Releases: containers/bubblewrap
Release 0.4.1
This release fixes a privilege escalation bug pointed out by Stephen Röttger, where in some setups
bubblewrap can be used to gain root permissions. Only version 0.4.0 is vulnerable, and only
if bwrap is installed setuid root on a kernel that also supports unprivileged user namespaces.
More details in the advisory here:
Additionally there are some minor changes:
- Always clear the capability bounding set (cosmetic issue)
- Make the tests work with libcap >= 2.29
- Properly report child exit status in some cases
Alexander Larsson (9):
Ensure we're always clearing the cap bounding set
Don't rely on geteuid() to know when to switch back from setuid root
Don't support --userns2 in setuid mode
drop_privs: More explicit argument name
Christian Kastner (1):
tests: Update output patterns for libcap >= 2.29
Jean-Baptiste BESNARD (1):
retcode: fix return code with syncfd and no event_fd
TomSweeneyRedHat (1):
Add Code of Conduct
Release 0.4.0
The biggest feature in this release is the support for joining
existing user and pid namespaces. This doesn't work in the setuid
mode (at the moment).
Other changes:
- Stores namespace info in status json
- In setuid mode pid 1 is now marked dumpable
- Now builds with musl libc
Alexander Larsson (17):
Tests: Fix test count
setuid mode: Properly drop privs in monitor and pid1
Mark init process as dumpable so we can see stuff in its /proc
Add support for --userns and --userns2
tests: test --userns
utils: Add some utility function to pass pids over a socket
utils: Add fork_intermediate_child() helper
Add support for --pidns
Add tests for --pidns
tests: Better error message if assert_files_equal fails
Fix typo in comment
Drop cap bounding set also in --userns case
Allow --uid and --gid with --userns
tests: Fix --userns tests
--userns --uid: Only switch user if needed
Merge pull request #338 from containers/reuse-namespaces
Bump 0.4.0
Christian Kellner (3):
bwrap: set opt_unshare_cgroup when _try succeeds
bwrap: include the pid namespace id in status/json
tests: check namespace info in json
Colin Walters (1):
Post-release version bump
Jonathan Lebon (1):
ci: Bump to fedora/29/atomic
shawrkbait (1):
Add work-around for TEMP_FAILURE_RETRY to support musl
Git-EVTag-v0-SHA512: d3f07f58b50c579b27470722edfc87b741465ca37ff4d40c9f715d610a69a80a6e6035a0dee678158c1dd77edb0b06bed3ffd6393a784d4ed975c092eb151952
0.3.3
[This release is the same as 0.3.2, but the version number in configure.ac
was accidentally still set to 0.3.1.]
This release fixes a mostly theoretical security issue in unusual/broken
setups where $XDG_RUNTIME_DIR is unset.
There are some other smaller fixes, as well as an addition to the JSON
API (--json-status-fd) that allows reading the inner process exit code
separately from the bwrap exit code.
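As an added example (not bubblewrap's own code) of consuming that status stream: the parser below merges the one-JSON-object-per-line documents bwrap writes to the fd given to --json-status-fd, and run_sandboxed() wires a pipe to it so a caller can tell "the command inside the sandbox exited 3" apart from "bwrap itself failed before it ever ran the command". The child-pid and exit-code field names are bwrap's; the namespace ids in the constructed sample are made up and the namespace key names are an assumption.

```python
"""Read bwrap's --json-status-fd stream and separate the sandboxed command's exit
status from bwrap's own.  Added example, not part of bubblewrap."""
import json
import os
import subprocess
from typing import Dict, Iterable, List, Optional, Tuple


def parse_status_stream(lines: Iterable[str]) -> Dict[str, object]:
    """Merge the one-JSON-object-per-line documents bwrap writes to the status fd.

    bwrap emits "child-pid" once the sandboxed process exists and "exit-code"
    once it has been reaped; later keys override earlier ones.  Blank lines and
    a truncated stream (bwrap killed mid-run) simply leave keys absent.
    """
    status: Dict[str, object] = {}
    for line in lines:
        line = line.strip()
        if line:
            status.update(json.loads(line))
    return status


def inner_exit_code(status: Dict[str, object]) -> Optional[int]:
    """Exit code of COMMAND inside the sandbox, or None if bwrap never reported
    one (sandbox setup failed before exec, or bwrap itself was killed)."""
    code = status.get("exit-code")
    return code if isinstance(code, int) and not isinstance(code, bool) else None


def run_sandboxed(bwrap_args: List[str],
                  command: List[str]) -> Tuple[int, Optional[int], Dict[str, object]]:
    """Run `bwrap ARGS... --json-status-fd N -- COMMAND...` with N wired to a pipe.

    Returns (bwrap's own exit status, the inner command's exit code or None, the
    merged status).  The parent closes its copy of the write end right after the
    fork so that EOF on the read end means bwrap has gone away.
    """
    rfd, wfd = os.pipe()
    argv = ["bwrap", *bwrap_args, "--json-status-fd", str(wfd), "--", *command]
    proc = subprocess.Popen(argv, pass_fds=(wfd,))   # fd number is preserved in the child
    os.close(wfd)
    with os.fdopen(rfd) as status_fp:
        status = parse_status_stream(status_fp)
    return proc.wait(), inner_exit_code(status), status


# Constructed sample in the shape bwrap writes.  Ids are made up; the namespace
# key names are an assumption, the child-pid/exit-code keys are bwrap's.
SAMPLE_STREAM = [
    '{ "child-pid": 4242, "user-namespace": 4026532253, "pid-namespace": 4026532256 }',
    '',
    '{ "exit-code": 3 }',
]
# bwrap died (or setup failed) before it could reap the child: no exit-code line.
SAMPLE_STREAM_KILLED = ['{ "child-pid": 4242 }']

if __name__ == "__main__":
    rc, inner, _ = run_sandboxed(["--ro-bind", "/", "/", "--unshare-all"],
                                 ["sh", "-c", "exit 3"])
    print("bwrap exited", rc, "command inside exited", inner)
```

Reading the pipe to EOF before calling wait() matters: bwrap keeps the write end open until it exits, so a caller that waits first will deadlock once the pipe buffer fills.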
Thanks to all contributors!
Iain Lane (1):
tests: Handle systems without merged-/usr
Jakub Wilk (2):
Fix typos
Print "Out of memory" on stderr, not stdout
Richard Maw (3):
Revert "README.md: Delete cat logo picture (not DFSG compliant)"
bwrap: add option json-status-fd to show child exit code
bwrap: Report COMMAND exit code in json-status-fd
Simon McVittie (3):
man page: Describe --chdir, not nonexistent --cwd
Don't create our own temporary mount point for pivot_root
tests: Ensure that tmpfs with oldroot/newroot doesn't appear in container
Timothy E Baldwin (1):
Make lockdata long enough on 32-bit with 64-bit file pointers.
Git-EVTag-v0-SHA512: 1320cc04e853be996e6fa53fb3e472f732ac02855ab05984fa3350aed1d8760fc3b9eac0e6af06843a1f6265afe424e042c937d64606ef2eb29ec53a3539c217
Release 0.3.1
New feature in this release is --bind-try (as well as --dev-bind-try
and --ro-bind-try) which works like the regular versions if the source
exists, but does nothing if it doesn't exist.
The mount type for the root tmpfs was also changed to "tmpfs" instead
of being empty, as the latter could cause problems with some programs
when parsing the mountinfo files in /proc.
Alexander Larsson (1 PR, 1 commit)
Post-release version bump to 0.3.1 (#285)
Colin Walters (1 PR, 1 commit)
Use "tmpfs" instead of empty string for mount (#278)
Patrick Griffis (1 PR, 1 commit)
Add --bind-try options (#283)
chocolateboy (1 PR, 1 commit)
Fix doc typo (#280)
0.3.0
The biggest feature in this release is that bwrap now supports being
invoked recursively (from other container runtimes such as
Docker/podman/runc, as well as from bwrap itself) when user namespaces
are enabled and the outer container manager allows it (Docker's default
seccomp policy doesn't).
This is useful for testing scenarios; for example, a project uses
Kubernetes for its CI, but inside the build it wants to run each unit
test in its own pid namespace, without going out and creating a new pod
for every single unit test. Similarly, rpm-ostree compose tree uses
bwrap internally for scripts, and we want to support running rpm-ostree
inside a container as well.
Another feature is that bwrap now supports -- to terminate argument
parsing. To detect availability of this, you could parse bwrap --version.
Thanks to all contributors!
Colin Walters (3 PRs, 3 commits)
ci: Update to FAH27 (#262)
Release 0.3.0 (#277)
PR: #256
Use pivot_root() instead of chroot() for final root
(and 2 commits from other authors)
Giuseppe Scrivano (1 PR, 2 commits)
PR: #256
bwrap, pivot_root: do not require write access to the rootfs
bwrap: do not always make /proc/{sys,sysrq-trigger,irq} ro
(and 1 commits from other authors)
Olivier Blin (1 PR, 1 commit)
Fix leak detected by LSan/ASan (#271)
Simon McVittie (1 PR, 1 commit)
Add "--" pseudo-argument to end option parsing (#261)
Git-EVTag-v0-SHA512: 2acf37a4a482f4fcde5ff3ec7c0e04e7b7971d1da8c542b5b1a3284deb983ad8c879975e9e360f8da428d5f4ce0b451acdcba9d45c4c9488f6660f177eb5dd04
Release 0.2.1
This is a minor release with some fixes and cleanups.
We now distribute all the demos in the tarball and there was some
fixes to make them work on more distributions and with different
versions of python.
There was an issue with mkdir when running bubblewrap on an NFS
filesystem that has been fixed, so flatpak now works on NFS shares.
Some leaks have been fixed, including a file descriptor leak.
bubblewrap now builds on systems without PR_CAP_AMBIENT.
Alexander Larsson (2):
Don't rely on mkdir returning EEXISTS (fixing NFS)
Release 0.2.1
Marcos Paulo de Souza (2):
Remove O_RDONLY flag when O_PATH is used
README.md: Remove double dots
Mickaël Salaün (1):
bubblewrap: Do not leak FDs dedicated to setup_newroot
Philip Withnall (2):
tests: Correct number of tests in test-run.sh
bwrap: Second attempt at fixing an argv handling leak
Simon McVittie (5):
build: Include various interesting files in tarballs
Skip prctl(PR_CAP_AMBIENT) if PR_CAP_AMBIENT isn't defined
userns-block-fd: Search $PATH for python
userns-block-fd: Search the PATH for bwrap
userns-block-fd: Add support for Python 3
Release 0.2.0
Some new features in this release, and a variety of contributors, which is
always great to see!
On the bugfix side: bwrap now automatically detects the new user
namespace restrictions in Red Hat Enterprise Linux 7.4
(bubblewrap: check for max_user_namespaces == 0, PR #215).
The most notable features are the new arguments --as-pid-1 and
--cap-add/--cap-drop. These were added for running systemd (or in general a
"full" init system) inside bubblewrap. But the capability options are also
useful for unprivileged callers to retain capabilities inside the sandbox
(for example CAP_NET_ADMIN) when user namespaces are enabled. Conversely,
privileged callers (uid 0) can drop capabilities (without user namespaces).
Contributed by Giuseppe Scrivano (PR #101).
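An added example, not bubblewrap code, for checking what those options actually left a process with: inside the sandbox the authoritative record is the Cap* lines of /proc/self/status, and the decoder below turns those hex masks into names and reports anything beyond the set you asked --cap-add for. The bit numbering is the kernel's; both status texts are constructed, one as the result of --cap-add CAP_NET_ADMIN under a user namespace and one showing a stale bounding-set entry of the kind the "clear the capability bounding set" changes elsewhere on this page are about.

```python
"""Decode /proc/PID/status capability masks.  Added example, not bubblewrap code."""
from typing import Dict, Iterable, List

# Index == capability number in <linux/capability.h>.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]


def decode_mask(hex_mask: str) -> List[str]:
    """Turn a CapEff-style hex bitmask into capability names.

    Bits this table does not know (a newer kernel) come back as CAP_<n>
    instead of being silently dropped, so an audit never under-reports.
    """
    mask = int(hex_mask, 16)
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def parse_cap_status(text: str) -> Dict[str, List[str]]:
    """Extract CapInh/CapPrm/CapEff/CapBnd/CapAmb from /proc/PID/status text."""
    caps: Dict[str, List[str]] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.startswith("Cap"):
            caps[key] = decode_mask(value.strip())
    return caps


def caps_of(pid="self") -> Dict[str, List[str]]:
    """Live lookup; run this inside the sandbox (Linux only)."""
    with open(f"/proc/{pid}/status") as fp:
        return parse_cap_status(fp.read())


def unexpected_caps(caps: Dict[str, List[str]], allowed: Iterable[str]) -> List[str]:
    """Capabilities that are effective *or still in the bounding set* beyond what
    was explicitly requested.  The bounding set matters: anything left there can
    be regained through a file capability or a setuid binary later on."""
    allowed = set(allowed)
    present = set(caps.get("CapEff", [])) | set(caps.get("CapBnd", []))
    return sorted(present - allowed)


# Constructed sample: a shell started with --unshare-user --cap-add CAP_NET_ADMIN
# (0x1000 is bit 12 == CAP_NET_ADMIN).
SAMPLE_STATUS = """\
Name:\tbash
Pid:\t4242
CapInh:\t0000000000000000
CapPrm:\t0000000000001000
CapEff:\t0000000000001000
CapBnd:\t0000000000001000
CapAmb:\t0000000000000000
"""

# Constructed sample: nothing effective, but CAP_SYS_ADMIN (bit 21) was left in
# the bounding set, which is exactly the kind of leftover an audit should flag.
SAMPLE_STATUS_STALE_BND = """\
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000000000200000
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    for name, caps in caps_of().items():
        print(f"{name}: {', '.join(caps) or '(none)'}")
```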
Another smaller feature: with --dev, /dev/fd and /dev/core symlinks are
added, which should improve compatibility with older software (PR #207).
Philip Withnall ran bwrap through Coverity; no critical issues
were found, but changes were made to pacify the analysis and we'll
be sure to keep the analyzer happy in the future.
Thanks in particular to Simon McVittie who contributed a lot of improvements
to the test suite, code review, as well as identified an issue with the
licensing of the logo.
Thanks to all contributors!
Alexander Larsson (1):
Merge pull request #196 from giuseppe/no-reaper
Colin Walters (9):
demos/shell: Use --die-with-parent
main: Squash a -Wunused-result error, enable FORTIFY_SOURCE in CI
tests: Import libtest-core.sh from ostree
README.md: Delete cat logo picture (not DFSG compliant)
Retain all caps when invoked by uid 0, work around systemd seccomp filter
main: Fix typo, tweak command line argument descriptions
With --dev, add /dev/fd and /dev/core symlinks
Avoid leaking --args-fd to child process
Release 0.2.0
Giuseppe Scrivano (8):
bubblewrap: add --as-pid-1
bubblewrap: add --cap-add and --cap-drop
bubblewrap: add option --userns-block-fd
demos: add demo userns-block-fd.py
bubblewrap.c: fix typo
bubblewrap: do not always leave caps in the unprivileged case
tests: add tests for --cap-add
README.md: add bwrap-oci to the list of users
Jonathan Lebon (1):
ci: rename files to new name and bump to f26
Marcos Paulo de Souza (3):
bubblewrap: Remove not needed MS_MGC_VAL mount flag
bubblewrap.c: Fix typo secomp -> seccomp in drop_all_caps
acquire_privs: Cosmetic change to reduce indentation
Philip Withnall (4):
bubblewrap: Improve const-correctness of argv handling
bubblewrap: Fix a minor memory leak in --args handling
bubblewrap: Close FDs on exiting PID 1
bubblewrap: Add various assertions on SetupOp handling
Simon McVittie (10):
Distribute test helper library
tests: Don't write to predictable filenames in /tmp
tests: Improve diagnostics if non-root caps test fails
tests: Send diagnostics to stderr
tests: Interpret stdout as TAP syntax
tests: Produce finer-grained TAP output
tests: Ensure non-root users have access to libcap tools
Partially revert "bubblewrap: Fix a minor memory leak in --args handling"
tests: Add basic test coverage for --args
tests: Fix a race condition between attempts to lock a file
Tristan Cacqueray (1):
bubblewrap: check for max_user_namespaces == 0
Vasya Novikov (4):
add --unshare-all completion
bash completion: remove duplicates
bash completion: fix code style
bash completion: add --new-session
Vladimir Panteleev (1):
Prefix error messages with program name
Git-EVTag-v0-SHA512: 6eafa80a60be2cd66396ab7d4a36e7c6c24ed0b0d8dc207ecee6252e7d45f04fd04e1997c60218f0bb8b90e60ee80ed46cc7d8b521b08cb1ba4450440ee646cf
0.1.8
This release has a new notable feature in --die-with-parent, which is
based on the Linux prctl(PR_SET_PDEATHSIG) API.
I suspect most users of bwrap probably want to use this; if, for
example, you run bwrap ... make check, this will help ensure that no
processes leak from the test suite.
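What that prctl buys you, shown end to end as an added example (this is not bubblewrap's code, which does the same thing in C): a process sets PR_SET_PDEATHSIG between fork and exec, and the kernel then delivers the chosen signal to it the moment the thread that created it exits. The demonstration spawns a throw-away intermediate Python process, has it start a tied child, and checks that the child is gone once the intermediate exits. The window between fork and the prctl call, during which the parent may already have died, is handled by re-checking the parent pid afterwards.

```python
"""prctl(PR_SET_PDEATHSIG), the mechanism behind --die-with-parent, driven from
Python.  Added example, not bubblewrap code.  Linux only."""
import ctypes
import os
import signal
import subprocess
import sys
import time

PR_SET_PDEATHSIG = 1                       # <linux/prctl.h>
_libc = ctypes.CDLL(None, use_errno=True)  # prctl() is exported by glibc


def tie_to_parent(expected_parent: int) -> None:
    """Run between fork and exec (preexec_fn): get SIGKILL when the parent exits.

    The flag can only be set after the fork, so the parent may already be gone
    by the time we get here; PDEATHSIG would then never fire.  Re-checking the
    parent pid closes that race: a mismatch means we were already reparented.
    """
    if _libc.prctl(PR_SET_PDEATHSIG, int(signal.SIGKILL), 0, 0, 0) != 0:
        os._exit(127)
    if os.getppid() != expected_parent:
        os._exit(127)


def spawn_tied(argv):
    """Start argv so the kernel kills it as soon as the calling thread exits."""
    me = os.getpid()
    return subprocess.Popen(argv, preexec_fn=lambda: tie_to_parent(me))


def is_running(pid: int) -> bool:
    """True while pid exists and is not a zombie (parses /proc/PID/stat)."""
    try:
        with open(f"/proc/{pid}/stat") as fp:
            stat = fp.read()
    except FileNotFoundError:
        return False
    state = stat.rsplit(")", 1)[1].split()[0]   # field right after "(comm)"
    return state not in ("Z", "X")


# Throw-away intermediate: starts a tied 60 s sleeper, reports its pid, then
# waits for one line on stdin before exiting (without ever waiting for the child).
_INTERMEDIATE = r"""
import ctypes, os, signal, subprocess, sys
libc = ctypes.CDLL(None)
me = os.getpid()
def tie():
    libc.prctl(1, int(signal.SIGKILL), 0, 0, 0)
    if os.getppid() != me:
        os._exit(127)
child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(60)"],
                         preexec_fn=tie)
print(child.pid, flush=True)
sys.stdin.readline()
"""


def demonstrate():
    """Return (child alive while its parent lives, child alive after parent exits)."""
    inter = subprocess.Popen([sys.executable, "-c", _INTERMEDIATE],
                             stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    child_pid = int(inter.stdout.readline())
    alive_before = is_running(child_pid)
    inter.stdin.write("go\n")        # let the intermediate exit; the kernel now
    inter.stdin.close()              # sends SIGKILL to the tied child
    inter.wait()
    deadline = time.monotonic() + 5
    while is_running(child_pid) and time.monotonic() < deadline:
        time.sleep(0.05)
    return alive_before, is_running(child_pid)


if __name__ == "__main__":
    print(demonstrate())   # (True, False)
```

Two caveats a practitioner will hit: the death signal is tied to the *thread* that forked, not the process, so a thread pool that spawns and then exits its worker threads will kill its children early; and the kernel clears PDEATHSIG on exec of a setuid or otherwise privilege-changing binary, which is one reason bwrap applies it itself rather than relying on the caller.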
Besides that, there's mostly a collection of smaller bugfixes.
Thanks to all contributors!
Aidan Hobson Sayers (2):
Remove privileged_op flags that are never used
Correctly validate remount-ro argument
Aleksa Sarai (1):
README: update references to runC
Colin Walters (8):
build: Remove unbalanced ) in help message
tests: Use --unshare-user-try
ci: Revamp to actually run the tests
Be more informative if loopback setup fails
tests: Fold test-basic.sh into test-run.sh
ci: Disable ASAN leak checking
main: Parse --version early before acquiring capabilities
Release 0.1.8
Giuseppe Scrivano (1):
test-run.sh: fix the path for the usage string
Marek Jarycki (1):
Add --die-with-parent
Mario Sanchez Prada (1):
Ignore EPERM when dropping caps from bounding set
Tristan Cacqueray (1):
Ignore missing sysrq-trigger file
valoq (2):
Add --require-userns build option for setuid mode
Added --unshare-all to manpage
Git-EVTag-v0-SHA512: f5e3aa406f46241b83a0174a390048820d2040e35fba0b5a9d68bb634e3b6799205b9f854b99fa0cca05148752c8f4d255747023eaf4d5cd903f0da5d4905334
-----BEGIN PGP SIGNATURE-----
iQEwBAABCgAaBQJY2ntnExx3YWx0ZXJzQHZlcmJ1bS5vcmcACgkQ3EX9WSHBPws6
aAf/f18Y6e/OsIrEAKTI3ZDzI1AvgM6kZdi7xQDpuPURxmpeP6515n7LxXbsOBhX
fye4WuvNaM1YDiZVO69JR9OaYTlutqvBmJrHmw2b3WwO4jUf8IyS8VgGe+gfZL1X
/hGoh8aoAUxhIYDtOqC6Bj+fnziFdWgH3q8CsApXz32rNpANNurMQv2C/pLP+ROg
7sHwxFvcbGpjBviHjw0kmnCWKub4GGNnAPvQg/TMo4xx94mkbnUMxq27tw+k03VS
uV1O3wq8OE4bGIWXCdREdvpWaCiN8Bw1vFaLmrSLBmIXNry35k3l+bm6oAd1DRLP
lylBIhhdyV0yWIdn42besDwHsg==
=AOKE
-----END PGP SIGNATURE-----
Release 0.1.7 (CVE-2017-5226)
This release backs out the change in 0.1.6 which unconditionally
called setsid() in order to fix a security issue with TIOCSTI, aka
CVE-2017-5226. That change caused some behavioural issues that are
hard to work with in some cases. For instance, it makes shell job
control not work for the bwrap command.
Instead there is now a new option --new-session which works like
0.1.6. It is recommended that you use this if possible, but if not we
recommend that you neutralize this some other way, for instance
using seccomp, which is what flatpak does:
In order to make it easy to create maximally safe sandboxes we have
also added a new commandline switch called --unshare-all. It unshares
all possible namespaces and is currently equivalent to:
--unshare-user-try --unshare-ipc --unshare-pid --unshare-net
--unshare-uts --unshare-cgroup-try
However, the intent is that as new namespaces are added to the kernel they will
be added to this list. Additionally, if --share-net is specified the network
namespace is not unshared.
This release also has some bugfixes:
- bwrap reaps (unexpected) children that are inherited from the
parent, something which can happen if bwrap is part of a shell
pipeline.
- bwrap clears the capability bounding set. The permitted
capabilities were already empty, and use of PR_NO_NEW_PRIVS should
make it impossible to increase the capabilities, but more
layers of protection are better.
- The seccomp filter is now installed at the very end of bwrap, which
means the set of syscalls the filter has to allow for bwrap itself is
minimal. Any bwrap seccomp filter must at least allow: execve, waitpid and write
Alexander Larsson (7):
Handle inherited children dying
Clear capability bounding set
Make the call to setsid() optional, with --new-session
demos/bubblewrap-shell.sh: Unshare all namespaces
Call setsid() and setexeccon() before forking the init monitor
Install seccomp filter at the very end
Bump version to 0.1.7
Colin Walters (6):
Release 0.1.6
man: Correct namespace user -> mount
demo/shell: Add /var/tmp compat symlink, tweak PS1, add more docs
Release 0.1.6
ci: Combine ASAN and UBSAN
Add --unshare-all and --share-net
$ sha256sum bubblewrap-0.1.7.tar.xz
e98c1c1c0d353765e62e17b17913d21cce585eda8093cbdf17977377eee5e3de bubblewrap-0.1.7.tar.xz
0.1.6
This fixes a security issue with TIOCSTI, aka CVE-2017-5226. Note bubblewrap is
far from the only program that has this issue, and I think the best fix is
probably in the kernel to support disabling this ioctl.
Programs can also work around this by calling setsid() on their own in an exec
handler before doing an execvp("bwrap").
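The caller-side workaround described here, and the trade-off the 0.1.7 notes above describe for --new-session, as an added example that is not bubblewrap's own code: Python's subprocess already offers "call setsid() in the child between fork and exec" as start_new_session=True, so a launcher can detach a sandboxed command from its controlling terminal without waiting for the sandbox to do it. The session-id comparison below is the check that the detachment actually happened; the bwrap command line in the usage note is illustrative.

```python
"""setsid() before exec as a TIOCSTI (CVE-2017-5226) mitigation, from Python.
Added example, not bubblewrap code."""
import os
import subprocess
import sys
from typing import Tuple

# A child that just reports the session it ended up in (constructed probe).
_REPORT_SID = [sys.executable, "-c", "import os; print(os.getsid(0))"]


def run_detached(argv, **kwargs) -> subprocess.CompletedProcess:
    """Run argv in a brand-new session.

    start_new_session=True makes the child call setsid() right after fork, so it
    becomes leader of a new session with *no controlling terminal*.  The TIOCSTI
    attack needs an fd on the caller's controlling tty to push fake keystrokes
    into the caller's shell; after setsid() the sandboxed program no longer has
    one.  The price is the same one --new-session pays: no job control for it.
    """
    return subprocess.run(argv, start_new_session=True, **kwargs)


def session_ids() -> Tuple[int, int, int]:
    """(our sid, sid seen by an ordinary child, sid seen by a detached child)."""
    plain = subprocess.run(_REPORT_SID, capture_output=True, text=True, check=True)
    detached = run_detached(_REPORT_SID, capture_output=True, text=True, check=True)
    return os.getsid(0), int(plain.stdout), int(detached.stdout)


def detaches_session() -> bool:
    """True if run_detached() really moved the child into its own session."""
    ours, plain, detached = session_ids()
    return plain == ours and detached != ours


if __name__ == "__main__":
    print(session_ids())
    # Illustrative use (needs bwrap installed; options as documented on this page):
    # run_detached(["bwrap", "--ro-bind", "/", "/", "--unshare-all", "--", "sh"])
```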
Git-EVTag-v0-SHA512: aea2bc21fa6194f7d5c4eaf7294dd35e4434616678d2f79c1e9044aca063bf77db199b1030628ced2eb7d3a33d6a6419047e32ea7891be396d9ddb50a7b1f745
-----BEGIN PGP SIGNATURE-----
iQEwBAABCgAaBQJYdPxgExx3YWx0ZXJzQHZlcmJ1bS5vcmcACgkQ3EX9WSHBPwtv
NAgAr5CNW9ZZmYvNWGBm5W0uJuwb1rmBB5Pb2izEfBEi90MdrFg7ZQF+JJLB+EEQ
9XsKZLVd/d6drJkycf3fDq35tVzm6cEMq+pidnujGzS+skQqzmEpqISt8G2GQap0
MnnlJlLpwYwUMJvSqa4Xx/WDM/3Cf1FTI7jPwl1uBccU/4x2w0Apa0PG/pvsJ+3N
BxahkioeeMTrgd1a7BZbwUSMYnx0+4kB92v5JOnYh8wF/fCVgwlb5p0GN5Qz2jNj
YCxyeGZfGk/071/FiHDKW64cmSwEV9gPRWMeRT39n5MfRcKcP2tIEHEVxT61ErLR
OndJWLN2+hFmCxjdrOLSw9fmdw==
=OpAb
-----END PGP SIGNATURE-----