From 92d580fffd6527466d60b6f8039ab65cafaac772 Mon Sep 17 00:00:00 2001
From: liubo0711 <1191322237@qq.com>
Date: Mon, 4 Nov 2024 14:49:48 +0800
Subject: [PATCH] SECURITY UPDATE

---
 debian/changelog                     |  6 +++
 debian/patches/SECURITY-UPDATE.patch | 68 ++++++++++++++++++++++++++++
 debian/patches/series                |  1 +
 3 files changed, 75 insertions(+)
 create mode 100644 debian/patches/SECURITY-UPDATE.patch

diff --git a/debian/changelog b/debian/changelog
index 270eeb9..71e5ef3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+bubblewrap (0.9.0-ok2) nile; urgency=medium
+
+  * SECURITY UPDATE
+
+ -- liubo01 <liubo01@kylinos.cn>  Mon, 04 Nov 2024 14:49:48 +0800
+
 bubblewrap (0.9.0-ok1) nile; urgency=medium
 
   * Build for openKylin.
diff --git a/debian/patches/SECURITY-UPDATE.patch b/debian/patches/SECURITY-UPDATE.patch
new file mode 100644
index 0000000..38948e4
--- /dev/null
+++ b/debian/patches/SECURITY-UPDATE.patch
@@ -0,0 +1,68 @@
+From: liubo0711 <1191322237@qq.com>
+Date: Mon, 4 Nov 2024 14:49:48 +0800
+Subject: SECURITY UPDATE
+
+---
+ bubblewrap.c      | 26 ++++++++++++++++++++++++++
+ tests/test-run.sh |  6 ++++++
+ 2 files changed, 32 insertions(+)
+
+diff --git a/bubblewrap.c b/bubblewrap.c
+index 1ea16c9..ee270ce 100644
+--- a/bubblewrap.c
++++ b/bubblewrap.c
+@@ -341,6 +341,8 @@ usage (int ecode, FILE *out)
+            "    --dev-bind-try SRC DEST      Equal to --dev-bind but ignores non-existent SRC\n"
+            "    --ro-bind SRC DEST           Bind mount the host path SRC readonly on DEST\n"
+            "    --ro-bind-try SRC DEST       Equal to --ro-bind but ignores non-existent SRC\n"
++           "    --bind-fd FD DEST            Bind open directory or path fd on DEST\n"
++           "    --ro-bind-fd FD DEST         Bind open directory or path fd read-only on DEST\n"
+            "    --remount-ro DEST            Remount DEST as readonly; does not recursively remount\n"
+            "    --exec-label LABEL           Exec label for the sandbox\n"
+            "    --file-label LABEL           File label for temporary sandbox content\n"
+@@ -1874,6 +1876,30 @@ parse_args_recurse (int          *argcp,
+           if (strcmp(arg, "--dev-bind-try") == 0)
+             op->flags = ALLOW_NOTEXIST;
+ 
++          argv += 2;
++          argc -= 2;
++        }
++      else if (strcmp (arg, "--bind-fd") == 0 ||
++               strcmp (arg, "--ro-bind-fd") == 0)
++        {
++          int src_fd;
++          char *endptr;
++
++          if (argc < 3)
++            die ("--bind-fd takes two arguments");
++
++          src_fd = strtol (argv[1], &endptr, 10);
++          if (argv[1][0] == 0 || endptr[0] != 0 || src_fd < 0)
++            die ("Invalid fd: %s", argv[1]);
++
++          if (strcmp(arg, "--ro-bind-fd") == 0)
++            op = setup_op_new (SETUP_RO_BIND_MOUNT);
++          else
++            op = setup_op_new (SETUP_BIND_MOUNT);
++          op->source = xasprintf ("/proc/self/fd/%d", src_fd);
++          op->fd = src_fd;
++          op->dest = argv[2];
++
+           argv += 2;
+           argc -= 2;
+         }
+diff --git a/tests/test-run.sh b/tests/test-run.sh
+index 6151f1a..82a3c9b 100755
+--- a/tests/test-run.sh
++++ b/tests/test-run.sh
+@@ -565,4 +565,10 @@ $RUN --argv0 right sh -c 'echo $0' > stdout
+ assert_file_has_content stdout right
+ ok "argv0 manipulation"
+ 
++
++echo "foobar" > file-data
++$RUN --proc /proc --dev /dev --bind / / --bind-fd 0 /tmp cat /tmp/file-data 0< . > stdout
++assert_file_has_content stdout foobar
++echo "ok - bind-fd"
++
+ done_testing
diff --git a/debian/patches/series b/debian/patches/series
index 4e2353c..b22156a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch
+SECURITY-UPDATE.patch