0, unless it is setuid root (see +"Configuring whether bubblewrap is setuid root" below). + +The limit is given by the user.max_user_namespaces sysctl parameter. + +You can view the current setting with: + + cat /proc/sys/user/max_user_namespaces + +and temporarily set it to a value (until the next reboot) with a +command like: + + sudo sysctl -w user.max_user_namespaces=1000 + +To set it to a value during system startup, create a file in /etc/sysctl.d +containing a line like this: + + user.max_user_namespaces=1000 + +Configuring whether bubblewrap is setuid root +--------------------------------------------- + +To use bubblewrap with kernel.unprivileged_userns_clone set to 0 +or user.max_user_namespaces set to 0, it is necessary to make the bwrap +executable setuid root. This gives it the necessary capabilities to set +up containers even when run by an otherwise unprivileged user, and is the +configuration normally used in Debian 10. + +This can be a security risk: if there are bugs in bubblewrap, it might be +possible for an unprivileged user to get root privileges by running a +setuid version of the bwrap executable. CVE-2020-5291 and CVE-2016-8659 +are examples of bugs that had this effect in the past. However, it allows +the kernel to be configured to disallow creation of user namespaces by +unprivileged users, which prevents attacks like CVE-2016-3135 from being +carried out against the kernel. This is a trade-off between different +security risks. + +To avoid other attacks, some Flatpak and bubblewrap features are not +available when bwrap is setuid root, and the absence of those features +is known to break some Flatpak apps. For example, the Flatpak app for +the Chromium web browser will not work with a setuid bwrap executable. + +To check whether the bwrap executable will be made setuid root after +the next upgrade, use this command: + + dpkg-statoverride --list /usr/bin/bwrap + +To force the bwrap executable to be setuid root, use these commands: + + sudo dpkg-statoverride --quiet --remove /usr/bin/bwrap + sudo dpkg-statoverride --update --add root root 4755 /usr/bin/bwrap diff --git a/debian/bubblewrap.bug-script b/debian/bubblewrap.bug-script new file mode 100755 index 0000000..a026cb5 --- /dev/null +++ b/debian/bubblewrap.bug-script @@ -0,0 +1,16 @@ +#!/bin/sh +set -eu +exec >&3 2>&3 + +echo "Permissions of /usr/bin/bwrap:" +ls -l /usr/bin/bwrap || : + +for f in \ + /etc/sysctl.d/*-bubblewrap.conf \ + /usr/lib/sysctl.d/*-bubblewrap.conf \ + /proc/sys/kernel/unprivileged_userns_clone \ + /proc/sys/user/max_*_namespaces \ +; do + echo "$f:" + cat "$f" || : +done diff --git a/debian/bubblewrap.examples b/debian/bubblewrap.examples new file mode 100644 index 0000000..dde105a --- /dev/null +++ b/debian/bubblewrap.examples @@ -0,0 +1 @@ +demos/* diff --git a/debian/bubblewrap.install b/debian/bubblewrap.install new file mode 100644 index 0000000..ec7b425 --- /dev/null +++ b/debian/bubblewrap.install @@ -0,0 +1 @@ +debian/50-bubblewrap.conf usr/lib/sysctl.d diff --git a/debian/bubblewrap.postinst b/debian/bubblewrap.postinst new file mode 100644 index 0000000..297f29e --- /dev/null +++ b/debian/bubblewrap.postinst @@ -0,0 +1,10 @@ +#!/bin/sh + +set -e + +#DEBHELPER# + +# Apply sysctl configuration after upgrade +if command -v sysctl > /dev/null; then + sysctl --quiet --pattern '^kernel\.unprivileged_userns_clone$' --system || : +fi diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..270eeb9 --- /dev/null +++ b/debian/changelog @@ -0,0 +1,5 @@ +bubblewrap (0.9.0-ok1) nile; urgency=medium + + * Build for openKylin. + + -- Luoyaoming Wed, 24 Apr 2024 09:11:58 +0800 diff --git a/debian/clean b/debian/clean new file mode 100644 index 0000000..5da17f8 --- /dev/null +++ b/debian/clean @@ -0,0 +1 @@ +config.log diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..3593de0 --- /dev/null +++ b/debian/control @@ -0,0 +1,50 @@ +Source: bubblewrap +Section: admin +Priority: optional +Maintainer: openKylin Developers +XSBC-Original-Maintainer: Utopia Maintenance Team +Uploaders: + Laszlo Boszormenyi (GCS) , + Simon McVittie , +Build-Depends: + bash-completion, + debhelper-compat (= 13), + docbook-xml, + docbook-xsl, + iproute2 , + libcap-dev, + libcap2-bin , + libipc-run-perl , + libselinux1-dev, + meson, + perl:any , + pkgconf, + python3:any , + xsltproc, +Standards-Version: 4.6.2 +Homepage: https://github.com/containers/bubblewrap +Vcs-Git: https://salsa.debian.org/debian/bubblewrap.git +Vcs-Browser: https://salsa.debian.org/debian/bubblewrap +Rules-Requires-Root: no + +Package: bubblewrap +Architecture: linux-any +Multi-Arch: foreign +Depends: + ${misc:Depends}, + ${shlibs:Depends}, +Recommends: + procps, +Description: utility for unprivileged chroot and namespace manipulation + bubblewrap uses Linux namespaces to launch unprivileged containers. + These containers can be used to sandbox semi-trusted applications such + as Flatpak apps, image/video thumbnailers and web browser components, + or to run programs in a different library stack such as a Flatpak runtime + or a different Debian release. + . + By default, this package relies on a kernel with user namespaces enabled. + Official Debian and Ubuntu kernels are suitable. + . + On kernels without user namespaces, system administrators can make the + bwrap executable setuid root, allowing it to create unprivileged + containers even though ordinary user processes cannot. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..74c43c0 --- /dev/null +++ b/debian/copyright @@ -0,0 +1,89 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: bubblewrap +Source: https://github.com/containers/bubblewrap/ + +Files: * +Copyright: + 2016 Alexander Larsson + 2021 Simon McVittie + 2022 Collabora Ltd. +License: LGPL-2+ + +Files: bubblewrap.jpg +Copyright: none +License: pd-bubblewrap.jpg + Placed in the public domain by the photographer "dancing_stupidity". + +Files: debian/* +Copyright: + 2016 Laszlo Boszormenyi (GCS) + 2016-2024 Simon McVittie + 2016-2024 Collabora Ltd. +License: LGPL-2+ + +Files: + git.mk +Copyright: + 2009, Red Hat, Inc. + 2010-2013 Behdad Esfahbod +License: permissive-git.mk + Copying and distribution of this file, with or without modification, + is permitted in any medium without royalty provided the copyright + notice and this notice are preserved. + +Files: m4/attributes.m4 +Copyright: + 2006-2008 Diego Pettenò + 2006-2008 xine project + 2012 Lucas De Marchi +License: GPL-2+ with Autoconf exception + +License: LGPL-2+ + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Library General Public + License as published by the Free Software Foundation; either + version 2 of the License, or (at your option) any later version. + . + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Library General Public License for more details. + . + You should have received a copy of the GNU Library General Public + License along with this library; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 + USA. + . + On Debian systems, the full text of the GNU Library General Public License + version 2 can be found in the file `/usr/share/common-licenses/LGPL-2'. + +License: GPL-2+ with Autoconf exception + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2, or (at your option) + any later version. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + 02110-1301, USA. + . + As a special exception, the copyright owners of the + macro gives unlimited permission to copy, distribute and modify the + configure scripts that are the output of Autoconf when processing the + Macro. You need not follow the terms of the GNU General Public + License when using or distributing such scripts, even though portions + of the text of the Macro appear in them. The GNU General Public + License (GPL) does govern all other use of the material that + constitutes the Autoconf Macro. + . + This special exception to the GPL applies to versions of the + Autoconf Macro released by this project. When you make and + distribute a modified version of the Autoconf Macro, you may extend + this special exception to the GPL to apply to your modified version as + well. diff --git a/debian/docs b/debian/docs new file mode 100644 index 0000000..b43bf86 --- /dev/null +++ b/debian/docs @@ -0,0 +1 @@ +README.md diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 0000000..4b25d13 --- /dev/null +++ b/debian/gbp.conf @@ -0,0 +1,6 @@ +[DEFAULT] +pristine-tar = True +debian-branch = debian/latest +upstream-branch = upstream/latest +patch-numbers = False +upstream-vcs-tag = v%(version)s diff --git a/debian/patches/debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch b/debian/patches/debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch new file mode 100644 index 0000000..788d158 --- /dev/null +++ b/debian/patches/debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch @@ -0,0 +1,22 @@ +From: Simon McVittie +Date: Fri, 1 Jan 2021 15:03:27 +0000 +Subject: Change EPERM error message to show Debian-specific information + +Forwarded: not-needed +--- + bubblewrap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bubblewrap.c b/bubblewrap.c +index 9b78a9a..1ea16c9 100644 +--- a/bubblewrap.c ++++ b/bubblewrap.c +@@ -2905,7 +2905,7 @@ main (int argc, + if (errno == EINVAL) + die ("Creating new namespace failed, likely because the kernel does not support user namespaces. bwrap must be installed setuid on such systems."); + else if (errno == EPERM && !is_privileged) +- die ("No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'."); ++ die ("No permissions to create new namespace, likely because the kernel does not allow non-privileged user namespaces. See or ."); + } + + if (errno == ENOSPC) diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..4e2353c --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..4a72dd8 --- /dev/null +++ b/debian/rules @@ -0,0 +1,27 @@ +#!/usr/bin/make -f +# -*- makefile -*- + +export DEB_BUILD_MAINT_OPTIONS = hardening=+pie,+bindnow + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +PKGDIR=$(CURDIR)/debian/bubblewrap + +%: + dh $@ --buildsystem=meson+ninja --without=autoreconf + +override_dh_auto_configure: + dh_auto_configure \ + -- \ + -Dzsh_completion_dir=/usr/share/zsh/vendor-completions \ + ${NULL} +.PHONY: override_dh_auto_configure + +override_dh_auto_test: + # Remove LD_PRELOAD so we don't run with faketime. It uses + # sem_open(), but bubblewrap runs in an environment where that + # can't work. + env -u LD_PRELOAD dh_auto_test + +.PHONY: override_dh_auto_test diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml new file mode 100644 index 0000000..0c22dc4 --- /dev/null +++ b/debian/salsa-ci.yml @@ -0,0 +1,3 @@ +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..163aaf8 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/debian/tests/basic b/debian/tests/basic new file mode 100755 index 0000000..c8e3449 --- /dev/null +++ b/debian/tests/basic @@ -0,0 +1,21 @@ +#!/usr/bin/perl +# vim:set sw=4 sts=4 et ft=perl: + +use strict; +use warnings; +use Test::More; +use IPC::Run qw(run); + +sub run_ok { + my $argv = shift; + my $debug = join(' ', @$argv); + ok(run($argv, @_), qq{"$debug" should succeed}); +} + +my $out; +run_ok([qw(bwrap --ro-bind / / /usr/bin/id -u)], '<', \undef, '>', \$out); +is($out, `id -u`); +run_ok([qw(bwrap --ro-bind / / /usr/bin/id -g)], '<', \undef, '>', \$out); +is($out, `id -g`); + +done_testing; diff --git a/debian/tests/control b/debian/tests/control new file mode 100644 index 0000000..a64434e --- /dev/null +++ b/debian/tests/control @@ -0,0 +1,36 @@ +Tests: + basic + dev + net + upstream + userns +Restrictions: allow-stderr, isolation-machine +Depends: + bubblewrap, + iproute2:native, + libcap2-bin:native, + libipc-run-perl:native, + perl:native, + python3:native, + +Tests: upstream-usrmerge +Restrictions: allow-stderr, isolation-machine, breaks-testbed +Depends: + bubblewrap, + iproute2:native, + libcap2-bin:native, + libipc-run-perl:native, + perl:native, + python3:native, + usrmerge + +Tests: + upstream-as-root +Restrictions: allow-stderr, isolation-machine, needs-root +Depends: + bubblewrap, + iproute2:native, + libcap2-bin:native, + libipc-run-perl:native, + perl:native, + python3:native, diff --git a/debian/tests/dev b/debian/tests/dev new file mode 100755 index 0000000..ed797b1 --- /dev/null +++ b/debian/tests/dev @@ -0,0 +1,40 @@ +#!/usr/bin/perl +# vim:set sw=4 sts=4 et ft=perl: + +use strict; +use warnings; +use Test::More; +use IPC::Run qw(run); + +sub run_ok { + my $argv = shift; + my $debug = join(' ', @$argv); + ok(run($argv, @_), qq{"$debug" should succeed}); +} + +my $out; +run_ok([qw(bwrap --ro-bind / / --dev /dev //bin/sh -c), "echo /dev/*"], + '<', \undef, '>', \$out); +like($out, qr{(^| )/dev/full( |$)}); +like($out, qr{(^| )/dev/null( |$)}); +like($out, qr{(^| )/dev/pts( |$)}); +like($out, qr{(^| )/dev/random( |$)}); +like($out, qr{(^| )/dev/shm( |$)}); +like($out, qr{(^| )/dev/stderr( |$)}); +like($out, qr{(^| )/dev/stdin( |$)}); +like($out, qr{(^| )/dev/stdout( |$)}); +like($out, qr{(^| )/dev/tty( |$)}); +like($out, qr{(^| )/dev/urandom( |$)}); +like($out, qr{(^| )/dev/zero( |$)}); +unlike($out, qr{(^| )/dev/hda( |$)}); +unlike($out, qr{(^| )/dev/dsp( |$)}); +unlike($out, qr{(^| )/dev/fuse( |$)}); +unlike($out, qr{(^| )/dev/kmsg( |$)}); +unlike($out, qr{(^| )/dev/loop0( |$)}); +unlike($out, qr{(^| )/dev/mem( |$)}); +unlike($out, qr{(^| )/dev/sda( |$)}); +unlike($out, qr{(^| )/dev/snd( |$)}); +unlike($out, qr{(^| )/dev/tty1( |$)}); +unlike($out, qr{(^| )/dev/vda( |$)}); + +done_testing; diff --git a/debian/tests/net b/debian/tests/net new file mode 100755 index 0000000..c16fd78 --- /dev/null +++ b/debian/tests/net @@ -0,0 +1,24 @@ +#!/usr/bin/perl +# vim:set sw=4 sts=4 et ft=perl: + +use strict; +use warnings; +use Test::More; +use IPC::Run qw(run); + +sub run_ok { + my $argv = shift; + my $debug = join(' ', @$argv); + ok(run($argv, @_), qq{"$debug" should succeed}); +} + +my $out; +run_ok([qw(bwrap --ro-bind / / --unshare-net /bin/sh -c), "ip link ls"], + '<', \undef, '>', \$out); + +like($out, qr{^[0-9]+: lo:}); +unlike($out, qr{^[0-9]+: en[^:]*:}); +unlike($out, qr{^[0-9]+: eth[^:]*:}); +unlike($out, qr{^[0-9]+: wlan[^:]*:}); + +done_testing; diff --git a/debian/tests/upstream b/debian/tests/upstream new file mode 100755 index 0000000..1a7f399 --- /dev/null +++ b/debian/tests/upstream @@ -0,0 +1,5 @@ +#!/bin/sh + +set -e + +exec tests/test-run.sh diff --git a/debian/tests/upstream-as-root b/debian/tests/upstream-as-root new file mode 100755 index 0000000..1a7f399 --- /dev/null +++ b/debian/tests/upstream-as-root @@ -0,0 +1,5 @@ +#!/bin/sh + +set -e + +exec tests/test-run.sh diff --git a/debian/tests/upstream-usrmerge b/debian/tests/upstream-usrmerge new file mode 120000 index 0000000..2a767e2 --- /dev/null +++ b/debian/tests/upstream-usrmerge @@ -0,0 +1 @@ +upstream \ No newline at end of file diff --git a/debian/tests/userns b/debian/tests/userns new file mode 100755 index 0000000..143772a --- /dev/null +++ b/debian/tests/userns @@ -0,0 +1,42 @@ +#!/usr/bin/perl +# vim:set sw=4 sts=4 et ft=perl: + +use strict; +use warnings; +use Test::More; +use IPC::Run qw(run); + +sub run_ok { + my $argv = shift; + my $debug = join(' ', @$argv); + ok(run($argv, @_), qq{"$debug" should succeed}); +} + +my $out; + +diag("Unshare user ID"); +run_ok([qw(bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 /usr/bin/id -u)], + '<', \undef, '>', \$out); +is($out, "2\n"); +run_ok([qw(bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 /usr/bin/id -g)], + '<', \undef, '>', \$out); +is($out, "3\n"); +run_ok([qw(bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 /bin/sh -c), + 'ls -l /etc/passwd'], + '<', \undef, '>', \$out); +like($out, qr{ nobody nogroup }); + +diag("Combine new /dev with new user namespace (#71)"); +run_ok([qw(bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 --dev /dev /bin/sh -c), + 'echo /dev/*'], + '<', \undef, '>', \$out); +like($out, qr{(^| )/dev/full( |$)}); +unlike($out, qr{(^| )/dev/tty1( |$)}); +run_ok([qw(bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 --dev /dev /usr/bin/id -u)], + '<', \undef, '>', \$out); +is($out, "2\n"); +run_ok([qw(bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 --dev /dev /usr/bin/id -g)], + '<', \undef, '>', \$out); +is($out, "3\n"); + +done_testing; diff --git a/debian/upstream/metadata b/debian/upstream/metadata new file mode 100644 index 0000000..d923f40 --- /dev/null +++ b/debian/upstream/metadata @@ -0,0 +1,7 @@ +--- +Repository: https://github.com/containers/bubblewrap.git +Repository-Browse: https://github.com/containers/bubblewrap +Bug-Database: https://github.com/containers/bubblewrap/issues +Bug-Submit: https://github.com/containers/bubblewrap/issues/new +... +# vim:set ft=yaml: diff --git a/debian/watch b/debian/watch new file mode 100644 index 0000000..ab5fd43 --- /dev/null +++ b/debian/watch @@ -0,0 +1,9 @@ +version=4 +# Upstream releases official Autotools 'make dist' tarballs, so we use +# those in preference to git tags +opts="\ + compression=xz, \ + dversionmangle=s/\+(?:git)?[0-9]*(?:\+g[0-9a-f]*)//, \ + downloadurlmangle=s#/tag/#/download/#;s#(v?@ANY_VERSION@)$#$1/@PACKAGE@-$2.tar.xz#, \ + filenamemangle=s#v?@ANY_VERSION@#@PACKAGE@-$1.tar.xz#" \ +https://github.com/containers/@PACKAGE@/tags .*/releases/tag/v?@ANY_VERSION@