openkylin
/
bubblewrap
mirror of https://gitee.com/openkylin/bubblewrap.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

SECURITY UPDATE

This commit is contained in:
liubo0711 2024-11-04 14:49:48 +08:00 committed by openkylin-cibot
parent 20b859454d
commit 92d580fffd
3 changed files with 75 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
debian/changelog vendored
View File

@ -1,3 +1,9 @@
bubblewrap (0.9.0-ok2) nile; urgency=medium
* SECURITY UPDATE
-- liubo01 <liubo01@kylinos.cn> Mon, 04 Nov 2024 14:49:48 +0800
bubblewrap (0.9.0-ok1) nile; urgency=medium bubblewrap (0.9.0-ok1) nile; urgency=medium
* Build for openKylin. * Build for openKylin.

68
debian/patches/SECURITY-UPDATE.patch vendored Normal file
View File

@ -0,0 +1,68 @@
From: liubo0711 <1191322237@qq.com>
Date: Mon, 4 Nov 2024 14:49:48 +0800
Subject: SECURITY UPDATE
---
bubblewrap.c | 26 ++++++++++++++++++++++++++
tests/test-run.sh | 6 ++++++
2 files changed, 32 insertions(+)
diff --git a/bubblewrap.c b/bubblewrap.c
index 1ea16c9..ee270ce 100644
--- a/bubblewrap.c
+++ b/bubblewrap.c
@@ -341,6 +341,8 @@ usage (int ecode, FILE *out)
" --dev-bind-try SRC DEST Equal to --dev-bind but ignores non-existent SRC\n"
" --ro-bind SRC DEST Bind mount the host path SRC readonly on DEST\n"
" --ro-bind-try SRC DEST Equal to --ro-bind but ignores non-existent SRC\n"
+ " --bind-fd FD DEST Bind open directory or path fd on DEST\n"
+ " --ro-bind-fd FD DEST Bind open directory or path fd read-only on DEST\n"
" --remount-ro DEST Remount DEST as readonly; does not recursively remount\n"
" --exec-label LABEL Exec label for the sandbox\n"
" --file-label LABEL File label for temporary sandbox content\n"
@@ -1874,6 +1876,30 @@ parse_args_recurse (int *argcp,
if (strcmp(arg, "--dev-bind-try") == 0)
op->flags = ALLOW_NOTEXIST;
+ argv += 2;
+ argc -= 2;
+ }
+ else if (strcmp (arg, "--bind-fd") == 0 ||
+ strcmp (arg, "--ro-bind-fd") == 0)
+ {
+ int src_fd;
+ char *endptr;
+
+ if (argc < 3)
+ die ("--bind-fd takes two arguments");
+
+ src_fd = strtol (argv[1], &endptr, 10);
+ if (argv[1][0] == 0 || endptr[0] != 0 || src_fd < 0)
+ die ("Invalid fd: %s", argv[1]);
+
+ if (strcmp(arg, "--ro-bind-fd") == 0)
+ op = setup_op_new (SETUP_RO_BIND_MOUNT);
+ else
+ op = setup_op_new (SETUP_BIND_MOUNT);
+ op->source = xasprintf ("/proc/self/fd/%d", src_fd);
+ op->fd = src_fd;
+ op->dest = argv[2];
+
argv += 2;
argc -= 2;
}
diff --git a/tests/test-run.sh b/tests/test-run.sh
index 6151f1a..82a3c9b 100755
--- a/tests/test-run.sh
+++ b/tests/test-run.sh
@@ -565,4 +565,10 @@ $RUN --argv0 right sh -c 'echo $0' > stdout
assert_file_has_content stdout right
ok "argv0 manipulation"
+
+echo "foobar" > file-data
+$RUN --proc /proc --dev /dev --bind / / --bind-fd 0 /tmp cat /tmp/file-data 0< . > stdout
+assert_file_has_content stdout foobar
+echo "ok - bind-fd"
+
done_testing

1
debian/patches/series vendored
View File

@ -1 +1,2 @@
debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch
SECURITY-UPDATE.patch