Tags: containers/bubblewrap

v0.10.0

bubblewrap 0.10.0

New features:

- Add the --[ro-]bind-fd option, which can be used to mount a filesystem
  represented by a file descriptor without time-of-check/time-of-use
  attacks. This is needed when resolving CVE-2024-42472 in Flatpak.

Other changes:

- Fix some confusing syntax in SetupOpFlag (no functional change). (#636)

Git-EVTag-v0-SHA512: de9d80e633a20683767d96924b456f06776224b733428d70038b3b7b0fc3088a1161c33425704bae76c3e75cca3a03d06e5c2d318258382c5a4c18e17ac99ed8

v0.6.3

bubblewrap 0.6.3

This release is intended to be used as part of Flatpak 1.14.x.
If possible, please upgrade to 0.10.0 or later instead.

- Backport the --[ro-]bind-fd option from 0.10.0. This can be used to
  mount a filesystem represented by a file descriptor without
  time-of-check/time-of-use attacks, and is needed when resolving
  CVE-2024-42472 in Flatpak.

Git-EVTag-v0-SHA512: a3c17c5d8d939b4e9daf0ba94049f0941e959ccc9f7711c8fb08230a22790c08d902c7846e57c1ceddb51d4afa0a179a6abb611bcd08e68fa006e798cddc8a55

v0.9.0

bubblewrap 0.9.0

* Building this version of bubblewrap with Meson is recommended. The
  source release bubblewrap-0.9.0.tar.xz no longer contains
  Autotools-generated files, although this version can still be built
  using Autotools after running `./autogen.sh`. Future versions are
  likely to remove the Autotools build system altogether.

* Add `--argv0` (#91)

* `--symlink` is now idempotent, meaning it succeeds if the
  symlink already exists and already has the desired target (#549,
  flatpak/flatpak#2387, flatpak/flatpak#3477, flatpak/flatpak#5255)
* Clarify security considerations in documentation (#555, #560, #621)
* Clarify documentation for `--cap-add` (#562)
* Report a better error message if `mount(2)` fails with `ENOSPC`
  (#615, ValveSoftware/steam-runtime#637)
* Make it easier to add new unit tests (#420)
* Drop support for ancient Python versions in demo code

* Fix a double-close on error reading from `--args`, `--seccomp` or
  `--add-seccomp-fd` argument (#558)
* Improve memory allocation behaviour (#556, #624)
* Silence various compiler warnings (#559)
* Silence an Automake warning (#622)
* Fix a test failure when running as uid 0 in a container (#488)
* Fix a test failure when `/mnt` is a symlink (#599)
* Fix a test failure on NixOS (#603)

Git-EVTag-v0-SHA512: 0e327ddf75813b60969d693ebb2fdca24355c988f86d72de666c6a47dfcd168d2fd3135f8cbd477d778faf9770eda0d7f2d3dcc536687be4903a3913fd3399c8

v0.8.0

bubblewrap v0.8.0

New features:

* Add `--disable-userns` option to prevent the sandbox from creating its own nested user namespace (#488)
* Add `--assert-userns-disabled` option to check that an existing userns was created with `--disable-userns` (#488)
* Give a clearer error message if the kernel doesn't have `CONFIG_SECCOMP` and `CONFIG_SECCOMP_FILTER` (#550)

Bug fixes:

* Fix test failure with recent versions of `capsh` (#544)
* Fix test failure since 0.7.0 when not using post-2013 GNU coreutils (#539)
* Fix test failure since 0.7.0 if bubblewrap is setuid (#539)

Git-EVTag-v0-SHA512: d01204613853596f38f2c4bc732207e47e0917b27786d27524e4d74ff692fcacdf3fc0043d2428e53003fb539c106c70de8d1ec9ed1c2999a2f9342038f91daa

v0.7.0

bubblewrap 0.7.0

New features:

* `--size` option controls the size of a subsequent `--tmpfs` (#509)
* Better error messages if a mount operation fails (#472)
* Better error message if creating the new user namespace fails with
  `ENOSPC` (#487)
* When building as a Meson subproject, a `RUNPATH` can be set on the
  executable to make it easier to bundle its `libcap` dependency

Bug fixes:

* When building with Autotools, ensure initial setup for `pkg-config`
  is not disabled by `--with-bash-completion-dir=PATH` (#316, #342, #441)
* Fix test failures when running as uid 0 but with limited capabilities
  (#510)
* Use POSIX `command -v` in preference to non-standard `which` (#527)
* Fix a copy/paste error in `--help` (#531)

Git-EVTag-v0-SHA512: f4f6e2a92493461c2c39bacc1c3003167162113c88d2142f2041dcb830f3bd3a7df541aad361d1e6ce99576d66bd7eac1065340406e294cd4769b9c4c81c2a2c

v0.6.2

bubblewrap v0.6.2

New features in Meson build:

* Auto-detect whether the man page can be generated
* `-Dbwrapdir=...` changes the installation directory (useful when being
  used as a subproject)
* `-Dtests=false` disables unit tests

Bug fixes:

* Add `--add-seccomp-fd` to shell completions
* Document `--add-seccomp-fd`, `--json-status-fd` and `--share-net`
  in the man page
* Add attributes to silence various compiler warnings
* Allow compilation of tests with musl on mips architectures
* Allow compilation with older glibc
* Disable sanitizers for a test helper whose seccomp profile breaks
  the instrumentation
* Disable AddressSanitizer leak detection where it interferes with
  unit testing

Git-EVTag-v0-SHA512: c39a93493bbb32c6e0521c62cf8f1683ad7ea71b2c11888ad40ed108b647e65b732177ec28809510e9e5253e09926ff444aada42ed6fe2ffea43608c23f43a44

v0.6.1

bubblewrap v0.6.1

* Fix `bwrap --version` when built with Meson (#477)
* Don't install zsh completion as executable when built with Meson

Git-EVTag-v0-SHA512: d70aa47bb1ebfd37dcbf63551f10f824582b7fcd5931f4568c247df5bc2707ca1ea32e6d57dbbd4d0ac08f8c78cfecdced0b24de7339af59d42933cfa7b56b02

v0.6.0

bubblewrap 0.6.0

New features:

* New `--add-seccomp` option can be used to add more than one seccomp
  program (#453)
* Add a warning when repeating options where only the last one will be
  used, in particular `--seccomp` (#454)
* Add a Meson build system. (#432)
    * This can be used as a subproject by larger Meson projects. When
      used as a subproject, the `-Dprogram_prefix` option is required:
      see `tests/use-as-subproject/` for an example.
    * There is no equivalent of the `--with-priv-mode=setuid` option
      in this build system. Distributions that still require a setuid
      bubblewrap executable will need to `chown` and `chmod` the executable
      appropriately as a separate step in their packaging.
    * The Autotools build system is still supported in this release,
      but might be removed in a future release if the Meson build system
      is sufficiently successful.

Bug fixes:

* Invoke bash via `PATH` for better compatibility with non-FHS operating
  systems
* Exit early when `argc == 0`, to harden against the equivalent of
  CVE-2021-4034 (this is not a security issue in our case)

Other changes:

* The default branch is now named `main`
* Partial REUSE support (add SPDX-License-Identifier to many source files)
* Remove old CI integration

Git-EVTag-v0-SHA512: f07c0e1b6950c698683a802077ad954bdb6a94c62c01971a5eb5b7660376ff880c79f1b65c6eab7cf176933126572cc65ac8bb095b61141c44be16a6c44209fc

v0.5.0

Release v0.5.0

New features:

* `--chmod` changes permissions
* `--clearenv` unsets every environment variable (except `PWD`)
* `--perms` sets permissions for one subsequent `--bind-data`, `--dir`,
  `--file`, `--ro-bind-data` or `--tmpfs`

Other enhancements:

* Better diagnostics when a `--bind` or other bind-mount fails
* `zsh` tab-completion
* Better test coverage

Bug fixes:

* Use Python 3 for tests and examples
* Mount points for non-directories are created with permissions
  `-r--r--r--` instead of `-rw-rw-rw-`
* Don't remount items in `/proc` read-only if already `EROFS`, required
  to run under Docker
* Allow mounting a non-directory over an existing non-directory,
  e.g. `--bind "$XDG_RUNTIME_DIR/my-log-socket" /dev/log`
* Silence kernel messages for our bind-mounts
* Make sure `pkg-config` is checked for, regardless of build options
* Improve ability to bind-mount directories on case-insensitive filesystems
* Fix `-Wshadow` warnings
* Fix deprecation warnings with newer SELinux

Git-EVTag-v0-SHA512: b91b729ca27e1ccd86bcdefbc84c25cbecaf49e84f34d2d04c884c0bfbd6c96f56cf57bed0a3127f5ec12f6ab5b4032fb56ace276f66d95bb04f4ca5742e4315

v0.4.1

This tag was signed with the committer's verified signature (alexlarsson, Alexander Larsson).

Release 0.4.1

This release fixes a privilege escalation bug pointed out by Stephen Röttger, where in some setups
bubblewrap can be used to gain root permissions. Only version 0.4.0 is vulnerable, and only
if installed setuid while at the same time the kernel supports unprivileged user namespaces.
More details in the advisory here:

  GHSA-j2qp-rvxj-43vj

Additionally there are some minor changes:
 * Always clear the capability bounding set (cosmetic issue)
 * Make the tests work with libcap >= 2.29
 * Properly report child exit status in some cases

Alexander Larsson (9):
      Ensure we're always clearing the cap bounding set
      Don't rely on geteuid() to know when to switch back from setuid root
      Don't support --userns2 in setuid mode
      drop_privs: More explicit argument name

Christian Kastner (1):
      tests: Update output patterns for libcap >= 2.29

Jean-Baptiste BESNARD (1):
      retcode: fix return code with syncfd and no event_fd

TomSweeneyRedHat (1):
      Add Code of Conduct

Git-EVTag-v0-SHA512: 0483b1e73940171e16ca41ab7994ae20e7572433a8f4cef276dfdf0685993b4c3bd21a002beb16003a29cf2280aa0394c3d2adaf1255ce1bb128bb2abaa32941