Low-level unprivileged sandboxing tool used by Flatpak and similar projects
OTHER License
bubblewrap-0.9.0.tar.xz no longer contains Autotools-generated files, although this version can still be built using Autotools after running ./autogen.sh. Future versions are likely to remove the Autotools build system altogether.
--argv0 (#91)
--symlink is now idempotent, meaning it succeeds if the symlink already exists and already has the desired target (#549, flatpak/flatpak#2387, flatpak/flatpak#3477, flatpak/flatpak#5255)
--cap-add (#562)
mount(2) fails with ENOSPC (#615, ValveSoftware/steam-runtime#637)
--args, --seccomp or --add-seccomp-fd argument (#558)
/mnt is a symlink (#599)
c6347eaced49ac0141996f46bba3b089e5e6ea4408bc1c43bab9f2d05dd094e1 *bubblewrap-0.9.0.tar.xz
Published by smcv over 1 year ago
New features:
--disable-userns option to prevent the sandbox from creating its own nested user namespace (#488)
--assert-userns-disabled option to check that an existing userns was created with --disable-userns (#488)
CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER (#550)
Bug fixes:
capsh (#544)
Known issues:
$ sha256sum -b bubblewrap-0.8.0.tar.xz
957ad1149db9033db88e988b12bcebe349a445e1efc8a9b59ad2939a113d333a *bubblewrap-0.8.0.tar.xz
Published by smcv almost 2 years ago
New features:
--size option controls the size of a subsequent --tmpfs (#509)
ENOSPC (#487)
RUNPATH can be set on the executable to make it easier to bundle its libcap dependency
Bug fixes:
pkg-config is not disabled by --with-bash-completion-dir=PATH (#316, #342, #441)
command -v in preference to non-standard which (#527)
--help (#531)
$ sha256sum -b bubblewrap-0.7.0.tar.xz
764ab7100bd037ea53d440d362e099d7a425966bc62d1f00ab26b8fbb882a9dc *bubblewrap-0.7.0.tar.xz
Published by smcv over 2 years ago
New features in Meson build:
-Dbwrapdir=... changes the installation directory (useful when being used as a subproject)
-Dtests=false disables unit tests
Bug fixes:
--add-seccomp-fd to shell completions
--add-seccomp-fd, --json-status-fd and --share-net in the man page
$ sha256sum -b bubblewrap-0.6.2.tar.xz
8a0ec802d1b3e956c5bb0a40a81c9ce0b055a31bf30a8efa547433603b8af20b *bubblewrap-0.6.2.tar.xz
Published by smcv over 2 years ago
bwrap --version when built with Meson (#477)
$ sha256sum -b bubblewrap-0.6.1.tar.xz
9609c7dc162bc68abc29abfab566934fdca37520a15ed01b675adcf3a4303282 *bubblewrap-0.6.1.tar.xz
Published by smcv over 2 years ago
New features:
--add-seccomp option can be used to add more than one seccomp program (#453)
--seccomp (#454)
-Dprogram_prefix option is required: see tests/use-as-subproject/ for an example.
--with-priv-mode=setuid option in this build system. Distributions that still require a setuid bubblewrap executable will need to chown and chmod the executable appropriately as a separate step in their packaging.
Bug fixes:
PATH for better compatibility with non-FHS operating systems
argc == 0, to harden against the equivalent of CVE-2021-4034 (this is not a security issue in our case)
Other changes:
main
$ sha256sum -b bubblewrap-0.6.0.tar.xz
11393cf2058f22e6a6c6e9cca3c85ff4c4239806cb28fee657c62a544df35693 *bubblewrap-0.6.0.tar.xz
Published by smcv about 3 years ago
New features:
--chmod changes permissions
--clearenv unsets every environment variable (except PWD)
--perms sets permissions for one subsequent --bind-data, --dir, --file, --ro-bind-data or --tmpfs
Other enhancements:
--bind or other bind-mount fails
zsh tab-completion
Bug fixes:
-r--r--r-- instead of -rw-rw-rw-
/proc read-only if already EROFS, required to run under Docker
--bind "$XDG_RUNTIME_DIR/my-log-socket" /dev/log
pkg-config is checked for, regardless of build options
-Wshadow warnings
$ sha256sum -b bubblewrap-0.5.0.tar.xz
16fdaf33799d63104e347e0133f909196fe90d0c50515d010bcb422eb5a00818 *bubblewrap-0.5.0.tar.xz
Published by alexlarsson over 4 years ago
This release fixes a privilege escalation bug pointed out by Stephen Röttger, where in some setups
bubblewrap can be used to gain root permissions. Only version 0.4.0 is vulnerable, and only
if installed setuid while at the same time the kernel supports unprivileged user namespaces.
More details in the advisory here:
https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj
Additionally there are some minor changes:
Alexander Larsson (9):
Ensure we're always clearing the cap bounding set
Don't rely on geteuid() to know when to switch back from setuid root
Don't support --userns2 in setuid mode
drop_privs: More explicit argument name
Christian Kastner (1):
tests: Update output patterns for libcap >= 2.29
Jean-Baptiste BESNARD (1):
retcode: fix return code with syncfd and no event_fd
TomSweeneyRedHat (1):
Add Code of Conduct
Published by alexlarsson almost 5 years ago
The biggest feature in this release is the support for joining
existing user and pid namespaces. This doesn't work in the setuid
mode (at the moment).
Other changes:
Alexander Larsson (17):
Tests: Fix test count
setuid mode: Properly drop privs in monitor and pid1
Mark init process as dumpable so we can see stuff in its /proc
Add support for --userns and --userns2
tests: test --userns
utils: Add some utility function to pass pids over a socket
utils: Add fork_intermediate_child() helper
Add support for --pidns
Add tests for --pidns
tests: Better error message if assert_files_equal fails
Fix typo in comment
Drop cap bounding set also in --userns case
Allow --uid and --gid with --userns
tests: Fix --userns tests
--userns --uid: Only swtich user if needed
Merge pull request #338 from containers/reuse-namespaces
Bump 0.4.0
Christian Kellner (3):
bwrap: set opt_unshare_cgroup when _try succeeds
bwrap: include the pid namespace id in status/json
tests: check namespace info in json
Colin Walters (1):
Post-release version bump
Jonathan Lebon (1):
ci: Bump to fedora/29/atomic
shawrkbait (1):
Add work-around for TEMP_FAILURE_RETRY to support musl
Git-EVTag-v0-SHA512: d3f07f58b50c579b27470722edfc87b741465ca37ff4d40c9f715d610a69a80a6e6035a0dee678158c1dd77edb0b06bed3ffd6393a784d4ed975c092eb151952
Published by cgwalters over 5 years ago
(This release is the same as 0.3.2 but the version number in configure.ac
was accidentally still set to 0.3.1)
This release fixes a mostly theoretical security issue in unusual/broken
setups where $XDG_RUNTIME_DIR is unset.
There are some other smaller fixes, as well as an addition to the JSON
API that allows reading the inner process exit code, separately from
the bwrap exit code.
Thanks to all contributors!
Iain Lane (1):
tests: Handle systems without merged-/usr
Jakub Wilk (2):
Fix typos
Print "Out of memory" on stderr, not stdout
Richard Maw (3):
Revert "README.md: Delete cat logo picture (not DFSG compliant)"
bwrap: add option json-status-fd to show child exit code
bwrap: Report COMMAND exit code in json-status-fd
Simon McVittie (3):
man page: Describe --chdir, not nonexistent --cwd
Don't create our own temporary mount point for pivot_root
tests: Ensure that tmpfs with oldroot/newroot doesn't appear in container
Timothy E Baldwin (1):
Make lockdata long enough on 32-bit with 64-bit file pointers.
Git-EVTag-v0-SHA512: 1320cc04e853be996e6fa53fb3e472f732ac02855ab05984fa3350aed1d8760fc3b9eac0e6af06843a1f6265afe424e042c937d64606ef2eb29ec53a3539c217
Published by alexlarsson about 6 years ago
The new feature in this release is --bind-try (as well as --dev-bind-try
and --ro-bind-try), which works like the regular versions if the source
exists, but does nothing if it doesn't exist.
The mount type for the root tmpfs was also changed to "tmpfs" instead
of being empty, as the latter could cause problems with some programs
when parsing the mountinfo files in /proc.
Alexander Larsson (1 PR, 1 commit)
Post-release version bump to 0.3.1 (#285)
Colin Walters (1 PR, 1 commit)
Use "tmpfs" instead of empty string for mount (#278)
Patrick Griffis (1 PR, 1 commit)
Add --bind-try options (#283)
chocolateboy (1 PR, 1 commit)
Fix doc typo (#280)
Published by cgwalters over 6 years ago
The biggest feature from this release is that bwrap now supports being
invoked recursively (from other container runtimes such as
Docker/podman/runc as well as bwrap itself) when user namespaces are
enabled, and the outer container manager allows it (Docker's default
seccomp policy doesn't).
This is useful for testing scenarios; for example a project
uses Kubernetes for its CI, but inside the build the project wants to run
each unit test in its own pid namespace, without going out
and creating a new pod for every single unit test.
Similarly, rpm-ostree compose tree uses bwrap internally for scripts,
and we want to support running rpm-ostree inside a container as well.
Another feature is that bwrap now supports -- to terminate argument
parsing. To detect availability of this, you could parse bwrap --version.
Thanks to all contributors!
Colin Walters (3 PRs, 3 commits)
ci: Update to FAH27 (#262)
Release 0.3.0 (#277)
PR: #256
Use pivot_root() instead of chroot() for final root
(and 2 commits from other authors)
Giuseppe Scrivano (1 PR, 2 commits)
PR: #256
bwrap, pivot_root: do not require write access to the rootfs
bwrap: do not always make /proc/{sys,sysrq-trigger,irq} ro
(and 1 commits from other authors)
Olivier Blin (1 PR, 1 commit)
Fix leak detected by LSan/ASan (#271)
Simon McVittie (1 PR, 1 commit)
Add "--" pseudo-argument to end option parsing (#261)
Git-EVTag-v0-SHA512: 2acf37a4a482f4fcde5ff3ec7c0e04e7b7971d1da8c542b5b1a3284deb983ad8c879975e9e360f8da428d5f4ce0b451acdcba9d45c4c9488f6660f177eb5dd04
Published by alexlarsson over 6 years ago
This is a minor release with some fixes and cleanups.
We now distribute all the demos in the tarball and there were some
fixes to make them work on more distributions and with different
versions of Python.
There was an issue with mkdir when running bubblewrap on an NFS
filesystem that has been fixed, so flatpak now works on NFS shares.
Some leaks have been fixed, including a file descriptor leak.
bubblewrap now builds on systems without PR_CAP_AMBIENT.
Alexander Larsson (2):
Don't rely on mkdir returning EEXISTS (fixing NFS)
Release 0.2.1
Marcos Paulo de Souza (2):
Remove O_RDONLY flag when O_PATH is used
README.md: Remove double dots
Mickaël Salaün (1):
bubblewrap: Do not leak FDs dedicated to setup_newroot
Philip Withnall (2):
tests: Correct number of tests in test-run.sh
bwrap: Second attempt at fixing an argv handling leak
Simon McVittie (5):
build: Include various interesting files in tarballs
Skip prctl(PR_CAP_AMBIENT) if PR_CAP_AMBIENT isn't defined
userns-block-fd: Search $PATH for python
userns-block-fd: Search the PATH for bwrap
userns-block-fd: Add support for Python 3
Published by cgwalters about 7 years ago
Some new features in this release, and a variety of contributors, which is
always great to see!
On the bugfix side: bwrap now automatically detects the new
user namespace restrictions in Red Hat Enterprise Linux 7.4:
bubblewrap: check for max_user_namespaces == 0.
PR: https://github.com/projectatomic/bubblewrap/pull/215
The most notable features are new arguments --as-pid1, and
--cap-add/--cap-drop. These were added for running systemd (or in general a
"full" init system) inside bubblewrap. But the capability options are also
useful for unprivileged callers to potentially retain capabilities inside the
sandbox (for example CAP_NET_ADMIN), when user namespaces are enabled.
Conversely, privileged callers (uid 0) can drop capabilities (without
user namespaces). Contributed by Giuseppe Scrivano.
PR: https://github.com/projectatomic/bubblewrap/pull/101
Another smaller feature is: With --dev, add /dev/fd and /dev/core symlinks
which should improve compatibility with older software.
PR: https://github.com/projectatomic/bubblewrap/pull/207
Philip Withnall ran bwrap through Coverity; no critical issues
were found, but changes were made to pacify the analysis and we'll
be sure to keep the analyzer happy in the future.
Thanks in particular to Simon McVittie who contributed a lot of improvements
to the test suite, code review, as well as identified an issue with the
licensing of the logo.
Thanks to all contributors!
Alexander Larsson (1):
Merge pull request #196 from giuseppe/no-reaper
Colin Walters (9):
demos/shell: Use --die-with-parent
main: Squash a -Wunused-result error, enable FORTIFY_SOURCE in CI
tests: Import libtest-core.sh from ostree
README.md: Delete cat logo picture (not DFSG compliant)
Retain all caps when invoked by uid 0, work around systemd seccomp filter
main: Fix typo, tweak command line argument descriptions
With --dev, add /dev/fd and /dev/core symlinks
Avoid leaking --args-fd to child process
Release 0.2.0
Giuseppe Scrivano (8):
bubblewrap: add --as-pid-1
bubblewrap: add --cap-add and --cap-drop
bubblewrap: add option --userns-block-fd
demos: add demo userns-block-fd.py
bubblewrap.c: fix typo
bubblewrap: do not always leave caps in the unprivileged case
tests: add tests for --cap-add
README.md: add bwrap-oci to the list of users
Jonathan Lebon (1):
ci: rename files to new name and bump to f26
Marcos Paulo de Souza (3):
bubblewrap: Remove not needed MS_MGC_VAL mount flag
bubblewrap.c: Fix typo secomp -> seccomp in drop_all_caps
acquire_privs: Cosmetic change to reduce indentation
Philip Withnall (4):
bubblewrap: Improve const-correctness of argv handling
bubblewrap: Fix a minor memory leak in --args handling
bubblewrap: Close FDs on exiting PID 1
bubblewrap: Add various assertions on SetupOp handling
Simon McVittie (10):
Distribute test helper library
tests: Don't write to predictable filenames in /tmp
tests: Improve diagnostics if non-root caps test fails
tests: Send diagnostics to stderr
tests: Interpret stdout as TAP syntax
tests: Produce finer-grained TAP output
tests: Ensure non-root users have access to libcap tools
Partially revert "bubblewrap: Fix a minor memory leak in --args handling"
tests: Add basic test coverage for --args
tests: Fix a race condition between attempts to lock a file
Tristan Cacqueray (1):
bubblewrap: check for max_user_namespaces == 0
Vasya Novikov (4):
add --unshare-all completion
bash completion: remove duplicates
bash completion: fix code style
bash completion: add --new-session
Vladimir Panteleev (1):
Prefix error messages with program name
Git-EVTag-v0-SHA512: 6eafa80a60be2cd66396ab7d4a36e7c6c24ed0b0d8dc207ecee6252e7d45f04fd04e1997c60218f0bb8b90e60ee80ed46cc7d8b521b08cb1ba4450440ee646cf
Published by cgwalters over 7 years ago
This release has a new notable feature in --die-with-parent,
which is based on the Linux prctl(PR_SET_PDEATHSIG) API.
I suspect most users of bwrap probably want to use this - for
example, if you run bwrap ... make check, this will help
ensure that no processes leak from the test suite.
Besides that, there's mostly a collection of smaller bugfixes.
Thanks to all contributors!
Aidan Hobson Sayers (2):
Remove privileged_op flags that are never used
Correctly validate remount-ro argument
Aleksa Sarai (1):
README: update references to runC
Colin Walters (8):
build: Remove unbalanced ) in help message
tests: Use --unshare-user-try
ci: Revamp to actually run the tests
Be more informative if loopback setup fails
tests: Fold test-basic.sh into test-run.sh
ci: Disable ASAN leak checking
main: Parse --version early before acquiring capabilities
Release 0.1.8
Giuseppe Scrivano (1):
test-run.sh: fix the path for the usage string
Marek Jarycki (1):
Add --die-with-parent
Mario Sanchez Prada (1):
Ignore EPERM when dropping caps from bounding set
Tristan Cacqueray (1):
Ignore missing sysrq-trigger file
valoq (2):
Add --require-userns build option for setuid mode
Added --unshare-all to manpage
Git-EVTag-v0-SHA512: f5e3aa406f46241b83a0174a390048820d2040e35fba0b5a9d68bb634e3b6799205b9f854b99fa0cca05148752c8f4d255747023eaf4d5cd903f0da5d4905334
Published by alexlarsson almost 8 years ago
This release backs out the change in 0.1.6 which unconditionally
called setsid() in order to fix a security issue with TIOCSTI, aka
CVE-2017-522. That change caused some behavioural issues that are
hard to work with in some cases. For instance, it makes shell job
control not work for the bwrap command.
Instead there is now a new option --new-session which works like
0.1.6. It is recommended that you use this if possible, but if not we
recommend that you neutralize this some other way, for instance
using SECCOMP, which is what flatpak does:
https://github.com/flatpak/flatpak/commit/902fb713990a8f968ea4350c7c2a27ff46f1a6c4
In order to make it easy to create maximally safe sandboxes we have
also added a new command-line switch called --unshare-all. It unshares
all possible namespaces and is currently equivalent to:
--unshare-user-try --unshare-ipc --unshare-pid --unshare-net
--unshare-uts --unshare-cgroup-try
However, the intent is that as new namespaces are added to the kernel they will
be added to this list. Additionally, if --share-net is specified the network
namespace is not unshared.
This release also has some bugfixes:
Alexander Larsson (7):
Handle inherited children dying
Clear capability bounding set
Make the call to setsid() optional, with --new-session
demos/bubblewrap-shell.sh: Unshare all namespaces
Call setsid() and setexeccon() befor forking the init monitor
Install seccomp filter at the very end
Bump version to 0.1.7
Colin Walters (6):
Release 0.1.6
man: Correct namespace user -> mount
demo/shell: Add /var/tmp compat symlink, tweak PS1, add more docs
Release 0.1.6
ci: Combine ASAN and UBSAN
Add --unshare-all and --share-net
$ sha256sum bubblewrap-0.1.7.tar.xz
e98c1c1c0d353765e62e17b17913d21cce585eda8093cbdf17977377eee5e3de bubblewrap-0.1.7.tar.xz
Published by cgwalters almost 8 years ago
This fixes a security issue with TIOCSTI, aka CVE-2017-522. Note bubblewrap is
far from the only program that has this issue, and I think the best fix is
probably in the kernel to support disabling this ioctl.
Programs can also work around this by calling setsid() on their own in an exec
handler before doing an execvp("bwrap").
Git-EVTag-v0-SHA512: aea2bc21fa6194f7d5c4eaf7294dd35e4434616678d2f79c1e9044aca063bf77db199b1030628ced2eb7d3a33d6a6419047e32ea7891be396d9ddb50a7b1f745
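The caller-side workaround described in the notes above (call setsid() in the child before exec'ing bwrap), as an added example that is not code from bubblewrap or its authors. `run_in_new_session` and `struct launch_result` are hypothetical names; the child reports its session ID over a pipe so the caller can confirm it left the caller's session, and with it the controlling terminal that an unprivileged TIOCSTI requires.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the parent learned about one launch (hypothetical type). */
struct launch_result {
    pid_t child_pid;  /* pid of the forked child */
    pid_t child_sid;  /* session ID the child reported after setsid() */
    int exit_code;    /* exit code of the command, or -1 if killed by a signal */
};

/* Hypothetical helper, not part of bubblewrap. Returns 0 on success. */
int run_in_new_session(char *const argv[], struct launch_result *out)
{
    int pfd[2];
    if (pipe(pfd) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(pfd[0]);
        close(pfd[1]);
        return -1;
    }
    if (pid == 0) {
        /* A freshly forked child is never a process group leader, so
         * setsid() succeeds: new session, no controlling terminal. */
        pid_t sid = setsid();
        close(pfd[0]);
        if (write(pfd[1], &sid, sizeof sid) != (ssize_t)sizeof sid || sid < 0)
            _exit(126);
        close(pfd[1]);
        execvp(argv[0], argv);
        _exit(127);  /* exec failed */
    }

    close(pfd[1]);
    pid_t sid = -1;
    ssize_t n;
    do {
        n = read(pfd[0], &sid, sizeof sid);
    } while (n < 0 && errno == EINTR);
    close(pfd[0]);

    int status;
    pid_t w;
    do {
        w = waitpid(pid, &status, 0);
    } while (w < 0 && errno == EINTR);
    if (w < 0 || n != (ssize_t)sizeof sid)
        return -1;

    out->child_pid = pid;
    out->child_sid = sid;
    out->exit_code = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
    return 0;
}

int main(int argc, char **argv)
{
    struct launch_result r;
    if (argc < 2 || run_in_new_session(argv + 1, &r) != 0) {
        fprintf(stderr, "usage: %s bwrap [ARGS...]\n", argv[0]);
        return 2;
    }
    return r.exit_code < 0 ? 1 : r.exit_code;
}
```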
Published by alexlarsson almost 8 years ago
This is a bugfix release, here are the major changes:
Alexander Larsson (2):
bind-mount: Check for errors in realpath()
Bump version to 0.1.5
Colin Walters (6):
Don't call capset() unless we need to
Only --unshare-user automatically if we're not root
ci: Modernize a bit, add f25-ubsan
README.md: Update with better one liner and more information
utils: Add __attribute__((printf)) to die()
build: Sync default warning -> error set from ostree
Simon McVittie (4):
test-run: be a bash script
test-run: don't assume we are uid 1000
Adapt tests so they can be run against installed binaries
Fix incorrect nesting of backticks when finding a FUSE mount
Git-EVTag-v0-SHA512: ea9673ef5b2df92a216da69ef5589dfd465175bc56feedafd126d0ab2e40f3183974de2c67c92f96470c749f91d4f9f55483cea54030cf35890ed4de18ca952f
$ sha256sum bubblewrap-0.1.5.tar.xz
a623489a31c0bc6e32ebfef8e55cde16cc0b5d042e5e645e215fda0fb7ec4aad bubblewrap-0.1.5.tar.xz
Published by alexlarsson almost 8 years ago
This release contains a workaround for the kernel allowing the user
to ptrace any process in the child user namespace. Prior to this
workaround the user could attach to the setup code in bubblewrap
and take control while the child still had full privileges in
the user namespace (it could never get more privileges in the
parent namespace though). With the workaround, we're now true
to the README in that bubblewrap only allows a subset of the
user namespace features.
In order to fix the above we had to drop the support for a set-caps
binary. We now only support setuid 0 (or unprivileged if the kernel
has such user namespace support).
Additionally, this release fixes the handling of recursive bind mount
flags, where previously we sometimes failed to handle some uncommon
setups. If you were unable to start bwrap before due to mount errors,
this should now be fixed.
Alexander Larsson (11):
Don't print double errors in case privileged helper dies
Priv-sep: Don't trust client args for REMOUNT_RO_NO_RECURSIVE
Add test with basic running operations
Completely drop setcaps codepaths in favour of setuid
Work around user-namespaces allowing ptrace
utils: Add path_equal()
bind-mounts: Fix handling of covered mountpoints
tests/test-run.sh: Add some more tests that now work
bind-mount: Fix issue when destination of mount is in a symlink
Fix make dist
Release 0.1.4
Colin Walters (2):
.redhat-ci.yml: New file
build: Dist bwrap.xml in tarball
Giuseppe Scrivano (3):
bwrap: setuid to the sandbox uid
bwrap: fix typos
bubblewrap: do not leave zombie process
Git-EVTag-v0-SHA512: 55e170e25eee5f3c8eb947c1532bd7d9dffe74277b9964a28b0bc184800da3d904282668ced54a2bff53c3d9811b40435d8b1db30b5eab610fa85a0954ed20bf
Published by cgwalters about 8 years ago
This release fixes CVE-2016-8659: https://github.com/projectatomic/bubblewrap/issues/107
which is a local privilege escalation that applies when
bubblewrap is installed with suid or file capabilities. This
vulnerability does not apply for systems/distributions which
unconditionally enable CLONE_NEWUSER access for unprivileged
users, as e.g. Fedora 24 and newer (as of this writing) do.
However, this will apply to systems such as CentOS/RHEL 7, Debian
stable, Arch, etc. that use bubblewrap as a gating mechanism for
container/app tooling like Flatpak.
The bubblewrap authors wish to thank Sebastian Krahmer, who
has found and responsibly reported many security issues over
time, including this one.
At this time, the bubblewrap authors still believe the codebase is a
sensible option for systems/distributions which don't want to enable
full CLONE_NEWUSER. However, the upstream kernel has improved, and
continues to do so. It's likely at some point in the future that
bubblewrap will evolve more flexibility around gating access to
CLONE_NEWUSER, such as only allowing it for logged in human users,
not background daemons.
Alexander Larsson (3):
Move commandline args to top of the file
Don't allow setting hostname if not unsharing UTS namespace
Only set DUMPABLE when we need it (i.e. in user namespace child)
Bill Nottingham (1):
Fix capability list in spec file.
Colin Walters (1):
Release 0.1.3
Kenton Varda (1):
Make notes on sandstorm.io somewhat more accurate
Git-EVTag-v0-SHA512: 47f77d675735c9ad7f134ac996843b8a6889be9a6a925d586ecc6a4138d2d8d35d1270da04198f09c69434be42a85319b4b763e45ac97e0fce9a961535567c99