tag name: v0.1.7 (29854a7ca7ff131498b5a7f70a2fb41bc5213945)
tag date: 2017-01-18 16:19:51 +0100
tagged by: Alexander Larsson <alexl@redhat.com>
tagged object: commit 5dec838ba8...
download: bubblewrap-0.1.7.tar.gz
Release 0.1.7 (CVE-2017-5226)
This release backs out the change in 0.1.6 which unconditionally called setsid() in order to fix a security issue with `TIOCSTI`, aka CVE-2017-5226. That change caused some behavioural issues that are hard to work with in some cases. For instance, it makes shell job control not work for the bwrap command.

Instead there is now a new option --new-session which works like 0.1.6. It is recommended that you use this if possible, but if not we recommend that you neutralize this some other way, for instance using SECCOMP, which is what flatpak does:
https://github.com/flatpak/flatpak/commit/902fb713990a8f968ea4350c7c2a27ff46f1a6c4

In order to make it easy to create maximally safe sandboxes we have also added a new commandline switch called --unshare-all. It unshares all possible namespaces and is currently equivalent to:

    --unshare-user-try --unshare-ipc --unshare-pid --unshare-net \
    --unshare-uts --unshare-cgroup-try

However, the intent is that as new namespaces are added to the kernel they will be added to this list. Additionally, if --share-net is specified the network namespace is *not* unshared.

This release also has some bugfixes:

* bwrap reaps (unexpected) children that are inherited from the parent, something which can happen if bwrap is part of a shell pipeline.
* bwrap clears the capability bounding set. The permitted capabilities were already empty, and use of PR_NO_NEW_PRIVS should make it impossible to increase the capabilities, but more layers of protection are better.
* The seccomp filter is now installed at the very end of bwrap, which means the requirements on the filter are minimal. Any bwrap seccomp filter must at least allow: execve, waitpid and write.

Git-EVTag-v0-SHA512: 5794231c542988f81e628786383e91dc44d5bd5a9cf816f11cc3a34cbb6eb511b14f945c28d14e1f78babf4f02543f13b199d16e90b3aa8e7a8270daf4be486d
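The seccomp route the notes suggest for when --new-session cannot be used, as an added example that is not bubblewrap's or flatpak's own code: a raw seccomp-BPF filter that makes ioctl(TIOCSTI) fail with EPERM while leaving every other syscall and ioctl request alone, so it also trivially meets the execve/waitpid/write requirement stated above. It assumes Linux on a little-endian target (x86-64 or aarch64) with seccomp filter support; the helper names are my own.

```c
/* Added example, not bubblewrap or flatpak code. Assumes Linux with seccomp
 * filter support; a deployed filter should also check seccomp_data.arch. */
#include <errno.h>
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
/* Install a filter in the calling process that fails ioctl(TIOCSTI) with
 * EPERM and lets every other syscall and ioctl request through. */
static int install_tiocsti_filter(void)
{
    struct sock_filter filter[] = {
        /* Anything but ioctl(2) is allowed (jump to the final ALLOW). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),
        /* args[1] is the request code; low 32 bits are at this offset (little-endian). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[1])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 0, 1),
        /* ioctl(TIOCSTI): return EPERM before the kernel ever sees it. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    /* NO_NEW_PRIVS lets an unprivileged process load the filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Fork, install the filter in the child, call ioctl(/dev/null, request) there
 * and report the errno the child observed (0 = success, -1 = setup failed). */
static int ioctl_errno_under_filter(unsigned long request)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char ch = 'x';
        int fd = open("/dev/null", O_RDWR);
        if (fd < 0 || install_tiocsti_filter() != 0) _exit(255);
        _exit(ioctl(fd, request, &ch) == 0 ? 0 : errno);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}
```

Under the filter TIOCSTI yields EPERM, while an unrelated request such as TCGETS on /dev/null still reaches the kernel and fails with its normal ENOTTY, which shows the filter is precise rather than blanket-denying ioctl.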