SECURITY UPDATE

This commit is contained in:
liubo0711 2024-11-04 14:49:48 +08:00
parent 84e93c9e23
commit 34b563a116
3 changed files with 38 additions and 0 deletions


@ -341,6 +341,8 @@ usage (int ecode, FILE *out)
" --dev-bind-try SRC DEST Equal to --dev-bind but ignores non-existent SRC\n" " --dev-bind-try SRC DEST Equal to --dev-bind but ignores non-existent SRC\n"
" --ro-bind SRC DEST Bind mount the host path SRC readonly on DEST\n" " --ro-bind SRC DEST Bind mount the host path SRC readonly on DEST\n"
" --ro-bind-try SRC DEST Equal to --ro-bind but ignores non-existent SRC\n" " --ro-bind-try SRC DEST Equal to --ro-bind but ignores non-existent SRC\n"
" --bind-fd FD DEST Bind open directory or path fd on DEST\n"
" --ro-bind-fd FD DEST Bind open directory or path fd read-only on DEST\n"
" --remount-ro DEST Remount DEST as readonly; does not recursively remount\n" " --remount-ro DEST Remount DEST as readonly; does not recursively remount\n"
" --exec-label LABEL Exec label for the sandbox\n" " --exec-label LABEL Exec label for the sandbox\n"
" --file-label LABEL File label for temporary sandbox content\n" " --file-label LABEL File label for temporary sandbox content\n"
@ -1874,6 +1876,30 @@ parse_args_recurse (int *argcp,
if (strcmp(arg, "--dev-bind-try") == 0) if (strcmp(arg, "--dev-bind-try") == 0)
op->flags = ALLOW_NOTEXIST; op->flags = ALLOW_NOTEXIST;
argv += 2;
argc -= 2;
}
else if (strcmp (arg, "--bind-fd") == 0 ||
strcmp (arg, "--ro-bind-fd") == 0)
{
int src_fd;
char *endptr;
if (argc < 3)
die ("--bind-fd takes two arguments");
src_fd = strtol (argv[1], &endptr, 10);
if (argv[1][0] == 0 || endptr[0] != 0 || src_fd < 0)
die ("Invalid fd: %s", argv[1]);
if (strcmp(arg, "--ro-bind-fd") == 0)
op = setup_op_new (SETUP_RO_BIND_MOUNT);
else
op = setup_op_new (SETUP_BIND_MOUNT);
op->source = xasprintf ("/proc/self/fd/%d", src_fd);
op->fd = src_fd;
op->dest = argv[2];
argv += 2; argv += 2;
argc -= 2; argc -= 2;
} }
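Review bot: On the `src_fd = strtol (argv[1], &endptr, 10);` line the parsed value is narrowed from long to int before the `src_fd < 0` test, and strtol's own overflow signal (errno == ERANGE) is never checked, so an out-of-range numeral can truncate to a small non-negative number and the sandbox would silently bind a different descriptor than the one the user named. Parse into a long with errno cleared, reject ERANGE and anything above INT_MAX, and only then assign to src_fd. The message `die ("--bind-fd takes two arguments");` is also emitted for `--ro-bind-fd`; `die ("%s takes two arguments", arg);` reports the option actually given. parse_args_recurse starts and ends outside the hunk.
```c
      int src_fd;
      long parsed_fd;
      char *endptr;
      if (argc < 3)
        die ("%s takes two arguments", arg);
      errno = 0;
      parsed_fd = strtol (argv[1], &endptr, 10);
      if (argv[1][0] == 0 || endptr[0] != 0 || errno == ERANGE
          || parsed_fd < 0 || parsed_fd > INT_MAX)
        die ("Invalid fd: %s", argv[1]);
      src_fd = (int) parsed_fd;
      /* … unchanged: setup_op_new, source/fd/dest assignment … */
```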

debian/changelog vendored

@ -1,3 +1,9 @@
bubblewrap (0.9.0-ok2) nile; urgency=medium
* SECURITY UPDATE
-- liubo01 <liubo01@kylinos.cn> Mon, 04 Nov 2024 14:49:48 +0800
bubblewrap (0.9.0-ok1) nile; urgency=medium bubblewrap (0.9.0-ok1) nile; urgency=medium
* Build for openKylin. * Build for openKylin.


@ -565,4 +565,10 @@ $RUN --argv0 right sh -c 'echo $0' > stdout
assert_file_has_content stdout right assert_file_has_content stdout right
ok "argv0 manipulation" ok "argv0 manipulation"
echo "foobar" > file-data
$RUN --proc /proc --dev /dev --bind / / --bind-fd 0 /tmp cat /tmp/file-data 0< . > stdout
assert_file_has_content stdout foobar
echo "ok - bind-fd"
done_testing done_testing
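Review bot: `echo "ok - bind-fd"` on the last added line bypasses the `ok` helper that the neighbouring test uses (`ok "argv0 manipulation"` just above), which presumably keeps the TAP result count in step with the plan; `ok "bind-fd"` keeps the new case consistent. The new case also exercises only `--bind-fd`: `--ro-bind-fd`, added by the same commit, is never run, and nothing verifies that the read-only variant actually refuses writes. A second run with `--ro-bind-fd 0 /tmp` reading the same file, plus an expected-failure write into that mount, would cover both halves of the new option.
```sh
# … unchanged: bind-fd case …
ok "bind-fd"
$RUN --proc /proc --dev /dev --bind / / --ro-bind-fd 0 /tmp cat /tmp/file-data 0< . > stdout
assert_file_has_content stdout foobar
if $RUN --proc /proc --dev /dev --bind / / --ro-bind-fd 0 /tmp sh -c 'echo x > /tmp/file-data' 0< . 2>/dev/null; then
  echo "write into ro-bind-fd mount unexpectedly succeeded" >&2
  exit 1
fi
ok "ro-bind-fd"
```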