Import Debian changes 0.4.0-ok1

bubblewrap (0.4.0-ok1) yangtze; urgency=medium

  * Build for openKylin.

debian/bubblewrap.examples

@@ -0,0 +1 @@
+demos/*

debian/changelog

@@ -0,0 +1,5 @@
+bubblewrap (0.4.0-ok1) yangtze; urgency=medium
+
+  * Build for openKylin.
+
+ -- openKylinBot <openKylinBot@openkylin.com>  Mon, 25 Apr 2022 22:03:04 +0800

debian/clean

@@ -0,0 +1 @@
+config.log

debian/control

@@ -0,0 +1,36 @@
+Source: bubblewrap
+Section: admin
+Priority: optional
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
+Uploaders: 
+ Laszlo Boszormenyi (GCS) <gcs@debian.org>,
+ Simon McVittie <smcv@debian.org>,
+Build-Depends: 
+ automake (>= 1.14.1),
+ bash-completion,
+ debhelper-compat (= 12),
+ docbook-xml,
+ docbook-xsl,
+ libcap-dev,
+ libselinux1-dev (>= 2.1.9),
+ pkg-config,
+ python3 <!nocheck>,
+ xsltproc,
+Standards-Version: 4.4.1
+Homepage: https://github.com/projectatomic/bubblewrap
+Vcs-Git: https://salsa.debian.org/debian/bubblewrap.git
+Vcs-Browser: https://salsa.debian.org/debian/bubblewrap
+Rules-Requires-Root: no
+
+Package: bubblewrap
+Architecture: linux-any
+Multi-arch: foreign
+Depends: 
+ ${misc:Depends},
+ ${shlibs:Depends},
+Breaks: 
+ flatpak (<< 0.8.0-0),
+Description: setuid wrapper for unprivileged chroot and namespace manipulation
+ Core execution engine for unprivileged containers that works as a setuid
+ binary on kernels without user namespaces.

debian/copyright

@@ -0,0 +1,68 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: bubblewrap
+Source: https://github.com/projectatomic/bubblewrap/
+
+Files: *
+Copyright: 2016 Alexander Larsson
+License: LGPL-2+
+
+Files: debian/*
+Copyright: 2016 Laszlo Boszormenyi (GCS) <gcs@debian.org>
+License: LGPL-2+
+
+Files: m4/attributes.m4
+Copyright:
+ 2006-2008 Diego Pettenò <flameeyes@gmail.com>
+ 2006-2008 xine project
+ 2012 Lucas De Marchi <lucas.de.marchi@gmail.com>
+License: GPL-2+ with Autoconf exception
+
+License: LGPL-2+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Library General Public
+ License as published by the Free Software Foundation; either
+ version 2 of the License, or (at your option) any later version.
+ .
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+ .
+ You should have received a copy of the GNU Library General Public
+ License along with this library; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
+ USA.
+ .
+ On Debian systems, the full text of the GNU Library General Public License
+ version 2 can be found in the file `/usr/share/common-licenses/LGPL-2'.
+
+License: GPL-2+ with Autoconf exception
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2, or (at your option)
+ any later version.
+ .
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ 02110-1301, USA.
+ .
+ As a special exception, the copyright owners of the
+ macro gives unlimited permission to copy, distribute and modify the
+ configure scripts that are the output of Autoconf when processing the
+ Macro. You need not follow the terms of the GNU General Public
+ License when using or distributing such scripts, even though portions
+ of the text of the Macro appear in them. The GNU General Public
+ License (GPL) does govern all other use of the material that
+ constitutes the Autoconf Macro.
+ .
+ This special exception to the GPL applies to versions of the
+ Autoconf Macro released by this project. When you make and
+ distribute a modified version of the Autoconf Macro, you may extend
+ this special exception to the GPL to apply to your modified version as
+ well.

debian/docs

@@ -0,0 +1 @@
+README.md

debian/gbp.conf

@@ -0,0 +1,6 @@
+[DEFAULT]
+pristine-tar = True
+debian-branch = debian/master
+upstream-branch = upstream/latest
+patch-numbers = False
+upstream-vcs-tag = v%(version)s

debian/lintian-overrides

@@ -0,0 +1,2 @@
+# this is known and intentional
+bubblewrap: setuid-binary usr/bin/bwrap 4755 root/root

debian/patches/CVE-2020-5291.patch

@@ -0,0 +1,84 @@
+From 5404a15d34301a5a0dd5930203e03c76b80ebf21 Mon Sep 17 00:00:00 2001
+From: Alexander Larsson <alexl@redhat.com>
+Date: Thu, 26 Mar 2020 15:36:44 +0100
+Subject: [PATCH 1/3] Don't rely on geteuid() to know when to switch back from
+ setuid root
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+As pointed out by Stephen Röttger <sroettger@google.com>, in
+drop_privs() we only drop root in the setuid case if geteuid() is
+0. Typically geteuid() == 0 means we were setuid root and have not yet
+switched away from it.
+
+However, it is possible to make the geteuid call fail by passing a
+--userns2 namespace which doesn't have 0 mapped (i.e. where geteuid()
+will return the owerflow uid instead).
+
+If you do this, the pid 1 process in the sandbox will continue running
+as host uid 0, while dropping the dumpable flag, and at this point the
+user can ptrace attach the process and have root permissions.
+
+We fix this by not relying on the geteuid() call to know when we need
+to drop root uid, but rather keep track of whether we already switched
+from it.
+---
+ bubblewrap.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/bubblewrap.c
++++ b/bubblewrap.c
+@@ -834,11 +834,13 @@ switch_to_user_with_privs (void)
+ 
+ /* Call setuid() and use capset() to adjust capabilities */
+ static void
+-drop_privs (bool keep_requested_caps)
++drop_privs (bool keep_requested_caps,
++            bool already_changed_uid)
+ {
+   assert (!keep_requested_caps || !is_privileged);
+   /* Drop root uid */
+-  if (geteuid () == 0 && setuid (opt_sandbox_uid) < 0)
++  if (is_privileged && !already_changed_uid &&
++      setuid (opt_sandbox_uid) < 0)
+     die_with_error ("unable to drop root uid");
+ 
+   drop_all_caps (keep_requested_caps);
+@@ -2296,6 +2298,9 @@ main (int    argc,
+   if (opt_userns_fd != -1 && is_privileged)
+     die ("--userns doesn't work in setuid mode");
+ 
++  if (opt_userns2_fd != -1 && is_privileged)
++    die ("--userns2 doesn't work in setuid mode");
++
+   /* We have to do this if we weren't installed setuid (and we're not
+    * root), so let's just DWIM */
+   if (!is_privileged && getuid () != 0 && opt_userns_fd == -1)
+@@ -2499,7 +2504,7 @@ main (int    argc,
+         die_with_error ("Setting userns2 failed");
+ 
+       /* We don't need any privileges in the launcher, drop them immediately. */
+-      drop_privs (FALSE);
++      drop_privs (FALSE, FALSE);
+ 
+       /* Optionally bind our lifecycle to that of the parent */
+       handle_die_with_parent ();
+@@ -2674,7 +2679,7 @@ main (int    argc,
+       if (child == 0)
+         {
+           /* Unprivileged setup process */
+-          drop_privs (FALSE);
++          drop_privs (FALSE, TRUE);
+           close (privsep_sockets[0]);
+           setup_newroot (opt_unshare_pid, privsep_sockets[1]);
+           exit (0);
+@@ -2769,7 +2774,7 @@ main (int    argc,
+     }
+ 
+   /* All privileged ops are done now, so drop caps we don't need */
+-  drop_privs (!is_privileged);
++  drop_privs (!is_privileged, TRUE);
+ 
+   if (opt_block_fd != -1)
+     {

debian/patches/debian/Use-Python-3-for-test-demo-code.patch

@@ -0,0 +1,33 @@
+From: Simon McVittie <smcv@debian.org>
+Date: Wed, 17 Jan 2018 14:10:40 +0000
+Subject: Use Python 3 for test/demo code
+
+Forwarded: not-needed
+---
+ demos/userns-block-fd.py | 2 +-
+ tests/test-run.sh        | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/demos/userns-block-fd.py b/demos/userns-block-fd.py
+index 4c68242..2ef2fd6 100755
+--- a/demos/userns-block-fd.py
++++ b/demos/userns-block-fd.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
++#!/usr/bin/env python3
+ 
+ import os, select, subprocess, sys, json
+ 
+diff --git a/tests/test-run.sh b/tests/test-run.sh
+index a404c4e..1d2ffbc 100755
+--- a/tests/test-run.sh
++++ b/tests/test-run.sh
+@@ -215,7 +215,7 @@ fi
+ # Test --die-with-parent
+ 
+ cat >lockf-n.py <<EOF
+-#!/usr/bin/env python
++#!/usr/bin/env python3
+ import struct,fcntl,sys
+ path = sys.argv[1]
+ if sys.argv[2] == 'wait':

debian/patches/series

@@ -0,0 +1,4 @@
+debian/Use-Python-3-for-test-demo-code.patch
+# Temporary before this gets applied upstream
+update-output-patterns-libcap-2.29.patch
+CVE-2020-5291.patch

debian/patches/update-output-patterns-libcap-2.29.patch

@@ -0,0 +1,36 @@
+From 8b170a9a91ffaa0611f68b1fef64f881f2dadf8d Mon Sep 17 00:00:00 2001
+From: Christian Kastner <ckk@kvr.at>
+Date: Wed, 19 Feb 2020 10:03:05 +0100
+Subject: [PATCH] tests: Update output patterns for libcap >= 2.29
+
+---
+ tests/test-run.sh | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/tests/test-run.sh b/tests/test-run.sh
+index a01f41c..702c480 100755
+--- a/tests/test-run.sh
++++ b/tests/test-run.sh
+@@ -215,11 +215,18 @@ else
+     $RUN $OPT --cap-drop ALL --unshare-pid capsh --print >caps.test
+     assert_file_has_content caps.test 'Current: =$'
+     # Check for dropping kill/fowner (we assume all uid 0 callers have this)
+-    $RUN $OPT --cap-drop CAP_KILL --cap-drop CAP_FOWNER --unshare-pid capsh --print >caps.test
+-    assert_not_file_has_content caps.test '^Current: =.*cap_kill'
+-    assert_not_file_has_content caps.test '^Current: =.*cap_fowner'
+     # But we should still have net_bind_service for example
+-    assert_file_has_content caps.test '^Current: =.*cap_net_bind_service'
++    $RUN $OPT --cap-drop CAP_KILL --cap-drop CAP_FOWNER --unshare-pid capsh --print >caps.test
++	# capsh's output format changed from v2.29 -> drops are now indicated with -eip
++	if grep 'Current: =.*+eip$' caps.test; then
++        assert_not_file_has_content caps.test '^Current: =.*cap_kill.*+eip$'
++        assert_not_file_has_content caps.test '^Current: =.*cap_fowner.*+eip$'
++        assert_file_has_content caps.test '^Current: =.*cap_net_bind_service.*+eip$'
++	else
++        assert_file_has_content caps.test '^Current: =eip.*cap_kill.*-eip$'
++        assert_file_has_content caps.test '^Current: =eip.*cap_fowner.*-eip$'
++        assert_not_file_has_content caps.test '^Current: =.*cap_net_bind_service.*-eip$'
++    fi
+     echo "ok - we have the expected caps as uid 0"
+ fi
+ 

debian/rules

@@ -0,0 +1,35 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+
+export DEB_BUILD_MAINT_OPTIONS = hardening=+pie,+bindnow
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+PKGDIR=$(CURDIR)/debian/bubblewrap
+
+%:
+	dh $@
+
+override_dh_fixperms:
+	chmod a+x $(PKGDIR)/usr/share/bash-completion/completions/bwrap
+# Ubuntu enables unprivileged user namespaces; no need for bwrap to be suid
+# there.
+ifneq (yes,$(shell dpkg-vendor --derives-from Ubuntu && echo yes))
+	chmod 04755 $(PKGDIR)/usr/bin/bwrap
+	dh_fixperms -Xbin/bwrap
+else
+	dh_fixperms
+endif
+
+.PHONY: override_dh_fixperms
+
+override_dh_auto_test:
+ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
+	# Remove LD_PRELOAD so we don't run with faketime. It uses
+	# sem_open(), but bubblewrap runs in an environment where that
+	# can't work.
+	env -u LD_PRELOAD dh_auto_test
+endif
+
+.PHONY: override_dh_auto_test

debian/salsa-ci.yml

@@ -0,0 +1,3 @@
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml

debian/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

debian/tests/basic

@@ -0,0 +1,21 @@
+#!/usr/bin/perl
+# vim:set sw=4 sts=4 et ft=perl:
+
+use strict;
+use warnings;
+use Test::More;
+use IPC::Run qw(run);
+
+sub run_ok {
+    my $argv = shift;
+    my $debug = join(' ', @$argv);
+    ok(run($argv, @_), qq{"$debug" should succeed});
+}
+
+my $out;
+run_ok([qw(bwrap --ro-bind / / /usr/bin/id -u)], '<', \undef, '>', \$out);
+is($out, `id -u`);
+run_ok([qw(bwrap --ro-bind / / /usr/bin/id -g)], '<', \undef, '>', \$out);
+is($out, `id -g`);
+
+done_testing;

debian/tests/control

@@ -0,0 +1,36 @@
+Tests:
+ basic
+ dev
+ net
+ upstream
+ userns
+Restrictions: allow-stderr, isolation-machine
+Depends:
+ bubblewrap,
+ iproute2:native,
+ libcap2-bin:native,
+ libipc-run-perl:native,
+ perl:native,
+ python3:native,
+
+Tests: upstream-usrmerge
+Restrictions: allow-stderr, isolation-machine, breaks-testbed
+Depends:
+ bubblewrap,
+ iproute2:native,
+ libcap2-bin:native,
+ libipc-run-perl:native,
+ perl:native,
+ python3:native,
+ usrmerge
+
+Tests:
+ upstream-as-root
+Restrictions: allow-stderr, isolation-machine, needs-root
+Depends:
+ bubblewrap,
+ iproute2:native,
+ libcap2-bin:native,
+ libipc-run-perl:native,
+ perl:native,
+ python3:native,

debian/tests/dev

@@ -0,0 +1,40 @@
+#!/usr/bin/perl
+# vim:set sw=4 sts=4 et ft=perl:
+
+use strict;
+use warnings;
+use Test::More;
+use IPC::Run qw(run);
+
+sub run_ok {
+    my $argv = shift;
+    my $debug = join(' ', @$argv);
+    ok(run($argv, @_), qq{"$debug" should succeed});
+}
+
+my $out;
+run_ok([qw(bwrap --ro-bind / / --dev /dev //bin/sh -c), "echo /dev/*"],
+    '<', \undef, '>', \$out);
+like($out, qr{(^| )/dev/full( |$)});
+like($out, qr{(^| )/dev/null( |$)});
+like($out, qr{(^| )/dev/pts( |$)});
+like($out, qr{(^| )/dev/random( |$)});
+like($out, qr{(^| )/dev/shm( |$)});
+like($out, qr{(^| )/dev/stderr( |$)});
+like($out, qr{(^| )/dev/stdin( |$)});
+like($out, qr{(^| )/dev/stdout( |$)});
+like($out, qr{(^| )/dev/tty( |$)});
+like($out, qr{(^| )/dev/urandom( |$)});
+like($out, qr{(^| )/dev/zero( |$)});
+unlike($out, qr{(^| )/dev/hda( |$)});
+unlike($out, qr{(^| )/dev/dsp( |$)});
+unlike($out, qr{(^| )/dev/fuse( |$)});
+unlike($out, qr{(^| )/dev/kmsg( |$)});
+unlike($out, qr{(^| )/dev/loop0( |$)});
+unlike($out, qr{(^| )/dev/mem( |$)});
+unlike($out, qr{(^| )/dev/sda( |$)});
+unlike($out, qr{(^| )/dev/snd( |$)});
+unlike($out, qr{(^| )/dev/tty1( |$)});
+unlike($out, qr{(^| )/dev/vda( |$)});
+
+done_testing;

debian/tests/net

@@ -0,0 +1,24 @@
+#!/usr/bin/perl
+# vim:set sw=4 sts=4 et ft=perl:
+
+use strict;
+use warnings;
+use Test::More;
+use IPC::Run qw(run);
+
+sub run_ok {
+    my $argv = shift;
+    my $debug = join(' ', @$argv);
+    ok(run($argv, @_), qq{"$debug" should succeed});
+}
+
+my $out;
+run_ok([qw(bwrap --ro-bind / / --unshare-net /bin/sh -c), "ip link ls"],
+    '<', \undef, '>', \$out);
+
+like($out, qr{^[0-9]+: lo:});
+unlike($out, qr{^[0-9]+: en[^:]*:});
+unlike($out, qr{^[0-9]+: eth[^:]*:});
+unlike($out, qr{^[0-9]+: wlan[^:]*:});
+
+done_testing;

debian/tests/upstream

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+exec tests/test-run.sh

debian/tests/upstream-as-root

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+exec tests/test-run.sh

debian/tests/upstream-usrmerge

@@ -0,0 +1 @@
+upstream

debian/tests/userns

@@ -0,0 +1,42 @@
+#!/usr/bin/perl
+# vim:set sw=4 sts=4 et ft=perl:
+
+use strict;
+use warnings;
+use Test::More;
+use IPC::Run qw(run);
+
+sub run_ok {
+    my $argv = shift;
+    my $debug = join(' ', @$argv);
+    ok(run($argv, @_), qq{"$debug" should succeed});
+}
+
+my $out;
+
+diag("Unshare user ID");
+run_ok([qw(bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 /usr/bin/id -u)],
+    '<', \undef, '>', \$out);
+is($out, "2\n");
+run_ok([qw(bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 /usr/bin/id -g)],
+    '<', \undef, '>', \$out);
+is($out, "3\n");
+run_ok([qw(bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 /bin/sh -c),
+        'ls -l /etc/passwd'],
+    '<', \undef, '>', \$out);
+like($out, qr{ nobody nogroup });
+
+diag("Combine new /dev with new user namespace (#71)");
+run_ok([qw(bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 --dev /dev /bin/sh -c),
+        'echo /dev/*'],
+    '<', \undef, '>', \$out);
+like($out, qr{(^| )/dev/full( |$)});
+unlike($out, qr{(^| )/dev/tty1( |$)});
+run_ok([qw(bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 --dev /dev /usr/bin/id -u)],
+    '<', \undef, '>', \$out);
+is($out, "2\n");
+run_ok([qw(bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 --dev /dev /usr/bin/id -g)],
+    '<', \undef, '>', \$out);
+is($out, "3\n");
+
+done_testing;

debian/upstream/metadata

@@ -0,0 +1,8 @@
+---
+Name: Bubblewrap
+Repository: https://github.com/projectatomic/bubblewrap
+Repository-Browse: https://github.com/projectatomic/bubblewrap
+Bug-Database: https://github.com/projectatomic/bubblewrap/issues
+Bug-Submit: https://github.com/projectatomic/bubblewrap/issues/new
+...
+# vim:set ft=yaml:

debian/watch

@@ -0,0 +1,3 @@
+version=4
+opts="compression=xz,dversionmangle=s/\+(?:git)?[0-9]*\+g[0-9a-f]*//" \
+https://github.com/projectatomic/@PACKAGE@/releases .*/@PACKAGE@-@ANY_VERSION@@ARCHIVE_EXT@