Commit Graph

17 Commits

Author SHA1 Message Date
liubo0711 34b563a116 SECURITY UPDATE 2024-11-04 14:49:48 +08:00
luoyaoming 84e93c9e23 changed debian/source/format to native 2024-04-24 09:12:02 +08:00
Simon McVittie 8b1ff8adce Change EPERM error message to show Debian-specific information
Forwarded: not-needed

Gbp-Pq: Topic debian
Gbp-Pq: Name Change-EPERM-error-message-to-show-Debian-specific-inform.patch
2024-04-24 09:12:02 +08:00
Luoyaoming 20b859454d Import Debian changes 0.9.0-ok1
bubblewrap (0.9.0-ok1) nile; urgency=medium

  * Build for openKylin.
2024-04-24 09:12:01 +08:00
luoyaoming 015eefdf88 Import Upstream version 0.9.0 2024-04-24 09:12:01 +08:00
luoyaoming c8f7fdb963 delete debian/gbp.conf 2024-04-24 09:12:01 +08:00
luzhiping 0e0ee84fe1 update info 2022-08-22 16:33:42 +08:00
luoyaoming 368759cce7 fix debian/rules 2022-06-04 13:00:42 +08:00
luoyaoming 0417200973 debian/rules: fix openkylin vendor 2022-06-03 14:20:39 +08:00
openKylinBot f28d963d73 changed debian/source/format to native 2022-05-13 20:02:30 +08:00
openKylinBot 2ac0563dcb apply patches 2022-05-13 20:02:30 +08:00
openKylinBot 469ef14e05 format patches 2022-05-13 20:02:30 +08:00
Alexander Larsson 31bfd4b130 [PATCH 1/3] Don't rely on geteuid() to know when to switch back from setuid root
As pointed out by Stephen Röttger <sroettger@google.com>, in
drop_privs() we only drop root in the setuid case if geteuid() is
0. Typically geteuid() == 0 means we were setuid root and have not yet
switched away from it.

However, it is possible to make the geteuid call fail by passing a
--userns2 namespace which doesn't have 0 mapped (i.e. where geteuid()
will return the overflow uid instead).

If you do this, the pid 1 process in the sandbox will continue running
as host uid 0, while dropping the dumpable flag, and at this point the
user can ptrace attach the process and have root permissions.

We fix this by not relying on the geteuid() call to know when we need
to drop root uid, but rather keep track of whether we already switched
from it.

Gbp-Pq: Name CVE-2020-5291.patch
2022-05-13 20:02:30 +08:00
Christian Kastner 28861b915c [PATCH] tests: Update output patterns for libcap >= 2.29
Gbp-Pq: Name update-output-patterns-libcap-2.29.patch
2022-05-13 20:02:30 +08:00
Simon McVittie 3d0ae98292 Use Python 3 for test/demo code
Forwarded: not-needed

Gbp-Pq: Topic debian
Gbp-Pq: Name Use-Python-3-for-test-demo-code.patch
2022-05-13 20:02:30 +08:00
openKylinBot aac4840653 Import Debian changes 0.4.0-ok1
bubblewrap (0.4.0-ok1) yangtze; urgency=medium

  * Build for openKylin.
2022-05-13 20:02:29 +08:00
openKylinBot 5686b945c0 Import Upstream version 0.4.0 2022-05-13 20:02:29 +08:00